Analysis
-
max time kernel
67s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-11-2024 19:36
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a9b463f8f17892fd7f97c42eabbc974b84405cecee52056d91c83ca968b29cfdN.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
a9b463f8f17892fd7f97c42eabbc974b84405cecee52056d91c83ca968b29cfdN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
a9b463f8f17892fd7f97c42eabbc974b84405cecee52056d91c83ca968b29cfdN.exe
-
Size
96KB
-
MD5
b69588f8e06b44308b7bd7c08e725320
-
SHA1
4d84c9bb280db1b30bf79ca621221423bfa2bb3f
-
SHA256
a9b463f8f17892fd7f97c42eabbc974b84405cecee52056d91c83ca968b29cfd
-
SHA512
76a175b74e558aea8869450fea1bb8678b657dc465f5d14c388eb373074f6d3007875295967f967aba5017d0ff794d8b4bc27de908b46a9fcd82faeeaa4d8d50
-
SSDEEP
1536:GAHlEJ6i/qFmDG0lbvdTd/xadCsJqb2LB7RZObZUUWaegPYAC:PlpiiEbT9EdCJ4BClUUWaen
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgpeimhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imaglc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdiaqj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffeoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaibpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjdkap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkepdbkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecnbpcje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khonbhch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejbhno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmhbbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkdmneoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ognakk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeahjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kplhfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmpdoffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flhnqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbmnfajm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dobcekld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijddokdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpdibapb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkhjin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heoadcmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anbohn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nimaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qahnid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmohco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpbmhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlgfbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iniidj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feppqc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omjgkjof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfmlif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elaego32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijddokdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oakdkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfoko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckhdihlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfbjjjci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpliec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fffckf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggmldj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqjceidf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcfojhhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpmjplag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbfpafn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hebqbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paihgboc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpomdmqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emlkoknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhmioa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdnfalea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dalffg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blhifemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnfodojp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmcchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhaogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jphcgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obamebfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onqaonnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefncd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnnbfjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieoiai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkpeojha.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
resource yara_rule behavioral1/files/0x00040000000206c1-5092.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 3012 Kemgqm32.exe 2868 Klgpmgod.exe 2844 Kikpgk32.exe 3024 Lklmoccl.exe 2824 Lhbjmg32.exe 2536 Ljfckodo.exe 2692 Lkepdbkb.exe 1484 Ldndng32.exe 3040 Mccaodgj.exe 2300 Mfdjpo32.exe 1296 Moloidjl.exe 1096 Mfhcknpf.exe 1536 Nndhpqma.exe 2236 Nqdaal32.exe 2192 Nmkbfmpf.exe 1968 Nffcebdd.exe 2012 Oiglfm32.exe 2584 Omddmkhl.exe 288 Obamebfc.exe 1816 Obdjjb32.exe 1672 Ohqbbi32.exe 2008 Ohcohh32.exe 572 Pegpamoo.exe 2292 Pnodjb32.exe 2384 Papmlmbp.exe 1132 Pbaide32.exe 1044 Pbcfie32.exe 1608 Ppgfciee.exe 2456 Qpjchicb.exe 3004 Qamleagn.exe 2940 Akfaof32.exe 2708 Aekelo32.exe 2596 Apeflmjc.exe 1172 Aimkeb32.exe 1844 Akmgoehg.exe 3044 Bcjhig32.exe 2972 Bfkakbpp.exe 1984 Bkhjcing.exe 1996 Bhljlnma.exe 1612 Bofbih32.exe 2908 Cjifpdib.exe 1652 Deedfacn.exe 1776 Dnpedghl.exe 1552 Dapnfb32.exe 1832 Djibogkn.exe 640 Dfpcdh32.exe 2524 Efbpihoo.exe 1756 Eagdgaoe.exe 2656 Efdmohmm.exe 2648 Elaego32.exe 1116 Ebkndibq.exe 2276 Eeijpdbd.exe 1604 Eponmmaj.exe 2572 Eelfedpa.exe 2904 Eodknifb.exe 2784 Eenckc32.exe 2356 Fpcghl32.exe 580 Feppqc32.exe 1020 Fkmhij32.exe 3036 Fagqed32.exe 2900 Fkpeojha.exe 1524 Fhcehngk.exe 2404 Fmpnpe32.exe 2412 Fkdoii32.exe -
Loads dropped DLL 64 IoCs
pid Process 2792 a9b463f8f17892fd7f97c42eabbc974b84405cecee52056d91c83ca968b29cfdN.exe 2792 a9b463f8f17892fd7f97c42eabbc974b84405cecee52056d91c83ca968b29cfdN.exe 3012 Kemgqm32.exe 3012 Kemgqm32.exe 2868 Klgpmgod.exe 2868 Klgpmgod.exe 2844 Kikpgk32.exe 2844 Kikpgk32.exe 3024 Lklmoccl.exe 3024 Lklmoccl.exe 2824 Lhbjmg32.exe 2824 Lhbjmg32.exe 2536 Ljfckodo.exe 2536 Ljfckodo.exe 2692 Lkepdbkb.exe 2692 Lkepdbkb.exe 1484 Ldndng32.exe 1484 Ldndng32.exe 3040 Mccaodgj.exe 3040 Mccaodgj.exe 2300 Mfdjpo32.exe 2300 Mfdjpo32.exe 1296 Moloidjl.exe 1296 Moloidjl.exe 1096 Mfhcknpf.exe 1096 Mfhcknpf.exe 1536 Nndhpqma.exe 1536 Nndhpqma.exe 2236 Nqdaal32.exe 2236 Nqdaal32.exe 2192 Nmkbfmpf.exe 2192 Nmkbfmpf.exe 1968 Nffcebdd.exe 1968 Nffcebdd.exe 2012 Oiglfm32.exe 2012 Oiglfm32.exe 2584 Omddmkhl.exe 2584 Omddmkhl.exe 288 Obamebfc.exe 288 Obamebfc.exe 1816 Obdjjb32.exe 1816 Obdjjb32.exe 1672 Ohqbbi32.exe 1672 Ohqbbi32.exe 2008 Ohcohh32.exe 2008 Ohcohh32.exe 572 Pegpamoo.exe 572 Pegpamoo.exe 2292 Pnodjb32.exe 2292 Pnodjb32.exe 2384 Papmlmbp.exe 2384 Papmlmbp.exe 1132 Pbaide32.exe 1132 Pbaide32.exe 1044 Pbcfie32.exe 1044 Pbcfie32.exe 1608 Ppgfciee.exe 1608 Ppgfciee.exe 2456 Qpjchicb.exe 2456 Qpjchicb.exe 3004 Qamleagn.exe 3004 Qamleagn.exe 2940 Akfaof32.exe 2940 Akfaof32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ibbioilj.exe Imepgbnc.exe File created C:\Windows\SysWOW64\Lelnjj32.dll Emieflec.exe File opened for modification C:\Windows\SysWOW64\Bekobn32.exe Bkckihel.exe File opened for modification C:\Windows\SysWOW64\Hmbdlc32.exe Haldgbkc.exe File created C:\Windows\SysWOW64\Dfnlkl32.dll Jedlph32.exe File created C:\Windows\SysWOW64\Bglghdbc.exe Baoopndk.exe File opened for modification C:\Windows\SysWOW64\Lpkmkl32.exe Ljnebe32.exe File opened for modification C:\Windows\SysWOW64\Dklkkoqf.exe Coejfn32.exe File created C:\Windows\SysWOW64\Lmiqhhnn.dll Ldndng32.exe File opened for modification C:\Windows\SysWOW64\Cpafhpaj.exe Ckdnpicb.exe File opened for modification C:\Windows\SysWOW64\Jknnoppp.exe Injnfl32.exe File created C:\Windows\SysWOW64\Fkkdedfm.dll Fkmhij32.exe File created C:\Windows\SysWOW64\Hialpf32.dll Lmbadfdl.exe File created C:\Windows\SysWOW64\Mknaahhn.exe Mafmhcam.exe File created C:\Windows\SysWOW64\Ecgnmaod.dll Fmcchb32.exe File created C:\Windows\SysWOW64\Inhpjehm.dll Omddmkhl.exe File opened for modification C:\Windows\SysWOW64\Jmqckf32.exe Jgdkbo32.exe File created C:\Windows\SysWOW64\Gnqolikm.exe Fnnbfjmp.exe File opened for modification C:\Windows\SysWOW64\Kbefen32.exe Khmamhek.exe File created C:\Windows\SysWOW64\Npaeak32.dll Qamleagn.exe File created C:\Windows\SysWOW64\Fbeimf32.exe Fimedaoe.exe File created C:\Windows\SysWOW64\Andlmnki.exe Aelgdhei.exe File created C:\Windows\SysWOW64\Mipanmej.dll Odkkdqmd.exe File opened for modification C:\Windows\SysWOW64\Pneiaidn.exe Pfjdmggb.exe File opened for modification C:\Windows\SysWOW64\Bpajjmon.exe Belfldoh.exe File created C:\Windows\SysWOW64\Fmcchb32.exe Ebnokjpf.exe File created C:\Windows\SysWOW64\Eelfedpa.exe Eponmmaj.exe File created C:\Windows\SysWOW64\Kjdiigbm.exe Kidlodkj.exe File created C:\Windows\SysWOW64\Bfodod32.dll Ejkampao.exe File created C:\Windows\SysWOW64\Giogonlb.exe Gljfeimi.exe File created C:\Windows\SysWOW64\Ebfpglkn.exe Ehnknfdn.exe File opened for modification C:\Windows\SysWOW64\Bamfloef.exe Bibagmhk.exe File created C:\Windows\SysWOW64\Kikmdack.dll Nijdcdgn.exe File created C:\Windows\SysWOW64\Nceeaikk.exe Nimaic32.exe File created C:\Windows\SysWOW64\Iigkka32.dll Hbmnfajm.exe File created C:\Windows\SysWOW64\Laifbnho.exe Lphjkfbq.exe File opened for modification C:\Windows\SysWOW64\Mpeidjfo.exe Mhjdpgic.exe File opened for modification C:\Windows\SysWOW64\Paihgboc.exe Phacnm32.exe File opened for modification C:\Windows\SysWOW64\Ddjkhl32.exe Dlbcgo32.exe File created C:\Windows\SysWOW64\Okipcb32.dll Gaiijgbi.exe File opened for modification C:\Windows\SysWOW64\Klapha32.exe Kalkjh32.exe File opened for modification C:\Windows\SysWOW64\Apdobg32.exe Aijgemok.exe File created C:\Windows\SysWOW64\Hkljljko.exe Heoadcmh.exe File created C:\Windows\SysWOW64\Objdcnnk.dll Lneghd32.exe File created C:\Windows\SysWOW64\Gigjch32.exe Flcjjdpe.exe File opened for modification C:\Windows\SysWOW64\Ebnokjpf.exe Ejcjfgbk.exe File created C:\Windows\SysWOW64\Gmleda32.dll Mhbdce32.exe File created C:\Windows\SysWOW64\Pbgniekp.dll Pkebig32.exe File created C:\Windows\SysWOW64\Oclblaid.dll Obamebfc.exe File created C:\Windows\SysWOW64\Dhpbdd32.dll Dpbgghhl.exe File created C:\Windows\SysWOW64\Jbmdig32.exe Jkcllmhb.exe File opened for modification C:\Windows\SysWOW64\Kqijck32.exe Knkngp32.exe File created C:\Windows\SysWOW64\Hlbooaoe.exe Glpbiaqg.exe File created C:\Windows\SysWOW64\Kkbdib32.exe Kfflal32.exe File created C:\Windows\SysWOW64\Laodbj32.dll Gheola32.exe File created C:\Windows\SysWOW64\Cqfdem32.exe Chkpakla.exe File opened for modification C:\Windows\SysWOW64\Gaibpa32.exe Gkojcgga.exe File created C:\Windows\SysWOW64\Ccmcfc32.exe Cnpknl32.exe File created C:\Windows\SysWOW64\Nbckeb32.exe Nikflm32.exe File created C:\Windows\SysWOW64\Goiihmom.dll Kceganoe.exe File created C:\Windows\SysWOW64\Lebcdd32.exe Lljolodf.exe File created C:\Windows\SysWOW64\Mdlfpcnd.exe Moomgmpm.exe File opened for modification C:\Windows\SysWOW64\Oigmbagp.exe Opohil32.exe File created C:\Windows\SysWOW64\Amieek32.dll Cbmoeeod.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4188 1560 WerFault.exe 740 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djcbib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejkampao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miekhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allbpqcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neddfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eccadhkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfdjpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmohco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geqnho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dilggefh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haoggh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meonlkcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpliac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qahnid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogfagmck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahkhgag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcoal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhalag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlpmjdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqjdon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkpakla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egbaelej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apjbpemb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odkkdqmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnglekch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feklja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glmckikf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhiiepcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghmeikh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokmel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgfciee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaibpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jknnoppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khlkba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbegonmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelinm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpqlmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpncbjqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moloidjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifikehii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbgbjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdiaqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blhifemo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklmoccl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljdgqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipkkhckl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idofmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhedachg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddoiei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbokkagk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npjonlee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckdnpicb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gioigf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgihopao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeahjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hegdinpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpomdmqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckgkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpkobnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmaialjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoeiniea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eponmmaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dapnfb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhcehngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acoacabb.dll" Ldfgbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcnllf32.dll" Dcppmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkckdi32.dll" Lebcdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlfdjphd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apeflmjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncnmhajo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlidpopk.dll" Miekhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfkkek32.dll" Pfjdmggb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdneoh32.dll" Eeijpdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbaboaj.dll" Jfffmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfmclold.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmbdlc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eenckc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkbcjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfcmcckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhjdpgic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqakem32.dll" Momckfid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khonbhch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Addgcj32.dll" Idofmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgpeimhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlmkdf32.dll" Kemcookp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eggpoami.dll" Jhbfcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbighojl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgmbbkij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojhdmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lljffe32.dll" Aoilcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hchbcmlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gobhbe32.dll" Endmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hldopgbl.dll" Jbmgapgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjdmjiae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ginefe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbhkngcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahkgbnpi.dll" Nbckeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohilhjfg.dll" Heoadcmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aefipolf.dll" Dggcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecnbpcje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmmboc32.dll" Qnkdeagl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcmbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajlema32.dll" Moloidjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbkhcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngmoao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lphjkfbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" a9b463f8f17892fd7f97c42eabbc974b84405cecee52056d91c83ca968b29cfdN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pafklb32.dll" Ehgoaiml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgbfin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbpcgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meonlkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odbcnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbmgapgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fimedaoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjdgjhi.dll" Qahnid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpeidjfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ediggoma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeijpdbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jknnoppp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Filnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgbpfhpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Panboflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pafacd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jocdqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koogdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfninhkj.dll" Ehpjmoio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Papmlmbp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2792 wrote to memory of 3012 2792 a9b463f8f17892fd7f97c42eabbc974b84405cecee52056d91c83ca968b29cfdN.exe 29 PID 2792 wrote to memory of 3012 2792 a9b463f8f17892fd7f97c42eabbc974b84405cecee52056d91c83ca968b29cfdN.exe 29 PID 2792 wrote to memory of 3012 2792 a9b463f8f17892fd7f97c42eabbc974b84405cecee52056d91c83ca968b29cfdN.exe 29 PID 2792 wrote to memory of 3012 2792 a9b463f8f17892fd7f97c42eabbc974b84405cecee52056d91c83ca968b29cfdN.exe 29 PID 3012 wrote to memory of 2868 3012 Kemgqm32.exe 30 PID 3012 wrote to memory of 2868 3012 Kemgqm32.exe 30 PID 3012 wrote to memory of 2868 3012 Kemgqm32.exe 30 PID 3012 wrote to memory of 2868 3012 Kemgqm32.exe 30 PID 2868 wrote to memory of 2844 2868 Klgpmgod.exe 31 PID 2868 wrote to memory of 2844 2868 Klgpmgod.exe 31 PID 2868 wrote to memory of 2844 2868 Klgpmgod.exe 31 PID 2868 wrote to memory of 2844 2868 Klgpmgod.exe 31 PID 2844 wrote to memory of 3024 2844 Kikpgk32.exe 32 PID 2844 wrote to memory of 3024 2844 Kikpgk32.exe 32 PID 2844 wrote to memory of 3024 2844 Kikpgk32.exe 32 PID 2844 wrote to memory of 3024 2844 Kikpgk32.exe 32 PID 3024 wrote to memory of 2824 3024 Lklmoccl.exe 33 PID 3024 wrote to memory of 2824 3024 Lklmoccl.exe 33 PID 3024 wrote to memory of 2824 3024 Lklmoccl.exe 33 PID 3024 wrote to memory of 2824 3024 Lklmoccl.exe 33 PID 2824 wrote to memory of 2536 2824 Lhbjmg32.exe 34 PID 2824 wrote to memory of 2536 2824 Lhbjmg32.exe 34 PID 2824 wrote to memory of 2536 2824 Lhbjmg32.exe 34 PID 2824 wrote to memory of 2536 2824 Lhbjmg32.exe 34 PID 2536 wrote to memory of 2692 2536 Ljfckodo.exe 35 PID 2536 wrote to memory of 2692 2536 Ljfckodo.exe 35 PID 2536 wrote to memory of 2692 2536 Ljfckodo.exe 35 PID 2536 wrote to memory of 2692 2536 Ljfckodo.exe 35 PID 2692 wrote to memory of 1484 2692 Lkepdbkb.exe 36 PID 2692 wrote to memory of 1484 2692 Lkepdbkb.exe 36 PID 2692 wrote to memory of 1484 2692 Lkepdbkb.exe 36 PID 2692 wrote to memory of 1484 2692 Lkepdbkb.exe 36 PID 1484 wrote to memory of 3040 1484 Ldndng32.exe 37 PID 1484 wrote to memory of 3040 1484 Ldndng32.exe 37 PID 1484 wrote to memory of 3040 1484 Ldndng32.exe 37 PID 1484 wrote to memory of 3040 1484 Ldndng32.exe 37 PID 3040 wrote to memory of 2300 3040 Mccaodgj.exe 38 PID 3040 wrote to memory of 2300 3040 Mccaodgj.exe 38 PID 3040 wrote to memory of 2300 3040 Mccaodgj.exe 38 PID 3040 wrote to memory of 2300 3040 Mccaodgj.exe 38 PID 2300 wrote to memory of 1296 2300 Mfdjpo32.exe 39 PID 2300 wrote to memory of 1296 2300 Mfdjpo32.exe 39 PID 2300 wrote to memory of 1296 2300 Mfdjpo32.exe 39 PID 2300 wrote to memory of 1296 2300 Mfdjpo32.exe 39 PID 1296 wrote to memory of 1096 1296 Moloidjl.exe 40 PID 1296 wrote to memory of 1096 1296 Moloidjl.exe 40 PID 1296 wrote to memory of 1096 1296 Moloidjl.exe 40 PID 1296 wrote to memory of 1096 1296 Moloidjl.exe 40 PID 1096 wrote to memory of 1536 1096 Mfhcknpf.exe 41 PID 1096 wrote to memory of 1536 1096 Mfhcknpf.exe 41 PID 1096 wrote to memory of 1536 1096 Mfhcknpf.exe 41 PID 1096 wrote to memory of 1536 1096 Mfhcknpf.exe 41 PID 1536 wrote to memory of 2236 1536 Nndhpqma.exe 42 PID 1536 wrote to memory of 2236 1536 Nndhpqma.exe 42 PID 1536 wrote to memory of 2236 1536 Nndhpqma.exe 42 PID 1536 wrote to memory of 2236 1536 Nndhpqma.exe 42 PID 2236 wrote to memory of 2192 2236 Nqdaal32.exe 43 PID 2236 wrote to memory of 2192 2236 Nqdaal32.exe 43 PID 2236 wrote to memory of 2192 2236 Nqdaal32.exe 43 PID 2236 wrote to memory of 2192 2236 Nqdaal32.exe 43 PID 2192 wrote to memory of 1968 2192 Nmkbfmpf.exe 44 PID 2192 wrote to memory of 1968 2192 Nmkbfmpf.exe 44 PID 2192 wrote to memory of 1968 2192 Nmkbfmpf.exe 44 PID 2192 wrote to memory of 1968 2192 Nmkbfmpf.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\a9b463f8f17892fd7f97c42eabbc974b84405cecee52056d91c83ca968b29cfdN.exe"C:\Users\Admin\AppData\Local\Temp\a9b463f8f17892fd7f97c42eabbc974b84405cecee52056d91c83ca968b29cfdN.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Kemgqm32.exeC:\Windows\system32\Kemgqm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Klgpmgod.exeC:\Windows\system32\Klgpmgod.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Kikpgk32.exeC:\Windows\system32\Kikpgk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Lklmoccl.exeC:\Windows\system32\Lklmoccl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Lhbjmg32.exeC:\Windows\system32\Lhbjmg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Ljfckodo.exeC:\Windows\system32\Ljfckodo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Lkepdbkb.exeC:\Windows\system32\Lkepdbkb.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Ldndng32.exeC:\Windows\system32\Ldndng32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Mccaodgj.exeC:\Windows\system32\Mccaodgj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Mfdjpo32.exeC:\Windows\system32\Mfdjpo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Moloidjl.exeC:\Windows\system32\Moloidjl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Mfhcknpf.exeC:\Windows\system32\Mfhcknpf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1096 -
C:\Windows\SysWOW64\Nndhpqma.exeC:\Windows\system32\Nndhpqma.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1536 -
C:\Windows\SysWOW64\Nqdaal32.exeC:\Windows\system32\Nqdaal32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Nmkbfmpf.exeC:\Windows\system32\Nmkbfmpf.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Nffcebdd.exeC:\Windows\system32\Nffcebdd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1968 -
C:\Windows\SysWOW64\Oiglfm32.exeC:\Windows\system32\Oiglfm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Omddmkhl.exeC:\Windows\system32\Omddmkhl.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Obamebfc.exeC:\Windows\system32\Obamebfc.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:288 -
C:\Windows\SysWOW64\Obdjjb32.exeC:\Windows\system32\Obdjjb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Windows\SysWOW64\Ohqbbi32.exeC:\Windows\system32\Ohqbbi32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Ohcohh32.exeC:\Windows\system32\Ohcohh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Pegpamoo.exeC:\Windows\system32\Pegpamoo.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Pnodjb32.exeC:\Windows\system32\Pnodjb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2292 -
C:\Windows\SysWOW64\Papmlmbp.exeC:\Windows\system32\Papmlmbp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Pbaide32.exeC:\Windows\system32\Pbaide32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1132 -
C:\Windows\SysWOW64\Pbcfie32.exeC:\Windows\system32\Pbcfie32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Windows\SysWOW64\Ppgfciee.exeC:\Windows\system32\Ppgfciee.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Qpjchicb.exeC:\Windows\system32\Qpjchicb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Qamleagn.exeC:\Windows\system32\Qamleagn.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Akfaof32.exeC:\Windows\system32\Akfaof32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Aekelo32.exeC:\Windows\system32\Aekelo32.exe33⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Apeflmjc.exeC:\Windows\system32\Apeflmjc.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Aimkeb32.exeC:\Windows\system32\Aimkeb32.exe35⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Akmgoehg.exeC:\Windows\system32\Akmgoehg.exe36⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Bcjhig32.exeC:\Windows\system32\Bcjhig32.exe37⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Bfkakbpp.exeC:\Windows\system32\Bfkakbpp.exe38⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Bkhjcing.exeC:\Windows\system32\Bkhjcing.exe39⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Bhljlnma.exeC:\Windows\system32\Bhljlnma.exe40⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Bofbih32.exeC:\Windows\system32\Bofbih32.exe41⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Cjifpdib.exeC:\Windows\system32\Cjifpdib.exe42⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Deedfacn.exeC:\Windows\system32\Deedfacn.exe43⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Dnpedghl.exeC:\Windows\system32\Dnpedghl.exe44⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Dapnfb32.exeC:\Windows\system32\Dapnfb32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Windows\SysWOW64\Djibogkn.exeC:\Windows\system32\Djibogkn.exe46⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Dfpcdh32.exeC:\Windows\system32\Dfpcdh32.exe47⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Efbpihoo.exeC:\Windows\system32\Efbpihoo.exe48⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Eagdgaoe.exeC:\Windows\system32\Eagdgaoe.exe49⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Efdmohmm.exeC:\Windows\system32\Efdmohmm.exe50⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Elaego32.exeC:\Windows\system32\Elaego32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Ebkndibq.exeC:\Windows\system32\Ebkndibq.exe52⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Eeijpdbd.exeC:\Windows\system32\Eeijpdbd.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Eponmmaj.exeC:\Windows\system32\Eponmmaj.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Eelfedpa.exeC:\Windows\system32\Eelfedpa.exe55⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Eodknifb.exeC:\Windows\system32\Eodknifb.exe56⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Eenckc32.exeC:\Windows\system32\Eenckc32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Fpcghl32.exeC:\Windows\system32\Fpcghl32.exe58⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Feppqc32.exeC:\Windows\system32\Feppqc32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Fkmhij32.exeC:\Windows\system32\Fkmhij32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Fagqed32.exeC:\Windows\system32\Fagqed32.exe61⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Fkpeojha.exeC:\Windows\system32\Fkpeojha.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Fhcehngk.exeC:\Windows\system32\Fhcehngk.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1524 -
C:\Windows\SysWOW64\Fmpnpe32.exeC:\Windows\system32\Fmpnpe32.exe64⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Fkdoii32.exeC:\Windows\system32\Fkdoii32.exe65⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Gdmcbojl.exeC:\Windows\system32\Gdmcbojl.exe66⤵PID:2604
-
C:\Windows\SysWOW64\Gmegkd32.exeC:\Windows\system32\Gmegkd32.exe67⤵PID:388
-
C:\Windows\SysWOW64\Ggmldj32.exeC:\Windows\system32\Ggmldj32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2688 -
C:\Windows\SysWOW64\Gcdmikma.exeC:\Windows\system32\Gcdmikma.exe69⤵PID:1988
-
C:\Windows\SysWOW64\Ginefe32.exeC:\Windows\system32\Ginefe32.exe70⤵
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Gaiijgbi.exeC:\Windows\system32\Gaiijgbi.exe71⤵
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\Glongpao.exeC:\Windows\system32\Glongpao.exe72⤵PID:2984
-
C:\Windows\SysWOW64\Gheola32.exeC:\Windows\system32\Gheola32.exe73⤵
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Hancef32.exeC:\Windows\system32\Hancef32.exe74⤵PID:2312
-
C:\Windows\SysWOW64\Hhhkbqea.exeC:\Windows\system32\Hhhkbqea.exe75⤵PID:3032
-
C:\Windows\SysWOW64\Happkf32.exeC:\Windows\system32\Happkf32.exe76⤵PID:2768
-
C:\Windows\SysWOW64\Hgmhcm32.exeC:\Windows\system32\Hgmhcm32.exe77⤵PID:2808
-
C:\Windows\SysWOW64\Hbblpf32.exeC:\Windows\system32\Hbblpf32.exe78⤵PID:2960
-
C:\Windows\SysWOW64\Hgpeimhf.exeC:\Windows\system32\Hgpeimhf.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Hdcebagp.exeC:\Windows\system32\Hdcebagp.exe80⤵PID:1260
-
C:\Windows\SysWOW64\Hnljkf32.exeC:\Windows\system32\Hnljkf32.exe81⤵PID:2272
-
C:\Windows\SysWOW64\Hchbcmlh.exeC:\Windows\system32\Hchbcmlh.exe82⤵
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Ijbjpg32.exeC:\Windows\system32\Ijbjpg32.exe83⤵PID:2216
-
C:\Windows\SysWOW64\Imaglc32.exeC:\Windows\system32\Imaglc32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:612 -
C:\Windows\SysWOW64\Ifikehii.exeC:\Windows\system32\Ifikehii.exe85⤵
- System Location Discovery: System Language Discovery
PID:696 -
C:\Windows\SysWOW64\Ikfdmogp.exeC:\Windows\system32\Ikfdmogp.exe86⤵PID:1624
-
C:\Windows\SysWOW64\Ibplji32.exeC:\Windows\system32\Ibplji32.exe87⤵PID:472
-
C:\Windows\SysWOW64\Imepgbnc.exeC:\Windows\system32\Imepgbnc.exe88⤵
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Ibbioilj.exeC:\Windows\system32\Ibbioilj.exe89⤵PID:2852
-
C:\Windows\SysWOW64\Iilalc32.exeC:\Windows\system32\Iilalc32.exe90⤵PID:2864
-
C:\Windows\SysWOW64\Iniidj32.exeC:\Windows\system32\Iniidj32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3016 -
C:\Windows\SysWOW64\Iganmp32.exeC:\Windows\system32\Iganmp32.exe92⤵PID:2728
-
C:\Windows\SysWOW64\Jbgbjh32.exeC:\Windows\system32\Jbgbjh32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2068 -
C:\Windows\SysWOW64\Jgdkbo32.exeC:\Windows\system32\Jgdkbo32.exe94⤵
- Drops file in System32 directory
PID:3048 -
C:\Windows\SysWOW64\Jmqckf32.exeC:\Windows\system32\Jmqckf32.exe95⤵PID:584
-
C:\Windows\SysWOW64\Jgfghodj.exeC:\Windows\system32\Jgfghodj.exe96⤵PID:2188
-
C:\Windows\SysWOW64\Jfkdik32.exeC:\Windows\system32\Jfkdik32.exe97⤵PID:848
-
C:\Windows\SysWOW64\Jpdibapb.exeC:\Windows\system32\Jpdibapb.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2432 -
C:\Windows\SysWOW64\Jjimpj32.exeC:\Windows\system32\Jjimpj32.exe99⤵PID:844
-
C:\Windows\SysWOW64\Jecnpg32.exeC:\Windows\system32\Jecnpg32.exe100⤵PID:2000
-
C:\Windows\SysWOW64\Klmfmacc.exeC:\Windows\system32\Klmfmacc.exe101⤵PID:2964
-
C:\Windows\SysWOW64\Kfbjjjci.exeC:\Windows\system32\Kfbjjjci.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3008 -
C:\Windows\SysWOW64\Kalkjh32.exeC:\Windows\system32\Kalkjh32.exe103⤵
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Klapha32.exeC:\Windows\system32\Klapha32.exe104⤵PID:2148
-
C:\Windows\SysWOW64\Kopldl32.exeC:\Windows\system32\Kopldl32.exe105⤵PID:2052
-
C:\Windows\SysWOW64\Khhpmbeb.exeC:\Windows\system32\Khhpmbeb.exe106⤵PID:1660
-
C:\Windows\SysWOW64\Kmeiei32.exeC:\Windows\system32\Kmeiei32.exe107⤵PID:2304
-
C:\Windows\SysWOW64\Kelqff32.exeC:\Windows\system32\Kelqff32.exe108⤵PID:2700
-
C:\Windows\SysWOW64\Koeeoljm.exeC:\Windows\system32\Koeeoljm.exe109⤵PID:1448
-
C:\Windows\SysWOW64\Lpfagd32.exeC:\Windows\system32\Lpfagd32.exe110⤵PID:592
-
C:\Windows\SysWOW64\Lhmjha32.exeC:\Windows\system32\Lhmjha32.exe111⤵PID:2548
-
C:\Windows\SysWOW64\Linfpi32.exeC:\Windows\system32\Linfpi32.exe112⤵PID:1408
-
C:\Windows\SysWOW64\Lphnlcnh.exeC:\Windows\system32\Lphnlcnh.exe113⤵PID:2436
-
C:\Windows\SysWOW64\Lgbfin32.exeC:\Windows\system32\Lgbfin32.exe114⤵
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Ldfgbb32.exeC:\Windows\system32\Ldfgbb32.exe115⤵
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Licpki32.exeC:\Windows\system32\Licpki32.exe116⤵PID:2928
-
C:\Windows\SysWOW64\Macnjk32.exeC:\Windows\system32\Macnjk32.exe117⤵PID:2084
-
C:\Windows\SysWOW64\Mdcfle32.exeC:\Windows\system32\Mdcfle32.exe118⤵PID:2764
-
C:\Windows\SysWOW64\Mdfcaegj.exeC:\Windows\system32\Mdfcaegj.exe119⤵PID:2064
-
C:\Windows\SysWOW64\Mlcekgbb.exeC:\Windows\system32\Mlcekgbb.exe120⤵PID:2424
-
C:\Windows\SysWOW64\Ncnmhajo.exeC:\Windows\system32\Ncnmhajo.exe121⤵
- Modifies registry class
PID:2428
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-