Analysis
-
max time kernel
112s -
max time network
93s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
29-11-2024 06:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0a24265e206e0297366b28887b56d3c4d5f32134150639e5ee925264600702f0N.exe
Resource
win7-20241023-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
0a24265e206e0297366b28887b56d3c4d5f32134150639e5ee925264600702f0N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
11 signatures
120 seconds
General
-
Target
0a24265e206e0297366b28887b56d3c4d5f32134150639e5ee925264600702f0N.exe
-
Size
96KB
-
MD5
70512cd4c164f88074f5d8cc391674f0
-
SHA1
ced6b47e656a0a3a301d523724777e36eb84cc7b
-
SHA256
0a24265e206e0297366b28887b56d3c4d5f32134150639e5ee925264600702f0
-
SHA512
86d97c3549a4e4a1786d5f8c10fc80939a8ef52df7d1c9f4361f66d19ee9315748783e231500b1551c6b7edbf888d43c282f3a11a2c72e76ea14ebb603fe4148
-
SSDEEP
1536:8jf+I1B2/Ry2AKf14MAJegmDEE5e2LGg7RZObZUUWaegPYAy:2R1BVw1PAJegmVfClUUWaev
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Fpejlmcf.exeOmcjep32.exeOljaccjf.exeLhmmjbkf.exeLlflea32.exeAdcjop32.exeCpmapodj.exeIklgah32.exeKkmioc32.exeIloidijb.exeNhokljge.exePcmlfl32.exeQohpkf32.exeKjhcjq32.exeMonjjgkb.exeBahdob32.exeCaageq32.exeCjgpfk32.exeNabfjpak.exeFipkjb32.exeEkaapi32.exeLajagj32.exeDlieda32.exeMqfpckhm.exeFibojhim.exeGkgeoklj.exeMjjkaabc.exeMgnlkfal.exeDdgibkpc.exeMhoipb32.exeKjepjkhf.exeHblkjo32.exePffgom32.exeCglbhhga.exeAgbkmijg.exeJnfcia32.exeAamknj32.exeLgdidgjg.exeOdmbaj32.exeDdligq32.exeKjlopc32.exeEjbbmnnb.exeJgnqgqan.exeQcclld32.exeBlnoga32.exeJldbpl32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpejlmcf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omcjep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oljaccjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhmmjbkf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llflea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adcjop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpmapodj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iklgah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkmioc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iloidijb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhokljge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcmlfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qohpkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhcjq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monjjgkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bahdob32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caageq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjgpfk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nabfjpak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fipkjb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekaapi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lajagj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlieda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqfpckhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fibojhim.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkgeoklj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjjkaabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgnlkfal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddgibkpc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhoipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjepjkhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hblkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pffgom32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cglbhhga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agbkmijg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnfcia32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fipkjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aamknj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgdidgjg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odmbaj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddligq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjlopc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejbbmnnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgnqgqan.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcclld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blnoga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jldbpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 2 IoCs
Processes:
resource yara_rule behavioral2/files/0x0007000000023e09-1630.dat family_bruteratel behavioral2/files/0x0007000000023f5d-2783.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Olckbd32.exeOpogbbig.exeOghppm32.exeOlehhc32.exeOocddono.exeOgklelna.exeOhlimd32.exeOofaiokl.exeOepifi32.exeOljaccjf.exeOohnonij.exeOgpepl32.exeOhqbhdpj.exeOokjdn32.exeOcffempp.exePjpobg32.exePcicklnn.exePjbkgfej.exePoodpmca.exePjehmfch.exePlcdiabk.exePcmlfl32.exePflibgil.exePleaoa32.exePcpikkge.exePjjahe32.exePhlacbfm.exePlhnda32.exeQcbfakec.exeQfpbmfdf.exeQljjjqlc.exeQqffjo32.exeQfbobf32.exeQqhcpo32.exeAgbkmijg.exeAmodep32.exeAgdhbi32.exeAckigjmh.exeAggegh32.exeAihaoqlp.exeAflaie32.exeAqaffn32.exeAglnbhal.exeAimkjp32.exeBcbohigp.exeBmkcqn32.exeBoipmj32.exeBgpgng32.exeBjodjb32.exeBqilgmdg.exeBgbdcgld.exeBpnihiio.exeBgeaifia.exeBjcmebie.exeBmbiamhi.exeBppfmigl.exeBclang32.exeBggnof32.exeBjfjka32.exeCmdfgm32.exeCpbbch32.exeCflkpblf.exeCmfclm32.exeCpeohh32.exepid Process 2612 Olckbd32.exe 4284 Opogbbig.exe 2972 Oghppm32.exe 4740 Olehhc32.exe 4892 Oocddono.exe 4876 Ogklelna.exe 4352 Ohlimd32.exe 4732 Oofaiokl.exe 1976 Oepifi32.exe 3032 Oljaccjf.exe 1896 Oohnonij.exe 2720 Ogpepl32.exe 4488 Ohqbhdpj.exe 4812 Ookjdn32.exe 3952 Ocffempp.exe 4012 Pjpobg32.exe 1236 Pcicklnn.exe 468 Pjbkgfej.exe 1996 Poodpmca.exe 4844 Pjehmfch.exe 3296 Plcdiabk.exe 3324 Pcmlfl32.exe 3148 Pflibgil.exe 4164 Pleaoa32.exe 440 Pcpikkge.exe 4824 Pjjahe32.exe 5028 Phlacbfm.exe 1420 Plhnda32.exe 4236 Qcbfakec.exe 1524 Qfpbmfdf.exe 4952 Qljjjqlc.exe 1056 Qqffjo32.exe 5088 Qfbobf32.exe 1516 Qqhcpo32.exe 4076 Agbkmijg.exe 4912 Amodep32.exe 1176 Agdhbi32.exe 4344 Ackigjmh.exe 4980 Aggegh32.exe 60 Aihaoqlp.exe 3248 Aflaie32.exe 2860 Aqaffn32.exe 1308 Aglnbhal.exe 3216 Aimkjp32.exe 2712 Bcbohigp.exe 1960 Bmkcqn32.exe 2196 Boipmj32.exe 540 Bgpgng32.exe 3024 Bjodjb32.exe 2552 Bqilgmdg.exe 1872 Bgbdcgld.exe 2732 Bpnihiio.exe 1932 Bgeaifia.exe 4692 Bjcmebie.exe 1540 Bmbiamhi.exe 1912 Bppfmigl.exe 2400 Bclang32.exe 3288 Bggnof32.exe 2420 Bjfjka32.exe 2256 Cmdfgm32.exe 1388 Cpbbch32.exe 1864 Cflkpblf.exe 2868 Cmfclm32.exe 2708 Cpeohh32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Ilcldb32.exeAknbkjfh.exeBgbdcgld.exeCfipef32.exeGmfplibd.exeHhknpmma.exeCkpbnb32.exeMfchlbfd.exeOdmbaj32.exeFipbdikp.exePedlgbkh.exeKjlopc32.exePmpolgoi.exeJdmgfedl.exeMkohaj32.exeMfeeabda.exeHaaaaeim.exeLlflea32.exeIjcjmmil.exeBnfihkqm.exeKfnfjehl.exeLomqcjie.exeLbinam32.exeCbeapmll.exeLkeekk32.exeHhimhobl.exeEdjgfcec.exeLgcjdd32.exeMnlnbl32.exeAhqddk32.exeQemhbj32.exeJiiicf32.exeKgninn32.exeNmdgikhi.exeBakgoh32.exeQkjgegae.exeDjcoai32.exeJikoopij.exeOmegjomb.exeCaojpaij.exeDdgibkpc.exeGicgpelg.exeJoekag32.exeHkeaqi32.exeJjopcb32.exeDckdjomg.exePefabkej.exeJeocna32.exeAggegh32.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Joahqn32.exe Ilcldb32.exe File created C:\Windows\SysWOW64\Aagkhd32.exe Aknbkjfh.exe File created C:\Windows\SysWOW64\Mkgmoncl.exe File opened for modification C:\Windows\SysWOW64\Bpnihiio.exe Bgbdcgld.exe File created C:\Windows\SysWOW64\Chglab32.exe Cfipef32.exe File created C:\Windows\SysWOW64\Glipgf32.exe Gmfplibd.exe File created C:\Windows\SysWOW64\Jicchk32.dll File created C:\Windows\SysWOW64\Clhgbgki.dll File created C:\Windows\SysWOW64\Nmjfodne.exe File opened for modification C:\Windows\SysWOW64\Pcgdhkem.exe File created C:\Windows\SysWOW64\Hkjjlhle.exe Hhknpmma.exe File created C:\Windows\SysWOW64\Mgdkaadn.dll Ckpbnb32.exe File created C:\Windows\SysWOW64\Gabfbmnl.dll Mfchlbfd.exe File opened for modification C:\Windows\SysWOW64\Oldjcg32.exe Odmbaj32.exe File created C:\Windows\SysWOW64\Ipgiebei.dll Fipbdikp.exe File created C:\Windows\SysWOW64\Hnoigi32.dll Pedlgbkh.exe File created C:\Windows\SysWOW64\Lljklo32.exe Kjlopc32.exe File created C:\Windows\SysWOW64\Lmnbjama.dll Pmpolgoi.exe File opened for modification C:\Windows\SysWOW64\Jgkdbacp.exe Jdmgfedl.exe File created C:\Windows\SysWOW64\Mnmdme32.exe Mkohaj32.exe File created C:\Windows\SysWOW64\Leilnmkp.dll Mfeeabda.exe File created C:\Windows\SysWOW64\Hpceplkl.dll Haaaaeim.exe File opened for modification C:\Windows\SysWOW64\Lndham32.exe Llflea32.exe File created C:\Windows\SysWOW64\Hhcmlj32.dll Ijcjmmil.exe File created C:\Windows\SysWOW64\Bdpaeehj.exe Bnfihkqm.exe File created C:\Windows\SysWOW64\Knenkbio.exe Kfnfjehl.exe File created C:\Windows\SysWOW64\Lgdidgjg.exe Lomqcjie.exe File created C:\Windows\SysWOW64\Jgamgpme.dll Lbinam32.exe File opened for modification C:\Windows\SysWOW64\Cjliajmo.exe Cbeapmll.exe File created C:\Windows\SysWOW64\Lmgabcge.exe Lkeekk32.exe File opened for modification C:\Windows\SysWOW64\Hppeim32.exe Hhimhobl.exe File opened for modification C:\Windows\SysWOW64\Kidben32.exe File opened for modification C:\Windows\SysWOW64\Efhcbodf.exe Edjgfcec.exe File created C:\Windows\SysWOW64\Pnkibcle.dll File created C:\Windows\SysWOW64\Gpejnp32.dll File created C:\Windows\SysWOW64\Lkofdbkj.exe Lgcjdd32.exe File created C:\Windows\SysWOW64\Miaboe32.exe Mnlnbl32.exe File opened for modification C:\Windows\SysWOW64\Akoqpg32.exe Ahqddk32.exe File created C:\Windows\SysWOW64\Ockkandf.dll Qemhbj32.exe File created C:\Windows\SysWOW64\Jlgepanl.exe Jiiicf32.exe File created C:\Windows\SysWOW64\Mdafpj32.dll Kgninn32.exe File created C:\Windows\SysWOW64\Gfkcaoef.dll Nmdgikhi.exe File opened for modification C:\Windows\SysWOW64\Bjhkmbho.exe File created C:\Windows\SysWOW64\Bdickcpo.exe Bakgoh32.exe File created C:\Windows\SysWOW64\Pencqe32.dll File created C:\Windows\SysWOW64\Djpphb32.dll Qkjgegae.exe File created C:\Windows\SysWOW64\Dmalne32.exe Djcoai32.exe File opened for modification C:\Windows\SysWOW64\Jpegkj32.exe Jikoopij.exe File opened for modification C:\Windows\SysWOW64\Cmgqpkip.exe File created C:\Windows\SysWOW64\Kefbdjgm.exe File created C:\Windows\SysWOW64\Begndj32.dll File created C:\Windows\SysWOW64\Oelolmnd.exe Omegjomb.exe File created C:\Windows\SysWOW64\Cdmfllhn.exe Caojpaij.exe File opened for modification C:\Windows\SysWOW64\Dgeenfog.exe Ddgibkpc.exe File created C:\Windows\SysWOW64\Gedhfp32.dll Gicgpelg.exe File created C:\Windows\SysWOW64\Mnknop32.dll Joekag32.exe File created C:\Windows\SysWOW64\Ildolk32.dll File created C:\Windows\SysWOW64\Hjpcoo32.dll Hkeaqi32.exe File created C:\Windows\SysWOW64\Ejlacgdj.dll Jjopcb32.exe File created C:\Windows\SysWOW64\Binnimfj.dll Dckdjomg.exe File opened for modification C:\Windows\SysWOW64\Phdnngdn.exe Pefabkej.exe File created C:\Windows\SysWOW64\Jikoopij.exe Jeocna32.exe File opened for modification C:\Windows\SysWOW64\Dinael32.exe File created C:\Windows\SysWOW64\Enfdlg32.dll Aggegh32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Bpdnjple.exeEjbbmnnb.exeCfnqklgh.exeAhpmjejp.exeKcbfcigf.exeMqimikfj.exeDnmaea32.exeNeafjdkn.exeOaompd32.exeCcgjopal.exeIcdheded.exeBkaobnio.exeNlnkmnah.exeLmmolepp.exeLenicahg.exe0a24265e206e0297366b28887b56d3c4d5f32134150639e5ee925264600702f0N.exeOcffempp.exeBggnof32.exeJdedak32.exeMhilfa32.exeAlcfei32.exeDlkbjqgm.exeAqaffn32.exeJnmijq32.exeOeaoab32.exeAajohjon.exeLmaamn32.exeEpokedmj.exeEnkmfolf.exeOohnonij.exeHjjnae32.exeCiafbg32.exeIciaqc32.exeAekddhcb.exeLegjmh32.exeKilpmh32.exePalbgl32.exeIojbpo32.exeMqafhl32.exeOffnhpfo.exeJgmjmjnb.exeJlolpq32.exeMnjqmpgg.exeLihpif32.exeOemefcap.exeAkffafgg.exeCodhnb32.exeChglab32.exeJdfjld32.exeEmjgim32.exeOhlqcagj.exeBddcenpi.exeEfffmo32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpdnjple.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejbbmnnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnqklgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpmjejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcbfcigf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqimikfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmaea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neafjdkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaompd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccgjopal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdheded.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkaobnio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnkmnah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmolepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenicahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0a24265e206e0297366b28887b56d3c4d5f32134150639e5ee925264600702f0N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocffempp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggnof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdedak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhilfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alcfei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlkbjqgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqaffn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnmijq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeaoab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajohjon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmaamn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epokedmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkmfolf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oohnonij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjjnae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciafbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iciaqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aekddhcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Legjmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilpmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palbgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojbpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqafhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Offnhpfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmjmjnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlolpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjqmpgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lihpif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemefcap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akffafgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Codhnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chglab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdfjld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjgim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohlqcagj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddcenpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efffmo32.exe -
Modifies registry class 64 IoCs
Processes:
Qjfmkk32.exeGndick32.exeDpqodfij.exeCfnqklgh.exeHpiecd32.exeEmpoiimf.exeLkeekk32.exeBkaobnio.exeJlolpq32.exePjehmfch.exeEpjajeqo.exeGgnedlao.exeHnibokbd.exeHalhfe32.exeCmdfgm32.exeGlldgljg.exeDqpfmlce.exeNoeahkfc.exeOidhlb32.exeKgflcifg.exeKnenkbio.exeHkbdki32.exeNeclenfo.exeIlnbicff.exeNadleilm.exeAkpoaj32.exeFhflnpoi.exeKqdaadln.exeGbiockdj.exeMlkepaam.exeMjkblhfo.exeNhmofj32.exeGlipgf32.exeDnpdegjp.exeGpgind32.exeJcdjbk32.exeLgcjdd32.exeCleegp32.exePkogiikb.exeJgkmgk32.exeOabhfg32.exePahpfc32.exeKgninn32.exeNcofplba.exeGlbjggof.exeKnnhjcog.exeEqgmmk32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjfmkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gndick32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpqodfij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfjipgp.dll" Cfnqklgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpiecd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Empoiimf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkeekk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkaobnio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlolpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfenigce.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnakbdid.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhmeii32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjehmfch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epjajeqo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggnedlao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpihhpj.dll" Hnibokbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmmcjnkq.dll" Halhfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmdfgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qabjcina.dll" Glldgljg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqpfmlce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmlqhcc.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jebqacjl.dll" Noeahkfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oidhlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkbjmj32.dll" Kgflcifg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knenkbio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkbdki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neclenfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didmdo32.dll" Ilnbicff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dannpknl.dll" Nadleilm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdebopdl.dll" Akpoaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhflnpoi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqdaadln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbiockdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlmcm32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cobhcgin.dll" Mlkepaam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjkblhfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhmofj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndoell32.dll" Glipgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghcfpl32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnpdegjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpgind32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcdjbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgcjdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Noeahkfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cleegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdliee32.dll" Pkogiikb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aafkfgeh.dll" Jgkmgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oabhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfchag32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pahpfc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgninn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncofplba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glbjggof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knnhjcog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqgmmk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
0a24265e206e0297366b28887b56d3c4d5f32134150639e5ee925264600702f0N.exeOlckbd32.exeOpogbbig.exeOghppm32.exeOlehhc32.exeOocddono.exeOgklelna.exeOhlimd32.exeOofaiokl.exeOepifi32.exeOljaccjf.exeOohnonij.exeOgpepl32.exeOhqbhdpj.exeOokjdn32.exeOcffempp.exePjpobg32.exePcicklnn.exePjbkgfej.exePoodpmca.exePjehmfch.exePlcdiabk.exedescription pid Process procid_target PID 1792 wrote to memory of 2612 1792 0a24265e206e0297366b28887b56d3c4d5f32134150639e5ee925264600702f0N.exe 83 PID 1792 wrote to memory of 2612 1792 0a24265e206e0297366b28887b56d3c4d5f32134150639e5ee925264600702f0N.exe 83 PID 1792 wrote to memory of 2612 1792 0a24265e206e0297366b28887b56d3c4d5f32134150639e5ee925264600702f0N.exe 83 PID 2612 wrote to memory of 4284 2612 Olckbd32.exe 84 PID 2612 wrote to memory of 4284 2612 Olckbd32.exe 84 PID 2612 wrote to memory of 4284 2612 Olckbd32.exe 84 PID 4284 wrote to memory of 2972 4284 Opogbbig.exe 85 PID 4284 wrote to memory of 2972 4284 Opogbbig.exe 85 PID 4284 wrote to memory of 2972 4284 Opogbbig.exe 85 PID 2972 wrote to memory of 4740 2972 Oghppm32.exe 86 PID 2972 wrote to memory of 4740 2972 Oghppm32.exe 86 PID 2972 wrote to memory of 4740 2972 Oghppm32.exe 86 PID 4740 wrote to memory of 4892 4740 Olehhc32.exe 87 PID 4740 wrote to memory of 4892 4740 Olehhc32.exe 87 PID 4740 wrote to memory of 4892 4740 Olehhc32.exe 87 PID 4892 wrote to memory of 4876 4892 Oocddono.exe 88 PID 4892 wrote to memory of 4876 4892 Oocddono.exe 88 PID 4892 wrote to memory of 4876 4892 Oocddono.exe 88 PID 4876 wrote to memory of 4352 4876 Ogklelna.exe 89 PID 4876 wrote to memory of 4352 4876 Ogklelna.exe 89 PID 4876 wrote to memory of 4352 4876 Ogklelna.exe 89 PID 4352 wrote to memory of 4732 4352 Ohlimd32.exe 90 PID 4352 wrote to memory of 4732 4352 Ohlimd32.exe 90 PID 4352 wrote to memory of 4732 4352 Ohlimd32.exe 90 PID 4732 wrote to memory of 1976 4732 Oofaiokl.exe 91 PID 4732 wrote to memory of 1976 4732 Oofaiokl.exe 91 PID 4732 wrote to memory of 1976 4732 Oofaiokl.exe 91 PID 1976 wrote to memory of 3032 1976 Oepifi32.exe 92 PID 1976 wrote to memory of 3032 1976 Oepifi32.exe 92 PID 1976 wrote to memory of 3032 1976 Oepifi32.exe 92 PID 3032 wrote to memory of 1896 3032 Oljaccjf.exe 93 PID 3032 wrote to memory of 1896 3032 Oljaccjf.exe 93 PID 3032 wrote to memory of 1896 3032 Oljaccjf.exe 93 PID 1896 wrote to memory of 2720 1896 Oohnonij.exe 94 PID 1896 wrote to memory of 2720 1896 Oohnonij.exe 94 PID 1896 wrote to memory of 2720 1896 Oohnonij.exe 94 PID 2720 wrote to memory of 4488 2720 Ogpepl32.exe 95 PID 2720 wrote to memory of 4488 2720 Ogpepl32.exe 95 PID 2720 wrote to memory of 4488 2720 Ogpepl32.exe 95 PID 4488 wrote to memory of 4812 4488 Ohqbhdpj.exe 96 PID 4488 wrote to memory of 4812 4488 Ohqbhdpj.exe 96 PID 4488 wrote to memory of 4812 4488 Ohqbhdpj.exe 96 PID 4812 wrote to memory of 3952 4812 Ookjdn32.exe 97 PID 4812 wrote to memory of 3952 4812 Ookjdn32.exe 97 PID 4812 wrote to memory of 3952 4812 Ookjdn32.exe 97 PID 3952 wrote to memory of 4012 3952 Ocffempp.exe 98 PID 3952 wrote to memory of 4012 3952 Ocffempp.exe 98 PID 3952 wrote to memory of 4012 3952 Ocffempp.exe 98 PID 4012 wrote to memory of 1236 4012 Pjpobg32.exe 99 PID 4012 wrote to memory of 1236 4012 Pjpobg32.exe 99 PID 4012 wrote to memory of 1236 4012 Pjpobg32.exe 99 PID 1236 wrote to memory of 468 1236 Pcicklnn.exe 100 PID 1236 wrote to memory of 468 1236 Pcicklnn.exe 100 PID 1236 wrote to memory of 468 1236 Pcicklnn.exe 100 PID 468 wrote to memory of 1996 468 Pjbkgfej.exe 101 PID 468 wrote to memory of 1996 468 Pjbkgfej.exe 101 PID 468 wrote to memory of 1996 468 Pjbkgfej.exe 101 PID 1996 wrote to memory of 4844 1996 Poodpmca.exe 102 PID 1996 wrote to memory of 4844 1996 Poodpmca.exe 102 PID 1996 wrote to memory of 4844 1996 Poodpmca.exe 102 PID 4844 wrote to memory of 3296 4844 Pjehmfch.exe 103 PID 4844 wrote to memory of 3296 4844 Pjehmfch.exe 103 PID 4844 wrote to memory of 3296 4844 Pjehmfch.exe 103 PID 3296 wrote to memory of 3324 3296 Plcdiabk.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a24265e206e0297366b28887b56d3c4d5f32134150639e5ee925264600702f0N.exe"C:\Users\Admin\AppData\Local\Temp\0a24265e206e0297366b28887b56d3c4d5f32134150639e5ee925264600702f0N.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Olckbd32.exeC:\Windows\system32\Olckbd32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Opogbbig.exeC:\Windows\system32\Opogbbig.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4284 -
C:\Windows\SysWOW64\Oghppm32.exeC:\Windows\system32\Oghppm32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4740 -
C:\Windows\SysWOW64\Oocddono.exeC:\Windows\system32\Oocddono.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4892 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4876 -
C:\Windows\SysWOW64\Ohlimd32.exeC:\Windows\system32\Ohlimd32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4352 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Oljaccjf.exeC:\Windows\system32\Oljaccjf.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe12⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1896 -
C:\Windows\SysWOW64\Ogpepl32.exeC:\Windows\system32\Ogpepl32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Ohqbhdpj.exeC:\Windows\system32\Ohqbhdpj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4488 -
C:\Windows\SysWOW64\Ookjdn32.exeC:\Windows\system32\Ookjdn32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4812 -
C:\Windows\SysWOW64\Ocffempp.exeC:\Windows\system32\Ocffempp.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Windows\SysWOW64\Pjpobg32.exeC:\Windows\system32\Pjpobg32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4012 -
C:\Windows\SysWOW64\Pcicklnn.exeC:\Windows\system32\Pcicklnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Pjbkgfej.exeC:\Windows\system32\Pjbkgfej.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:468 -
C:\Windows\SysWOW64\Poodpmca.exeC:\Windows\system32\Poodpmca.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Pjehmfch.exeC:\Windows\system32\Pjehmfch.exe21⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Windows\SysWOW64\Plcdiabk.exeC:\Windows\system32\Plcdiabk.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3296 -
C:\Windows\SysWOW64\Pcmlfl32.exeC:\Windows\system32\Pcmlfl32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3324 -
C:\Windows\SysWOW64\Pflibgil.exeC:\Windows\system32\Pflibgil.exe24⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Pleaoa32.exeC:\Windows\system32\Pleaoa32.exe25⤵
- Executes dropped EXE
PID:4164 -
C:\Windows\SysWOW64\Pcpikkge.exeC:\Windows\system32\Pcpikkge.exe26⤵
- Executes dropped EXE
PID:440 -
C:\Windows\SysWOW64\Pjjahe32.exeC:\Windows\system32\Pjjahe32.exe27⤵
- Executes dropped EXE
PID:4824 -
C:\Windows\SysWOW64\Phlacbfm.exeC:\Windows\system32\Phlacbfm.exe28⤵
- Executes dropped EXE
PID:5028 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe29⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Qcbfakec.exeC:\Windows\system32\Qcbfakec.exe30⤵
- Executes dropped EXE
PID:4236 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe31⤵
- Executes dropped EXE
PID:1524 -
C:\Windows\SysWOW64\Qljjjqlc.exeC:\Windows\system32\Qljjjqlc.exe32⤵
- Executes dropped EXE
PID:4952 -
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe33⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Qfbobf32.exeC:\Windows\system32\Qfbobf32.exe34⤵
- Executes dropped EXE
PID:5088 -
C:\Windows\SysWOW64\Qqhcpo32.exeC:\Windows\system32\Qqhcpo32.exe35⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Agbkmijg.exeC:\Windows\system32\Agbkmijg.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4076 -
C:\Windows\SysWOW64\Amodep32.exeC:\Windows\system32\Amodep32.exe37⤵
- Executes dropped EXE
PID:4912 -
C:\Windows\SysWOW64\Agdhbi32.exeC:\Windows\system32\Agdhbi32.exe38⤵
- Executes dropped EXE
PID:1176 -
C:\Windows\SysWOW64\Ackigjmh.exeC:\Windows\system32\Ackigjmh.exe39⤵
- Executes dropped EXE
PID:4344 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4980 -
C:\Windows\SysWOW64\Aihaoqlp.exeC:\Windows\system32\Aihaoqlp.exe41⤵
- Executes dropped EXE
PID:60 -
C:\Windows\SysWOW64\Aflaie32.exeC:\Windows\system32\Aflaie32.exe42⤵
- Executes dropped EXE
PID:3248 -
C:\Windows\SysWOW64\Aqaffn32.exeC:\Windows\system32\Aqaffn32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe44⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Aimkjp32.exeC:\Windows\system32\Aimkjp32.exe45⤵
- Executes dropped EXE
PID:3216 -
C:\Windows\SysWOW64\Bcbohigp.exeC:\Windows\system32\Bcbohigp.exe46⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Bmkcqn32.exeC:\Windows\system32\Bmkcqn32.exe47⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Boipmj32.exeC:\Windows\system32\Boipmj32.exe48⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Bgpgng32.exeC:\Windows\system32\Bgpgng32.exe49⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Bjodjb32.exeC:\Windows\system32\Bjodjb32.exe50⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe51⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Bgbdcgld.exeC:\Windows\system32\Bgbdcgld.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Bpnihiio.exeC:\Windows\system32\Bpnihiio.exe53⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe54⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Bjcmebie.exeC:\Windows\system32\Bjcmebie.exe55⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe56⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Bppfmigl.exeC:\Windows\system32\Bppfmigl.exe57⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe58⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Bggnof32.exeC:\Windows\system32\Bggnof32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3288 -
C:\Windows\SysWOW64\Bjfjka32.exeC:\Windows\system32\Bjfjka32.exe60⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe62⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe63⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe64⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Cpeohh32.exeC:\Windows\system32\Cpeohh32.exe65⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Ccqkigkp.exeC:\Windows\system32\Ccqkigkp.exe66⤵PID:4280
-
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe67⤵PID:1436
-
C:\Windows\SysWOW64\Ccchof32.exeC:\Windows\system32\Ccchof32.exe68⤵PID:2148
-
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe69⤵PID:2464
-
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe70⤵PID:5024
-
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe71⤵PID:3808
-
C:\Windows\SysWOW64\Cfcqpa32.exeC:\Windows\system32\Cfcqpa32.exe72⤵PID:2952
-
C:\Windows\SysWOW64\Caienjfd.exeC:\Windows\system32\Caienjfd.exe73⤵PID:1204
-
C:\Windows\SysWOW64\Dmpfbk32.exeC:\Windows\system32\Dmpfbk32.exe74⤵PID:4880
-
C:\Windows\SysWOW64\Dpnbog32.exeC:\Windows\system32\Dpnbog32.exe75⤵PID:3224
-
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe76⤵PID:1952
-
C:\Windows\SysWOW64\Djdflp32.exeC:\Windows\system32\Djdflp32.exe77⤵PID:2696
-
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe78⤵PID:1588
-
C:\Windows\SysWOW64\Dpqodfij.exeC:\Windows\system32\Dpqodfij.exe79⤵
- Modifies registry class
PID:4848 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe80⤵PID:3728
-
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe81⤵PID:4696
-
C:\Windows\SysWOW64\Dcogje32.exeC:\Windows\system32\Dcogje32.exe82⤵PID:2016
-
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe83⤵PID:4788
-
C:\Windows\SysWOW64\Dpehof32.exeC:\Windows\system32\Dpehof32.exe84⤵PID:2312
-
C:\Windows\SysWOW64\Djklmo32.exeC:\Windows\system32\Djklmo32.exe85⤵PID:4056
-
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe86⤵PID:4356
-
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe87⤵PID:3232
-
C:\Windows\SysWOW64\Eagaoh32.exeC:\Windows\system32\Eagaoh32.exe88⤵PID:1284
-
C:\Windows\SysWOW64\Epjajeqo.exeC:\Windows\system32\Epjajeqo.exe89⤵
- Modifies registry class
PID:3800 -
C:\Windows\SysWOW64\Ehailbaa.exeC:\Windows\system32\Ehailbaa.exe90⤵PID:2008
-
C:\Windows\SysWOW64\Ejpfhnpe.exeC:\Windows\system32\Ejpfhnpe.exe91⤵PID:2164
-
C:\Windows\SysWOW64\Eibfck32.exeC:\Windows\system32\Eibfck32.exe92⤵PID:232
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe93⤵PID:4868
-
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe94⤵PID:2416
-
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe95⤵
- System Location Discovery: System Language Discovery
PID:3460 -
C:\Windows\SysWOW64\Ejbbmnnb.exeC:\Windows\system32\Ejbbmnnb.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1428 -
C:\Windows\SysWOW64\Empoiimf.exeC:\Windows\system32\Empoiimf.exe97⤵
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Epokedmj.exeC:\Windows\system32\Epokedmj.exe98⤵
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Edjgfcec.exeC:\Windows\system32\Edjgfcec.exe99⤵
- Drops file in System32 directory
PID:4424 -
C:\Windows\SysWOW64\Efhcbodf.exeC:\Windows\system32\Efhcbodf.exe100⤵PID:2304
-
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe101⤵PID:4584
-
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe102⤵PID:5124
-
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe103⤵PID:5168
-
C:\Windows\SysWOW64\Eiildjag.exeC:\Windows\system32\Eiildjag.exe104⤵PID:5212
-
C:\Windows\SysWOW64\Eaqdegaj.exeC:\Windows\system32\Eaqdegaj.exe105⤵PID:5256
-
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe106⤵PID:5304
-
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe107⤵PID:5348
-
C:\Windows\SysWOW64\Fdamgb32.exeC:\Windows\system32\Fdamgb32.exe108⤵PID:5392
-
C:\Windows\SysWOW64\Ffpicn32.exeC:\Windows\system32\Ffpicn32.exe109⤵PID:5432
-
C:\Windows\SysWOW64\Fineoi32.exeC:\Windows\system32\Fineoi32.exe110⤵PID:5476
-
C:\Windows\SysWOW64\Fdcjlb32.exeC:\Windows\system32\Fdcjlb32.exe111⤵PID:5520
-
C:\Windows\SysWOW64\Fgbfhmll.exeC:\Windows\system32\Fgbfhmll.exe112⤵PID:5564
-
C:\Windows\SysWOW64\Fipbdikp.exeC:\Windows\system32\Fipbdikp.exe113⤵
- Drops file in System32 directory
PID:5608 -
C:\Windows\SysWOW64\Fhabbp32.exeC:\Windows\system32\Fhabbp32.exe114⤵PID:5652
-
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5696 -
C:\Windows\SysWOW64\Fmnkkg32.exeC:\Windows\system32\Fmnkkg32.exe116⤵PID:5740
-
C:\Windows\SysWOW64\Fhdohp32.exeC:\Windows\system32\Fhdohp32.exe117⤵PID:5784
-
C:\Windows\SysWOW64\Fielph32.exeC:\Windows\system32\Fielph32.exe118⤵PID:5828
-
C:\Windows\SysWOW64\Falcae32.exeC:\Windows\system32\Falcae32.exe119⤵PID:5872
-
C:\Windows\SysWOW64\Fhflnpoi.exeC:\Windows\system32\Fhflnpoi.exe120⤵
- Modifies registry class
PID:5920 -
C:\Windows\SysWOW64\Gigheh32.exeC:\Windows\system32\Gigheh32.exe121⤵PID:5964
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-