Analysis
max time kernel: 77s
max time network: 21s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 02-11-2024 15:33

Static task: static1
Behavioral task: behavioral1
Sample: f1f525aa5263a62ef383655b00c80be9b198dbcef5d418170b7e538bd43af128N.exe
Resource: win7-20240729-en
Behavioral task: behavioral2
Sample: f1f525aa5263a62ef383655b00c80be9b198dbcef5d418170b7e538bd43af128N.exe
Resource: win10v2004-20241007-en

General
Target: f1f525aa5263a62ef383655b00c80be9b198dbcef5d418170b7e538bd43af128N.exe
Size: 96KB
MD5: dde9374128534d36307d426c00c2b590
SHA1: 10b9f2fe0d099b7fd8bd8ff768af98c74d620ee9
SHA256: f1f525aa5263a62ef383655b00c80be9b198dbcef5d418170b7e538bd43af128
SHA512: 171840088a8f0ff59cb69f5b69dccc918a797d51cde400461176bc452771e509b7a4d0956907765c50f2c66a1fa3b3cbd6eedfc75f82c6a3157ce9ee744fc723
SSDEEP: 1536:EOY1l9TBLjQIPqClc8ssBajo42LW7RZObZUUWaegPYA:u1l59cIP/RWClUUWae
Malware Config
Extracted: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Brute Ratel C4: a customized command and control framework for red teaming and adversary simulation.
Bruteratel family
Detect BruteRatel badger 6 IoCs
Processes:
resource                                       yara_rule
behavioral1/files/0x000400000001e239-3184.dat  family_bruteratel
behavioral1/files/0x000300000002098c-5129.dat  family_bruteratel
behavioral1/files/0x0003000000020b65-5586.dat  family_bruteratel
behavioral1/files/0x0003000000020cca-5942.dat  family_bruteratel
behavioral1/files/0x0003000000020e03-6336.dat  family_bruteratel
behavioral1/files/0x0003000000021249-9100.dat  family_bruteratel
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 1748 376 1711
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 -
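The rows above all touch one CLSID: its InProcServer32 default value is re-pointed, by one dropped executable after another, at a freshly dropped DLL under SysWOW64, which is the registration half of a COM in-process server persistence. The script below is an added triage helper, not part of the Triage report or of the sample; it parses the flattened `description | ioc | process` rows into records, reconstructs the rewrite history per CLSID, and flags a CLSID whose server DLL is re-pointed more than once within a single run. The row layout, the `min_rewrites` threshold and the "system directory" check are assumptions of this example, and the embedded input is a constructed subset of the rows on this page.

```python
"""Added triage helper: parse flattened Triage 'Modifies registry class' IoCs
and summarise the COM in-process server rewrites they describe.

Assumption (not from the report): each row reads
'<action> <key>[ = "<data>"][ <process>]', as in the extracted text above."""
import re
from collections import defaultdict

# Constructed sample: six rows copied from the report, keeping the doubled
# backslashes the report shows inside quoted data.
SAMPLE_REG_IOCS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcknqicd.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abcpho32.dll"
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bigpdjpm.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccpjae32.dll" Oehmamnn.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmjlfgml.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgeamnhd.dll" Ihcidgpj.exe
'''

IOC_RE = re.compile(
    r'^(?P<action>Key created|Set value \(str\))\s+'
    r'(?P<key>\\REGISTRY\\[^\s=]+?)'           # registry path, non-greedy
    r'(?:\s*=\s*"(?P<data>[^"]*)")?'            # optional quoted data
    r'(?:\s+(?P<process>\S+\.exe))?\s*$'        # optional writing process
)
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')


def parse_reg_iocs(text):
    """Turn each row into a dict; raise on a row the assumed layout cannot explain."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = IOC_RE.match(line)
        if not m:
            raise ValueError(f'unparsed IoC line: {line!r}')
        key, value_name = m['key'], None
        if m['action'].startswith('Set value'):
            # A trailing '\' on the key means the default value was written.
            key, value_name = key.rsplit('\\', 1)
            value_name = value_name or '(Default)'
        # The report escapes backslashes inside quoted data; undo that.
        data = m['data'].replace('\\\\', '\\') if m['data'] is not None else None
        clsid = CLSID_RE.search(key)
        records.append({
            'action': m['action'], 'key': key, 'value_name': value_name,
            'data': data, 'process': m['process'],
            'clsid': clsid.group(0).upper() if clsid else None,
        })
    return records


def com_server_history(records):
    """CLSID -> ordered (dll_path, writing_process) for every rewrite of the
    InProcServer32 default value, i.e. every time the COM server was
    re-pointed at another DLL."""
    history = defaultdict(list)
    for r in records:
        if (r['action'].startswith('Set value') and r['value_name'] == '(Default)'
                and r['key'].lower().endswith('\\inprocserver32') and r['clsid']):
            history[r['clsid']].append((r['data'], r['process']))
    return dict(history)


def suspicious_com_registrations(records, min_rewrites=2):
    """Heuristic: an installer registers a CLSID once.  One CLSID whose server
    DLL is re-pointed repeatedly inside a single run, at files under the
    system directory, is worth a closer look.  One finding per such CLSID."""
    findings = []
    for clsid, writes in com_server_history(records).items():
        dlls = [d for d, _ in writes]
        in_sysdir = [d for d in dlls if re.search(r'\\(syswow64|system32)\\', d, re.I)]
        if len(dlls) >= min_rewrites and in_sysdir:
            findings.append({
                'clsid': clsid,
                'rewrites': len(dlls),
                'writers': sorted({p for _, p in writes if p}),
                'dlls': dlls,
            })
    return findings


if __name__ == '__main__':
    recs = parse_reg_iocs(SAMPLE_REG_IOCS)
    for f in suspicious_com_registrations(recs):
        print(f"{f['clsid']}: InProcServer32 re-pointed {f['rewrites']}x "
              f"by {', '.join(f['writers'])}")
        for d in f['dlls']:
            print('   ', d)
```

Run as a script it prints the rewrite history for the constructed subset; the same parser accepts the full row list above, and rows whose process column is empty (the report does not always name the writer) parse with `process` set to `None`.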
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
f1f525aa5263a62ef383655b00c80be9b198dbcef5d418170b7e538bd43af128N.exe, Jigmeagl.exe, Jkeialfp.exe, Jboanfmm.exe, Jgljfmkd.exe, Jnfbcg32.exe, Kmkodd32.exe, Kceganoe.exe, Knkkngol.exe, Kgcpgl32.exe, Kjalch32.exe, Kmphpc32.exe, Kbmahjbk.exe, Kmbeecaq.exe, Kbonmjph.exe, Kofnbk32.exe
description | pid | Process | procid_target
PID 2128 wrote to memory of 348 | 2128 | f1f525aa5263a62ef383655b00c80be9b198dbcef5d418170b7e538bd43af128N.exe | 29
PID 2128 wrote to memory of 348 | 2128 | f1f525aa5263a62ef383655b00c80be9b198dbcef5d418170b7e538bd43af128N.exe | 29
PID 2128 wrote to memory of 348 | 2128 | f1f525aa5263a62ef383655b00c80be9b198dbcef5d418170b7e538bd43af128N.exe | 29
PID 2128 wrote to memory of 348 | 2128 | f1f525aa5263a62ef383655b00c80be9b198dbcef5d418170b7e538bd43af128N.exe | 29
PID 348 wrote to memory of 2408 | 348 | Jigmeagl.exe | 30
PID 348 wrote to memory of 2408 | 348 | Jigmeagl.exe | 30
PID 348 wrote to memory of 2408 | 348 | Jigmeagl.exe | 30
PID 348 wrote to memory of 2408 | 348 | Jigmeagl.exe | 30
PID 2408 wrote to memory of 2864 | 2408 | Jkeialfp.exe | 31
PID 2408 wrote to memory of 2864 | 2408 | Jkeialfp.exe | 31
PID 2408 wrote to memory of 2864 | 2408 | Jkeialfp.exe | 31
PID 2408 wrote to memory of 2864 | 2408 | Jkeialfp.exe | 31
PID 2864 wrote to memory of 2748 | 2864 | Jboanfmm.exe | 32
PID 2864 wrote to memory of 2748 | 2864 | Jboanfmm.exe | 32
PID 2864 wrote to memory of 2748 | 2864 | Jboanfmm.exe | 32
PID 2864 wrote to memory of 2748 | 2864 | Jboanfmm.exe | 32
PID 2748 wrote to memory of 2016 | 2748 | Jgljfmkd.exe | 33
PID 2748 wrote to memory of 2016 | 2748 | Jgljfmkd.exe | 33
PID 2748 wrote to memory of 2016 | 2748 | Jgljfmkd.exe | 33
PID 2748 wrote to memory of 2016 | 2748 | Jgljfmkd.exe | 33
PID 2016 wrote to memory of 2604 | 2016 | Jnfbcg32.exe | 34
PID 2016 wrote to memory of 2604 | 2016 | Jnfbcg32.exe | 34
PID 2016 wrote to memory of 2604 | 2016 | Jnfbcg32.exe | 34
PID 2016 wrote to memory of 2604 | 2016 | Jnfbcg32.exe | 34
PID 2604 wrote to memory of 1940 | 2604 | Kmkodd32.exe | 35
PID 2604 wrote to memory of 1940 | 2604 | Kmkodd32.exe | 35
PID 2604 wrote to memory of 1940 | 2604 | Kmkodd32.exe | 35
PID 2604 wrote to memory of 1940 | 2604 | Kmkodd32.exe | 35
PID 1940 wrote to memory of 2000 | 1940 | Kceganoe.exe | 36
PID 1940 wrote to memory of 2000 | 1940 | Kceganoe.exe | 36
PID 1940 wrote to memory of 2000 | 1940 | Kceganoe.exe | 36
PID 1940 wrote to memory of 2000 | 1940 | Kceganoe.exe | 36
PID 2000 wrote to memory of 2456 | 2000 | Knkkngol.exe | 37
PID 2000 wrote to memory of 2456 | 2000 | Knkkngol.exe | 37
PID 2000 wrote to memory of 2456 | 2000 | Knkkngol.exe | 37
PID 2000 wrote to memory of 2456 | 2000 | Knkkngol.exe | 37
PID 2456 wrote to memory of 2888 | 2456 | Kgcpgl32.exe | 38
PID 2456 wrote to memory of 2888 | 2456 | Kgcpgl32.exe | 38
PID 2456 wrote to memory of 2888 | 2456 | Kgcpgl32.exe | 38
PID 2456 wrote to memory of 2888 | 2456 | Kgcpgl32.exe | 38
PID 2888 wrote to memory of 1372 | 2888 | Kjalch32.exe | 39
PID 2888 wrote to memory of 1372 | 2888 | Kjalch32.exe | 39
PID 2888 wrote to memory of 1372 | 2888 | Kjalch32.exe | 39
PID 2888 wrote to memory of 1372 | 2888 | Kjalch32.exe | 39
PID 1372 wrote to memory of 2904 | 1372 | Kmphpc32.exe | 40
PID 1372 wrote to memory of 2904 | 1372 | Kmphpc32.exe | 40
PID 1372 wrote to memory of 2904 | 1372 | Kmphpc32.exe | 40
PID 1372 wrote to memory of 2904 | 1372 | Kmphpc32.exe | 40
PID 2904 wrote to memory of 1764 | 2904 | Kbmahjbk.exe | 41
PID 2904 wrote to memory of 1764 | 2904 | Kbmahjbk.exe | 41
PID 2904 wrote to memory of 1764 | 2904 | Kbmahjbk.exe | 41
PID 2904 wrote to memory of 1764 | 2904 | Kbmahjbk.exe | 41
PID 1764 wrote to memory of 868 | 1764 | Kmbeecaq.exe | 42
PID 1764 wrote to memory of 868 | 1764 | Kmbeecaq.exe | 42
PID 1764 wrote to memory of 868 | 1764 | Kmbeecaq.exe | 42
PID 1764 wrote to memory of 868 | 1764 | Kmbeecaq.exe | 42
PID 868 wrote to memory of 2432 | 868 | Kbonmjph.exe | 43
PID 868 wrote to memory of 2432 | 868 | Kbonmjph.exe | 43
PID 868 wrote to memory of 2432 | 868 | Kbonmjph.exe | 43
PID 868 wrote to memory of 2432 | 868 | Kbonmjph.exe | 43
PID 2432 wrote to memory of 1416 | 2432 | Kofnbk32.exe | 44
PID 2432 wrote to memory of 1416 | 2432 | Kofnbk32.exe | 44
PID 2432 wrote to memory of 1416 | 2432 | Kofnbk32.exe | 44
PID 2432 wrote to memory of 1416 | 2432 | Kofnbk32.exe | 44
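The WriteProcessMemory rows describe a relay: every dropped executable writes into exactly one child, which is the next dropped executable. The script below is an added triage helper, not part of the Triage report or of the sample; it parses the flattened rows, collapses the repeated entries per parent/child pair into a count, and walks the parent-to-child edges to rebuild the lineage with the same depth numbering the process tree further down uses. The row layout is an assumption of this example, and the embedded input is a constructed subset of the rows on this page.

```python
"""Added triage helper: rebuild process lineage from flattened Triage
'Suspicious use of WriteProcessMemory' IoCs.  The report repeats the same
parent/child pair several times (four per pair in this run), so repeats are
counted rather than listed.

Assumption (not from the report): each row reads
'PID <pid> wrote to memory of <target> <pid> <image> <procid_target>'."""
import re
from collections import Counter, defaultdict

# Constructed sample: the first five parent/child pairs from the report,
# keeping the four-fold repetition for the first two to exercise the dedup.
SAMPLE_WPM_IOCS = '''
PID 2128 wrote to memory of 348 2128 f1f525aa5263a62ef383655b00c80be9b198dbcef5d418170b7e538bd43af128N.exe 29
PID 2128 wrote to memory of 348 2128 f1f525aa5263a62ef383655b00c80be9b198dbcef5d418170b7e538bd43af128N.exe 29
PID 2128 wrote to memory of 348 2128 f1f525aa5263a62ef383655b00c80be9b198dbcef5d418170b7e538bd43af128N.exe 29
PID 2128 wrote to memory of 348 2128 f1f525aa5263a62ef383655b00c80be9b198dbcef5d418170b7e538bd43af128N.exe 29
PID 348 wrote to memory of 2408 348 Jigmeagl.exe 30
PID 348 wrote to memory of 2408 348 Jigmeagl.exe 30
PID 348 wrote to memory of 2408 348 Jigmeagl.exe 30
PID 348 wrote to memory of 2408 348 Jigmeagl.exe 30
PID 2408 wrote to memory of 2864 2408 Jkeialfp.exe 31
PID 2864 wrote to memory of 2748 2864 Jboanfmm.exe 32
PID 2748 wrote to memory of 2016 2748 Jgljfmkd.exe 33
'''

# The backreference (?P=pid) checks that the 'pid' column repeats the PID
# named in the description; a mismatch means the row was mis-extracted.
WPM_RE = re.compile(
    r'^PID (?P<pid>\d+) wrote to memory of (?P<target>\d+)\s+'
    r'(?P=pid)\s+(?P<image>\S+)\s+(?P<procid_target>\d+)$'
)


def parse_wpm_iocs(text):
    """Return (edges, images, counts): edges maps parent pid -> [child pids]
    in first-seen order, images maps pid -> image name where the report names
    it, counts tallies how often each (parent, child) pair appears."""
    edges = defaultdict(list)
    images = {}
    counts = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = WPM_RE.match(line)
        if not m:
            raise ValueError(f'unparsed IoC line: {line!r}')
        parent, child = int(m['pid']), int(m['target'])
        if child not in edges[parent]:
            edges[parent].append(child)
        images[parent] = m['image']
        counts[(parent, child)] += 1
    return edges, images, counts


def lineage(edges, images):
    """Depth-first walk from every root (a pid that is never a write target).
    Returns [(depth, pid, image_or_None)] with depth 1 at the root; a pid that
    only ever appears as a target has no image in these rows, hence None."""
    targets = {c for kids in edges.values() for c in kids}
    roots = [p for p in edges if p not in targets]
    rows = []

    def walk(pid, depth):
        rows.append((depth, pid, images.get(pid)))
        for kid in edges.get(pid, []):
            walk(kid, depth + 1)

    for root in roots:
        walk(root, 1)
    return rows


def max_depth(rows):
    """Length of the longest relay chain, a cheap signal for this behaviour."""
    return max((d for d, _, _ in rows), default=0)


if __name__ == '__main__':
    edges, images, counts = parse_wpm_iocs(SAMPLE_WPM_IOCS)
    for depth, pid, image in lineage(edges, images):
        print('  ' * (depth - 1) + f'{pid} {image or "?"}')
    print('pairs:', {k: v for k, v in counts.items()})
```

The last pid in the chain has no image because its own WriteProcessMemory rows are outside the constructed subset; on the full row list every pid but the final child gets one, and the process tree below supplies the rest.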
Processes
-
[depth 1] C:\Users\Admin\AppData\Local\Temp\f1f525aa5263a62ef383655b00c80be9b198dbcef5d418170b7e538bd43af128N.exe (PID 2128)
  Command line: "C:\Users\Admin\AppData\Local\Temp\f1f525aa5263a62ef383655b00c80be9b198dbcef5d418170b7e538bd43af128N.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 2] C:\Windows\SysWOW64\Jigmeagl.exe (PID 348)
  Command line: C:\Windows\system32\Jigmeagl.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 3] C:\Windows\SysWOW64\Jkeialfp.exe (PID 2408)
  Command line: C:\Windows\system32\Jkeialfp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 4] C:\Windows\SysWOW64\Jboanfmm.exe (PID 2864)
  Command line: C:\Windows\system32\Jboanfmm.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 5] C:\Windows\SysWOW64\Jgljfmkd.exe (PID 2748)
  Command line: C:\Windows\system32\Jgljfmkd.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 6] C:\Windows\SysWOW64\Jnfbcg32.exe (PID 2016)
  Command line: C:\Windows\system32\Jnfbcg32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 7] C:\Windows\SysWOW64\Kmkodd32.exe (PID 2604)
  Command line: C:\Windows\system32\Kmkodd32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 8] C:\Windows\SysWOW64\Kceganoe.exe (PID 1940)
  Command line: C:\Windows\system32\Kceganoe.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 9] C:\Windows\SysWOW64\Knkkngol.exe (PID 2000)
  Command line: C:\Windows\system32\Knkkngol.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 10] C:\Windows\SysWOW64\Kgcpgl32.exe (PID 2456)
  Command line: C:\Windows\system32\Kgcpgl32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 11] C:\Windows\SysWOW64\Kjalch32.exe (PID 2888)
  Command line: C:\Windows\system32\Kjalch32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 12] C:\Windows\SysWOW64\Kmphpc32.exe (PID 1372)
  Command line: C:\Windows\system32\Kmphpc32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 13] C:\Windows\SysWOW64\Kbmahjbk.exe (PID 2904)
  Command line: C:\Windows\system32\Kbmahjbk.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 14] C:\Windows\SysWOW64\Kmbeecaq.exe (PID 1764)
  Command line: C:\Windows\system32\Kmbeecaq.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 15] C:\Windows\SysWOW64\Kbonmjph.exe (PID 868)
  Command line: C:\Windows\system32\Kbonmjph.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 16] C:\Windows\SysWOW64\Kofnbk32.exe (PID 2432)
  Command line: C:\Windows\system32\Kofnbk32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory

[depth 17] C:\Windows\SysWOW64\Lhnckp32.exe (PID 1416)
  Command line: C:\Windows\system32\Lhnckp32.exe
  - Executes dropped EXE
  - Loads dropped DLL

[depth 18] C:\Windows\SysWOW64\Lafgdfbm.exe (PID 1244)
  Command line: C:\Windows\system32\Lafgdfbm.exe
  - Executes dropped EXE
  - Loads dropped DLL

[depth 19] C:\Windows\SysWOW64\Linoeccp.exe (PID 2480)
  Command line: C:\Windows\system32\Linoeccp.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory

[depth 20] C:\Windows\SysWOW64\Lbfdnijp.exe (PID 2424)
  Command line: C:\Windows\system32\Lbfdnijp.exe
  - Executes dropped EXE
  - Loads dropped DLL

[depth 21] C:\Windows\SysWOW64\Laidie32.exe (PID 2376)
  Command line: C:\Windows\system32\Laidie32.exe
  - Executes dropped EXE
  - Loads dropped DLL

[depth 22] C:\Windows\SysWOW64\Lhclfphg.exe (PID 1536)
  Command line: C:\Windows\system32\Lhclfphg.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class

[depth 23] C:\Windows\SysWOW64\Lomdcj32.exe (PID 1760)
  Command line: C:\Windows\system32\Lomdcj32.exe
  - Executes dropped EXE
  - Loads dropped DLL

[depth 24] C:\Windows\SysWOW64\Legmpdga.exe (PID 2004)
  Command line: C:\Windows\system32\Legmpdga.exe
  - Executes dropped EXE
  - Loads dropped DLL

[depth 25] C:\Windows\SysWOW64\Lghigl32.exe (PID 276)
  Command line: C:\Windows\system32\Lghigl32.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory

[depth 26] C:\Windows\SysWOW64\Lanmde32.exe (PID 492)
  Command line: C:\Windows\system32\Lanmde32.exe
  - Executes dropped EXE
  - Loads dropped DLL

[depth 27] C:\Windows\SysWOW64\Lhgeao32.exe (PID 2368)
  Command line: C:\Windows\system32\Lhgeao32.exe
  - Executes dropped EXE
  - Loads dropped DLL

[depth 28] C:\Windows\SysWOW64\Liibigjq.exe (PID 2224)
  Command line: C:\Windows\system32\Liibigjq.exe
  - Executes dropped EXE
  - Loads dropped DLL

[depth 29] C:\Windows\SysWOW64\Mdnffpif.exe (PID 2740)
  Command line: C:\Windows\system32\Mdnffpif.exe
  - Executes dropped EXE
  - Loads dropped DLL

[depth 30] C:\Windows\SysWOW64\Mlikkbga.exe (PID 2780)
  Command line: C:\Windows\system32\Mlikkbga.exe
  - Executes dropped EXE
  - Loads dropped DLL

[depth 31] C:\Windows\SysWOW64\Mgoohk32.exe (PID 2644)
  Command line: C:\Windows\system32\Mgoohk32.exe
  - Executes dropped EXE
  - Loads dropped DLL

[depth 32] C:\Windows\SysWOW64\Medligko.exe (PID 3056)
  Command line: C:\Windows\system32\Medligko.exe
  - Executes dropped EXE
  - Loads dropped DLL

[depth 33] C:\Windows\SysWOW64\Mhbhecjc.exe (PID 1040)
  Command line: C:\Windows\system32\Mhbhecjc.exe
  - Executes dropped EXE

[depth 34] C:\Windows\SysWOW64\Momqbm32.exe (PID 2104)
  Command line: C:\Windows\system32\Momqbm32.exe
  - Executes dropped EXE

[depth 35] C:\Windows\SysWOW64\Mefiog32.exe (PID 2876)
  Command line: C:\Windows\system32\Mefiog32.exe
  - Executes dropped EXE

[depth 36] C:\Windows\SysWOW64\Mcjihk32.exe (PID 2656)
  Command line: C:\Windows\system32\Mcjihk32.exe
  - Executes dropped EXE

[depth 37] C:\Windows\SysWOW64\Mhgbpb32.exe (PID 2912)
  Command line: C:\Windows\system32\Mhgbpb32.exe
  - Executes dropped EXE

[depth 38] C:\Windows\SysWOW64\Nlcnaaog.exe (PID 2920)
  Command line: C:\Windows\system32\Nlcnaaog.exe
  - Executes dropped EXE

[depth 39] C:\Windows\SysWOW64\Napfihmn.exe (PID 1440)
  Command line: C:\Windows\system32\Napfihmn.exe
  - Executes dropped EXE

[depth 40] C:\Windows\SysWOW64\Nhjofbdk.exe (PID 1136)
  Command line: C:\Windows\system32\Nhjofbdk.exe
  - Executes dropped EXE

[depth 41] C:\Windows\SysWOW64\Nabcog32.exe (PID 1732)
  Command line: C:\Windows\system32\Nabcog32.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 42] C:\Windows\SysWOW64\Njmhcj32.exe (PID 2392)
  Command line: C:\Windows\system32\Njmhcj32.exe
  - Executes dropped EXE

[depth 43] C:\Windows\SysWOW64\Nadpdg32.exe (PID 740)
  Command line: C:\Windows\system32\Nadpdg32.exe
  - Executes dropped EXE

[depth 44] C:\Windows\SysWOW64\Ndclpb32.exe (PID 1100)
  Command line: C:\Windows\system32\Ndclpb32.exe
  - Executes dropped EXE

[depth 45] C:\Windows\SysWOW64\Nqjmec32.exe (PID 2540)
  Command line: C:\Windows\system32\Nqjmec32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE

[depth 46] C:\Windows\SysWOW64\Nchiao32.exe (PID 1616)
  Command line: C:\Windows\system32\Nchiao32.exe
  - Executes dropped EXE

[depth 47] C:\Windows\SysWOW64\Njbanida.exe (PID 1996)
  Command line: C:\Windows\system32\Njbanida.exe
  - Executes dropped EXE

[depth 48] C:\Windows\SysWOW64\Ocjfgo32.exe (PID 628)
  Command line: C:\Windows\system32\Ocjfgo32.exe
  - Executes dropped EXE

[depth 49] C:\Windows\SysWOW64\Ojdndi32.exe (PID 1456)
  Command line: C:\Windows\system32\Ojdndi32.exe
  - Executes dropped EXE

[depth 50] C:\Windows\SysWOW64\Oqnfqcjk.exe (PID 2944)
  Command line: C:\Windows\system32\Oqnfqcjk.exe
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery

[depth 51] C:\Windows\SysWOW64\Obpbhk32.exe (PID 2532)
  Command line: C:\Windows\system32\Obpbhk32.exe
  - Executes dropped EXE

[depth 52] C:\Windows\SysWOW64\Omeged32.exe (PID 2596)
  Command line: C:\Windows\system32\Omeged32.exe
  - Executes dropped EXE

[depth 53] C:\Windows\SysWOW64\Obbonk32.exe (PID 2632)
  Command line: C:\Windows\system32\Obbonk32.exe
  - Executes dropped EXE

[depth 54] C:\Windows\SysWOW64\Oilgje32.exe (PID 3052)
  Command line: C:\Windows\system32\Oilgje32.exe
  - Executes dropped EXE

[depth 55] C:\Windows\SysWOW64\Oofpgolq.exe (PID 620)
  Command line: C:\Windows\system32\Oofpgolq.exe
  - Executes dropped EXE

[depth 56] C:\Windows\SysWOW64\Obdlcjkd.exe (PID 1652)
  Command line: C:\Windows\system32\Obdlcjkd.exe
  - Executes dropped EXE

[depth 57] C:\Windows\SysWOW64\Oindpd32.exe (PID 2648)
  Command line: C:\Windows\system32\Oindpd32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE

[depth 58] C:\Windows\SysWOW64\Okmqlp32.exe (PID 2792)
  Command line: C:\Windows\system32\Okmqlp32.exe
  - Executes dropped EXE

[depth 59] C:\Windows\SysWOW64\Onkmhl32.exe (PID 1704)
  Command line: C:\Windows\system32\Onkmhl32.exe
  - Executes dropped EXE

[depth 60] C:\Windows\SysWOW64\Oeeeeehe.exe (PID 2036)
  Command line: C:\Windows\system32\Oeeeeehe.exe
  - Executes dropped EXE

[depth 61] C:\Windows\SysWOW64\Okomappb.exe (PID 1512)
  Command line: C:\Windows\system32\Okomappb.exe
  - Executes dropped EXE

[depth 62] C:\Windows\SysWOW64\Pnminkof.exe (PID 2208)
  Command line: C:\Windows\system32\Pnminkof.exe
  - Executes dropped EXE

[depth 63] C:\Windows\SysWOW64\Pegaje32.exe (PID 2552)
  Command line: C:\Windows\system32\Pegaje32.exe
  - Executes dropped EXE

[depth 64] C:\Windows\SysWOW64\Pnpfckmc.exe (PID 1640)
  Command line: C:\Windows\system32\Pnpfckmc.exe
  - Executes dropped EXE

[depth 65] C:\Windows\SysWOW64\Pejnpe32.exe (PID 2020)
  Command line: C:\Windows\system32\Pejnpe32.exe
  - Executes dropped EXE

[depth 66] C:\Windows\SysWOW64\Pfkkhmjn.exe (PID 900)
  Command line: C:\Windows\system32\Pfkkhmjn.exe

[depth 67] C:\Windows\SysWOW64\Paqoef32.exe (PID 3012)
  Command line: C:\Windows\system32\Paqoef32.exe

[depth 68] C:\Windows\SysWOW64\Pcokaa32.exe (PID 2192)
  Command line: C:\Windows\system32\Pcokaa32.exe

[depth 69] C:\Windows\SysWOW64\Pjicnlqe.exe (PID 1580)
  Command line: C:\Windows\system32\Pjicnlqe.exe

[depth 70] C:\Windows\SysWOW64\Pmgpjgph.exe (PID 2972)
  Command line: C:\Windows\system32\Pmgpjgph.exe

[depth 71] C:\Windows\SysWOW64\Pcahga32.exe (PID 2620)
  Command line: C:\Windows\system32\Pcahga32.exe

[depth 72] C:\Windows\SysWOW64\Pjkpckob.exe (PID 2896)
  Command line: C:\Windows\system32\Pjkpckob.exe

[depth 73] C:\Windows\SysWOW64\Pmimpf32.exe (PID 1340)
  Command line: C:\Windows\system32\Pmimpf32.exe

[depth 74] C:\Windows\SysWOW64\Pphilb32.exe (PID 2516)
  Command line: C:\Windows\system32\Pphilb32.exe

[depth 75] C:\Windows\SysWOW64\Qfbahldf.exe (PID 2916)
  Command line: C:\Windows\system32\Qfbahldf.exe

[depth 76] C:\Windows\SysWOW64\Qmlief32.exe (PID 2072)
  Command line: C:\Windows\system32\Qmlief32.exe

[depth 77] C:\Windows\SysWOW64\Qbiamm32.exe (PID 1620)
  Command line: C:\Windows\system32\Qbiamm32.exe

[depth 78] C:\Windows\SysWOW64\Qibjjgag.exe (PID 2420)
  Command line: C:\Windows\system32\Qibjjgag.exe

[depth 79] C:\Windows\SysWOW64\Qnpbbn32.exe (PID 2064)
  Command line: C:\Windows\system32\Qnpbbn32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup

[depth 80] C:\Windows\SysWOW64\Ahhgkdfo.exe (PID 2768)
  Command line: C:\Windows\system32\Ahhgkdfo.exe

[depth 81] C:\Windows\SysWOW64\Anbohn32.exe (PID 1200)
  Command line: C:\Windows\system32\Anbohn32.exe

[depth 82] C:\Windows\SysWOW64\Adohpe32.exe (PID 1224)
  Command line: C:\Windows\system32\Adohpe32.exe
  - Adds autorun key to be loaded by Explorer.exe on startup

[depth 83] C:\Windows\SysWOW64\Alfpab32.exe (PID 852)
  Command line: C:\Windows\system32\Alfpab32.exe

[depth 84] C:\Windows\SysWOW64\Andlmnki.exe (PID 788)
  Command line: C:\Windows\system32\Andlmnki.exe

[depth 85] C:\Windows\SysWOW64\Adadedjq.exe (PID 2812)
  Command line: C:\Windows\system32\Adadedjq.exe

[depth 86] C:\Windows\SysWOW64\Ajkmbo32.exe (PID 2700)
  Command line: C:\Windows\system32\Ajkmbo32.exe

[depth 87] C:\Windows\SysWOW64\Adcakdhn.exe (PID 2436)
  Command line: C:\Windows\system32\Adcakdhn.exe

[depth 88] C:\Windows\SysWOW64\Ajmihn32.exe (PID 1648)
  Command line: C:\Windows\system32\Ajmihn32.exe

[depth 89] C:\Windows\SysWOW64\Aagadh32.exe (PID 1388)
  Command line: C:\Windows\system32\Aagadh32.exe

[depth 90] C:\Windows\SysWOW64\Abhnlqlf.exe (PID 396)
  Command line: C:\Windows\system32\Abhnlqlf.exe

[depth 91] C:\Windows\SysWOW64\Aibfik32.exe (PID 988)
  Command line: C:\Windows\system32\Aibfik32.exe

[depth 92] C:\Windows\SysWOW64\Bplofekp.exe (PID 2152)
  Command line: C:\Windows\system32\Bplofekp.exe
  - Modifies registry class

[depth 93] C:\Windows\SysWOW64\Beignlig.exe (PID 2484)
  Command line: C:\Windows\system32\Beignlig.exe

[depth 94] C:\Windows\SysWOW64\Blcokf32.exe (PID 1052)
  Command line: C:\Windows\system32\Blcokf32.exe

[depth 95] C:\Windows\SysWOW64\Bgichoqj.exe (PID 1768)
  Command line: C:\Windows\system32\Bgichoqj.exe

[depth 96] C:\Windows\SysWOW64\Bigpdjpm.exe (PID 1848)
  Command line: C:\Windows\system32\Bigpdjpm.exe
  - Modifies registry class

[depth 97] C:\Windows\SysWOW64\Bpahad32.exe (PID 2868)
  Command line: C:\Windows\system32\Bpahad32.exe

[depth 98] C:\Windows\SysWOW64\Bbpdmp32.exe (PID 2084)
  Command line: C:\Windows\system32\Bbpdmp32.exe

[depth 99] C:\Windows\SysWOW64\Blhifemo.exe (PID 2276)
  Command line: C:\Windows\system32\Blhifemo.exe

[depth 100] C:\Windows\SysWOW64\Baeanl32.exe (PID 2684)
  Command line: C:\Windows\system32\Baeanl32.exe

[depth 101] C:\Windows\SysWOW64\Bepmokco.exe (PID 3040)
  Command line: C:\Windows\system32\Bepmokco.exe

[depth 102] C:\Windows\SysWOW64\Bljeke32.exe (PID 2932)
  Command line: C:\Windows\system32\Bljeke32.exe

[depth 103] C:\Windows\SysWOW64\Bnkbcmaj.exe (PID 1824)
  Command line: C:\Windows\system32\Bnkbcmaj.exe

[depth 104] C:\Windows\SysWOW64\Cdejpg32.exe (PID 2988)
  Command line: C:\Windows\system32\Cdejpg32.exe

[depth 105] C:\Windows\SysWOW64\Ckoblapc.exe (PID 2200)
  Command line: C:\Windows\system32\Ckoblapc.exe

[depth 106] C:\Windows\SysWOW64\Cnnohmog.exe (PID 1880)
  Command line: C:\Windows\system32\Cnnohmog.exe

[depth 107] C:\Windows\SysWOW64\Cdhgegfd.exe (PID 1832)
  Command line: C:\Windows\system32\Cdhgegfd.exe

[depth 108] C:\Windows\SysWOW64\Ckboba32.exe (PID 2956)
  Command line: C:\Windows\system32\Ckboba32.exe

[depth 109] C:\Windows\SysWOW64\Calgoken.exe (PID 2088)
  Command line: C:\Windows\system32\Calgoken.exe

[depth 110] C:\Windows\SysWOW64\Cdjckfda.exe (PID 408)
  Command line: C:\Windows\system32\Cdjckfda.exe

[depth 111] C:\Windows\SysWOW64\Cghpgbce.exe (PID 2008)
  Command line: C:\Windows\system32\Cghpgbce.exe
  - Drops file in System32 directory

[depth 112] C:\Windows\SysWOW64\Cnbhcl32.exe (PID 1072)
  Command line: C:\Windows\system32\Cnbhcl32.exe

[depth 113] C:\Windows\SysWOW64\Cpadpg32.exe (PID 1740)
  Command line: C:\Windows\system32\Cpadpg32.exe
  - Modifies registry class

[depth 114] C:\Windows\SysWOW64\Ccoplcii.exe (PID 2372)
  Command line: C:\Windows\system32\Ccoplcii.exe

[depth 115] C:\Windows\SysWOW64\Cjiiim32.exe (PID 1840)
  Command line: C:\Windows\system32\Cjiiim32.exe

[depth 116] C:\Windows\SysWOW64\Clheeh32.exe (PID 1980)
  Command line: C:\Windows\system32\Clheeh32.exe

[depth 117] C:\Windows\SysWOW64\Cofaad32.exe (PID 1220)
  Command line: C:\Windows\system32\Cofaad32.exe

[depth 118] C:\Windows\SysWOW64\Cfpinnfj.exe (PID 2616)
  Command line: C:\Windows\system32\Cfpinnfj.exe

[depth 119] C:\Windows\SysWOW64\Dpenkgfq.exe (PID 2640)
  Command line: C:\Windows\system32\Dpenkgfq.exe

[depth 120] C:\Windows\SysWOW64\Dcdjgbed.exe (PID 2688)
  Command line: C:\Windows\system32\Dcdjgbed.exe

[depth 121] C:\Windows\SysWOW64\Djnbdlla.exe (PID 2628)
  Command line: C:\Windows\system32\Djnbdlla.exe

[depth 122] C:\Windows\SysWOW64\Dokjlcjh.exe (PID 2548)
  Command line: C:\Windows\system32\Dokjlcjh.exe
  - Drops file in System32 directory