Analysis
max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags
arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted
22-10-2024 04:08
Static task
static1
Behavioral task
behavioral1
Sample
fd9210fa9366fd64a5708bb42c9882a39c92aa75fcfdce090959f4bcb43f7956N.exe
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
fd9210fa9366fd64a5708bb42c9882a39c92aa75fcfdce090959f4bcb43f7956N.exe
Resource
win10v2004-20241007-en
General
Target
fd9210fa9366fd64a5708bb42c9882a39c92aa75fcfdce090959f4bcb43f7956N.exe
Size
96KB
MD5
580be8f77e4e46d640780aca3f160a50
SHA1
bd1bf4f3a6b89c9b1e9ea28027847789cfa38fc8
SHA256
fd9210fa9366fd64a5708bb42c9882a39c92aa75fcfdce090959f4bcb43f7956
SHA512
029b16bbf327a9d0d73ecf2eab203a42564a71e5d79f959782cc6a6cb8fdc8090489d5f8e3e7fd27535f31b7f3bb63d09f49e1bacba66fbfcc9b9fcd3ddca4a6
SSDEEP
1536:tmRKex/pnR82tv4mHjiKsd5sg01mmJj1lI5DAwEXsY2L47RZObZUUWaegPYA:8lm2FHHjiKsd5sJ1mmJhlIWN8p4ClUU2
Malware Config
Extracted
berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
Detect BruteRatel badger 9 IoCs
resource                                          yara_rule
behavioral1/files/0x000400000001d6c6-1669.dat     family_bruteratel
behavioral1/files/0x000400000001d83f-1785.dat     family_bruteratel
behavioral1/files/0x000400000001da1a-2149.dat     family_bruteratel
behavioral1/files/0x000300000002100c-7379.dat     family_bruteratel
behavioral1/files/0x0003000000021112-7800.dat     family_bruteratel
behavioral1/files/0x00030000000216d2-11192.dat    family_bruteratel
behavioral1/files/0x0003000000021ddc-14304.dat    family_bruteratel
behavioral1/files/0x0003000000023a53-18383.dat    family_bruteratel
behavioral1/files/0x0002000000023d43-19901.dat    family_bruteratel
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 2360 8740 2136 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Process tree, one process per line: nesting depth, image, PID, then the signatures that process triggered (none listed where the report shows none). Every process from depth 2 onward is C:\Windows\SysWOW64\<image>, launched with the command line C:\Windows\system32\<image>.
1. C:\Users\Admin\AppData\Local\Temp\fd9210fa9366fd64a5708bb42c9882a39c92aa75fcfdce090959f4bcb43f7956N.exe (command line "C:\Users\Admin\AppData\Local\Temp\fd9210fa9366fd64a5708bb42c9882a39c92aa75fcfdce090959f4bcb43f7956N.exe"), PID 2412: Loads dropped DLL; Suspicious use of WriteProcessMemory
2. Lpqlemaj.exe, PID 2728: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. Loclai32.exe, PID 2164: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. Lkjmfjmi.exe, PID 2436: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. Lofifi32.exe, PID 2744: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. Ladebd32.exe, PID 2652: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. Lklikj32.exe, PID 752: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. Lohelidp.exe, PID 1044: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. Mhqjen32.exe, PID 2108: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. Mojbaham.exe, PID 1216: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. Mhcfjnhm.exe, PID 2768: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. Mjdcbf32.exe, PID 1084: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. Mpnkopeh.exe, PID 2472: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. Mclgklel.exe, PID 592: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. Mjfphf32.exe, PID 2192: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. Mdldeo32.exe, PID 2372: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. Mgjpaj32.exe, PID 1324: Executes dropped EXE; Loads dropped DLL
18. Mlgiiaij.exe, PID 1212: Executes dropped EXE; Loads dropped DLL
19. Mqbejp32.exe, PID 1584: Executes dropped EXE; Loads dropped DLL
20. Mcaafk32.exe, PID 1556: Executes dropped EXE; Loads dropped DLL
21. Mfpmbf32.exe, PID 1288: Executes dropped EXE; Loads dropped DLL
22. Mhninb32.exe, PID 1956: Executes dropped EXE; Loads dropped DLL
23. Nqeapo32.exe, PID 2324: Executes dropped EXE; Loads dropped DLL
24. Nccnlk32.exe, PID 2492: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
25. Nfbjhf32.exe, PID 396: Executes dropped EXE; Loads dropped DLL
26. Njmfhe32.exe, PID 2292: Executes dropped EXE; Loads dropped DLL
27. Nkobpmlo.exe, PID 2832: Executes dropped EXE; Loads dropped DLL
28. Nbhkmg32.exe, PID 2116: Executes dropped EXE; Loads dropped DLL
29. Nmnojp32.exe, PID 2628: Executes dropped EXE; Loads dropped DLL
30. Nomkfk32.exe, PID 2976: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
31. Nbkgbg32.exe, PID 2568: Executes dropped EXE; Loads dropped DLL
32. Nffccejb.exe, PID 1488: Executes dropped EXE; Loads dropped DLL
33. Noohlkpc.exe, PID 2156: Executes dropped EXE; Drops file in System32 directory
34. Nnahgh32.exe, PID 2384: Executes dropped EXE; Drops file in System32 directory
35. Nigldq32.exe, PID 2168: Executes dropped EXE
36. Ngjlpmnn.exe, PID 584: Executes dropped EXE
37. Nbpqmfmd.exe, PID 1508: Executes dropped EXE
38. Nqbaic32.exe, PID 2448: Executes dropped EXE
39. Onfabgch.exe, PID 780: Executes dropped EXE
40. Omiand32.exe, PID 1244: Executes dropped EXE; Drops file in System32 directory
41. Occjjnap.exe, PID 2360: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
42. Oninhgae.exe, PID 1732: Executes dropped EXE
43. Oqgjdbpi.exe, PID 2428: Executes dropped EXE
44. Opjkpo32.exe, PID 996: Executes dropped EXE
45. Ofdclinq.exe, PID 1852: Executes dropped EXE
46. Oibohdmd.exe, PID 1652: Executes dropped EXE; Modifies registry class
47. Oplgeoea.exe, PID 2064: Executes dropped EXE
48. Ochcem32.exe, PID 2484: Executes dropped EXE
49. Offpbi32.exe, PID 2256: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory
50. Ojblbgdg.exe, PID 1448: Executes dropped EXE; Drops file in System32 directory
51. Oielnd32.exe, PID 2480: Executes dropped EXE
52. Olchjp32.exe, PID 2576: Executes dropped EXE
53. Ocjpkm32.exe, PID 2588: Executes dropped EXE
54. Obmpgjbb.exe, PID 2612: Executes dropped EXE; Modifies registry class
55. Oekmceaf.exe, PID 2500: Executes dropped EXE
56. Oighcd32.exe, PID 2144: Executes dropped EXE
57. Oleepo32.exe, PID 552: Executes dropped EXE
58. Opaqpn32.exe, PID 2812: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
59. Pndalkgf.exe, PID 1436: Executes dropped EXE
60. Pfkimhhi.exe, PID 2248: Executes dropped EXE
61. Penihe32.exe, PID 2368: Executes dropped EXE
62. Piieicgl.exe, PID 2252: Executes dropped EXE
63. Ppcmfn32.exe, PID 2872: Executes dropped EXE
64. Pnfnajed.exe, PID 2260: Executes dropped EXE
65. Padjmfdg.exe, PID 2456: Executes dropped EXE
66. Pepfnd32.exe, PID 2092
67. Pilbocej.exe, PID 1592: Adds autorun key to be loaded by Explorer.exe on startup
68. Pljnkodm.exe, PID 2148
69. Pjmnfk32.exe, PID 1320
70. Pnhjgj32.exe, PID 2764
71. Paggce32.exe, PID 2604
72. Pebbcdkn.exe, PID 1500
73. Phaoppja.exe, PID 2416
74. Pllkpn32.exe, PID 2200
75. Pnkglj32.exe, PID 2172
76. Paiche32.exe, PID 2644
77. Peeoidik.exe, PID 1836
78. Phcleoho.exe, PID 2188
79. Pfflql32.exe, PID 2160
80. Pnmdbi32.exe, PID 2264
81. Pmpdmfff.exe, PID 896
82. Phehko32.exe, PID 1460
83. Pfhhflmg.exe, PID 2672
84. Qigebglj.exe, PID 2444
85. Qanmcdlm.exe, PID 2740
86. Qpamoa32.exe, PID 2096
87. Qboikm32.exe, PID 1536
88. Qjfalj32.exe, PID 2112
89. Qmenhe32.exe, PID 1724
90. Qlgndbil.exe, PID 1856
91. Qdofep32.exe, PID 976
92. Qbafalph.exe, PID 1964
93. Aepbmhpl.exe, PID 2180
94. Aljjjb32.exe, PID 2088
95. Apefjqob.exe, PID 2460
96. Abdbflnf.exe, PID 2032
97. Ahqkocmm.exe, PID 1148
98. Aphcppmo.exe, PID 2580
99. Abfoll32.exe, PID 2824
100. Aedlhg32.exe, PID 1620
101. Ahchdb32.exe, PID 2700: Adds autorun key to be loaded by Explorer.exe on startup
102. Aompambg.exe, PID 1892
103. Aeghng32.exe, PID 3032
104. Ahedjb32.exe, PID 852: System Location Discovery: System Language Discovery
105. Aoomflpd.exe, PID 1768
106. Aanibhoh.exe, PID 3052
107. Ahhaobfe.exe, PID 1268
108. Akfnkmei.exe, PID 1664
109. Bapfhg32.exe, PID 2080
110. Bpcfcddp.exe, PID 2704
111. Bhjneadb.exe, PID 2876
112. Bkhjamcf.exe, PID 2712
113. Babbng32.exe, PID 2616
114. Bdaojbjf.exe, PID 1192
115. Bccoeo32.exe, PID 1760
116. Bjngbihn.exe, PID 2136
117. Bdckobhd.exe, PID 2176
118. Bgahkngh.exe, PID 1616
119. Bjpdhifk.exe, PID 3024
120. Bpjldc32.exe, PID 2908
121. Bomlppdb.exe, PID 2100
122. Bfgdmjlp.exe, PID 1612