Analysis
max time kernel: 52s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 26-11-2024 16:54

Static task: static1
Behavioral task: behavioral1
  Sample: 21bddef3427136aee8a5b9ff264136bc1ffaf5def4624a0f7ecd3cfff4a74594N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 21bddef3427136aee8a5b9ff264136bc1ffaf5def4624a0f7ecd3cfff4a74594N.exe
  Resource: win10v2004-20241007-en

General
Target: 21bddef3427136aee8a5b9ff264136bc1ffaf5def4624a0f7ecd3cfff4a74594N.exe
Size: 96KB
MD5: 8f24e2a25ddcfad1d6fd7bbe8d7d1bd0
SHA1: 1f066ffc694bcdddc00388ce19502929d1d43d67
SHA256: 21bddef3427136aee8a5b9ff264136bc1ffaf5def4624a0f7ecd3cfff4a74594
SHA512: b224181d25e2aa3e64bc420ebc56913ffcf082c2632dd3fd5f8b7c91655bc594cd5bef8e58106adb9885b33a520c8458370a05416a27ee8ead7bcca79f7d76f9
SSDEEP: 1536:4XTXf1lk1lCaCLNQ2HVw72LFG7RZObZUUWaegPYA:4XTdlk1ljCRQwUClUUWae
Malware Config
Extracted family: berbew
C2 URLs embedded in the sample (31 entries, 26 distinct hosts; several hosts appear once with index.php and once with index.htm):
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
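To make the extracted configuration usable for hunting, the following added example (not sandbox or malware code) normalizes the 31 URLs above to their distinct hostnames and sweeps a constructed proxy log for them. A request to a subdomain of a C2 host counts as a hit; the shared-hosting parents some entries sit under (nm.ru, chat.ru, cjb.net, host.sk) deliberately do not. The log line layout is an assumption made for the example.

```python
"""Turn the extracted Berbew C2 list into a hostname set and sweep proxy logs for it.

Added example, not tooling from the sandbox or from the malware. The URL list is
copied from the Malware Config above; the proxy log lines are constructed and use an
assumed "<timestamp> <client> <method> <url> <status>" layout.
"""
from urllib.parse import urlsplit

C2_URLS = """
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
""".split()


def c2_hosts(urls):
    """Distinct hostnames in first-seen order (the config repeats hosts with two paths)."""
    hosts = []
    for url in urls:
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def match_proxy_log(lines, hosts):
    """Return (line number, matched C2 host) for every request whose destination is a
    C2 host or a subdomain of one. Walking up the label chain stops before matching a
    parent that is not itself in the list, so nm.ru or cjb.net traffic is not a hit."""
    wanted = set(hosts)
    hits = []
    for n, line in enumerate(lines, 1):
        fields = line.split()
        if len(fields) < 4:
            continue                       # malformed line: skip rather than crash
        dest = urlsplit(fields[3]).hostname
        if not dest:
            continue
        labels = dest.lower().split(".")
        for i in range(len(labels) - 1):   # full name first, then each parent
            candidate = ".".join(labels[i:])
            if candidate in wanted:
                hits.append((n, candidate))
                break
    return hits


# constructed proxy log: one direct hit, one subdomain hit, two benign lines
PROXY_LOG = [
    "2024-11-26T16:55:01Z 10.0.0.23 GET http://crutop.nu/index.php 200",
    "2024-11-26T16:55:02Z 10.0.0.23 GET http://www.example.org/ 200",
    "2024-11-26T16:55:03Z 10.0.0.41 GET http://cdn.mazafaka.ru/index.htm 404",
    "2024-11-26T16:55:04Z 10.0.0.41 GET http://fethard.biz.example.net/ 200",
]

if __name__ == "__main__":
    hosts = c2_hosts(C2_URLS)
    print(f"{len(hosts)} distinct C2 hosts from {len(C2_URLS)} URLs")
    for n, host in match_proxy_log(PROXY_LOG, hosts):
        print(f"line {n}: {host}")
```

Treat a hit as a lead rather than a verdict: this is static configuration carried in the binary, and several entries are plain second-level domains, so confirm with the host-side artifacts listed under Signatures (the ShellServiceObjectDelayLoad value and the SysWOW64 drops).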
Signatures
The signature tables below come from behavioral1 (the Windows 7 x64 image). The sample runs as a 32-bit process on that image, which is why every registry path goes through Wow6432Node and every file drop lands in SysWOW64.

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Persistence is a ShellServiceObjectDelayLoad (SSODL) entry: the value "Web Event Logger" under the SSODL key names CLSID {79FEACFF-FFCE-815E-A900-316290B5B738}, and Explorer instantiates every CLSID listed there when it starts. Which DLL that CLSID resolves to is set in the "Modifies registry class" signature further down; the two tables together describe one mechanism.
In the rows below, SSODL stands for \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad (the report writes the hive name as Software or SOFTWARE depending on the row; registry paths are case-insensitive). Rows without a process name are listed by count.

description | ioc | Process
Key created | SSODL | Dkgippgb.exe, Cmbalfem.exe, Ocjophem.exe, Aidphq32.exe, Pgbdodnh.exe, Oijjka32.exe, Ipdojfgh.exe, Eheecbia.exe, Bkpeci32.exe, Kglcogeo.exe, Eamilh32.exe, Ddblgn32.exe, Pdlkiepd.exe, Bfpnmj32.exe, Ilofhffj.exe, Klehgh32.exe, Dpgcip32.exe, Fmegncpp.exe, Blmfea32.exe, Jeadap32.exe, Ilabmedg.exe, Fbdlkj32.exe, Oldpnn32.exe (35 rows: 23 with a process name, 12 without)
Set value (str) | SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efjlgmlf.exe, Mkddnf32.exe, Gnpflj32.exe, Phpjnnki.exe, Cfnmfn32.exe, Nplfdj32.exe, Cpnaca32.exe, Cmbalfem.exe, Lgkhdddo.exe, Lipecm32.exe, Amcbankf.exe, Akeijlfq.exe, Dpcjnabn.exe, Ecnmpa32.exe (29 rows: 14 with a process name, 15 without)
Berbew family

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.

Bruteratel family

Detect BruteRatel badger (6 IoCs)
The family_bruteratel rule matched six .dat files collected from the behavioral1 run, not the submitted executable itself. With the sample otherwise classified as Berbew, inspect those files before attributing any of this activity to Brute Ratel.

resource | yara_rule
behavioral1/files/0x0003000000021022-7512.dat | family_bruteratel
behavioral1/files/0x000300000002114c-8025.dat | family_bruteratel
behavioral1/files/0x0003000000021b45-12702.dat | family_bruteratel
behavioral1/files/0x000200000002309d-14487.dat | family_bruteratel
behavioral1/files/0x00020000000230a5-14505.dat | family_bruteratel
behavioral1/files/0x0003000000023a1d-17321.dat | family_bruteratel
Executes dropped EXE (64 IoCs)
pid Process (64 rows, in table order):
2816 Oalfhf32.exe, 3020 Odjbdb32.exe, 2588 Oghopm32.exe, 2368 Onbgmg32.exe, 696 Oqacic32.exe, 2916 Ohhkjp32.exe, 2088 Ogkkfmml.exe, 1680 Onecbg32.exe,
2976 Oqcpob32.exe, 2316 Ocalkn32.exe, 2340 Ogmhkmki.exe, 1160 Pkidlk32.exe, 1764 Pngphgbf.exe, 1580 Pqemdbaj.exe, 2548 Pfbelipa.exe, 2056 Pjnamh32.exe,
1148 Pokieo32.exe, 1532 Pfdabino.exe, 2160 Pmojocel.exe, 2364 Pcibkm32.exe, 1712 Pfgngh32.exe, 316 Piekcd32.exe, 1312 Pmagdbci.exe, 2272 Pckoam32.exe,
2132 Pdlkiepd.exe, 2184 Pkfceo32.exe, 2764 Qbplbi32.exe, 2312 Qflhbhgg.exe, 592 Qijdocfj.exe, 2636 Qngmgjeb.exe, 1920 Qeaedd32.exe, 1228 Qgoapp32.exe,
2968 Abeemhkh.exe, 468 Aaheie32.exe, 1960 Aecaidjl.exe, 2768 Anlfbi32.exe, 2920 Aajbne32.exe, 1676 Aeenochi.exe, 1420 Afgkfl32.exe, 2244 Annbhi32.exe,
1608 Apoooa32.exe, 1940 Agfgqo32.exe, 1284 Aigchgkh.exe, 868 Amcpie32.exe, 1808 Apalea32.exe, 1804 Afkdakjb.exe, 2672 Aijpnfif.exe, 2456 Amelne32.exe,
2812 Acpdko32.exe, 2748 Afnagk32.exe, 2892 Aeqabgoj.exe, 1492 Bmhideol.exe, 1480 Blkioa32.exe, 1968 Bbdallnd.exe, 3000 Bfpnmj32.exe, 2876 Biojif32.exe,
1156 Blmfea32.exe, 2176 Bnkbam32.exe, 1980 Biafnecn.exe, 2052 Bhdgjb32.exe, 2792 Bonoflae.exe, 1376 Balkchpi.exe, 1076 Bdkgocpm.exe, 1724 Blaopqpo.exe
Loads dropped DLL (64 IoCs)
pid Process (each process occupies two rows; the 64-row cap stops the list at Qeaedd32.exe):
2192 21bddef3427136aee8a5b9ff264136bc1ffaf5def4624a0f7ecd3cfff4a74594N.exe, 2816 Oalfhf32.exe, 3020 Odjbdb32.exe, 2588 Oghopm32.exe, 2368 Onbgmg32.exe, 696 Oqacic32.exe, 2916 Ohhkjp32.exe, 2088 Ogkkfmml.exe,
1680 Onecbg32.exe, 2976 Oqcpob32.exe, 2316 Ocalkn32.exe, 2340 Ogmhkmki.exe, 1160 Pkidlk32.exe, 1764 Pngphgbf.exe, 1580 Pqemdbaj.exe, 2548 Pfbelipa.exe,
2056 Pjnamh32.exe, 1148 Pokieo32.exe, 1532 Pfdabino.exe, 2160 Pmojocel.exe, 2364 Pcibkm32.exe, 1712 Pfgngh32.exe, 316 Piekcd32.exe, 1312 Pmagdbci.exe,
2272 Pckoam32.exe, 2132 Pdlkiepd.exe, 2184 Pkfceo32.exe, 2764 Qbplbi32.exe, 2312 Qflhbhgg.exe, 592 Qijdocfj.exe, 2636 Qngmgjeb.exe, 1920 Qeaedd32.exe
Drops file in System32 directory (64 IoCs)
All paths are under C:\Windows\SysWOW64. Rows without a process name are shown with an empty Process column.

description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Amnocpdk.exe | Aibcba32.exe
File opened for modification | C:\Windows\SysWOW64\Dhplhc32.exe | Dinklffl.exe
File created | C:\Windows\SysWOW64\Ailhedbj.dll | Imnbbi32.exe
File opened for modification | C:\Windows\SysWOW64\Ibmgpoia.exe | Ipokcdjn.exe
File created | C:\Windows\SysWOW64\Hbefdnjd.dll | Cpdgbm32.exe
File opened for modification | C:\Windows\SysWOW64\Hfhfhbce.exe |
File opened for modification | C:\Windows\SysWOW64\Aigchgkh.exe | Agfgqo32.exe
File created | C:\Windows\SysWOW64\Fdhlnhhc.exe | Fnndan32.exe
File created | C:\Windows\SysWOW64\Bjdgpmfa.dll | Jfhjbobc.exe
File opened for modification | C:\Windows\SysWOW64\Efdhpjok.exe | Ecfldoph.exe
File opened for modification | C:\Windows\SysWOW64\Gpcoib32.exe | Gaqomeke.exe
File created | C:\Windows\SysWOW64\Pboepn32.dll | Fdhlnhhc.exe
File created | C:\Windows\SysWOW64\Lpmfjcln.dll | Gacbmk32.exe
File created | C:\Windows\SysWOW64\Phploedo.dll | Kqdhhm32.exe
File opened for modification | C:\Windows\SysWOW64\Hmglajcd.exe | Hndlem32.exe
File created | C:\Windows\SysWOW64\Jpbbmeon.dll |
File opened for modification | C:\Windows\SysWOW64\Ofqmcj32.exe |
File opened for modification | C:\Windows\SysWOW64\Qqmfpqmc.dll |
File created | C:\Windows\SysWOW64\Adpiba32.dll |
File opened for modification | C:\Windows\SysWOW64\Cphndc32.exe | Clmbddgp.exe
File created | C:\Windows\SysWOW64\Egpbbn32.dll | Jlhhndno.exe
File created | C:\Windows\SysWOW64\Mbdpeq32.dll | Mfglep32.exe
File created | C:\Windows\SysWOW64\Kidhce32.dll | Boidnh32.exe
File created | C:\Windows\SysWOW64\Bjnalhgb.dll | Ciohqa32.exe
File created | C:\Windows\SysWOW64\Hofpgamj.dll |
File opened for modification | C:\Windows\SysWOW64\Hghillnd.exe |
File created | C:\Windows\SysWOW64\Kmimcbja.exe |
File opened for modification | C:\Windows\SysWOW64\Chqoipkk.exe | Cdecha32.exe
File opened for modification | C:\Windows\SysWOW64\Fbpbpkpj.exe | Fcmben32.exe
File created | C:\Windows\SysWOW64\Ghejcg32.dll |
File created | C:\Windows\SysWOW64\Kqkmghhf.dll |
File created | C:\Windows\SysWOW64\Modcdaml.dll | Fdbhge32.exe
File opened for modification | C:\Windows\SysWOW64\Cbiiog32.exe | Cpkmcldj.exe
File created | C:\Windows\SysWOW64\Bjmeiq32.exe |
File created | C:\Windows\SysWOW64\Imienpig.dll |
File opened for modification | C:\Windows\SysWOW64\Kbhbai32.exe |
File created | C:\Windows\SysWOW64\Jbbpnl32.dll | Onecbg32.exe
File created | C:\Windows\SysWOW64\Ipbocjlg.exe | Incbgnmc.exe
File opened for modification | C:\Windows\SysWOW64\Bfagpiam.exe | Bccjdnbi.exe
File created | C:\Windows\SysWOW64\Nmlgfnal.exe | Mjnjjbbh.exe
File created | C:\Windows\SysWOW64\Mifnodlj.dll |
File created | C:\Windows\SysWOW64\Ikldqile.exe |
File opened for modification | C:\Windows\SysWOW64\Agljom32.exe | Acqnnndl.exe
File created | C:\Windows\SysWOW64\Mkhngh32.dll |
File created | C:\Windows\SysWOW64\Abfnpg32.exe | Accnekon.exe
File opened for modification | C:\Windows\SysWOW64\Ljkaeo32.exe | Lfpeeqig.exe
File created | C:\Windows\SysWOW64\Adcdbl32.exe | Aqhhanig.exe
File opened for modification | C:\Windows\SysWOW64\Gmpcgace.exe | Gdhkfd32.exe
File created | C:\Windows\SysWOW64\Nhfpnk32.dll |
File created | C:\Windows\SysWOW64\Qnghel32.exe |
File created | C:\Windows\SysWOW64\Onbgmg32.exe | Oghopm32.exe
File created | C:\Windows\SysWOW64\Mqdkdffe.dll | Qobbofgn.exe
File created | C:\Windows\SysWOW64\Bbnlpnob.dll |
File opened for modification | C:\Windows\SysWOW64\Ekdchf32.exe |
File created | C:\Windows\SysWOW64\Canipj32.dll |
File created | C:\Windows\SysWOW64\Jnhlbn32.exe | Jeadap32.exe
File created | C:\Windows\SysWOW64\Jhdlad32.exe |
File created | C:\Windows\SysWOW64\Cpqmndme.dll |
File created | C:\Windows\SysWOW64\Adnpkjde.exe |
File created | C:\Windows\SysWOW64\Onepbd32.dll |
File created | C:\Windows\SysWOW64\Kablnadm.exe |
File created | C:\Windows\SysWOW64\Hgqabcec.dll | Hfedqagp.exe
File opened for modification | C:\Windows\SysWOW64\Iaelanmg.exe | Iogoec32.exe
File created | C:\Windows\SysWOW64\Dcccpl32.exe | Dohgomgf.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
5160 | 7020 | (not recorded) | 1974
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Reading this key is also routine for legitimate software, so the read on its own is low-signal; what matters here is that the processes performing it are the dropped executables from the chain above.

All 64 rows are the same operation: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language.
Process recorded in 37 rows: Fmjgcipg.exe, Kgpmjf32.exe, Daipqhdg.exe, Becpap32.exe, Khkpijma.exe, Ggfnopfg.exe, Behilopf.exe, Plaimk32.exe, Ohhkjp32.exe, Clooiddm.exe, Jjomgo32.exe, Fkmqdpce.exe, Elhnof32.exe, Bhdgjb32.exe, Ogekpg32.exe, Fhikme32.exe, Jaeafklf.exe, Jhafhe32.exe, Khcomhbi.exe, Lcomce32.exe, Hpkldg32.exe, Iipiljgf.exe, Gfmgelil.exe, Hibjbgbh.exe, Dicnkdnf.exe, Fgdnnl32.exe, Noemqe32.exe, Olpgconp.exe, Oioggmmc.exe, Opplolac.exe, Mndmoaog.exe, Mjjdacik.exe, Bbdallnd.exe, Jcjnfdbp.exe, Ejpdai32.exe, Fgcejm32.exe, Noljjglk.exe.
The remaining 27 rows carry no process name.
Modifies registry class (64 IoCs; the page's copy of this table breaks off after 61 complete rows)
Every row concerns the in-process server of the CLSID that the SSODL value "Web Event Logger" registers for delayed load by Explorer. Successive dropped executables re-point the same CLSID to a different DLL name under SysWow64 (18 distinct names in the visible rows), so the component Explorer loads changes name from generation to generation while the SSODL value itself stays constant.
In the rows below, CLSID32 stands for \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32. Rows without a process name are listed by count.

description | ioc | Process
Key created | CLSID32 | Gmpcgace.exe, Caidaeak.exe, Ohidmoaa.exe, Gdhkfd32.exe, Pfbelipa.exe, Kdpcikdi.exe, Jjjclobg.exe, Mfdopp32.exe, Noogpfjh.exe, Ckahkk32.exe, Klehgh32.exe, Aaheie32.exe, Anneqafn.exe, Khlili32.exe, Kllnhg32.exe (22 rows: 15 with a process name, 7 without; one further "Key created" row is cut off at the end of the page)
Set value (str) | CLSID32\ThreadingModel = "Apartment" | Pnjfae32.exe, Oklnff32.exe, Fkecij32.exe, Pljcllqe.exe, Cepfgdnj.exe, Cheido32.exe, Fkejcq32.exe, Amaelomh.exe, Kbokgpgg.exe, Ibmgpoia.exe, Elipgofb.exe, Hbleeb32.exe, Kgbipf32.exe, Nmfqgbmm.exe, Opnpimdf.exe (21 rows: 15 with a process name, 6 without)
Set value (str) | CLSID32\(default) = "C:\\Windows\\SysWow64\\<dll>" | 18 rows, one per DLL, in table order:
  Lmoogf32.dll | Najpll32.exe
  Fgcekola.dll | Kddmdk32.exe
  Ibejjo32.dll | Oonldcih.exe
  Ijmkqhaf.dll | Aqonbm32.exe
  Hcnfppba.dll |
  Blangfdh.dll |
  Bikppe32.dll | Jpfhoi32.exe
  Najopl32.dll |
  Cmpppdfa.dll |
  Hqenoohi.dll | Ocohkh32.exe
  Lpmdgf32.dll |
  Fdoahk32.dll | Dngabk32.exe
  Mpjdmlgk.dll | Kgbipf32.exe
  Fgokeion.dll |
  Olkjnqpo.dll | Cmlong32.exe
  Nfnidhlj.dll |
  Jnpojnle.dll |
  Nkoielgg.dll | Dhkiid32.exe
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffpfeq32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
description pid Process procid_target (columns as in the report; the sandbox logged every parent-to-child write four times)
PID 2192 wrote to memory of 2816 2192 21bddef3427136aee8a5b9ff264136bc1ffaf5def4624a0f7ecd3cfff4a74594N.exe 30 (4 identical records)
PID 2816 wrote to memory of 3020 2816 Oalfhf32.exe 31 (4 identical records)
PID 3020 wrote to memory of 2588 3020 Odjbdb32.exe 32 (4 identical records)
PID 2588 wrote to memory of 2368 2588 Oghopm32.exe 33 (4 identical records)
PID 2368 wrote to memory of 696 2368 Onbgmg32.exe 34 (4 identical records)
PID 696 wrote to memory of 2916 696 Oqacic32.exe 35 (4 identical records)
PID 2916 wrote to memory of 2088 2916 Ohhkjp32.exe 36 (4 identical records)
PID 2088 wrote to memory of 1680 2088 Ogkkfmml.exe 37 (4 identical records)
PID 1680 wrote to memory of 2976 1680 Onecbg32.exe 38 (4 identical records)
PID 2976 wrote to memory of 2316 2976 Oqcpob32.exe 39 (4 identical records)
PID 2316 wrote to memory of 2340 2316 Ocalkn32.exe 40 (4 identical records)
PID 2340 wrote to memory of 1160 2340 Ogmhkmki.exe 41 (4 identical records)
PID 1160 wrote to memory of 1764 1160 Pkidlk32.exe 42 (4 identical records)
PID 1764 wrote to memory of 1580 1764 Pngphgbf.exe 43 (4 identical records)
PID 1580 wrote to memory of 2548 1580 Pqemdbaj.exe 44 (4 identical records)
PID 2548 wrote to memory of 2056 2548 Pfbelipa.exe 45 (4 identical records)
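The two record types above are what a triage script has to pull out of a report like this one: the repeated writes under a single CLSID, {79FEACFF-FFCE-815E-A900-316290B5B738}, whose InProcServer32 default value is pointed at each freshly dropped DLL in C:\Windows\SysWow64 with ThreadingModel = "Apartment" (so that whatever instantiates that COM class loads the dropped DLL in-process), and the WriteProcessMemory chain in which every dropped executable spawns the next. The Python below is an added example, not part of the sandbox report or its tooling. It parses a handful of records copied from the sections above, extracts the CLSID, DLL names and writing processes, de-duplicates the four-fold WriteProcessMemory entries, and rebuilds the spawn order. Its regular expressions assume only the two record shapes visible on this page; the last column of the WriteProcessMemory records is carried through under the report's own name, procid_target, without interpreting it.

```python
import re
from collections import OrderedDict

# Records copied from the "Modifies registry class" section of the report
# above, one per line. The last one has no process column, exactly as on the
# page, so that column must be optional.
REGISTRY_LINES = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgcekola.dll" Kddmdk32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohidmoaa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibejjo32.dll" Oonldcih.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkecij32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blangfdh.dll"
"""

# A subset of the "Suspicious use of WriteProcessMemory" records, one per line.
# The sandbox logged the first parent->child write four times; the chain
# builder must count that as a single spawn.
WPM_LINES = """
PID 2192 wrote to memory of 2816 2192 21bddef3427136aee8a5b9ff264136bc1ffaf5def4624a0f7ecd3cfff4a74594N.exe 30
PID 2192 wrote to memory of 2816 2192 21bddef3427136aee8a5b9ff264136bc1ffaf5def4624a0f7ecd3cfff4a74594N.exe 30
PID 2192 wrote to memory of 2816 2192 21bddef3427136aee8a5b9ff264136bc1ffaf5def4624a0f7ecd3cfff4a74594N.exe 30
PID 2192 wrote to memory of 2816 2192 21bddef3427136aee8a5b9ff264136bc1ffaf5def4624a0f7ecd3cfff4a74594N.exe 30
PID 2816 wrote to memory of 3020 2816 Oalfhf32.exe 31
PID 3020 wrote to memory of 2588 3020 Odjbdb32.exe 32
PID 2588 wrote to memory of 2368 2588 Oghopm32.exe 33
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# 'InProcServer32\ = "..."' is the (Default) value; 'InProcServer32\ThreadingModel = "..."' is named.
SET_RE = re.compile(r'InProcServer32\\(?P<name>\w*) = "(?P<data>[^"]*)"')
PROC_RE = re.compile(r"\s(?P<proc>\S+\.exe)\s*$", re.IGNORECASE)
WPM_RE = re.compile(
    r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) (?P=parent) "
    r"(?P<image>\S+\.exe) (?P<target>\d+)"
)


def parse_registry(text):
    """Turn each registry record into a dict (op, clsid, value_name, data, process)."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        clsid, setm, procm = CLSID_RE.search(line), SET_RE.search(line), PROC_RE.search(line)
        # The report doubles the backslashes inside quoted data; undo that.
        data = setm.group("data").replace("\\\\", "\\") if setm else None
        records.append({
            "op": "set_value" if line.startswith("Set value") else "key_created",
            "clsid": clsid.group(0).upper() if clsid else None,
            "value_name": (setm.group("name") or "(Default)") if setm else None,
            "data": data,
            "process": procm.group("proc") if procm else None,
        })
    return records


def inprocserver_iocs(records):
    """Per CLSID: DLLs registered as its in-process server, the threading model,
    and the processes that wrote the key. Lists are sorted for stable output."""
    out = {}
    for r in records:
        if r["clsid"] is None:
            continue
        e = out.setdefault(r["clsid"], {"dlls": set(), "threading_model": set(), "writers": set()})
        if r["process"]:
            e["writers"].add(r["process"])
        if r["op"] == "set_value" and r["value_name"] == "(Default)":
            e["dlls"].add(r["data"].rsplit("\\", 1)[-1])
        elif r["op"] == "set_value" and r["value_name"] == "ThreadingModel":
            e["threading_model"].add(r["data"])
    return {c: {k: sorted(v) for k, v in e.items()} for c, e in out.items()}


def parse_wpm(text):
    """Parse 'PID <a> wrote to memory of <b> <a> <image> <procid_target>' records."""
    out = []
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            out.append({"parent": int(m["parent"]), "child": int(m["child"]),
                        "image": m["image"], "target": int(m["target"])})
    return out


def spawn_chain(records):
    """Rebuild the spawn order as [(pid, image_or_None), ...], starting at the
    process that is never written to (the root). Repeated records for the same
    parent/child pair count once. A PID's image is only known from records in
    which it is the writer, so the last PID of a truncated subset has None."""
    children, image = OrderedDict(), {}
    for r in records:
        kids = children.setdefault(r["parent"], [])
        if r["child"] not in kids:
            kids.append(r["child"])
        image[r["parent"]] = r["image"]
    written_to = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in written_to]
    chain, seen, pid = [], set(), (roots[0] if roots else None)
    while pid is not None and pid not in seen:      # 'seen' guards against cyclic records
        seen.add(pid)
        chain.append((pid, image.get(pid)))
        kids = children.get(pid, [])
        pid = kids[0] if kids else None              # this report shows a strictly linear chain
    return chain


if __name__ == "__main__":
    for clsid, e in inprocserver_iocs(parse_registry(REGISTRY_LINES)).items():
        print(clsid, e)
    for pid, img in spawn_chain(parse_wpm(WPM_LINES)):
        print(pid, img)
```

On a host suspected of running this sample, the corresponding check is `reg query "HKLM\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32"`: a default value naming a DLL under C:\Windows\SysWOW64 that is not a signed Microsoft file matches the behaviour recorded above, and the DLL names in this report change from run to run, so the CLSID and the key shape are the stable indicators, not the file names.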
Processes
Process tree. The bracketed number is the nesting depth: each process in this chain is spawned by the one above it (see the WriteProcessMemory records). The command lines name C:\Windows\system32, but the images resolve to C:\Windows\SysWOW64 because the 32-bit sample is subject to WoW64 file-system redirection on this x64 VM, just as its HKLM\SOFTWARE\Classes writes land under Wow6432Node.
[1] C:\Users\Admin\AppData\Local\Temp\21bddef3427136aee8a5b9ff264136bc1ffaf5def4624a0f7ecd3cfff4a74594N.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\21bddef3427136aee8a5b9ff264136bc1ffaf5def4624a0f7ecd3cfff4a74594N.exe")
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2192
[2] C:\Windows\SysWOW64\Oalfhf32.exe  (cmdline: C:\Windows\system32\Oalfhf32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816
[3] C:\Windows\SysWOW64\Odjbdb32.exe  (cmdline: C:\Windows\system32\Odjbdb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020
[4] C:\Windows\SysWOW64\Oghopm32.exe  (cmdline: C:\Windows\system32\Oghopm32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2588
[5] C:\Windows\SysWOW64\Onbgmg32.exe  (cmdline: C:\Windows\system32\Onbgmg32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2368
[6] C:\Windows\SysWOW64\Oqacic32.exe  (cmdline: C:\Windows\system32\Oqacic32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:696
[7] C:\Windows\SysWOW64\Ohhkjp32.exe  (cmdline: C:\Windows\system32\Ohhkjp32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2916
[8] C:\Windows\SysWOW64\Ogkkfmml.exe  (cmdline: C:\Windows\system32\Ogkkfmml.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088
[9] C:\Windows\SysWOW64\Onecbg32.exe  (cmdline: C:\Windows\system32\Onecbg32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1680
[10] C:\Windows\SysWOW64\Oqcpob32.exe  (cmdline: C:\Windows\system32\Oqcpob32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976
[11] C:\Windows\SysWOW64\Ocalkn32.exe  (cmdline: C:\Windows\system32\Ocalkn32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316
[12] C:\Windows\SysWOW64\Ogmhkmki.exe  (cmdline: C:\Windows\system32\Ogmhkmki.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340
[13] C:\Windows\SysWOW64\Pkidlk32.exe  (cmdline: C:\Windows\system32\Pkidlk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160
[14] C:\Windows\SysWOW64\Pngphgbf.exe  (cmdline: C:\Windows\system32\Pngphgbf.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1764
[15] C:\Windows\SysWOW64\Pqemdbaj.exe  (cmdline: C:\Windows\system32\Pqemdbaj.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1580
[16] C:\Windows\SysWOW64\Pfbelipa.exe  (cmdline: C:\Windows\system32\Pfbelipa.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2548
[17] C:\Windows\SysWOW64\Pjnamh32.exe  (cmdline: C:\Windows\system32\Pjnamh32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2056
[18] C:\Windows\SysWOW64\Pokieo32.exe  (cmdline: C:\Windows\system32\Pokieo32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1148
[19] C:\Windows\SysWOW64\Pfdabino.exe  (cmdline: C:\Windows\system32\Pfdabino.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1532
[20] C:\Windows\SysWOW64\Pmojocel.exe  (cmdline: C:\Windows\system32\Pmojocel.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2160
[21] C:\Windows\SysWOW64\Pcibkm32.exe  (cmdline: C:\Windows\system32\Pcibkm32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2364
[22] C:\Windows\SysWOW64\Pfgngh32.exe  (cmdline: C:\Windows\system32\Pfgngh32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1712
[23] C:\Windows\SysWOW64\Piekcd32.exe  (cmdline: C:\Windows\system32\Piekcd32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:316
[24] C:\Windows\SysWOW64\Pmagdbci.exe  (cmdline: C:\Windows\system32\Pmagdbci.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1312
[25] C:\Windows\SysWOW64\Pckoam32.exe  (cmdline: C:\Windows\system32\Pckoam32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2272
[26] C:\Windows\SysWOW64\Pdlkiepd.exe  (cmdline: C:\Windows\system32\Pdlkiepd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2132
[27] C:\Windows\SysWOW64\Pkfceo32.exe  (cmdline: C:\Windows\system32\Pkfceo32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2184
[28] C:\Windows\SysWOW64\Qbplbi32.exe  (cmdline: C:\Windows\system32\Qbplbi32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2764
[29] C:\Windows\SysWOW64\Qflhbhgg.exe  (cmdline: C:\Windows\system32\Qflhbhgg.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2312
[30] C:\Windows\SysWOW64\Qijdocfj.exe  (cmdline: C:\Windows\system32\Qijdocfj.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:592
[31] C:\Windows\SysWOW64\Qngmgjeb.exe  (cmdline: C:\Windows\system32\Qngmgjeb.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2636
[32] C:\Windows\SysWOW64\Qeaedd32.exe  (cmdline: C:\Windows\system32\Qeaedd32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1920
[33] C:\Windows\SysWOW64\Qgoapp32.exe  (cmdline: C:\Windows\system32\Qgoapp32.exe)
- Executes dropped EXE
PID:1228
[34] C:\Windows\SysWOW64\Abeemhkh.exe  (cmdline: C:\Windows\system32\Abeemhkh.exe)
- Executes dropped EXE
PID:2968
[35] C:\Windows\SysWOW64\Aaheie32.exe  (cmdline: C:\Windows\system32\Aaheie32.exe)
- Executes dropped EXE
- Modifies registry class
PID:468
[36] C:\Windows\SysWOW64\Aecaidjl.exe  (cmdline: C:\Windows\system32\Aecaidjl.exe)
- Executes dropped EXE
PID:1960
[37] C:\Windows\SysWOW64\Anlfbi32.exe  (cmdline: C:\Windows\system32\Anlfbi32.exe)
- Executes dropped EXE
PID:2768
[38] C:\Windows\SysWOW64\Aajbne32.exe  (cmdline: C:\Windows\system32\Aajbne32.exe)
- Executes dropped EXE
PID:2920
[39] C:\Windows\SysWOW64\Aeenochi.exe  (cmdline: C:\Windows\system32\Aeenochi.exe)
- Executes dropped EXE
PID:1676
[40] C:\Windows\SysWOW64\Afgkfl32.exe  (cmdline: C:\Windows\system32\Afgkfl32.exe)
- Executes dropped EXE
PID:1420
[41] C:\Windows\SysWOW64\Annbhi32.exe  (cmdline: C:\Windows\system32\Annbhi32.exe)
- Executes dropped EXE
PID:2244
[42] C:\Windows\SysWOW64\Apoooa32.exe  (cmdline: C:\Windows\system32\Apoooa32.exe)
- Executes dropped EXE
PID:1608
[43] C:\Windows\SysWOW64\Agfgqo32.exe  (cmdline: C:\Windows\system32\Agfgqo32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1940
[44] C:\Windows\SysWOW64\Aigchgkh.exe  (cmdline: C:\Windows\system32\Aigchgkh.exe)
- Executes dropped EXE
PID:1284
[45] C:\Windows\SysWOW64\Amcpie32.exe  (cmdline: C:\Windows\system32\Amcpie32.exe)
- Executes dropped EXE
PID:868
[46] C:\Windows\SysWOW64\Apalea32.exe  (cmdline: C:\Windows\system32\Apalea32.exe)
- Executes dropped EXE
PID:1808
[47] C:\Windows\SysWOW64\Afkdakjb.exe  (cmdline: C:\Windows\system32\Afkdakjb.exe)
- Executes dropped EXE
PID:1804
[48] C:\Windows\SysWOW64\Aijpnfif.exe  (cmdline: C:\Windows\system32\Aijpnfif.exe)
- Executes dropped EXE
PID:2672
[49] C:\Windows\SysWOW64\Amelne32.exe  (cmdline: C:\Windows\system32\Amelne32.exe)
- Executes dropped EXE
PID:2456
[50] C:\Windows\SysWOW64\Acpdko32.exe  (cmdline: C:\Windows\system32\Acpdko32.exe)
- Executes dropped EXE
PID:2812
[51] C:\Windows\SysWOW64\Afnagk32.exe  (cmdline: C:\Windows\system32\Afnagk32.exe)
- Executes dropped EXE
PID:2748
[52] C:\Windows\SysWOW64\Aeqabgoj.exe  (cmdline: C:\Windows\system32\Aeqabgoj.exe)
- Executes dropped EXE
PID:2892
[53] C:\Windows\SysWOW64\Bmhideol.exe  (cmdline: C:\Windows\system32\Bmhideol.exe)
- Executes dropped EXE
PID:1492
[54] C:\Windows\SysWOW64\Blkioa32.exe  (cmdline: C:\Windows\system32\Blkioa32.exe)
- Executes dropped EXE
PID:1480
[55] C:\Windows\SysWOW64\Bbdallnd.exe  (cmdline: C:\Windows\system32\Bbdallnd.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1968
[56] C:\Windows\SysWOW64\Bfpnmj32.exe  (cmdline: C:\Windows\system32\Bfpnmj32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3000
[57] C:\Windows\SysWOW64\Biojif32.exe  (cmdline: C:\Windows\system32\Biojif32.exe)
- Executes dropped EXE
PID:2876
[58] C:\Windows\SysWOW64\Blmfea32.exe  (cmdline: C:\Windows\system32\Blmfea32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1156
[59] C:\Windows\SysWOW64\Bnkbam32.exe  (cmdline: C:\Windows\system32\Bnkbam32.exe)
- Executes dropped EXE
PID:2176
[60] C:\Windows\SysWOW64\Biafnecn.exe  (cmdline: C:\Windows\system32\Biafnecn.exe)
- Executes dropped EXE
PID:1980
[61] C:\Windows\SysWOW64\Bhdgjb32.exe  (cmdline: C:\Windows\system32\Bhdgjb32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2052
[62] C:\Windows\SysWOW64\Bonoflae.exe  (cmdline: C:\Windows\system32\Bonoflae.exe)
- Executes dropped EXE
PID:2792
[63] C:\Windows\SysWOW64\Balkchpi.exe  (cmdline: C:\Windows\system32\Balkchpi.exe)
- Executes dropped EXE
PID:1376
[64] C:\Windows\SysWOW64\Bdkgocpm.exe  (cmdline: C:\Windows\system32\Bdkgocpm.exe)
- Executes dropped EXE
PID:1076
[65] C:\Windows\SysWOW64\Blaopqpo.exe  (cmdline: C:\Windows\system32\Blaopqpo.exe)
- Executes dropped EXE
PID:1724
[66] C:\Windows\SysWOW64\Boplllob.exe  (cmdline: C:\Windows\system32\Boplllob.exe)
PID:1784
[67] C:\Windows\SysWOW64\Bejdiffp.exe  (cmdline: C:\Windows\system32\Bejdiffp.exe)
PID:996
[68] C:\Windows\SysWOW64\Bhhpeafc.exe  (cmdline: C:\Windows\system32\Bhhpeafc.exe)
PID:1588
[69] C:\Windows\SysWOW64\Bkglameg.exe  (cmdline: C:\Windows\system32\Bkglameg.exe)
PID:2788
[70] C:\Windows\SysWOW64\Bmeimhdj.exe  (cmdline: C:\Windows\system32\Bmeimhdj.exe)
PID:804
[71] C:\Windows\SysWOW64\Baadng32.exe  (cmdline: C:\Windows\system32\Baadng32.exe)
PID:2604
[72] C:\Windows\SysWOW64\Cdoajb32.exe  (cmdline: C:\Windows\system32\Cdoajb32.exe)
PID:792
[73] C:\Windows\SysWOW64\Cfnmfn32.exe  (cmdline: C:\Windows\system32\Cfnmfn32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2568
[74] C:\Windows\SysWOW64\Ckiigmcd.exe  (cmdline: C:\Windows\system32\Ckiigmcd.exe)
PID:2360
[75] C:\Windows\SysWOW64\Cdanpb32.exe  (cmdline: C:\Windows\system32\Cdanpb32.exe)
PID:2868
[76] C:\Windows\SysWOW64\Cbdnko32.exe  (cmdline: C:\Windows\system32\Cbdnko32.exe)
PID:2936
[77] C:\Windows\SysWOW64\Cinfhigl.exe  (cmdline: C:\Windows\system32\Cinfhigl.exe)
PID:1628
[78] C:\Windows\SysWOW64\Cinfhigl.exe  (cmdline: C:\Windows\system32\Cinfhigl.exe)
PID:1508
[79] C:\Windows\SysWOW64\Clmbddgp.exe  (cmdline: C:\Windows\system32\Clmbddgp.exe)
- Drops file in System32 directory
PID:1080
[80] C:\Windows\SysWOW64\Cphndc32.exe  (cmdline: C:\Windows\system32\Cphndc32.exe)
PID:444
[81] C:\Windows\SysWOW64\Cbgjqo32.exe  (cmdline: C:\Windows\system32\Cbgjqo32.exe)
PID:1328
[82] C:\Windows\SysWOW64\Cgbfamff.exe  (cmdline: C:\Windows\system32\Cgbfamff.exe)
PID:1524
[83] C:\Windows\SysWOW64\Cmlong32.exe  (cmdline: C:\Windows\system32\Cmlong32.exe)
- Modifies registry class
PID:2012
[84] C:\Windows\SysWOW64\Cmlong32.exe  (cmdline: C:\Windows\system32\Cmlong32.exe)
PID:1732
[85] C:\Windows\SysWOW64\Clooiddm.exe  (cmdline: C:\Windows\system32\Clooiddm.exe)
- System Location Discovery: System Language Discovery
PID:2740
[86] C:\Windows\SysWOW64\Conkepdq.exe  (cmdline: C:\Windows\system32\Conkepdq.exe)
PID:2708
[87] C:\Windows\SysWOW64\Cgdcgm32.exe  (cmdline: C:\Windows\system32\Cgdcgm32.exe)
PID:2752
[88] C:\Windows\SysWOW64\Cegcbjkn.exe  (cmdline: C:\Windows\system32\Cegcbjkn.exe)
PID:2640
[89] C:\Windows\SysWOW64\Clalod32.exe  (cmdline: C:\Windows\system32\Clalod32.exe)
PID:1672
[90] C:\Windows\SysWOW64\Cpmhpbkc.exe  (cmdline: C:\Windows\system32\Cpmhpbkc.exe)
PID:2140
[91] C:\Windows\SysWOW64\Cckdlnjg.exe  (cmdline: C:\Windows\system32\Cckdlnjg.exe)
PID:1424
[92] C:\Windows\SysWOW64\Cielhh32.exe  (cmdline: C:\Windows\system32\Cielhh32.exe)
PID:1064
[93] C:\Windows\SysWOW64\Chhldeho.exe  (cmdline: C:\Windows\system32\Chhldeho.exe)
PID:2252
[94] C:\Windows\SysWOW64\Dkgippgb.exe  (cmdline: C:\Windows\system32\Dkgippgb.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:308
[95] C:\Windows\SysWOW64\Dobdqo32.exe  (cmdline: C:\Windows\system32\Dobdqo32.exe)
PID:2552
[96] C:\Windows\SysWOW64\Dcnqanhd.exe  (cmdline: C:\Windows\system32\Dcnqanhd.exe)
PID:288
[97] C:\Windows\SysWOW64\Ddomif32.exe  (cmdline: C:\Windows\system32\Ddomif32.exe)
PID:1716
[98] C:\Windows\SysWOW64\Dhkiid32.exe  (cmdline: C:\Windows\system32\Dhkiid32.exe)
- Modifies registry class
PID:2460
[99] C:\Windows\SysWOW64\Dkiefp32.exe  (cmdline: C:\Windows\system32\Dkiefp32.exe)
PID:1556
[100] C:\Windows\SysWOW64\Dngabk32.exe  (cmdline: C:\Windows\system32\Dngabk32.exe)
- Modifies registry class
PID:1260
[101] C:\Windows\SysWOW64\Deojci32.exe  (cmdline: C:\Windows\system32\Deojci32.exe)
PID:536
[102] C:\Windows\SysWOW64\Ddajoelp.exe  (cmdline: C:\Windows\system32\Ddajoelp.exe)
PID:3064
[103] C:\Windows\SysWOW64\Dgpfkakd.exe  (cmdline: C:\Windows\system32\Dgpfkakd.exe)
PID:372
[104] C:\Windows\SysWOW64\Dognlnlf.exe  (cmdline: C:\Windows\system32\Dognlnlf.exe)
PID:3040
[105] C:\Windows\SysWOW64\Daejhjkj.exe  (cmdline: C:\Windows\system32\Daejhjkj.exe)
PID:2572
[106] C:\Windows\SysWOW64\Dphjcf32.exe  (cmdline: C:\Windows\system32\Dphjcf32.exe)
PID:2984
[107] C:\Windows\SysWOW64\Dgbcpq32.exe  (cmdline: C:\Windows\system32\Dgbcpq32.exe)
PID:1288
[108] C:\Windows\SysWOW64\Dknoaoaj.exe  (cmdline: C:\Windows\system32\Dknoaoaj.exe)
PID:2212
[109] C:\Windows\SysWOW64\Dahgni32.exe  (cmdline: C:\Windows\system32\Dahgni32.exe)
PID:1912
[110] C:\Windows\SysWOW64\Ddfcje32.exe  (cmdline: C:\Windows\system32\Ddfcje32.exe)
PID:944
[111] C:\Windows\SysWOW64\Dciceaoe.exe  (cmdline: C:\Windows\system32\Dciceaoe.exe)
PID:2612
[112] C:\Windows\SysWOW64\Dkpkfooh.exe  (cmdline: C:\Windows\system32\Dkpkfooh.exe)
PID:2724
[113] C:\Windows\SysWOW64\Dnnhbjnk.exe  (cmdline: C:\Windows\system32\Dnnhbjnk.exe)
PID:380
[114] C:\Windows\SysWOW64\Ddhpod32.exe  (cmdline: C:\Windows\system32\Ddhpod32.exe)
PID:1048
[115] C:\Windows\SysWOW64\Egglkp32.exe  (cmdline: C:\Windows\system32\Egglkp32.exe)
PID:2956
[116] C:\Windows\SysWOW64\Efjlgmlf.exe  (cmdline: C:\Windows\system32\Efjlgmlf.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3032
[117] C:\Windows\SysWOW64\Enqdhj32.exe  (cmdline: C:\Windows\system32\Enqdhj32.exe)
PID:2960
[118] C:\Windows\SysWOW64\Elcdcgcc.exe  (cmdline: C:\Windows\system32\Elcdcgcc.exe)
PID:2032
[119] C:\Windows\SysWOW64\Epoqde32.exe  (cmdline: C:\Windows\system32\Epoqde32.exe)
PID:1536
[120] C:\Windows\SysWOW64\Ecnmpa32.exe  (cmdline: C:\Windows\system32\Ecnmpa32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1392
[121] C:\Windows\SysWOW64\Eflill32.exe  (cmdline: C:\Windows\system32\Eflill32.exe)
PID:2236
[122] C:\Windows\SysWOW64\Ehjehh32.exe  (cmdline: C:\Windows\system32\Ehjehh32.exe)
PID:2644