Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30-11-2024 01:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4c09a1795224a3b92bc8b491f8b31d1a38e5105984f24a0abe335ebb0d9d19dfN.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
Behavioral task
behavioral2
Sample
4c09a1795224a3b92bc8b491f8b31d1a38e5105984f24a0abe335ebb0d9d19dfN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
4c09a1795224a3b92bc8b491f8b31d1a38e5105984f24a0abe335ebb0d9d19dfN.exe
-
Size
96KB
-
MD5
4b642346c54ca977a307f57d1b7875c0
-
SHA1
1cc897dc61886dfadcd0d69bc974268d10a66def
-
SHA256
4c09a1795224a3b92bc8b491f8b31d1a38e5105984f24a0abe335ebb0d9d19df
-
SHA512
2054758cbd7364a3c94c9771ebca5e2164d6a879b89f64506e3d1bf98cff8e3a332a37d6cbc7178dd63df9be591a4447f8f9676ecb5684d800ab543e1187e786
-
SSDEEP
1536:YfF/7I06We2ULR+YwOuFm4Wf2L57RZObZUUWaegPYAt:YfF7IJ2UmZN5ClUUWaei
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Eaheeecg.exeFnfcel32.exeHalbai32.exeNlhjhi32.exeQododfek.exeIeigfk32.exePhcpgm32.exeIfjlcmmj.exeKglehp32.exeJcgapdeb.exeMeffhnal.exeHllmcc32.exeEhkhaqpk.exeAgpcihcf.exeQcachc32.exeDikogf32.exeMmadbjkk.exeBfqpecma.exeLnjcomcf.exeMbhlek32.exeBniajoic.exeJnfomn32.exeMjcoqdoc.exeEnfgfh32.exeFmegncpp.exeGcbabpcf.exeAgolnbok.exeMjcaimgg.exeDbifnj32.exeMfdopp32.exeBgdibkam.exeHfegij32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaheeecg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnfcel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Halbai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlhjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qododfek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieigfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phcpgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifjlcmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kglehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcgapdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meffhnal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hllmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehkhaqpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agpcihcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcachc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dikogf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmadbjkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfqpecma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjcomcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbhlek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bniajoic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnfomn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcoqdoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enfgfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmegncpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcbabpcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agolnbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjcaimgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbifnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfdopp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgdibkam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfegij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 8 IoCs
Processes:
resource yara_rule behavioral1/files/0x0003000000020c27-5829.dat family_bruteratel behavioral1/files/0x00030000000215e1-9909.dat family_bruteratel behavioral1/files/0x00030000000218e8-11660.dat family_bruteratel behavioral1/files/0x0003000000021a16-12214.dat family_bruteratel behavioral1/files/0x00020000000230ab-14558.dat family_bruteratel behavioral1/files/0x000300000002395f-16631.dat family_bruteratel behavioral1/files/0x0002000000023ce9-18945.dat family_bruteratel behavioral1/files/0x0002000000024493-23579.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Gblifo32.exeGejebk32.exeGifaciae.exeGldmoepi.exeGbnflo32.exeGhkndf32.exeGbqbaofc.exeGeoonjeg.exeGjlgfaco.exeHeakcjcd.exeHfbhkb32.exeHmmphlpp.exeHdfhdfgl.exeHhbdee32.exeHjqqap32.exeHajinjff.exeHbleeb32.exeHifmbmda.exeHppfog32.exeHbnbkbja.exeHihjhl32.exeHlffdh32.exeHoebpc32.exeHflkaq32.exeHijgml32.exeIhmgiiff.exeIbckfa32.exeIeagbm32.exeIhpdoh32.exeIknpkd32.exeIbehla32.exeIdfdcijh.exeIhbqdh32.exeIoliqbjn.exeImoilo32.exeIefamlak.exeIhdmihpn.exeIkbifcpb.exeIonefb32.exeIamabm32.exeIdknoi32.exeIgijkd32.exeIihfgp32.exeIncbgnmc.exeIpbocjlg.exeJcpkpe32.exeJglgpdcc.exeJnfomn32.exeJpdkii32.exeJcbhee32.exeJgncfcaa.exeJeadap32.exeJnhlbn32.exeJgqpkc32.exeJjomgo32.exeJhamckel.exeJpiedieo.exeJcgapdeb.exeJfemlpdf.exeJhdihkcj.exeJlpeij32.exeJonbee32.exeJblnaq32.exeJhffnk32.exepid Process 2380 Gblifo32.exe 2804 Gejebk32.exe 2900 Gifaciae.exe 2628 Gldmoepi.exe 2716 Gbnflo32.exe 2284 Ghkndf32.exe 2844 Gbqbaofc.exe 1920 Geoonjeg.exe 1680 Gjlgfaco.exe 2880 Heakcjcd.exe 2056 Hfbhkb32.exe 1784 Hmmphlpp.exe 2004 Hdfhdfgl.exe 476 Hhbdee32.exe 3048 Hjqqap32.exe 1628 Hajinjff.exe 1088 Hbleeb32.exe 1932 Hifmbmda.exe 1756 Hppfog32.exe 1776 Hbnbkbja.exe 848 Hihjhl32.exe 1632 Hlffdh32.exe 2416 Hoebpc32.exe 1836 Hflkaq32.exe 1724 Hijgml32.exe 2708 Ihmgiiff.exe 2828 Ibckfa32.exe 2748 Ieagbm32.exe 2608 Ihpdoh32.exe 2600 Iknpkd32.exe 2652 Ibehla32.exe 2572 Idfdcijh.exe 2112 Ihbqdh32.exe 1984 Ioliqbjn.exe 1788 Imoilo32.exe 492 Iefamlak.exe 768 Ihdmihpn.exe 780 Ikbifcpb.exe 2500 Ionefb32.exe 2296 Iamabm32.exe 916 Idknoi32.exe 2204 Igijkd32.exe 1392 Iihfgp32.exe 2428 Incbgnmc.exe 1568 Ipbocjlg.exe 616 Jcpkpe32.exe 704 Jglgpdcc.exe 1948 Jnfomn32.exe 1704 Jpdkii32.exe 2728 Jcbhee32.exe 2200 Jgncfcaa.exe 1996 Jeadap32.exe 2676 Jnhlbn32.exe 2108 Jgqpkc32.exe 2864 Jjomgo32.exe 396 Jhamckel.exe 2016 Jpiedieo.exe 1244 Jcgapdeb.exe 1508 Jfemlpdf.exe 2220 Jhdihkcj.exe 576 Jlpeij32.exe 1260 Jonbee32.exe 1376 Jblnaq32.exe 1928 Jhffnk32.exe -
Loads dropped DLL 64 IoCs
Processes:
4c09a1795224a3b92bc8b491f8b31d1a38e5105984f24a0abe335ebb0d9d19dfN.exeGblifo32.exeGejebk32.exeGifaciae.exeGldmoepi.exeGbnflo32.exeGhkndf32.exeGbqbaofc.exeGeoonjeg.exeGjlgfaco.exeHeakcjcd.exeHfbhkb32.exeHmmphlpp.exeHdfhdfgl.exeHhbdee32.exeHjqqap32.exeHajinjff.exeHbleeb32.exeHifmbmda.exeHppfog32.exeHbnbkbja.exeHihjhl32.exeHlffdh32.exeHoebpc32.exeHflkaq32.exeHijgml32.exeIhmgiiff.exeIbckfa32.exeIeagbm32.exeIhpdoh32.exeIknpkd32.exeIbehla32.exepid Process 2212 4c09a1795224a3b92bc8b491f8b31d1a38e5105984f24a0abe335ebb0d9d19dfN.exe 2212 4c09a1795224a3b92bc8b491f8b31d1a38e5105984f24a0abe335ebb0d9d19dfN.exe 2380 Gblifo32.exe 2380 Gblifo32.exe 2804 Gejebk32.exe 2804 Gejebk32.exe 2900 Gifaciae.exe 2900 Gifaciae.exe 2628 Gldmoepi.exe 2628 Gldmoepi.exe 2716 Gbnflo32.exe 2716 Gbnflo32.exe 2284 Ghkndf32.exe 2284 Ghkndf32.exe 2844 Gbqbaofc.exe 2844 Gbqbaofc.exe 1920 Geoonjeg.exe 1920 Geoonjeg.exe 1680 Gjlgfaco.exe 1680 Gjlgfaco.exe 2880 Heakcjcd.exe 2880 Heakcjcd.exe 2056 Hfbhkb32.exe 2056 Hfbhkb32.exe 1784 Hmmphlpp.exe 1784 Hmmphlpp.exe 2004 Hdfhdfgl.exe 2004 Hdfhdfgl.exe 476 Hhbdee32.exe 476 Hhbdee32.exe 3048 Hjqqap32.exe 3048 Hjqqap32.exe 1628 Hajinjff.exe 1628 Hajinjff.exe 1088 Hbleeb32.exe 1088 Hbleeb32.exe 1932 Hifmbmda.exe 1932 Hifmbmda.exe 1756 Hppfog32.exe 1756 Hppfog32.exe 1776 Hbnbkbja.exe 1776 Hbnbkbja.exe 848 Hihjhl32.exe 848 Hihjhl32.exe 1632 Hlffdh32.exe 1632 Hlffdh32.exe 2416 Hoebpc32.exe 2416 Hoebpc32.exe 1836 Hflkaq32.exe 1836 Hflkaq32.exe 1724 Hijgml32.exe 1724 Hijgml32.exe 2708 Ihmgiiff.exe 2708 Ihmgiiff.exe 2828 Ibckfa32.exe 2828 Ibckfa32.exe 2748 Ieagbm32.exe 2748 Ieagbm32.exe 2608 Ihpdoh32.exe 2608 Ihpdoh32.exe 2600 Iknpkd32.exe 2600 Iknpkd32.exe 2652 Ibehla32.exe 2652 Ibehla32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Bidlgdlk.exeHllmcc32.exeQkffng32.exeHflkaq32.exeBcjqdmla.exeFpmbfbgo.exeMjhjdm32.exePkcpei32.exeJmdepg32.exeMfaefd32.exeLgoboc32.exeAijbfo32.exeNbflno32.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Geqlnjcf.exe File created C:\Windows\SysWOW64\Ppkmjlca.exe File opened for modification C:\Windows\SysWOW64\Qblfkgqb.exe File opened for modification C:\Windows\SysWOW64\Bmjekahk.exe File created C:\Windows\SysWOW64\Glehgdkn.dll File created C:\Windows\SysWOW64\Dcjjhc32.dll File opened for modification C:\Windows\SysWOW64\Kaholp32.exe File created C:\Windows\SysWOW64\Blchcpko.exe Bidlgdlk.exe File created C:\Windows\SysWOW64\Hnkion32.exe Hllmcc32.exe File created C:\Windows\SysWOW64\Qnebjc32.exe Qkffng32.exe File opened for modification C:\Windows\SysWOW64\Jfdhmk32.exe File created C:\Windows\SysWOW64\Abdbflnf.exe File created C:\Windows\SysWOW64\Kbenacdm.exe File created C:\Windows\SysWOW64\Loimal32.dll File opened for modification C:\Windows\SysWOW64\Mlafkb32.exe File created C:\Windows\SysWOW64\Boifga32.exe File created C:\Windows\SysWOW64\Cmmcpi32.exe File opened for modification C:\Windows\SysWOW64\Koflgf32.exe File opened for modification C:\Windows\SysWOW64\Noojdc32.exe File created C:\Windows\SysWOW64\Pjbjjc32.exe File opened for modification C:\Windows\SysWOW64\Kindeddf.exe File opened for modification C:\Windows\SysWOW64\Oalkih32.exe File created C:\Windows\SysWOW64\Onqkclni.exe File opened for modification C:\Windows\SysWOW64\Kfidqb32.exe File created C:\Windows\SysWOW64\Monhjgkj.exe File opened for modification C:\Windows\SysWOW64\Noagjc32.exe File created C:\Windows\SysWOW64\Eglhaeef.dll File opened for modification C:\Windows\SysWOW64\Ccpeld32.exe File created C:\Windows\SysWOW64\Ielqinkm.dll File created C:\Windows\SysWOW64\Nbihoo32.dll File opened for modification C:\Windows\SysWOW64\Gdjcjf32.exe File opened for modification C:\Windows\SysWOW64\Bhndnpnp.exe File opened for modification C:\Windows\SysWOW64\Efhcej32.exe File opened for modification C:\Windows\SysWOW64\Hijgml32.exe Hflkaq32.exe File created C:\Windows\SysWOW64\Kijkje32.exe File opened for modification C:\Windows\SysWOW64\Ckmpkpbl.exe File opened for modification C:\Windows\SysWOW64\Hpcpdfhj.exe File created C:\Windows\SysWOW64\Ekcqmj32.dll File opened for modification C:\Windows\SysWOW64\Libjncnc.exe File created C:\Windows\SysWOW64\Ajfoacnc.dll File created C:\Windows\SysWOW64\Fkllaj32.dll Bcjqdmla.exe File created C:\Windows\SysWOW64\Gegfanil.dll Fpmbfbgo.exe File created C:\Windows\SysWOW64\Gpjmnh32.exe File opened for modification C:\Windows\SysWOW64\Kjepaa32.exe File created C:\Windows\SysWOW64\Hiqaih32.dll File opened for modification C:\Windows\SysWOW64\Mmgfqh32.exe Mjhjdm32.exe File opened for modification C:\Windows\SysWOW64\Jmfcop32.exe File created C:\Windows\SysWOW64\Emgeoj32.dll Pkcpei32.exe File created C:\Windows\SysWOW64\Hkdemk32.exe File created C:\Windows\SysWOW64\Dbgdgm32.exe File created C:\Windows\SysWOW64\Gdjcjf32.exe File opened for modification C:\Windows\SysWOW64\Jpbalb32.exe Jmdepg32.exe File created C:\Windows\SysWOW64\Fgmkef32.dll File created C:\Windows\SysWOW64\Jlnfak32.dll File opened for modification C:\Windows\SysWOW64\Pnfnajed.exe File created C:\Windows\SysWOW64\Klfjpa32.exe File created C:\Windows\SysWOW64\Ojpaeq32.exe File created C:\Windows\SysWOW64\Mioabp32.exe Mfaefd32.exe File created C:\Windows\SysWOW64\Liobdl32.dll Lgoboc32.exe File created C:\Windows\SysWOW64\Akiobk32.exe Aijbfo32.exe File created C:\Windows\SysWOW64\Efoifiep.exe File created C:\Windows\SysWOW64\Hkjnenbp.exe File created C:\Windows\SysWOW64\Jbbobb32.dll Nbflno32.exe File created C:\Windows\SysWOW64\Mqjefamk.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Fdbhge32.exeJbpdeogo.exePpfomk32.exeCpdgbm32.exeKjahej32.exeHmmphlpp.exeKbigpn32.exeGqahqd32.exeKdbbgdjj.exeGcjbna32.exeBflbigdb.exeHemqpf32.exeAkcomepg.exeIjehdl32.exeAndgop32.exeLlnaoh32.exePgegok32.exePlmpblnb.exeJfliim32.exeHhbdee32.exeOgqaehak.exeOjmpooah.exeQfonkfqd.exeBcegin32.exeNdkhngdd.exeFqalaa32.exeNmcmgm32.exeQhmcmk32.exeAgpcihcf.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdbhge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpdeogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppfomk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjahej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmmphlpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbigpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqahqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbbgdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjbna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bflbigdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemqpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcomepg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijehdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Andgop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llnaoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgegok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmpblnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfliim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhbdee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogqaehak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojmpooah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfonkfqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcegin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndkhngdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqalaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcmgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhmcmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agpcihcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language -
Modifies registry class 64 IoCs
Processes:
Nmqpam32.exeHmmphlpp.exeElnqmd32.exePoeipifl.exeCmfkfa32.exeKkileele.exeJepmgj32.exeHpphhp32.exeGqahqd32.exeIbehla32.exeJcgapdeb.exeAfdgfelo.exeNgneph32.exePalepb32.exeOekhacbn.exeKnkgpi32.exeNhgkil32.exeKfbfkmeh.exeAgbpnh32.exeBcpgdhpp.exeNdqkleln.exePincfpoo.exeAmnocpdk.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmqpam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdfndl32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hclemh32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmmphlpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elnqmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poeipifl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodhamlk.dll" Cmfkfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghefgc32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmqec32.dll" Kkileele.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aopjkjhh.dll" Jepmgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpphhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mokhho32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqahqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibehla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcgapdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlqiie32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afdgfelo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqoebm32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjoolbcg.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idcnlffk.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngneph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Foehfmaf.dll" Palepb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnghnbki.dll" Oekhacbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knkgpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhgkil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feafacjb.dll" Kfbfkmeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhhkjkc.dll" Agbpnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkajkp32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcpgdhpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akafaiao.dll" Ndqkleln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pincfpoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcohdeco.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlpckqje.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Midccf32.dll" Amnocpdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
4c09a1795224a3b92bc8b491f8b31d1a38e5105984f24a0abe335ebb0d9d19dfN.exeGblifo32.exeGejebk32.exeGifaciae.exeGldmoepi.exeGbnflo32.exeGhkndf32.exeGbqbaofc.exeGeoonjeg.exeGjlgfaco.exeHeakcjcd.exeHfbhkb32.exeHmmphlpp.exeHdfhdfgl.exeHhbdee32.exeHjqqap32.exedescription pid Process procid_target PID 2212 wrote to memory of 2380 2212 4c09a1795224a3b92bc8b491f8b31d1a38e5105984f24a0abe335ebb0d9d19dfN.exe 30 PID 2212 wrote to memory of 2380 2212 4c09a1795224a3b92bc8b491f8b31d1a38e5105984f24a0abe335ebb0d9d19dfN.exe 30 PID 2212 wrote to memory of 2380 2212 4c09a1795224a3b92bc8b491f8b31d1a38e5105984f24a0abe335ebb0d9d19dfN.exe 30 PID 2212 wrote to memory of 2380 2212 4c09a1795224a3b92bc8b491f8b31d1a38e5105984f24a0abe335ebb0d9d19dfN.exe 30 PID 2380 wrote to memory of 2804 2380 Gblifo32.exe 31 PID 2380 wrote to memory of 2804 2380 Gblifo32.exe 31 PID 2380 wrote to memory of 2804 2380 Gblifo32.exe 31 PID 2380 wrote to memory of 2804 2380 Gblifo32.exe 31 PID 2804 wrote to memory of 2900 2804 Gejebk32.exe 32 PID 2804 wrote to memory of 2900 2804 Gejebk32.exe 32 PID 2804 wrote to memory of 2900 2804 Gejebk32.exe 32 PID 2804 wrote to memory of 2900 2804 Gejebk32.exe 32 PID 2900 wrote to memory of 2628 2900 Gifaciae.exe 33 PID 2900 wrote to memory of 2628 2900 Gifaciae.exe 33 PID 2900 wrote to memory of 2628 2900 Gifaciae.exe 33 PID 2900 wrote to memory of 2628 2900 Gifaciae.exe 33 PID 2628 wrote to memory of 2716 2628 Gldmoepi.exe 34 PID 2628 wrote to memory of 2716 2628 Gldmoepi.exe 34 PID 2628 wrote to memory of 2716 2628 Gldmoepi.exe 34 PID 2628 wrote to memory of 2716 2628 Gldmoepi.exe 34 PID 2716 wrote to memory of 2284 2716 Gbnflo32.exe 35 PID 2716 wrote to memory of 2284 2716 Gbnflo32.exe 35 PID 2716 wrote to memory of 2284 2716 Gbnflo32.exe 35 PID 2716 wrote to memory of 2284 2716 Gbnflo32.exe 35 PID 2284 wrote to memory of 2844 2284 Ghkndf32.exe 36 PID 2284 wrote to memory of 2844 2284 Ghkndf32.exe 36 PID 2284 wrote to memory of 2844 2284 Ghkndf32.exe 36 PID 2284 wrote to memory of 2844 2284 Ghkndf32.exe 36 PID 2844 wrote to memory of 1920 2844 Gbqbaofc.exe 37 PID 2844 wrote to memory of 1920 2844 Gbqbaofc.exe 37 PID 2844 wrote to memory of 1920 2844 Gbqbaofc.exe 37 PID 2844 wrote to memory of 1920 2844 Gbqbaofc.exe 37 PID 1920 wrote to memory of 1680 1920 Geoonjeg.exe 38 PID 1920 wrote to memory of 1680 1920 Geoonjeg.exe 38 PID 1920 wrote to memory of 1680 1920 Geoonjeg.exe 38 PID 1920 wrote to memory of 1680 1920 Geoonjeg.exe 38 PID 1680 wrote to memory of 2880 1680 Gjlgfaco.exe 39 PID 1680 wrote to memory of 2880 1680 Gjlgfaco.exe 39 PID 1680 wrote to memory of 2880 1680 Gjlgfaco.exe 39 PID 1680 wrote to memory of 2880 1680 Gjlgfaco.exe 39 PID 2880 wrote to memory of 2056 2880 Heakcjcd.exe 40 PID 2880 wrote to memory of 2056 2880 Heakcjcd.exe 40 PID 2880 wrote to memory of 2056 2880 Heakcjcd.exe 40 PID 2880 wrote to memory of 2056 2880 Heakcjcd.exe 40 PID 2056 wrote to memory of 1784 2056 Hfbhkb32.exe 41 PID 2056 wrote to memory of 1784 2056 Hfbhkb32.exe 41 PID 2056 wrote to memory of 1784 2056 Hfbhkb32.exe 41 PID 2056 wrote to memory of 1784 2056 Hfbhkb32.exe 41 PID 1784 wrote to memory of 2004 1784 Hmmphlpp.exe 42 PID 1784 wrote to memory of 2004 1784 Hmmphlpp.exe 42 PID 1784 wrote to memory of 2004 1784 Hmmphlpp.exe 42 PID 1784 wrote to memory of 2004 1784 Hmmphlpp.exe 42 PID 2004 wrote to memory of 476 2004 Hdfhdfgl.exe 43 PID 2004 wrote to memory of 476 2004 Hdfhdfgl.exe 43 PID 2004 wrote to memory of 476 2004 Hdfhdfgl.exe 43 PID 2004 wrote to memory of 476 2004 Hdfhdfgl.exe 43 PID 476 wrote to memory of 3048 476 Hhbdee32.exe 44 PID 476 wrote to memory of 3048 476 Hhbdee32.exe 44 PID 476 wrote to memory of 3048 476 Hhbdee32.exe 44 PID 476 wrote to memory of 3048 476 Hhbdee32.exe 44 PID 3048 wrote to memory of 1628 3048 Hjqqap32.exe 45 PID 3048 wrote to memory of 1628 3048 Hjqqap32.exe 45 PID 3048 wrote to memory of 1628 3048 Hjqqap32.exe 45 PID 3048 wrote to memory of 1628 3048 Hjqqap32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4c09a1795224a3b92bc8b491f8b31d1a38e5105984f24a0abe335ebb0d9d19dfN.exe"C:\Users\Admin\AppData\Local\Temp\4c09a1795224a3b92bc8b491f8b31d1a38e5105984f24a0abe335ebb0d9d19dfN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Gblifo32.exeC:\Windows\system32\Gblifo32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Gifaciae.exeC:\Windows\system32\Gifaciae.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Gldmoepi.exeC:\Windows\system32\Gldmoepi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Gbqbaofc.exeC:\Windows\system32\Gbqbaofc.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Geoonjeg.exeC:\Windows\system32\Geoonjeg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Heakcjcd.exeC:\Windows\system32\Heakcjcd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Hfbhkb32.exeC:\Windows\system32\Hfbhkb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Hdfhdfgl.exeC:\Windows\system32\Hdfhdfgl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Hhbdee32.exeC:\Windows\system32\Hhbdee32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:476 -
C:\Windows\SysWOW64\Hjqqap32.exeC:\Windows\system32\Hjqqap32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Hajinjff.exeC:\Windows\system32\Hajinjff.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Hbleeb32.exeC:\Windows\system32\Hbleeb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088 -
C:\Windows\SysWOW64\Hifmbmda.exeC:\Windows\system32\Hifmbmda.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Hppfog32.exeC:\Windows\system32\Hppfog32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Hbnbkbja.exeC:\Windows\system32\Hbnbkbja.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Hihjhl32.exeC:\Windows\system32\Hihjhl32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:848 -
C:\Windows\SysWOW64\Hlffdh32.exeC:\Windows\system32\Hlffdh32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Hoebpc32.exeC:\Windows\system32\Hoebpc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Hflkaq32.exeC:\Windows\system32\Hflkaq32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1836 -
C:\Windows\SysWOW64\Hijgml32.exeC:\Windows\system32\Hijgml32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Ihmgiiff.exeC:\Windows\system32\Ihmgiiff.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Ibckfa32.exeC:\Windows\system32\Ibckfa32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Ieagbm32.exeC:\Windows\system32\Ieagbm32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Ihpdoh32.exeC:\Windows\system32\Ihpdoh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Ibehla32.exeC:\Windows\system32\Ibehla32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Idfdcijh.exeC:\Windows\system32\Idfdcijh.exe33⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Ihbqdh32.exeC:\Windows\system32\Ihbqdh32.exe34⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Ioliqbjn.exeC:\Windows\system32\Ioliqbjn.exe35⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Imoilo32.exeC:\Windows\system32\Imoilo32.exe36⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe37⤵
- Executes dropped EXE
PID:492 -
C:\Windows\SysWOW64\Ihdmihpn.exeC:\Windows\system32\Ihdmihpn.exe38⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Ikbifcpb.exeC:\Windows\system32\Ikbifcpb.exe39⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Ionefb32.exeC:\Windows\system32\Ionefb32.exe40⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Iamabm32.exeC:\Windows\system32\Iamabm32.exe41⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe42⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Igijkd32.exeC:\Windows\system32\Igijkd32.exe43⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe44⤵
- Executes dropped EXE
PID:1392 -
C:\Windows\SysWOW64\Incbgnmc.exeC:\Windows\system32\Incbgnmc.exe45⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Ipbocjlg.exeC:\Windows\system32\Ipbocjlg.exe46⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Jcpkpe32.exeC:\Windows\system32\Jcpkpe32.exe47⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Jglgpdcc.exeC:\Windows\system32\Jglgpdcc.exe48⤵
- Executes dropped EXE
PID:704 -
C:\Windows\SysWOW64\Jnfomn32.exeC:\Windows\system32\Jnfomn32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Jpdkii32.exeC:\Windows\system32\Jpdkii32.exe50⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Jcbhee32.exeC:\Windows\system32\Jcbhee32.exe51⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Jgncfcaa.exeC:\Windows\system32\Jgncfcaa.exe52⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe53⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe54⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Jgqpkc32.exeC:\Windows\system32\Jgqpkc32.exe55⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Jjomgo32.exeC:\Windows\system32\Jjomgo32.exe56⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Jhamckel.exeC:\Windows\system32\Jhamckel.exe57⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe58⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe60⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe61⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Jlpeij32.exeC:\Windows\system32\Jlpeij32.exe62⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe63⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe64⤵
- Executes dropped EXE
PID:1376 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe65⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Kopokehd.exeC:\Windows\system32\Kopokehd.exe66⤵PID:292
-
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe67⤵PID:2544
-
C:\Windows\SysWOW64\Kdmgclfk.exeC:\Windows\system32\Kdmgclfk.exe68⤵PID:2756
-
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe69⤵PID:1596
-
C:\Windows\SysWOW64\Kqdhhm32.exeC:\Windows\system32\Kqdhhm32.exe70⤵PID:2740
-
C:\Windows\SysWOW64\Kdpcikdi.exeC:\Windows\system32\Kdpcikdi.exe71⤵PID:2424
-
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe72⤵
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe73⤵PID:2328
-
C:\Windows\SysWOW64\Kbcdbp32.exeC:\Windows\system32\Kbcdbp32.exe74⤵PID:3012
-
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe75⤵PID:2036
-
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe76⤵PID:1168
-
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe77⤵PID:1916
-
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe78⤵PID:2460
-
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe79⤵PID:992
-
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe80⤵PID:1364
-
C:\Windows\SysWOW64\Kmobhmnn.exeC:\Windows\system32\Kmobhmnn.exe81⤵PID:2508
-
C:\Windows\SysWOW64\Konndhmb.exeC:\Windows\system32\Konndhmb.exe82⤵PID:932
-
C:\Windows\SysWOW64\Lfhfab32.exeC:\Windows\system32\Lfhfab32.exe83⤵PID:2176
-
C:\Windows\SysWOW64\Ljcbaamh.exeC:\Windows\system32\Ljcbaamh.exe84⤵PID:2404
-
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe85⤵PID:3044
-
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe86⤵PID:2648
-
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe87⤵PID:2392
-
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe88⤵PID:2884
-
C:\Windows\SysWOW64\Lkgkoiqc.exeC:\Windows\system32\Lkgkoiqc.exe89⤵PID:1052
-
C:\Windows\SysWOW64\Lcncpfaf.exeC:\Windows\system32\Lcncpfaf.exe90⤵PID:1068
-
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe91⤵PID:2512
-
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe92⤵PID:2504
-
C:\Windows\SysWOW64\Lkihdioa.exeC:\Windows\system32\Lkihdioa.exe93⤵PID:2144
-
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe94⤵PID:1256
-
C:\Windows\SysWOW64\Lklejh32.exeC:\Windows\system32\Lklejh32.exe95⤵PID:2304
-
C:\Windows\SysWOW64\Ledibnco.exeC:\Windows\system32\Ledibnco.exe96⤵PID:1048
-
C:\Windows\SysWOW64\Llnaoh32.exeC:\Windows\system32\Llnaoh32.exe97⤵
- System Location Discovery: System Language Discovery
PID:1772 -
C:\Windows\SysWOW64\Ljabkeaf.exeC:\Windows\system32\Ljabkeaf.exe98⤵PID:2568
-
C:\Windows\SysWOW64\Mbhjlbbh.exeC:\Windows\system32\Mbhjlbbh.exe99⤵PID:2916
-
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1956 -
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe101⤵PID:2536
-
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe102⤵PID:2992
-
C:\Windows\SysWOW64\Mjcoqdoc.exeC:\Windows\system32\Mjcoqdoc.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1624 -
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe104⤵PID:2952
-
C:\Windows\SysWOW64\Meicnm32.exeC:\Windows\system32\Meicnm32.exe105⤵PID:1980
-
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe106⤵PID:2232
-
C:\Windows\SysWOW64\Mfjoeeeh.exeC:\Windows\system32\Mfjoeeeh.exe107⤵PID:956
-
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe108⤵PID:2260
-
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe109⤵PID:1796
-
C:\Windows\SysWOW64\Mfllkece.exeC:\Windows\system32\Mfllkece.exe110⤵PID:1484
-
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe111⤵PID:2744
-
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe112⤵PID:2616
-
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe113⤵PID:2316
-
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe114⤵PID:1804
-
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe115⤵PID:1036
-
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe116⤵PID:2980
-
C:\Windows\SysWOW64\Mfaefd32.exeC:\Windows\system32\Mfaefd32.exe117⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Mioabp32.exeC:\Windows\system32\Mioabp32.exe118⤵PID:2244
-
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe119⤵PID:2228
-
C:\Windows\SysWOW64\Npijoj32.exeC:\Windows\system32\Npijoj32.exe120⤵PID:2620
-
C:\Windows\SysWOW64\Nbhfke32.exeC:\Windows\system32\Nbhfke32.exe121⤵PID:2856
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-