Analysis
-
max time kernel
27s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
28-10-2024 15:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e1f328691370f4c89810af39d6306d6329b62904df2248b183c47c006dccc0ecN.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
e1f328691370f4c89810af39d6306d6329b62904df2248b183c47c006dccc0ecN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
e1f328691370f4c89810af39d6306d6329b62904df2248b183c47c006dccc0ecN.exe
-
Size
96KB
-
MD5
863ef911a0d1436591302f4ec75e2480
-
SHA1
c8d7f3338e334441babd2625da393cda05a8b4ad
-
SHA256
e1f328691370f4c89810af39d6306d6329b62904df2248b183c47c006dccc0ec
-
SHA512
1dd27c6c076e653ce837c2bfd34910b9f2e9f183e4c5b8c80acec2a7b345b2b05cf61e51f3162234f206a8ca6481af0d417107913c3354408c266303a149789a
-
SSDEEP
1536:9jRu+2+xYOCTnhnVtstbEwGhbDxLjjHjh2Lx7RZObZUUWaegPYA:nu4yhXs9EhhbDtjjD6xClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplaki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abkhkgbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilcoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgoboc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plmpblnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dobgihgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeehln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbepdhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpoolael.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfaefd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nefbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oekhacbn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ednbncmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejmhkiig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goplilpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iedfqeka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpfadlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhjopbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opqoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhlgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqeqqk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cadjgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekfndmfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iphecepe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demofaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfdddm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdejhfig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbdmeoob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagbgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhonngce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oopijc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqfemqod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aollokco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpcnonob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqnbhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdaqmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaeafklf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqlfaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjhhld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgadda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqncaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlphbbbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhjlli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnclmoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oopijc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbbgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjhhld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnldjekl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgabdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjakccop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnpciaef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldmleam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkcbnanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqnlhpfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mihdgkpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eknmhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaompi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kllnhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdhcli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anneqafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ancefgfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iigpli32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 3 IoCs
resource yara_rule behavioral1/files/0x000500000001a507-600.dat family_bruteratel behavioral1/files/0x000300000001fe29-3862.dat family_bruteratel behavioral1/files/0x00040000000204c2-4190.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2704 Knmamp32.exe 2688 Konndhmb.exe 2860 Lifbmn32.exe 2824 Lqmjnk32.exe 2964 Lihobnap.exe 608 Lkgkoiqc.exe 2456 Lflplbpi.exe 2452 Lkihdioa.exe 2848 Lbcpac32.exe 2080 Lfolaang.exe 2772 Lgpiij32.exe 2444 Ledibnco.exe 1432 Lipecm32.exe 2732 Lnlnlc32.exe 1316 Meffhnal.exe 2096 Mjcoqdoc.exe 572 Mamgmofp.exe 3060 Mclcijfd.exe 1324 Mhgoji32.exe 1848 Mjekfd32.exe 1540 Mmdgbp32.exe 1716 Mapccndn.exe 564 Mcnpojca.exe 2380 Mfllkece.exe 2700 Mjhhld32.exe 1556 Mmfdhojb.exe 2204 Mjjdacik.exe 2556 Mmhamoho.exe 2600 Mfaefd32.exe 2992 Mioabp32.exe 1756 Npijoj32.exe 2064 Nefbga32.exe 2868 Nhdocl32.exe 2100 Nbjcqe32.exe 2616 Nidkmojn.exe 2644 Noacef32.exe 1908 Naopaa32.exe 1740 Nhiholof.exe 1572 Nkhdkgnj.exe 3064 Nemhhpmp.exe 2748 Nhlddkmc.exe 1684 Nkjapglg.exe 836 Nmhmlbkk.exe 444 Odbeilbg.exe 2364 Omkjbb32.exe 960 Opifnm32.exe 912 Ocgbji32.exe 1828 Oiakgcnl.exe 2832 Opkccm32.exe 1508 Ocjophem.exe 2568 Ogekpg32.exe 576 Olbchn32.exe 2828 Ooqpdj32.exe 880 Oghhfg32.exe 1544 Oekhacbn.exe 2384 Ohidmoaa.exe 1728 Oldpnn32.exe 2428 Ocohkh32.exe 772 Oaaifdhb.exe 2908 Ohkaco32.exe 864 Olgmcmgh.exe 2288 Pcaepg32.exe 1240 Padeldeo.exe 2016 Phnnho32.exe -
Loads dropped DLL 64 IoCs
pid Process 2168 e1f328691370f4c89810af39d6306d6329b62904df2248b183c47c006dccc0ecN.exe 2168 e1f328691370f4c89810af39d6306d6329b62904df2248b183c47c006dccc0ecN.exe 2704 Knmamp32.exe 2704 Knmamp32.exe 2688 Konndhmb.exe 2688 Konndhmb.exe 2860 Lifbmn32.exe 2860 Lifbmn32.exe 2824 Lqmjnk32.exe 2824 Lqmjnk32.exe 2964 Lihobnap.exe 2964 Lihobnap.exe 608 Lkgkoiqc.exe 608 Lkgkoiqc.exe 2456 Lflplbpi.exe 2456 Lflplbpi.exe 2452 Lkihdioa.exe 2452 Lkihdioa.exe 2848 Lbcpac32.exe 2848 Lbcpac32.exe 2080 Lfolaang.exe 2080 Lfolaang.exe 2772 Lgpiij32.exe 2772 Lgpiij32.exe 2444 Ledibnco.exe 2444 Ledibnco.exe 1432 Lipecm32.exe 1432 Lipecm32.exe 2732 Lnlnlc32.exe 2732 Lnlnlc32.exe 1316 Meffhnal.exe 1316 Meffhnal.exe 2096 Mjcoqdoc.exe 2096 Mjcoqdoc.exe 572 Mamgmofp.exe 572 Mamgmofp.exe 3060 Mclcijfd.exe 3060 Mclcijfd.exe 1324 Mhgoji32.exe 1324 Mhgoji32.exe 1848 Mjekfd32.exe 1848 Mjekfd32.exe 1540 Mmdgbp32.exe 1540 Mmdgbp32.exe 1716 Mapccndn.exe 1716 Mapccndn.exe 564 Mcnpojca.exe 564 Mcnpojca.exe 2380 Mfllkece.exe 2380 Mfllkece.exe 2700 Mjhhld32.exe 2700 Mjhhld32.exe 1556 Mmfdhojb.exe 1556 Mmfdhojb.exe 2204 Mjjdacik.exe 2204 Mjjdacik.exe 2556 Mmhamoho.exe 2556 Mmhamoho.exe 2600 Mfaefd32.exe 2600 Mfaefd32.exe 2992 Mioabp32.exe 2992 Mioabp32.exe 1756 Npijoj32.exe 1756 Npijoj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nphgph32.dll Jfofol32.exe File opened for modification C:\Windows\SysWOW64\Loqmba32.exe Lpnmgdli.exe File created C:\Windows\SysWOW64\Mmfdhojb.exe Mjhhld32.exe File created C:\Windows\SysWOW64\Ajnpecbj.exe Akkoig32.exe File created C:\Windows\SysWOW64\Dfigpahm.dll Dkigoimd.exe File opened for modification C:\Windows\SysWOW64\Ifoqjo32.exe Idadnd32.exe File created C:\Windows\SysWOW64\Gmoloenf.dll Pafdjmkq.exe File created C:\Windows\SysWOW64\Eogmcjef.exe Eklqcl32.exe File opened for modification C:\Windows\SysWOW64\Iimfld32.exe Ieajkfmd.exe File opened for modification C:\Windows\SysWOW64\Lbcbjlmb.exe Lkjjma32.exe File opened for modification C:\Windows\SysWOW64\Coacbfii.exe Bmbgfkje.exe File created C:\Windows\SysWOW64\Dpccjn32.dll Mapccndn.exe File created C:\Windows\SysWOW64\Mioabp32.exe Mfaefd32.exe File created C:\Windows\SysWOW64\Bgnfdm32.exe Bepjha32.exe File created C:\Windows\SysWOW64\Goiehm32.exe Fqfemqod.exe File opened for modification C:\Windows\SysWOW64\Iefcfe32.exe Imokehhl.exe File created C:\Windows\SysWOW64\Jgabdlfb.exe Jojkco32.exe File created C:\Windows\SysWOW64\Gkcapaif.dll Epecbd32.exe File created C:\Windows\SysWOW64\Gghkdp32.exe Gcmoda32.exe File created C:\Windows\SysWOW64\Omppei32.dll Lkakicam.exe File opened for modification C:\Windows\SysWOW64\Obdojcef.exe Opfbngfb.exe File opened for modification C:\Windows\SysWOW64\Mimgeigj.exe Mfokinhf.exe File opened for modification C:\Windows\SysWOW64\Foafdoag.exe Fmcjhdbc.exe File created C:\Windows\SysWOW64\Hcohnaep.dll Pmgbao32.exe File created C:\Windows\SysWOW64\Jncfhkjh.dll Fqdiga32.exe File created C:\Windows\SysWOW64\Dpegcq32.exe Dmgkgeah.exe File opened for modification C:\Windows\SysWOW64\Fmegncpp.exe Fdnolfon.exe File created C:\Windows\SysWOW64\Hgbfnngi.exe Hahnac32.exe File opened for modification C:\Windows\SysWOW64\Dmojkc32.exe Dpkibo32.exe File opened for modification C:\Windows\SysWOW64\Qmifhq32.exe Qjkjle32.exe File created C:\Windows\SysWOW64\Iaeegh32.exe Ijklknbn.exe File opened for modification C:\Windows\SysWOW64\Jkpbdq32.exe Jgdfdbhk.exe File created C:\Windows\SysWOW64\Lnbnfb32.dll Agpcihcf.exe File created C:\Windows\SysWOW64\Qqfdfdee.dll Bckjhl32.exe File created C:\Windows\SysWOW64\Qndigd32.exe Qfmafg32.exe File opened for modification C:\Windows\SysWOW64\Mngjeamd.exe Mjkndb32.exe File created C:\Windows\SysWOW64\Agdmdg32.exe Aciqcifh.exe File opened for modification C:\Windows\SysWOW64\Bnldjekl.exe Boidnh32.exe File created C:\Windows\SysWOW64\Jdnmma32.exe Jmdepg32.exe File created C:\Windows\SysWOW64\Lpnmgdli.exe Lhfefgkg.exe File created C:\Windows\SysWOW64\Bqgmfkhg.exe Bniajoic.exe File opened for modification C:\Windows\SysWOW64\Enmkijgm.dll Jehlkhig.exe File created C:\Windows\SysWOW64\Aoagccfn.exe Akfkbd32.exe File created C:\Windows\SysWOW64\Gdgqdaoh.dll Cnfqccna.exe File opened for modification C:\Windows\SysWOW64\Nfkapb32.exe Ndmecgba.exe File created C:\Windows\SysWOW64\Ffbafegj.dll Aopahjll.exe File created C:\Windows\SysWOW64\Jihcbj32.dll Eoepnk32.exe File created C:\Windows\SysWOW64\Ohbamn32.dll Jolghndm.exe File created C:\Windows\SysWOW64\Qqfkbadh.dll Lkjjma32.exe File opened for modification C:\Windows\SysWOW64\Lqipkhbj.exe Lbfook32.exe File created C:\Windows\SysWOW64\Jbglcb32.dll Lgchgb32.exe File opened for modification C:\Windows\SysWOW64\Lqqpgj32.exe Lbnpkmfg.exe File created C:\Windows\SysWOW64\Mhonngce.exe Meabakda.exe File opened for modification C:\Windows\SysWOW64\Qkibcg32.exe Qgmfchei.exe File created C:\Windows\SysWOW64\Iamdkfnc.exe Ioohokoo.exe File opened for modification C:\Windows\SysWOW64\Ajmfad32.exe Abfnpg32.exe File created C:\Windows\SysWOW64\Mfogcjhb.dll Abfnpg32.exe File created C:\Windows\SysWOW64\Dpqnhadq.exe Cmbalfem.exe File created C:\Windows\SysWOW64\Bbpiog32.dll Hhjcic32.exe File opened for modification C:\Windows\SysWOW64\Ccpcckck.exe Cpdgbm32.exe File created C:\Windows\SysWOW64\Gmmfaa32.exe Goiehm32.exe File created C:\Windows\SysWOW64\Hcopgk32.dll Aohdmdoh.exe File created C:\Windows\SysWOW64\Ecinnn32.dll Pdbdqh32.exe File created C:\Windows\SysWOW64\Ancefgfd.exe Akeijlfq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7268 7204 WerFault.exe 810 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqiimfam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmipn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maefamlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdgic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpciaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ancefgfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacclpae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhejkcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kglehp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohidmoaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifdjeoep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoepnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jolghndm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnpkjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecfldoph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjglkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanefo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmfchei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhmcmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iihiphln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqmjnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnlnlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkaco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bibpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eccpoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbaii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Copjdhib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eknmhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edfbaabj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkqqnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gghkdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmecmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hinqgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdhif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkglnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefcfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcilf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aficjnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Helgmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdcmbgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfkpknkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdefgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqqpgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcjnnpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfndjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdjmcpnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gegabegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpelnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaqbln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnoijbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljfapjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llgjaeoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjkhdacm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmfdhojb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phnnho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjallg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dchmkkkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeindm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgckjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpadhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcgphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjhmcok.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agpcihcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eknmhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncobd32.dll" Kpdjaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blgdjk32.dll" Egokonjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hebdfind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdefgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olophhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plmpblnb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dphmloih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flnlpo32.dll" Jdnmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagina32.dll" Jajcdjca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbpbpkpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgadda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iipiljgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iibfajdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egpbbn32.dll" Jdaqmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjdofm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkaghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikmnfdoq.dll" Mlfacfpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bekmle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcbncfjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egikjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godonkii.dll" Bnknoogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olmcchlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdnlccec.dll" Nmhmlbkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akeijlfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkfbfjdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdpkbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjpqpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioohokoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lifbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpadhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dahifbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipfeceln.dll" Eamilh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pifbjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibkkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biliep32.dll" Cmbalfem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ellcac32.dll" Gqnbhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbdpeq32.dll" Mfglep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfljkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khmggg32.dll" Cllkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjfgpjhf.dll" Cljodo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iphecepe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpdgbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akgddhmc.dll" Hkiicmdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aohdmdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpcmjq32.dll" Cadjgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgaebe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpkpadnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkmand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phmaeh32.dll" Nbniid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Palkkl32.dll" Anjlebjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nabopjmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coacbfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdgqdaoh.dll" Cnfqccna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chlfnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmjbki32.dll" Bnfblgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhioeeeo.dll" Dcfpel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akiobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfebhg32.dll" Nlcibc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akfkbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjljina.dll" Nhiholof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjpmh32.dll" Obdojcef.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2168 wrote to memory of 2704 2168 e1f328691370f4c89810af39d6306d6329b62904df2248b183c47c006dccc0ecN.exe 30 PID 2168 wrote to memory of 2704 2168 e1f328691370f4c89810af39d6306d6329b62904df2248b183c47c006dccc0ecN.exe 30 PID 2168 wrote to memory of 2704 2168 e1f328691370f4c89810af39d6306d6329b62904df2248b183c47c006dccc0ecN.exe 30 PID 2168 wrote to memory of 2704 2168 e1f328691370f4c89810af39d6306d6329b62904df2248b183c47c006dccc0ecN.exe 30 PID 2704 wrote to memory of 2688 2704 Knmamp32.exe 31 PID 2704 wrote to memory of 2688 2704 Knmamp32.exe 31 PID 2704 wrote to memory of 2688 2704 Knmamp32.exe 31 PID 2704 wrote to memory of 2688 2704 Knmamp32.exe 31 PID 2688 wrote to memory of 2860 2688 Konndhmb.exe 32 PID 2688 wrote to memory of 2860 2688 Konndhmb.exe 32 PID 2688 wrote to memory of 2860 2688 Konndhmb.exe 32 PID 2688 wrote to memory of 2860 2688 Konndhmb.exe 32 PID 2860 wrote to memory of 2824 2860 Lifbmn32.exe 33 PID 2860 wrote to memory of 2824 2860 Lifbmn32.exe 33 PID 2860 wrote to memory of 2824 2860 Lifbmn32.exe 33 PID 2860 wrote to memory of 2824 2860 Lifbmn32.exe 33 PID 2824 wrote to memory of 2964 2824 Lqmjnk32.exe 34 PID 2824 wrote to memory of 2964 2824 Lqmjnk32.exe 34 PID 2824 wrote to memory of 2964 2824 Lqmjnk32.exe 34 PID 2824 wrote to memory of 2964 2824 Lqmjnk32.exe 34 PID 2964 wrote to memory of 608 2964 Lihobnap.exe 35 PID 2964 wrote to memory of 608 2964 Lihobnap.exe 35 PID 2964 wrote to memory of 608 2964 Lihobnap.exe 35 PID 2964 wrote to memory of 608 2964 Lihobnap.exe 35 PID 608 wrote to memory of 2456 608 Lkgkoiqc.exe 36 PID 608 wrote to memory of 2456 608 Lkgkoiqc.exe 36 PID 608 wrote to memory of 2456 608 Lkgkoiqc.exe 36 PID 608 wrote to memory of 2456 608 Lkgkoiqc.exe 36 PID 2456 wrote to memory of 2452 2456 Lflplbpi.exe 37 PID 2456 wrote to memory of 2452 2456 Lflplbpi.exe 37 PID 2456 wrote to memory of 2452 2456 Lflplbpi.exe 37 PID 2456 wrote to memory of 2452 2456 Lflplbpi.exe 37 PID 2452 wrote to memory of 2848 2452 Lkihdioa.exe 38 PID 2452 wrote to memory of 2848 2452 Lkihdioa.exe 38 PID 2452 wrote to memory of 2848 2452 Lkihdioa.exe 38 PID 2452 wrote to memory of 2848 2452 Lkihdioa.exe 38 PID 2848 wrote to memory of 2080 2848 Lbcpac32.exe 39 PID 2848 wrote to memory of 2080 2848 Lbcpac32.exe 39 PID 2848 wrote to memory of 2080 2848 Lbcpac32.exe 39 PID 2848 wrote to memory of 2080 2848 Lbcpac32.exe 39 PID 2080 wrote to memory of 2772 2080 Lfolaang.exe 40 PID 2080 wrote to memory of 2772 2080 Lfolaang.exe 40 PID 2080 wrote to memory of 2772 2080 Lfolaang.exe 40 PID 2080 wrote to memory of 2772 2080 Lfolaang.exe 40 PID 2772 wrote to memory of 2444 2772 Lgpiij32.exe 41 PID 2772 wrote to memory of 2444 2772 Lgpiij32.exe 41 PID 2772 wrote to memory of 2444 2772 Lgpiij32.exe 41 PID 2772 wrote to memory of 2444 2772 Lgpiij32.exe 41 PID 2444 wrote to memory of 1432 2444 Ledibnco.exe 42 PID 2444 wrote to memory of 1432 2444 Ledibnco.exe 42 PID 2444 wrote to memory of 1432 2444 Ledibnco.exe 42 PID 2444 wrote to memory of 1432 2444 Ledibnco.exe 42 PID 1432 wrote to memory of 2732 1432 Lipecm32.exe 43 PID 1432 wrote to memory of 2732 1432 Lipecm32.exe 43 PID 1432 wrote to memory of 2732 1432 Lipecm32.exe 43 PID 1432 wrote to memory of 2732 1432 Lipecm32.exe 43 PID 2732 wrote to memory of 1316 2732 Lnlnlc32.exe 44 PID 2732 wrote to memory of 1316 2732 Lnlnlc32.exe 44 PID 2732 wrote to memory of 1316 2732 Lnlnlc32.exe 44 PID 2732 wrote to memory of 1316 2732 Lnlnlc32.exe 44 PID 1316 wrote to memory of 2096 1316 Meffhnal.exe 45 PID 1316 wrote to memory of 2096 1316 Meffhnal.exe 45 PID 1316 wrote to memory of 2096 1316 Meffhnal.exe 45 PID 1316 wrote to memory of 2096 1316 Meffhnal.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e1f328691370f4c89810af39d6306d6329b62904df2248b183c47c006dccc0ecN.exe"C:\Users\Admin\AppData\Local\Temp\e1f328691370f4c89810af39d6306d6329b62904df2248b183c47c006dccc0ecN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Konndhmb.exeC:\Windows\system32\Konndhmb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Lqmjnk32.exeC:\Windows\system32\Lqmjnk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Lihobnap.exeC:\Windows\system32\Lihobnap.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Lkgkoiqc.exeC:\Windows\system32\Lkgkoiqc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Lfolaang.exeC:\Windows\system32\Lfolaang.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Ledibnco.exeC:\Windows\system32\Ledibnco.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2444 -
C:\Windows\SysWOW64\Lipecm32.exeC:\Windows\system32\Lipecm32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316 -
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Mhgoji32.exeC:\Windows\system32\Mhgoji32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1324 -
C:\Windows\SysWOW64\Mjekfd32.exeC:\Windows\system32\Mjekfd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Mmdgbp32.exeC:\Windows\system32\Mmdgbp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Mapccndn.exeC:\Windows\system32\Mapccndn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:564 -
C:\Windows\SysWOW64\Mfllkece.exeC:\Windows\system32\Mfllkece.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2380 -
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Mmfdhojb.exeC:\Windows\system32\Mmfdhojb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1556 -
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Mmhamoho.exeC:\Windows\system32\Mmhamoho.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Mioabp32.exeC:\Windows\system32\Mioabp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Npijoj32.exeC:\Windows\system32\Npijoj32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Nefbga32.exeC:\Windows\system32\Nefbga32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe34⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe35⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe36⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe37⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe38⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Nhiholof.exeC:\Windows\system32\Nhiholof.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Nkhdkgnj.exeC:\Windows\system32\Nkhdkgnj.exe40⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe41⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe42⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe43⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Odbeilbg.exeC:\Windows\system32\Odbeilbg.exe45⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe46⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Opifnm32.exeC:\Windows\system32\Opifnm32.exe47⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe48⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Oiakgcnl.exeC:\Windows\system32\Oiakgcnl.exe49⤵
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Opkccm32.exeC:\Windows\system32\Opkccm32.exe50⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe51⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Ogekpg32.exeC:\Windows\system32\Ogekpg32.exe52⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe53⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Ooqpdj32.exeC:\Windows\system32\Ooqpdj32.exe54⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Oghhfg32.exeC:\Windows\system32\Oghhfg32.exe55⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Oekhacbn.exeC:\Windows\system32\Oekhacbn.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\Oldpnn32.exeC:\Windows\system32\Oldpnn32.exe58⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Ocohkh32.exeC:\Windows\system32\Ocohkh32.exe59⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Oaaifdhb.exeC:\Windows\system32\Oaaifdhb.exe60⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Ohkaco32.exeC:\Windows\system32\Ohkaco32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2908 -
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe62⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe63⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Padeldeo.exeC:\Windows\system32\Padeldeo.exe64⤵
- Executes dropped EXE
PID:1240 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2016 -
C:\Windows\SysWOW64\Plijimee.exeC:\Windows\system32\Plijimee.exe66⤵PID:1632
-
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe67⤵PID:1704
-
C:\Windows\SysWOW64\Peanbblf.exeC:\Windows\system32\Peanbblf.exe68⤵PID:3048
-
C:\Windows\SysWOW64\Pgckjk32.exeC:\Windows\system32\Pgckjk32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe70⤵PID:1480
-
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe71⤵PID:1500
-
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe72⤵PID:2184
-
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe73⤵PID:1764
-
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe74⤵PID:2440
-
C:\Windows\SysWOW64\Pqnlhpfb.exeC:\Windows\system32\Pqnlhpfb.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1960 -
C:\Windows\SysWOW64\Pclhdl32.exeC:\Windows\system32\Pclhdl32.exe76⤵PID:2412
-
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe77⤵PID:2472
-
C:\Windows\SysWOW64\Pqphnp32.exeC:\Windows\system32\Pqphnp32.exe78⤵PID:1564
-
C:\Windows\SysWOW64\Qgjqjjll.exeC:\Windows\system32\Qgjqjjll.exe79⤵PID:2220
-
C:\Windows\SysWOW64\Qfmafg32.exeC:\Windows\system32\Qfmafg32.exe80⤵
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe81⤵PID:1748
-
C:\Windows\SysWOW64\Qoeeolig.exeC:\Windows\system32\Qoeeolig.exe82⤵PID:1492
-
C:\Windows\SysWOW64\Qfonkfqd.exeC:\Windows\system32\Qfonkfqd.exe83⤵PID:612
-
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe84⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Qmifhq32.exeC:\Windows\system32\Qmifhq32.exe85⤵PID:2676
-
C:\Windows\SysWOW64\Accnekon.exeC:\Windows\system32\Accnekon.exe86⤵PID:2276
-
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe87⤵
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Ajmfad32.exeC:\Windows\system32\Ajmfad32.exe88⤵PID:2624
-
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe89⤵PID:1640
-
C:\Windows\SysWOW64\Aojojl32.exeC:\Windows\system32\Aojojl32.exe90⤵PID:2244
-
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe91⤵PID:264
-
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe92⤵PID:668
-
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe93⤵PID:2516
-
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2112 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe96⤵PID:2068
-
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe97⤵PID:2900
-
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe98⤵PID:2560
-
C:\Windows\SysWOW64\Abmdafpp.exeC:\Windows\system32\Abmdafpp.exe99⤵PID:992
-
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe100⤵PID:1836
-
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe103⤵PID:2952
-
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe104⤵PID:2148
-
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe105⤵PID:2940
-
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe106⤵
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe107⤵
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe108⤵PID:2592
-
C:\Windows\SysWOW64\Bjmbqhif.exeC:\Windows\system32\Bjmbqhif.exe109⤵PID:2736
-
C:\Windows\SysWOW64\Bnhoag32.exeC:\Windows\system32\Bnhoag32.exe110⤵PID:2404
-
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe111⤵PID:2192
-
C:\Windows\SysWOW64\Bcegin32.exeC:\Windows\system32\Bcegin32.exe112⤵PID:2528
-
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe113⤵PID:2040
-
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe114⤵
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe115⤵PID:1468
-
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe116⤵PID:1344
-
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe117⤵
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe118⤵PID:2584
-
C:\Windows\SysWOW64\Bpnddn32.exeC:\Windows\system32\Bpnddn32.exe119⤵PID:1668
-
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe120⤵PID:2788
-
C:\Windows\SysWOW64\Bekmle32.exeC:\Windows\system32\Bekmle32.exe121⤵
- Modifies registry class
PID:2076
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-