Analysis
-
max time kernel
45s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
05/11/2024, 02:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ac673b1c809632a3c9a18ff3e9b9795d9c889e4a563e15a4947e8d2d5003579e.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
ac673b1c809632a3c9a18ff3e9b9795d9c889e4a563e15a4947e8d2d5003579e.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
ac673b1c809632a3c9a18ff3e9b9795d9c889e4a563e15a4947e8d2d5003579e.exe
-
Size
96KB
-
MD5
d1f9b3cd8ef3223d59b651b7654ae5c0
-
SHA1
0b9d6d19e1d1dc1b64179b8d7a7ee2fcdc981b61
-
SHA256
ac673b1c809632a3c9a18ff3e9b9795d9c889e4a563e15a4947e8d2d5003579e
-
SHA512
9f65e249f796522ca26ef5d8c17baae8ba20a7527c81c02ef0d319bd8f97e8334b94b8f2f9869c31446a236ee64348cb3888d2b0f8a6cf02c893c78b2082489e
-
SSDEEP
1536:x8M+kpVNZ0/AxsPAv2+aDafDQzVm2LO7RZObZUUWaegPYA:xckpVNCXufEpOClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjmpfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbidof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efbpihoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjomoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iobbfggm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkglenej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bamdcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Condfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edkbdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnaokn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pblinp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmccnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edghighp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmkpchmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkgchckl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbjoaibo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgcoal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcjihk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfqejoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdobqgpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjfdpckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fljhmmci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ickoimie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpojlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Happkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igojmjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpigeblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcjffc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onqaonnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcgdgnmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laidie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Colegflh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chdjpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgdmkhnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkcjlhdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Danaqbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efbpihoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndfppije.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpgaohej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgaikb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfkdik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcbhmehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjaiaolb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjdonndl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alnoepam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emilqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehjbaooe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkbdbbop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfpdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fibqhibd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhnpih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbqbioeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jabajc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Makmnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijfpif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffghlcei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igojmjgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aolihc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fibqhibd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhlogo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijpjik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obniel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcaghm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kejdqffo.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
resource yara_rule behavioral1/files/0x000400000001d9bf-2134.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 1516 Kdincdcl.exe 2856 Kldchgag.exe 2316 Kemgqm32.exe 2572 Lohiob32.exe 2880 Lhpmhgbf.exe 2784 Lednal32.exe 2196 Ldikbhfh.exe 2472 Lnaokn32.exe 2092 Ljhppo32.exe 3052 Ldndng32.exe 1984 Mjkmfn32.exe 584 Mccaodgj.exe 1272 Mjofanld.exe 2244 Mdigakic.exe 1652 Mhgpgjoj.exe 2576 Nndhpqma.exe 2484 Nnfeep32.exe 2548 Nccmng32.exe 1932 Ndbjgjqh.exe 1488 Ncggifep.exe 2436 Njaoeq32.exe 2020 Nfhpjaba.exe 920 Olehbh32.exe 2280 Oenmkngi.exe 1472 Ofmiea32.exe 1356 Opennf32.exe 2852 Ollncgjq.exe 2816 Oedclm32.exe 2288 Oakcan32.exe 2456 Pjchjcmf.exe 2884 Pjfdpckc.exe 2732 Ppcmhj32.exe 2596 Ppejmj32.exe 1676 Ppgfciee.exe 2112 Qlnghj32.exe 2300 Qhehmkqn.exe 3044 Amdmkb32.exe 1260 Aabfqp32.exe 3028 Akjjifji.exe 2328 Apjpglfn.exe 2272 Aefhpc32.exe 2512 Alqplmlb.exe 2684 Bfieec32.exe 1968 Bpnibl32.exe 1644 Cgfqii32.exe 288 Cghmni32.exe 844 Cqqbgoba.exe 1992 Cmgblphf.exe 1964 Cfpgee32.exe 2964 Cmjoaofc.exe 932 Dfbdje32.exe 2820 Dkolblkk.exe 2312 Dbidof32.exe 1576 Dkaihkih.exe 2736 Danaqbgp.exe 2768 Dieiap32.exe 2592 Dgjfbllj.exe 2028 Dndoof32.exe 1916 Dcaghm32.exe 2176 Emilqb32.exe 436 Efbpihoo.exe 2424 Eagdgaoe.exe 2492 Ejpipf32.exe 612 Epmahmcm.exe -
Loads dropped DLL 64 IoCs
pid Process 840 ac673b1c809632a3c9a18ff3e9b9795d9c889e4a563e15a4947e8d2d5003579e.exe 840 ac673b1c809632a3c9a18ff3e9b9795d9c889e4a563e15a4947e8d2d5003579e.exe 1516 Kdincdcl.exe 1516 Kdincdcl.exe 2856 Kldchgag.exe 2856 Kldchgag.exe 2316 Kemgqm32.exe 2316 Kemgqm32.exe 2572 Lohiob32.exe 2572 Lohiob32.exe 2880 Lhpmhgbf.exe 2880 Lhpmhgbf.exe 2784 Lednal32.exe 2784 Lednal32.exe 2196 Ldikbhfh.exe 2196 Ldikbhfh.exe 2472 Lnaokn32.exe 2472 Lnaokn32.exe 2092 Ljhppo32.exe 2092 Ljhppo32.exe 3052 Ldndng32.exe 3052 Ldndng32.exe 1984 Mjkmfn32.exe 1984 Mjkmfn32.exe 584 Mccaodgj.exe 584 Mccaodgj.exe 1272 Mjofanld.exe 1272 Mjofanld.exe 2244 Mdigakic.exe 2244 Mdigakic.exe 1652 Mhgpgjoj.exe 1652 Mhgpgjoj.exe 2576 Nndhpqma.exe 2576 Nndhpqma.exe 2484 Nnfeep32.exe 2484 Nnfeep32.exe 2548 Nccmng32.exe 2548 Nccmng32.exe 1932 Ndbjgjqh.exe 1932 Ndbjgjqh.exe 1488 Ncggifep.exe 1488 Ncggifep.exe 2436 Njaoeq32.exe 2436 Njaoeq32.exe 2020 Nfhpjaba.exe 2020 Nfhpjaba.exe 920 Olehbh32.exe 920 Olehbh32.exe 2280 Oenmkngi.exe 2280 Oenmkngi.exe 1472 Ofmiea32.exe 1472 Ofmiea32.exe 1356 Opennf32.exe 1356 Opennf32.exe 2852 Ollncgjq.exe 2852 Ollncgjq.exe 2816 Oedclm32.exe 2816 Oedclm32.exe 2288 Oakcan32.exe 2288 Oakcan32.exe 2456 Pjchjcmf.exe 2456 Pjchjcmf.exe 2884 Pjfdpckc.exe 2884 Pjfdpckc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jfkdik32.exe Jaolad32.exe File created C:\Windows\SysWOW64\Cnnohmog.exe Chafpfqp.exe File created C:\Windows\SysWOW64\Danaqbgp.exe Dkaihkih.exe File created C:\Windows\SysWOW64\Fkkdedfm.dll Fljhmmci.exe File created C:\Windows\SysWOW64\Hiichkog.exe Hlebog32.exe File created C:\Windows\SysWOW64\Pdedejnm.dll Hejaon32.exe File created C:\Windows\SysWOW64\Cgcoal32.exe Cpigeblb.exe File created C:\Windows\SysWOW64\Lepfoe32.exe Kofnbk32.exe File opened for modification C:\Windows\SysWOW64\Ngcebnen.exe Ndeifbfj.exe File created C:\Windows\SysWOW64\Iobbfggm.exe Ihhjjm32.exe File opened for modification C:\Windows\SysWOW64\Jqjdon32.exe Jgbpfhpc.exe File created C:\Windows\SysWOW64\Lbqgnl32.dll Jqjdon32.exe File opened for modification C:\Windows\SysWOW64\Pkbcjn32.exe Pbjoaibo.exe File opened for modification C:\Windows\SysWOW64\Fhlogo32.exe Eabgjeef.exe File created C:\Windows\SysWOW64\Mdajff32.exe Modano32.exe File created C:\Windows\SysWOW64\Peoanckj.exe Pkglenej.exe File opened for modification C:\Windows\SysWOW64\Pgnmjokn.exe Peoanckj.exe File created C:\Windows\SysWOW64\Lkfibnjf.dll Picdejbg.exe File created C:\Windows\SysWOW64\Blklfk32.exe Bcbhmehg.exe File opened for modification C:\Windows\SysWOW64\Jgbpfhpc.exe Ibehna32.exe File opened for modification C:\Windows\SysWOW64\Kgkokjjd.exe Kjgoaflj.exe File opened for modification C:\Windows\SysWOW64\Okgpfjbo.exe Oaolne32.exe File created C:\Windows\SysWOW64\Bpnibl32.exe Bfieec32.exe File created C:\Windows\SysWOW64\Nqamaeii.exe Nflidmic.exe File created C:\Windows\SysWOW64\Lllkaobc.exe Lebcdd32.exe File opened for modification C:\Windows\SysWOW64\Jdhmel32.exe Jgdmkhnp.exe File created C:\Windows\SysWOW64\Jgdmkhnp.exe Jqjdon32.exe File created C:\Windows\SysWOW64\Ijpjlh32.dll Hjaiaolb.exe File created C:\Windows\SysWOW64\Joagkd32.exe Jdlcnkfg.exe File opened for modification C:\Windows\SysWOW64\Ppcmhj32.exe Pjfdpckc.exe File created C:\Windows\SysWOW64\Afjdbifq.dll Mkplnp32.exe File opened for modification C:\Windows\SysWOW64\Bkgchckl.exe Bhiglh32.exe File created C:\Windows\SysWOW64\Imkbeqem.exe Igojmjgf.exe File opened for modification C:\Windows\SysWOW64\Kfkjnh32.exe Kigidd32.exe File created C:\Windows\SysWOW64\Qpmbgaid.exe Qegnii32.exe File opened for modification C:\Windows\SysWOW64\Ihhjjm32.exe Ipmeej32.exe File created C:\Windows\SysWOW64\Qckajclq.dll Kecpipck.exe File created C:\Windows\SysWOW64\Epmahmcm.exe Ejpipf32.exe File opened for modification C:\Windows\SysWOW64\Ikhqbo32.exe Icmlnmgb.exe File created C:\Windows\SysWOW64\Pjkegjeg.dll Ofmiea32.exe File created C:\Windows\SysWOW64\Ghagjj32.exe Gfpkbbmo.exe File created C:\Windows\SysWOW64\Liaenblm.exe Lcdmekne.exe File opened for modification C:\Windows\SysWOW64\Cidhcg32.exe Condfo32.exe File created C:\Windows\SysWOW64\Mbljajog.dll Kldchgag.exe File opened for modification C:\Windows\SysWOW64\Qhehmkqn.exe Qlnghj32.exe File opened for modification C:\Windows\SysWOW64\Hdcebagp.exe Hjnaehgj.exe File created C:\Windows\SysWOW64\Pgnmjokn.exe Peoanckj.exe File created C:\Windows\SysWOW64\Hpbhip32.dll Ogadkajl.exe File opened for modification C:\Windows\SysWOW64\Pegaje32.exe Pjbnmm32.exe File opened for modification C:\Windows\SysWOW64\Jbbgge32.exe Jijbnppi.exe File created C:\Windows\SysWOW64\Ghqqpd32.exe Gaghcjhd.exe File created C:\Windows\SysWOW64\Ppaldc32.dll Klapha32.exe File created C:\Windows\SysWOW64\Dijbqion.dll Phknlfem.exe File created C:\Windows\SysWOW64\Janjga32.dll Ppcmhj32.exe File opened for modification C:\Windows\SysWOW64\Fkdoii32.exe Fpojlp32.exe File created C:\Windows\SysWOW64\Iecaad32.exe Iniidj32.exe File created C:\Windows\SysWOW64\Cdmdnmic.dll Kphbmp32.exe File created C:\Windows\SysWOW64\Npghai32.dll Cqfdem32.exe File opened for modification C:\Windows\SysWOW64\Jcmjfiab.exe Jmcbio32.exe File opened for modification C:\Windows\SysWOW64\Nfhpjaba.exe Njaoeq32.exe File opened for modification C:\Windows\SysWOW64\Pjfdpckc.exe Pjchjcmf.exe File opened for modification C:\Windows\SysWOW64\Bambjnfn.exe Bdiaqj32.exe File created C:\Windows\SysWOW64\Dcijmhdj.exe Dnmada32.exe File created C:\Windows\SysWOW64\Pjfghl32.exe Panboflg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2284 1260 WerFault.exe 499 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmiea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndhpqma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndeifbfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Condfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncggifep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnakege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jilmkffb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndfppije.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haiagm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcooo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbhmehg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qloiqcbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjgoaflj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnoepam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkmfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijbjpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldhldpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmjfiab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmppcpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpmdff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogiegc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plkchdiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akjjifji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qajiek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkmdmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djnbdlla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fallil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjaiaolb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbiggof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidlodkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahmpfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpmbgaid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhbnjpic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oggkklnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgnie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpjqfpke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkkcbdhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdigakic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndbjgjqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkplnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnaihhgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hobfgcdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkcjlhdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhkiae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peooek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blklfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpkjjofe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhjfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbebcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjnaehgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cljajh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkdoii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngdadoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjmchhhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpogjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laqadknn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfpdcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpcpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abcngkmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndoof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lebcdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boadlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoflpbmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnofbg32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onqaonnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhqbmehb.dll" Pjdjbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fomflmlg.dll" Qjacai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gniidaih.dll" Blplkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edkbdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdlcnkfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qlnghj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahpdficc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjmchhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhbhecjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihhjjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlimimpg.dll" Qnjbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didpkp32.dll" Ghqqpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lehfcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdincdcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdmpg32.dll" Bpnibl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkbjlk32.dll" Gpagbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llooad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogiegc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkgchckl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kecpipck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmdcof32.dll" Nccmng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opennf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bagncl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chafpfqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koqddqkg.dll" Efihcpqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaoiol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jijbnppi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeommfnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olehbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dieiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbanhfjd.dll" Eiefqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ickoimie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lllkaobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfabkg32.dll" Makmnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cchfha32.dll" Mkcjlhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Meecojqp.dll" Fcehpbdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmipmlan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkolblkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Colegflh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdobqgpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofjcfle.dll" Ljjkgfig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiefqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pifcdbhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpehnofm.dll" Lednal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmlfacbk.dll" Ldikbhfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llnhgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpjqfpke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbjoaibo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajojpafh.dll" Pgnmjokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dihbqgdl.dll" Pfpdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifndph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pepigm32.dll" Lhkiae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Modano32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcbhmehg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noajmlnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogfagmck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Panboflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nceeaikk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbblpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgbiggof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfediek.dll" Kidlodkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhcacd.dll" Pjfghl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phhnkggl.dll" Dkookd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 840 wrote to memory of 1516 840 ac673b1c809632a3c9a18ff3e9b9795d9c889e4a563e15a4947e8d2d5003579e.exe 29 PID 840 wrote to memory of 1516 840 ac673b1c809632a3c9a18ff3e9b9795d9c889e4a563e15a4947e8d2d5003579e.exe 29 PID 840 wrote to memory of 1516 840 ac673b1c809632a3c9a18ff3e9b9795d9c889e4a563e15a4947e8d2d5003579e.exe 29 PID 840 wrote to memory of 1516 840 ac673b1c809632a3c9a18ff3e9b9795d9c889e4a563e15a4947e8d2d5003579e.exe 29 PID 1516 wrote to memory of 2856 1516 Kdincdcl.exe 30 PID 1516 wrote to memory of 2856 1516 Kdincdcl.exe 30 PID 1516 wrote to memory of 2856 1516 Kdincdcl.exe 30 PID 1516 wrote to memory of 2856 1516 Kdincdcl.exe 30 PID 2856 wrote to memory of 2316 2856 Kldchgag.exe 31 PID 2856 wrote to memory of 2316 2856 Kldchgag.exe 31 PID 2856 wrote to memory of 2316 2856 Kldchgag.exe 31 PID 2856 wrote to memory of 2316 2856 Kldchgag.exe 31 PID 2316 wrote to memory of 2572 2316 Kemgqm32.exe 32 PID 2316 wrote to memory of 2572 2316 Kemgqm32.exe 32 PID 2316 wrote to memory of 2572 2316 Kemgqm32.exe 32 PID 2316 wrote to memory of 2572 2316 Kemgqm32.exe 32 PID 2572 wrote to memory of 2880 2572 Lohiob32.exe 33 PID 2572 wrote to memory of 2880 2572 Lohiob32.exe 33 PID 2572 wrote to memory of 2880 2572 Lohiob32.exe 33 PID 2572 wrote to memory of 2880 2572 Lohiob32.exe 33 PID 2880 wrote to memory of 2784 2880 Lhpmhgbf.exe 34 PID 2880 wrote to memory of 2784 2880 Lhpmhgbf.exe 34 PID 2880 wrote to memory of 2784 2880 Lhpmhgbf.exe 34 PID 2880 wrote to memory of 2784 2880 Lhpmhgbf.exe 34 PID 2784 wrote to memory of 2196 2784 Lednal32.exe 35 PID 2784 wrote to memory of 2196 2784 Lednal32.exe 35 PID 2784 wrote to memory of 2196 2784 Lednal32.exe 35 PID 2784 wrote to memory of 2196 2784 Lednal32.exe 35 PID 2196 wrote to memory of 2472 2196 Ldikbhfh.exe 36 PID 2196 wrote to memory of 2472 2196 Ldikbhfh.exe 36 PID 2196 wrote to memory of 2472 2196 Ldikbhfh.exe 36 PID 2196 wrote to memory of 2472 2196 Ldikbhfh.exe 36 PID 2472 wrote to memory of 2092 2472 Lnaokn32.exe 37 PID 2472 wrote to memory of 2092 2472 Lnaokn32.exe 37 PID 2472 wrote to memory of 2092 2472 Lnaokn32.exe 37 PID 2472 wrote to memory of 2092 2472 Lnaokn32.exe 37 PID 2092 wrote to memory of 3052 2092 Ljhppo32.exe 38 PID 2092 wrote to memory of 3052 2092 Ljhppo32.exe 38 PID 2092 wrote to memory of 3052 2092 Ljhppo32.exe 38 PID 2092 wrote to memory of 3052 2092 Ljhppo32.exe 38 PID 3052 wrote to memory of 1984 3052 Ldndng32.exe 39 PID 3052 wrote to memory of 1984 3052 Ldndng32.exe 39 PID 3052 wrote to memory of 1984 3052 Ldndng32.exe 39 PID 3052 wrote to memory of 1984 3052 Ldndng32.exe 39 PID 1984 wrote to memory of 584 1984 Mjkmfn32.exe 40 PID 1984 wrote to memory of 584 1984 Mjkmfn32.exe 40 PID 1984 wrote to memory of 584 1984 Mjkmfn32.exe 40 PID 1984 wrote to memory of 584 1984 Mjkmfn32.exe 40 PID 584 wrote to memory of 1272 584 Mccaodgj.exe 41 PID 584 wrote to memory of 1272 584 Mccaodgj.exe 41 PID 584 wrote to memory of 1272 584 Mccaodgj.exe 41 PID 584 wrote to memory of 1272 584 Mccaodgj.exe 41 PID 1272 wrote to memory of 2244 1272 Mjofanld.exe 42 PID 1272 wrote to memory of 2244 1272 Mjofanld.exe 42 PID 1272 wrote to memory of 2244 1272 Mjofanld.exe 42 PID 1272 wrote to memory of 2244 1272 Mjofanld.exe 42 PID 2244 wrote to memory of 1652 2244 Mdigakic.exe 43 PID 2244 wrote to memory of 1652 2244 Mdigakic.exe 43 PID 2244 wrote to memory of 1652 2244 Mdigakic.exe 43 PID 2244 wrote to memory of 1652 2244 Mdigakic.exe 43 PID 1652 wrote to memory of 2576 1652 Mhgpgjoj.exe 44 PID 1652 wrote to memory of 2576 1652 Mhgpgjoj.exe 44 PID 1652 wrote to memory of 2576 1652 Mhgpgjoj.exe 44 PID 1652 wrote to memory of 2576 1652 Mhgpgjoj.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\ac673b1c809632a3c9a18ff3e9b9795d9c889e4a563e15a4947e8d2d5003579e.exe"C:\Users\Admin\AppData\Local\Temp\ac673b1c809632a3c9a18ff3e9b9795d9c889e4a563e15a4947e8d2d5003579e.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:840 -
C:\Windows\SysWOW64\Kdincdcl.exeC:\Windows\system32\Kdincdcl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Kldchgag.exeC:\Windows\system32\Kldchgag.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Kemgqm32.exeC:\Windows\system32\Kemgqm32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Lohiob32.exeC:\Windows\system32\Lohiob32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Lhpmhgbf.exeC:\Windows\system32\Lhpmhgbf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Lednal32.exeC:\Windows\system32\Lednal32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Ldikbhfh.exeC:\Windows\system32\Ldikbhfh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Lnaokn32.exeC:\Windows\system32\Lnaokn32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Ljhppo32.exeC:\Windows\system32\Ljhppo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Ldndng32.exeC:\Windows\system32\Ldndng32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Mjkmfn32.exeC:\Windows\system32\Mjkmfn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984 -
C:\Windows\SysWOW64\Mccaodgj.exeC:\Windows\system32\Mccaodgj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Mjofanld.exeC:\Windows\system32\Mjofanld.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Mdigakic.exeC:\Windows\system32\Mdigakic.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Mhgpgjoj.exeC:\Windows\system32\Mhgpgjoj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Nndhpqma.exeC:\Windows\system32\Nndhpqma.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Nnfeep32.exeC:\Windows\system32\Nnfeep32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Nccmng32.exeC:\Windows\system32\Nccmng32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Ndbjgjqh.exeC:\Windows\system32\Ndbjgjqh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\Ncggifep.exeC:\Windows\system32\Ncggifep.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1488 -
C:\Windows\SysWOW64\Njaoeq32.exeC:\Windows\system32\Njaoeq32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Nfhpjaba.exeC:\Windows\system32\Nfhpjaba.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2020 -
C:\Windows\SysWOW64\Olehbh32.exeC:\Windows\system32\Olehbh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Oenmkngi.exeC:\Windows\system32\Oenmkngi.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Ofmiea32.exeC:\Windows\system32\Ofmiea32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1472 -
C:\Windows\SysWOW64\Opennf32.exeC:\Windows\system32\Opennf32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Ollncgjq.exeC:\Windows\system32\Ollncgjq.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Oedclm32.exeC:\Windows\system32\Oedclm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Oakcan32.exeC:\Windows\system32\Oakcan32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Pjchjcmf.exeC:\Windows\system32\Pjchjcmf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Pjfdpckc.exeC:\Windows\system32\Pjfdpckc.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Ppcmhj32.exeC:\Windows\system32\Ppcmhj32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2732 -
C:\Windows\SysWOW64\Ppejmj32.exeC:\Windows\system32\Ppejmj32.exe34⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Ppgfciee.exeC:\Windows\system32\Ppgfciee.exe35⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Qlnghj32.exeC:\Windows\system32\Qlnghj32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Qhehmkqn.exeC:\Windows\system32\Qhehmkqn.exe37⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Amdmkb32.exeC:\Windows\system32\Amdmkb32.exe38⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Aabfqp32.exeC:\Windows\system32\Aabfqp32.exe39⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Akjjifji.exeC:\Windows\system32\Akjjifji.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Apjpglfn.exeC:\Windows\system32\Apjpglfn.exe41⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Aefhpc32.exeC:\Windows\system32\Aefhpc32.exe42⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Alqplmlb.exeC:\Windows\system32\Alqplmlb.exe43⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Bfieec32.exeC:\Windows\system32\Bfieec32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Bpnibl32.exeC:\Windows\system32\Bpnibl32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1968 -
C:\Windows\SysWOW64\Cgfqii32.exeC:\Windows\system32\Cgfqii32.exe46⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Cghmni32.exeC:\Windows\system32\Cghmni32.exe47⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Cqqbgoba.exeC:\Windows\system32\Cqqbgoba.exe48⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Cmgblphf.exeC:\Windows\system32\Cmgblphf.exe49⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Cfpgee32.exeC:\Windows\system32\Cfpgee32.exe50⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Cmjoaofc.exeC:\Windows\system32\Cmjoaofc.exe51⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Dfbdje32.exeC:\Windows\system32\Dfbdje32.exe52⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Dkolblkk.exeC:\Windows\system32\Dkolblkk.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Dbidof32.exeC:\Windows\system32\Dbidof32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Dkaihkih.exeC:\Windows\system32\Dkaihkih.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Danaqbgp.exeC:\Windows\system32\Danaqbgp.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Dieiap32.exeC:\Windows\system32\Dieiap32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Dgjfbllj.exeC:\Windows\system32\Dgjfbllj.exe58⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Dndoof32.exeC:\Windows\system32\Dndoof32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Dcaghm32.exeC:\Windows\system32\Dcaghm32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Emilqb32.exeC:\Windows\system32\Emilqb32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Efbpihoo.exeC:\Windows\system32\Efbpihoo.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\Eagdgaoe.exeC:\Windows\system32\Eagdgaoe.exe63⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Ejpipf32.exeC:\Windows\system32\Ejpipf32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Epmahmcm.exeC:\Windows\system32\Epmahmcm.exe65⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Eiefqc32.exeC:\Windows\system32\Eiefqc32.exe66⤵
- Modifies registry class
PID:1552 -
C:\Windows\SysWOW64\Eoanij32.exeC:\Windows\system32\Eoanij32.exe67⤵PID:1244
-
C:\Windows\SysWOW64\Ehjbaooe.exeC:\Windows\system32\Ehjbaooe.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1556 -
C:\Windows\SysWOW64\Eabgjeef.exeC:\Windows\system32\Eabgjeef.exe69⤵
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Fhlogo32.exeC:\Windows\system32\Fhlogo32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:572 -
C:\Windows\SysWOW64\Faedpdcc.exeC:\Windows\system32\Faedpdcc.exe71⤵PID:1540
-
C:\Windows\SysWOW64\Fljhmmci.exeC:\Windows\system32\Fljhmmci.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Fagqed32.exeC:\Windows\system32\Fagqed32.exe73⤵PID:2988
-
C:\Windows\SysWOW64\Fkpeojha.exeC:\Windows\system32\Fkpeojha.exe74⤵PID:2740
-
C:\Windows\SysWOW64\Fmnakege.exeC:\Windows\system32\Fmnakege.exe75⤵
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Fkbadifn.exeC:\Windows\system32\Fkbadifn.exe76⤵PID:2616
-
C:\Windows\SysWOW64\Fpojlp32.exeC:\Windows\system32\Fpojlp32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1292 -
C:\Windows\SysWOW64\Fkdoii32.exeC:\Windows\system32\Fkdoii32.exe78⤵
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Gpagbp32.exeC:\Windows\system32\Gpagbp32.exe79⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Ggkoojip.exeC:\Windows\system32\Ggkoojip.exe80⤵PID:1704
-
C:\Windows\SysWOW64\Gdophn32.exeC:\Windows\system32\Gdophn32.exe81⤵PID:1840
-
C:\Windows\SysWOW64\Gngdadoj.exeC:\Windows\system32\Gngdadoj.exe82⤵
- System Location Discovery: System Language Discovery
PID:368 -
C:\Windows\SysWOW64\Gcdmikma.exeC:\Windows\system32\Gcdmikma.exe83⤵PID:1716
-
C:\Windows\SysWOW64\Ghaeaaki.exeC:\Windows\system32\Ghaeaaki.exe84⤵PID:1076
-
C:\Windows\SysWOW64\Gcfioj32.exeC:\Windows\system32\Gcfioj32.exe85⤵PID:2284
-
C:\Windows\SysWOW64\Glongpao.exeC:\Windows\system32\Glongpao.exe86⤵PID:1668
-
C:\Windows\SysWOW64\Gcifdj32.exeC:\Windows\system32\Gcifdj32.exe87⤵PID:1756
-
C:\Windows\SysWOW64\Glajmppm.exeC:\Windows\system32\Glajmppm.exe88⤵PID:2644
-
C:\Windows\SysWOW64\Hancef32.exeC:\Windows\system32\Hancef32.exe89⤵PID:2864
-
C:\Windows\SysWOW64\Hgkknm32.exeC:\Windows\system32\Hgkknm32.exe90⤵PID:1596
-
C:\Windows\SysWOW64\Happkf32.exeC:\Windows\system32\Happkf32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756 -
C:\Windows\SysWOW64\Hgmhcm32.exeC:\Windows\system32\Hgmhcm32.exe92⤵PID:2760
-
C:\Windows\SysWOW64\Hbblpf32.exeC:\Windows\system32\Hbblpf32.exe93⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Hcdihn32.exeC:\Windows\system32\Hcdihn32.exe94⤵PID:2888
-
C:\Windows\SysWOW64\Hjnaehgj.exeC:\Windows\system32\Hjnaehgj.exe95⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Hdcebagp.exeC:\Windows\system32\Hdcebagp.exe96⤵PID:2488
-
C:\Windows\SysWOW64\Hjpnjheg.exeC:\Windows\system32\Hjpnjheg.exe97⤵PID:1124
-
C:\Windows\SysWOW64\Homfboco.exeC:\Windows\system32\Homfboco.exe98⤵PID:2604
-
C:\Windows\SysWOW64\Ijbjpg32.exeC:\Windows\system32\Ijbjpg32.exe99⤵
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\Ickoimie.exeC:\Windows\system32\Ickoimie.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Iihgadhl.exeC:\Windows\system32\Iihgadhl.exe101⤵PID:524
-
C:\Windows\SysWOW64\Icmlnmgb.exeC:\Windows\system32\Icmlnmgb.exe102⤵
- Drops file in System32 directory
PID:1392 -
C:\Windows\SysWOW64\Ikhqbo32.exeC:\Windows\system32\Ikhqbo32.exe103⤵PID:2868
-
C:\Windows\SysWOW64\Ifndph32.exeC:\Windows\system32\Ifndph32.exe104⤵
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Iniidj32.exeC:\Windows\system32\Iniidj32.exe105⤵
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Iecaad32.exeC:\Windows\system32\Iecaad32.exe106⤵PID:2440
-
C:\Windows\SysWOW64\Ijpjik32.exeC:\Windows\system32\Ijpjik32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1688 -
C:\Windows\SysWOW64\Jbgbjh32.exeC:\Windows\system32\Jbgbjh32.exe108⤵PID:1400
-
C:\Windows\SysWOW64\Jmqckf32.exeC:\Windows\system32\Jmqckf32.exe109⤵PID:1200
-
C:\Windows\SysWOW64\Jgfghodj.exeC:\Windows\system32\Jgfghodj.exe110⤵PID:1812
-
C:\Windows\SysWOW64\Jaolad32.exeC:\Windows\system32\Jaolad32.exe111⤵
- Drops file in System32 directory
PID:1408 -
C:\Windows\SysWOW64\Jfkdik32.exeC:\Windows\system32\Jfkdik32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2564 -
C:\Windows\SysWOW64\Jaahgd32.exeC:\Windows\system32\Jaahgd32.exe113⤵PID:1724
-
C:\Windows\SysWOW64\Jbbenlof.exeC:\Windows\system32\Jbbenlof.exe114⤵PID:2008
-
C:\Windows\SysWOW64\Jilmkffb.exeC:\Windows\system32\Jilmkffb.exe115⤵
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\Jlkigbef.exeC:\Windows\system32\Jlkigbef.exe116⤵PID:2124
-
C:\Windows\SysWOW64\Jecnpg32.exeC:\Windows\system32\Jecnpg32.exe117⤵PID:2720
-
C:\Windows\SysWOW64\Kphbmp32.exeC:\Windows\system32\Kphbmp32.exe118⤵
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Kfbjjjci.exeC:\Windows\system32\Kfbjjjci.exe119⤵PID:1172
-
C:\Windows\SysWOW64\Kbikokin.exeC:\Windows\system32\Kbikokin.exe120⤵PID:3040
-
C:\Windows\SysWOW64\Kiccle32.exeC:\Windows\system32\Kiccle32.exe121⤵PID:1312
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-