Analysis
-
max time kernel
95s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
30-11-2024 20:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fdfe20086563227fb39b1cb1aa534b5717f8c7e3bd8911c9e2c325d3d5f80390N.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
fdfe20086563227fb39b1cb1aa534b5717f8c7e3bd8911c9e2c325d3d5f80390N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
fdfe20086563227fb39b1cb1aa534b5717f8c7e3bd8911c9e2c325d3d5f80390N.exe
-
Size
96KB
-
MD5
670756affd9a325df3b3128646001190
-
SHA1
8a93efb99cd8b0c9e8ec94e7c7bf6f274fe4baf8
-
SHA256
fdfe20086563227fb39b1cb1aa534b5717f8c7e3bd8911c9e2c325d3d5f80390
-
SHA512
958a020856caad9babac7e92a00b2c000ec20108b38cb3fb5f94cfae25dd0a2f0d0893fe708e4f9983099d3ac9a67a6bc785555c4cc77f456cce745359e8aec5
-
SSDEEP
1536:K+SuYJYinetl9U8V2LX7RZObZUUWaegPYAt:9SuBEKu8GXClUUWaei
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Efhlhh32.exeIcknfcol.exeAhbjoe32.exeFpgpgfmh.exeFgdbnmji.exeLnnbqnjn.exeJklphekp.exeBomkcm32.exeCaienjfd.exeIqipio32.exeLbgalmej.exeNenbjo32.exeBdbnjdfg.exeDigehphc.exeCpglnhad.exeFknbil32.exeDdjejl32.exeQlggjk32.exeDihlbf32.exeIdcepgmg.exePdhbmh32.exeHhgloc32.exeFhmigagd.exeFdepgkgj.exeBnhenj32.exeBifmqo32.exeNahgoe32.exeLmdemd32.exeGpelhd32.exeJgbjbp32.exeCohkokgj.exeGhpocngo.exeIjogmdqm.exeMnfnlf32.exeJekqmhia.exeEachem32.exeOlgemcli.exeKbbokdlk.exeIllfdc32.exeFpeafcfa.exeIqbbpm32.exeBhldpj32.exeIpjedh32.exeGmimai32.exeAmaqjp32.exeDapkni32.exeNbqmiinl.exeGgahedjn.exePeahgl32.exeNgomin32.exeBiadeoce.exeCdecgbfa.exedescription ioc Process Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhlhh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icknfcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahbjoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgpgfmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgdbnmji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnnbqnjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jklphekp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bomkcm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caienjfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqipio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbgalmej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenbjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdbnjdfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Digehphc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpglnhad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fknbil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddjejl32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlggjk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dihlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idcepgmg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdhbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhgloc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhmigagd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdepgkgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnhenj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bifmqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nahgoe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmdemd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpelhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgbjbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cohkokgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghpocngo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijogmdqm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnfnlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jekqmhia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eachem32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olgemcli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbokdlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Illfdc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpeafcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqbbpm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhldpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipjedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmimai32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amaqjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dapkni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbqmiinl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggahedjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peahgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngomin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biadeoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdecgbfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 2 IoCs
Processes:
resource yara_rule behavioral2/files/0x000700000002431a-5265.dat family_bruteratel behavioral2/files/0x00070000000244c4-6787.dat family_bruteratel -
Executes dropped EXE 64 IoCs
Processes:
Bjddphlq.exeBmbplc32.exeBclhhnca.exeBfkedibe.exeBnbmefbg.exeBapiabak.exeBcoenmao.exeChjaol32.exeCjinkg32.exeCndikf32.exeCabfga32.exeCdabcm32.exeCfpnph32.exeCnffqf32.exeCeqnmpfo.exeChokikeb.exeCjmgfgdf.exeCagobalc.exeCdfkolkf.exeCjpckf32.exeCmnpgb32.exeCeehho32.exeCffdpghg.exeCnnlaehj.exeCalhnpgn.exeDdjejl32.exeDjdmffnn.exeDmcibama.exeDejacond.exeDfknkg32.exeDobfld32.exeDelnin32.exeDhkjej32.exeDodbbdbb.exeDmgbnq32.exeDeokon32.exeDkkcge32.exeDaekdooc.exeDeagdn32.exeDgbdlf32.exeDoilmc32.exeEecdjmfi.exeEgdqae32.exeEajeon32.exeEefaomcg.exeEdhakj32.exeEkbihd32.exeEehnem32.exeEkefmc32.exeEaonjngh.exeEglgbdep.exeEmeoooml.exeEkiohclf.exeEoekia32.exeEachem32.exeFhmpagkp.exeFnjhjn32.exeFddqghpd.exeFdfmlhna.exeFefjfked.exeFhdfbfdh.exeFkcboack.exeFamjkl32.exeFhgbhfbe.exepid Process 1540 Bjddphlq.exe 1668 Bmbplc32.exe 3592 Bclhhnca.exe 3836 Bfkedibe.exe 2416 Bnbmefbg.exe 3624 Bapiabak.exe 520 Bcoenmao.exe 2560 Chjaol32.exe 2988 Cjinkg32.exe 2068 Cndikf32.exe 848 Cabfga32.exe 116 Cdabcm32.exe 2848 Cfpnph32.exe 2728 Cnffqf32.exe 2056 Ceqnmpfo.exe 4864 Chokikeb.exe 2944 Cjmgfgdf.exe 1132 Cagobalc.exe 400 Cdfkolkf.exe 4640 Cjpckf32.exe 368 Cmnpgb32.exe 1864 Ceehho32.exe 3884 Cffdpghg.exe 5096 Cnnlaehj.exe 2856 Calhnpgn.exe 4536 Ddjejl32.exe 3780 Djdmffnn.exe 4920 Dmcibama.exe 4936 Dejacond.exe 3124 Dfknkg32.exe 4908 Dobfld32.exe 4296 Delnin32.exe 2600 Dhkjej32.exe 3516 Dodbbdbb.exe 3908 Dmgbnq32.exe 3256 Deokon32.exe 1996 Dkkcge32.exe 628 Daekdooc.exe 4168 Deagdn32.exe 2436 Dgbdlf32.exe 2984 Doilmc32.exe 4380 Eecdjmfi.exe 5032 Egdqae32.exe 3076 Eajeon32.exe 1156 Eefaomcg.exe 3156 Edhakj32.exe 4396 Ekbihd32.exe 4544 Eehnem32.exe 5100 Ekefmc32.exe 4604 Eaonjngh.exe 3236 Eglgbdep.exe 3436 Emeoooml.exe 4644 Ekiohclf.exe 4880 Eoekia32.exe 3392 Eachem32.exe 3972 Fhmpagkp.exe 720 Fnjhjn32.exe 4692 Fddqghpd.exe 3096 Fdfmlhna.exe 2948 Fefjfked.exe 3112 Fhdfbfdh.exe 2328 Fkcboack.exe 636 Famjkl32.exe 1272 Fhgbhfbe.exe -
Drops file in System32 directory 64 IoCs
Processes:
Iplkpa32.exeEkbihd32.exeCjnffjkl.exeOdoogi32.exePopbpqjh.exeHpchib32.exeDoilmc32.exeOboijgbl.exeIdkkpf32.exeCjinkg32.exeGdafnpqh.exeOemefcap.exeAfgacokc.exeJphkkpbp.exeHekgfj32.exeKkjlic32.exeDckdjomg.exeEleepoob.exeLjclki32.exeCnfaohbj.exeBpnihiio.exeFhmigagd.exeJehhaaci.exeOgpepl32.exeEdhakj32.exeEhfcfb32.exeFfclcgfn.exeJpdhkf32.exeNeffpj32.exeOhqbhdpj.exeHienlpel.exeKomhll32.exeHhgloc32.exeMecjif32.exeOondnini.exeOmegjomb.exeAoofle32.exeKjhloj32.exeJiaglp32.exeMlnipg32.exeCmflbf32.exeHdhedh32.exeBapiabak.exeIllfdc32.exeOiihahme.exeQoifflkg.exeDooaoj32.exeBdickcpo.exeKeakgpko.exeMlpeff32.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\Ickglm32.exe Iplkpa32.exe File created C:\Windows\SysWOW64\Ilgonc32.dll File created C:\Windows\SysWOW64\Bipfed32.dll Ekbihd32.exe File created C:\Windows\SysWOW64\Dccledea.dll Cjnffjkl.exe File opened for modification C:\Windows\SysWOW64\Ohkkhhmh.exe Odoogi32.exe File opened for modification C:\Windows\SysWOW64\Pejkmk32.exe Popbpqjh.exe File opened for modification C:\Windows\SysWOW64\Iepaaico.exe Hpchib32.exe File created C:\Windows\SysWOW64\Jkccmkel.dll Doilmc32.exe File opened for modification C:\Windows\SysWOW64\Oemefcap.exe Oboijgbl.exe File created C:\Windows\SysWOW64\Jhdnigno.dll Idkkpf32.exe File created C:\Windows\SysWOW64\Oghghb32.exe File created C:\Windows\SysWOW64\Lqhdbm32.exe File created C:\Windows\SysWOW64\Cndikf32.exe Cjinkg32.exe File created C:\Windows\SysWOW64\Nlcagc32.dll Gdafnpqh.exe File created C:\Windows\SysWOW64\Mfedck32.dll Oemefcap.exe File opened for modification C:\Windows\SysWOW64\Alqjpi32.exe Afgacokc.exe File created C:\Windows\SysWOW64\Jcfggkac.exe Jphkkpbp.exe File created C:\Windows\SysWOW64\Hmbphg32.exe Hekgfj32.exe File opened for modification C:\Windows\SysWOW64\Oaplqh32.exe File opened for modification C:\Windows\SysWOW64\Bhblllfo.exe File created C:\Windows\SysWOW64\Jkganhnq.dll Kkjlic32.exe File created C:\Windows\SysWOW64\Dfjpfj32.exe Dckdjomg.exe File opened for modification C:\Windows\SysWOW64\Eclmamod.exe Eleepoob.exe File created C:\Windows\SysWOW64\Lnohlgep.exe Ljclki32.exe File created C:\Windows\SysWOW64\Bdlhkf32.dll Cnfaohbj.exe File created C:\Windows\SysWOW64\Looknpmn.dll Bpnihiio.exe File created C:\Windows\SysWOW64\Llelopkl.dll Fhmigagd.exe File created C:\Windows\SysWOW64\Ndnljbeg.dll File created C:\Windows\SysWOW64\Mjaabq32.exe File created C:\Windows\SysWOW64\Paeelgnj.exe File created C:\Windows\SysWOW64\Jkaqnk32.exe Jehhaaci.exe File created C:\Windows\SysWOW64\Ojnblg32.exe Ogpepl32.exe File created C:\Windows\SysWOW64\Flhkmbmp.dll File created C:\Windows\SysWOW64\Phonha32.exe File created C:\Windows\SysWOW64\Ljojplln.dll Edhakj32.exe File opened for modification C:\Windows\SysWOW64\Eigonjcj.exe Ehfcfb32.exe File opened for modification C:\Windows\SysWOW64\Fjohde32.exe Ffclcgfn.exe File created C:\Windows\SysWOW64\Olhldm32.dll Jpdhkf32.exe File opened for modification C:\Windows\SysWOW64\Lqojclne.exe File opened for modification C:\Windows\SysWOW64\Jkaqnk32.exe Jehhaaci.exe File created C:\Windows\SysWOW64\Dihnap32.dll Neffpj32.exe File created C:\Windows\SysWOW64\Ookjdn32.exe Ohqbhdpj.exe File created C:\Windows\SysWOW64\Hlcjhkdp.exe Hienlpel.exe File opened for modification C:\Windows\SysWOW64\Kgdpni32.exe Komhll32.exe File created C:\Windows\SysWOW64\Lcafnn32.dll Hhgloc32.exe File created C:\Windows\SysWOW64\Bionkjfo.dll Mecjif32.exe File opened for modification C:\Windows\SysWOW64\Objpoh32.exe Oondnini.exe File opened for modification C:\Windows\SysWOW64\Hlcjhkdp.exe Hienlpel.exe File created C:\Windows\SysWOW64\Gbdqegoi.dll Omegjomb.exe File opened for modification C:\Windows\SysWOW64\Aanbhp32.exe Aoofle32.exe File created C:\Windows\SysWOW64\Nfcconde.dll Kjhloj32.exe File opened for modification C:\Windows\SysWOW64\Dafppp32.exe File created C:\Windows\SysWOW64\Ddbogpnj.dll Jiaglp32.exe File created C:\Windows\SysWOW64\Molelb32.exe Mlnipg32.exe File created C:\Windows\SysWOW64\Acpklg32.dll Cmflbf32.exe File opened for modification C:\Windows\SysWOW64\Hgfapd32.exe Hdhedh32.exe File opened for modification C:\Windows\SysWOW64\Bcoenmao.exe Bapiabak.exe File created C:\Windows\SysWOW64\Dafmjm32.dll Illfdc32.exe File created C:\Windows\SysWOW64\Lghnikdd.dll Oiihahme.exe File created C:\Windows\SysWOW64\Ooiolbic.dll Qoifflkg.exe File created C:\Windows\SysWOW64\Egljbmnm.dll Dooaoj32.exe File created C:\Windows\SysWOW64\Gfqnichl.dll Bdickcpo.exe File created C:\Windows\SysWOW64\Khpgckkb.exe Keakgpko.exe File created C:\Windows\SysWOW64\Mbjnbqhp.exe Mlpeff32.exe -
Program crash 1 IoCs
Processes:
pid pid_target Process procid_target 6592 7636 1290 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Fkeodaai.exeNeppokal.exeNbqmiinl.exeIlmmni32.exeLmmolepp.exeFamjkl32.exeOekpkigo.exeKiggbhda.exeLbpdblmo.exeOhnohn32.exeAhchda32.exeJnelok32.exeKqbdldnq.exeLnnikdnj.exeMcecjmkl.exeLjclki32.exeFiodpl32.exeBapiabak.exeFdfmlhna.exeJjopcb32.exeKkjlic32.exeCjecpkcg.exeHlcjhkdp.exeMehcdfch.exeLenicahg.exeKomhll32.exeLldfjh32.exeLfjjga32.exeBmmpfn32.exeEiokinbk.exeKjjiej32.exeEfeihb32.exeKhpgckkb.exeNlleaeff.exeNcjginjn.exePjjahe32.exeNahgoe32.exeHkfglb32.exeKeonap32.exeFfaong32.exeEkdnei32.exeEbnfbcbc.exeNpchgdcd.exeEdjgfcec.exeBedgjgkg.exeFeoodn32.exeGmimai32.exeGojiiafp.exeObcceg32.exeCnkkjh32.exeCikglnkj.exeHgfapd32.exeBnbmefbg.exeEmeoooml.exeIbkpcg32.exeKbghfc32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkeodaai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neppokal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbqmiinl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmmni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmolepp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Famjkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekpkigo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiggbhda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbpdblmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohnohn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahchda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnelok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqbdldnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnnikdnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcecjmkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljclki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiodpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bapiabak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdfmlhna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjopcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjlic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjecpkcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlcjhkdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehcdfch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lenicahg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Komhll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldfjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfjjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmmpfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiokinbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjjiej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efeihb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khpgckkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlleaeff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncjginjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjjahe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nahgoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfglb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keonap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffaong32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekdnei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnfbcbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npchgdcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edjgfcec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedgjgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feoodn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmimai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gojiiafp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obcceg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkkjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cikglnkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgfapd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnbmefbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emeoooml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibkpcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbghfc32.exe -
Modifies registry class 64 IoCs
Processes:
Ijogmdqm.exeEnkdaepb.exeAhpmjejp.exeCglgjeci.exeDabhdinj.exeDgejpd32.exeLjdceo32.exeEfjbcakl.exeCabfga32.exeLgkpdcmi.exeHdehni32.exeEecdjmfi.exeJnifigpa.exeOgpepl32.exeGpkchqdj.exeAehgnied.exeCfnjpfcl.exeAjdjin32.exeHlglidlo.exeKeakgpko.exeIgqkqiai.exeQkmdkgob.exeKglmio32.exeCkfphc32.exeBkjiao32.exeMockmala.exeLbngllob.exeAkhcfe32.exeFfaong32.exePhodcg32.exeIdjlpc32.exeOeoblb32.exeCndikf32.exeNiniei32.exeOhkbbn32.exeHkicaahi.exeIkcdlmgf.exeNlfelogp.exeFbajbi32.exeLnohlgep.exeAmjillkj.exeNpchgdcd.exeBmmpfn32.exeJcbdgb32.exeKldmckic.exeMolelb32.exeQfpbmfdf.exeJdgafjpn.exeOhcegi32.exeBfkedibe.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijogmdqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enkdaepb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahpmjejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehhjm32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cglgjeci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmofee32.dll" Dabhdinj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jghdlf32.dll" Dgejpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljdceo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efjbcakl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cabfga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgkpdcmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdehni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nphihiif.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eecdjmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibkfhc32.dll" Jnifigpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogpepl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpkchqdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aehgnied.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfnjpfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkjmfeo.dll" Ajdjin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqhfnd32.dll" Hlglidlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmekjp32.dll" Keakgpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igqkqiai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkmdkgob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kglmio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckfphc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkjiao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mockmala.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpkgebb.dll" Lbngllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbfpo32.dll" Akhcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocmcjb32.dll" Ffaong32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdflmg32.dll" Phodcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncfpbegh.dll" Idjlpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akhcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeoblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cndikf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnicah32.dll" Niniei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpildobq.dll" Ohkbbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkicaahi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikcdlmgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlfelogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbajbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnohlgep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cglblmfn.dll" Amjillkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npchgdcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oipoad32.dll" Bmmpfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kldmckic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Molelb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eopjfnlo.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nflnbh32.dll" Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfegkoem.dll" Qfpbmfdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdgafjpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccmbmpbk.dll" Ohcegi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbkkam32.dll" Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfkedibe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eecdjmfi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
fdfe20086563227fb39b1cb1aa534b5717f8c7e3bd8911c9e2c325d3d5f80390N.exeBjddphlq.exeBmbplc32.exeBclhhnca.exeBfkedibe.exeBnbmefbg.exeBapiabak.exeBcoenmao.exeChjaol32.exeCjinkg32.exeCndikf32.exeCabfga32.exeCdabcm32.exeCfpnph32.exeCnffqf32.exeCeqnmpfo.exeChokikeb.exeCjmgfgdf.exeCagobalc.exeCdfkolkf.exeCjpckf32.exeCmnpgb32.exedescription pid Process procid_target PID 1684 wrote to memory of 1540 1684 fdfe20086563227fb39b1cb1aa534b5717f8c7e3bd8911c9e2c325d3d5f80390N.exe 84 PID 1684 wrote to memory of 1540 1684 fdfe20086563227fb39b1cb1aa534b5717f8c7e3bd8911c9e2c325d3d5f80390N.exe 84 PID 1684 wrote to memory of 1540 1684 fdfe20086563227fb39b1cb1aa534b5717f8c7e3bd8911c9e2c325d3d5f80390N.exe 84 PID 1540 wrote to memory of 1668 1540 Bjddphlq.exe 85 PID 1540 wrote to memory of 1668 1540 Bjddphlq.exe 85 PID 1540 wrote to memory of 1668 1540 Bjddphlq.exe 85 PID 1668 wrote to memory of 3592 1668 Bmbplc32.exe 86 PID 1668 wrote to memory of 3592 1668 Bmbplc32.exe 86 PID 1668 wrote to memory of 3592 1668 Bmbplc32.exe 86 PID 3592 wrote to memory of 3836 3592 Bclhhnca.exe 87 PID 3592 wrote to memory of 3836 3592 Bclhhnca.exe 87 PID 3592 wrote to memory of 3836 3592 Bclhhnca.exe 87 PID 3836 wrote to memory of 2416 3836 Bfkedibe.exe 88 PID 3836 wrote to memory of 2416 3836 Bfkedibe.exe 88 PID 3836 wrote to memory of 2416 3836 Bfkedibe.exe 88 PID 2416 wrote to memory of 3624 2416 Bnbmefbg.exe 89 PID 2416 wrote to memory of 3624 2416 Bnbmefbg.exe 89 PID 2416 wrote to memory of 3624 2416 Bnbmefbg.exe 89 PID 3624 wrote to memory of 520 3624 Bapiabak.exe 90 PID 3624 wrote to memory of 520 3624 Bapiabak.exe 90 PID 3624 wrote to memory of 520 3624 Bapiabak.exe 90 PID 520 wrote to memory of 2560 520 Bcoenmao.exe 91 PID 520 wrote to memory of 2560 520 Bcoenmao.exe 91 PID 520 wrote to memory of 2560 520 Bcoenmao.exe 91 PID 2560 wrote to memory of 2988 2560 Chjaol32.exe 92 PID 2560 wrote to memory of 2988 2560 Chjaol32.exe 92 PID 2560 wrote to memory of 2988 2560 Chjaol32.exe 92 PID 2988 wrote to memory of 2068 2988 Cjinkg32.exe 93 PID 2988 wrote to memory of 2068 2988 Cjinkg32.exe 93 PID 2988 wrote to memory of 2068 2988 Cjinkg32.exe 93 PID 2068 wrote to memory of 848 2068 Cndikf32.exe 94 PID 2068 wrote to memory of 848 2068 Cndikf32.exe 94 PID 2068 wrote to memory of 848 2068 Cndikf32.exe 94 PID 848 wrote to memory of 116 848 Cabfga32.exe 95 PID 848 wrote to memory of 116 848 Cabfga32.exe 95 PID 848 wrote to memory of 116 848 Cabfga32.exe 95 PID 116 wrote to memory of 2848 116 Cdabcm32.exe 96 PID 116 wrote to memory of 2848 116 Cdabcm32.exe 96 PID 116 wrote to memory of 2848 116 Cdabcm32.exe 96 PID 2848 wrote to memory of 2728 2848 Cfpnph32.exe 97 PID 2848 wrote to memory of 2728 2848 Cfpnph32.exe 97 PID 2848 wrote to memory of 2728 2848 Cfpnph32.exe 97 PID 2728 wrote to memory of 2056 2728 Cnffqf32.exe 98 PID 2728 wrote to memory of 2056 2728 Cnffqf32.exe 98 PID 2728 wrote to memory of 2056 2728 Cnffqf32.exe 98 PID 2056 wrote to memory of 4864 2056 Ceqnmpfo.exe 99 PID 2056 wrote to memory of 4864 2056 Ceqnmpfo.exe 99 PID 2056 wrote to memory of 4864 2056 Ceqnmpfo.exe 99 PID 4864 wrote to memory of 2944 4864 Chokikeb.exe 100 PID 4864 wrote to memory of 2944 4864 Chokikeb.exe 100 PID 4864 wrote to memory of 2944 4864 Chokikeb.exe 100 PID 2944 wrote to memory of 1132 2944 Cjmgfgdf.exe 101 PID 2944 wrote to memory of 1132 2944 Cjmgfgdf.exe 101 PID 2944 wrote to memory of 1132 2944 Cjmgfgdf.exe 101 PID 1132 wrote to memory of 400 1132 Cagobalc.exe 102 PID 1132 wrote to memory of 400 1132 Cagobalc.exe 102 PID 1132 wrote to memory of 400 1132 Cagobalc.exe 102 PID 400 wrote to memory of 4640 400 Cdfkolkf.exe 103 PID 400 wrote to memory of 4640 400 Cdfkolkf.exe 103 PID 400 wrote to memory of 4640 400 Cdfkolkf.exe 103 PID 4640 wrote to memory of 368 4640 Cjpckf32.exe 104 PID 4640 wrote to memory of 368 4640 Cjpckf32.exe 104 PID 4640 wrote to memory of 368 4640 Cjpckf32.exe 104 PID 368 wrote to memory of 1864 368 Cmnpgb32.exe 105
Processes
-
C:\Users\Admin\AppData\Local\Temp\fdfe20086563227fb39b1cb1aa534b5717f8c7e3bd8911c9e2c325d3d5f80390N.exe"C:\Users\Admin\AppData\Local\Temp\fdfe20086563227fb39b1cb1aa534b5717f8c7e3bd8911c9e2c325d3d5f80390N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Bjddphlq.exeC:\Windows\system32\Bjddphlq.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\Bmbplc32.exeC:\Windows\system32\Bmbplc32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1668 -
C:\Windows\SysWOW64\Bclhhnca.exeC:\Windows\system32\Bclhhnca.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3592 -
C:\Windows\SysWOW64\Bfkedibe.exeC:\Windows\system32\Bfkedibe.exe5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3836 -
C:\Windows\SysWOW64\Bnbmefbg.exeC:\Windows\system32\Bnbmefbg.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Bapiabak.exeC:\Windows\system32\Bapiabak.exe7⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3624 -
C:\Windows\SysWOW64\Bcoenmao.exeC:\Windows\system32\Bcoenmao.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Windows\SysWOW64\Chjaol32.exeC:\Windows\system32\Chjaol32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Cjinkg32.exeC:\Windows\system32\Cjinkg32.exe10⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Cndikf32.exeC:\Windows\system32\Cndikf32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Cabfga32.exeC:\Windows\system32\Cabfga32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:848 -
C:\Windows\SysWOW64\Cdabcm32.exeC:\Windows\system32\Cdabcm32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\SysWOW64\Cfpnph32.exeC:\Windows\system32\Cfpnph32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Cnffqf32.exeC:\Windows\system32\Cnffqf32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Ceqnmpfo.exeC:\Windows\system32\Ceqnmpfo.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Chokikeb.exeC:\Windows\system32\Chokikeb.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4864 -
C:\Windows\SysWOW64\Cjmgfgdf.exeC:\Windows\system32\Cjmgfgdf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Cagobalc.exeC:\Windows\system32\Cagobalc.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Cdfkolkf.exeC:\Windows\system32\Cdfkolkf.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Windows\SysWOW64\Cjpckf32.exeC:\Windows\system32\Cjpckf32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4640 -
C:\Windows\SysWOW64\Cmnpgb32.exeC:\Windows\system32\Cmnpgb32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\SysWOW64\Ceehho32.exeC:\Windows\system32\Ceehho32.exe23⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Cffdpghg.exeC:\Windows\system32\Cffdpghg.exe24⤵
- Executes dropped EXE
PID:3884 -
C:\Windows\SysWOW64\Cnnlaehj.exeC:\Windows\system32\Cnnlaehj.exe25⤵
- Executes dropped EXE
PID:5096 -
C:\Windows\SysWOW64\Calhnpgn.exeC:\Windows\system32\Calhnpgn.exe26⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Ddjejl32.exeC:\Windows\system32\Ddjejl32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4536 -
C:\Windows\SysWOW64\Djdmffnn.exeC:\Windows\system32\Djdmffnn.exe28⤵
- Executes dropped EXE
PID:3780 -
C:\Windows\SysWOW64\Dmcibama.exeC:\Windows\system32\Dmcibama.exe29⤵
- Executes dropped EXE
PID:4920 -
C:\Windows\SysWOW64\Dejacond.exeC:\Windows\system32\Dejacond.exe30⤵
- Executes dropped EXE
PID:4936 -
C:\Windows\SysWOW64\Dfknkg32.exeC:\Windows\system32\Dfknkg32.exe31⤵
- Executes dropped EXE
PID:3124 -
C:\Windows\SysWOW64\Dobfld32.exeC:\Windows\system32\Dobfld32.exe32⤵
- Executes dropped EXE
PID:4908 -
C:\Windows\SysWOW64\Delnin32.exeC:\Windows\system32\Delnin32.exe33⤵
- Executes dropped EXE
PID:4296 -
C:\Windows\SysWOW64\Dhkjej32.exeC:\Windows\system32\Dhkjej32.exe34⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Dodbbdbb.exeC:\Windows\system32\Dodbbdbb.exe35⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Dmgbnq32.exeC:\Windows\system32\Dmgbnq32.exe36⤵
- Executes dropped EXE
PID:3908 -
C:\Windows\SysWOW64\Deokon32.exeC:\Windows\system32\Deokon32.exe37⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Dkkcge32.exeC:\Windows\system32\Dkkcge32.exe38⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Daekdooc.exeC:\Windows\system32\Daekdooc.exe39⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Deagdn32.exeC:\Windows\system32\Deagdn32.exe40⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Dgbdlf32.exeC:\Windows\system32\Dgbdlf32.exe41⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Doilmc32.exeC:\Windows\system32\Doilmc32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Eecdjmfi.exeC:\Windows\system32\Eecdjmfi.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:4380 -
C:\Windows\SysWOW64\Egdqae32.exeC:\Windows\system32\Egdqae32.exe44⤵
- Executes dropped EXE
PID:5032 -
C:\Windows\SysWOW64\Eajeon32.exeC:\Windows\system32\Eajeon32.exe45⤵
- Executes dropped EXE
PID:3076 -
C:\Windows\SysWOW64\Eefaomcg.exeC:\Windows\system32\Eefaomcg.exe46⤵
- Executes dropped EXE
PID:1156 -
C:\Windows\SysWOW64\Edhakj32.exeC:\Windows\system32\Edhakj32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3156 -
C:\Windows\SysWOW64\Ekbihd32.exeC:\Windows\system32\Ekbihd32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4396 -
C:\Windows\SysWOW64\Eehnem32.exeC:\Windows\system32\Eehnem32.exe49⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\Ekefmc32.exeC:\Windows\system32\Ekefmc32.exe50⤵
- Executes dropped EXE
PID:5100 -
C:\Windows\SysWOW64\Eaonjngh.exeC:\Windows\system32\Eaonjngh.exe51⤵
- Executes dropped EXE
PID:4604 -
C:\Windows\SysWOW64\Eglgbdep.exeC:\Windows\system32\Eglgbdep.exe52⤵
- Executes dropped EXE
PID:3236 -
C:\Windows\SysWOW64\Emeoooml.exeC:\Windows\system32\Emeoooml.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3436 -
C:\Windows\SysWOW64\Ekiohclf.exeC:\Windows\system32\Ekiohclf.exe54⤵
- Executes dropped EXE
PID:4644 -
C:\Windows\SysWOW64\Eoekia32.exeC:\Windows\system32\Eoekia32.exe55⤵
- Executes dropped EXE
PID:4880 -
C:\Windows\SysWOW64\Eachem32.exeC:\Windows\system32\Eachem32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3392 -
C:\Windows\SysWOW64\Fhmpagkp.exeC:\Windows\system32\Fhmpagkp.exe57⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Fnjhjn32.exeC:\Windows\system32\Fnjhjn32.exe58⤵
- Executes dropped EXE
PID:720 -
C:\Windows\SysWOW64\Fddqghpd.exeC:\Windows\system32\Fddqghpd.exe59⤵
- Executes dropped EXE
PID:4692 -
C:\Windows\SysWOW64\Fojedapj.exeC:\Windows\system32\Fojedapj.exe60⤵PID:3900
-
C:\Windows\SysWOW64\Fdfmlhna.exeC:\Windows\system32\Fdfmlhna.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3096 -
C:\Windows\SysWOW64\Fefjfked.exeC:\Windows\system32\Fefjfked.exe62⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Fhdfbfdh.exeC:\Windows\system32\Fhdfbfdh.exe63⤵
- Executes dropped EXE
PID:3112 -
C:\Windows\SysWOW64\Fkcboack.exeC:\Windows\system32\Fkcboack.exe64⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Famjkl32.exeC:\Windows\system32\Famjkl32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:636 -
C:\Windows\SysWOW64\Fhgbhfbe.exeC:\Windows\system32\Fhgbhfbe.exe66⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Fkeodaai.exeC:\Windows\system32\Fkeodaai.exe67⤵
- System Location Discovery: System Language Discovery
PID:4468 -
C:\Windows\SysWOW64\Gekcaj32.exeC:\Windows\system32\Gekcaj32.exe68⤵PID:2136
-
C:\Windows\SysWOW64\Ghipne32.exeC:\Windows\system32\Ghipne32.exe69⤵PID:744
-
C:\Windows\SysWOW64\Gkglja32.exeC:\Windows\system32\Gkglja32.exe70⤵PID:3444
-
C:\Windows\SysWOW64\Gnfhfl32.exeC:\Windows\system32\Gnfhfl32.exe71⤵PID:1600
-
C:\Windows\SysWOW64\Gdppbfff.exeC:\Windows\system32\Gdppbfff.exe72⤵PID:4356
-
C:\Windows\SysWOW64\Ghklce32.exeC:\Windows\system32\Ghklce32.exe73⤵PID:2808
-
C:\Windows\SysWOW64\Goedpofl.exeC:\Windows\system32\Goedpofl.exe74⤵PID:2816
-
C:\Windows\SysWOW64\Gdbmhf32.exeC:\Windows\system32\Gdbmhf32.exe75⤵PID:4856
-
C:\Windows\SysWOW64\Ghniielm.exeC:\Windows\system32\Ghniielm.exe76⤵PID:4588
-
C:\Windows\SysWOW64\Gkleeplq.exeC:\Windows\system32\Gkleeplq.exe77⤵PID:1900
-
C:\Windows\SysWOW64\Gnkaalkd.exeC:\Windows\system32\Gnkaalkd.exe78⤵PID:3180
-
C:\Windows\SysWOW64\Ghpendjj.exeC:\Windows\system32\Ghpendjj.exe79⤵PID:1636
-
C:\Windows\SysWOW64\Gkobjpin.exeC:\Windows\system32\Gkobjpin.exe80⤵PID:2144
-
C:\Windows\SysWOW64\Gahjgj32.exeC:\Windows\system32\Gahjgj32.exe81⤵PID:2180
-
C:\Windows\SysWOW64\Gdgfce32.exeC:\Windows\system32\Gdgfce32.exe82⤵PID:3916
-
C:\Windows\SysWOW64\Gkaopp32.exeC:\Windows\system32\Gkaopp32.exe83⤵PID:1764
-
C:\Windows\SysWOW64\Hffcmh32.exeC:\Windows\system32\Hffcmh32.exe84⤵PID:1892
-
C:\Windows\SysWOW64\Hoogfnnb.exeC:\Windows\system32\Hoogfnnb.exe85⤵PID:4848
-
C:\Windows\SysWOW64\Hfipbh32.exeC:\Windows\system32\Hfipbh32.exe86⤵PID:1524
-
C:\Windows\SysWOW64\Hhgloc32.exeC:\Windows\system32\Hhgloc32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Hdnldd32.exeC:\Windows\system32\Hdnldd32.exe88⤵PID:2692
-
C:\Windows\SysWOW64\Hbbmmi32.exeC:\Windows\system32\Hbbmmi32.exe89⤵PID:2908
-
C:\Windows\SysWOW64\Hgoeep32.exeC:\Windows\system32\Hgoeep32.exe90⤵PID:1172
-
C:\Windows\SysWOW64\Hninbj32.exeC:\Windows\system32\Hninbj32.exe91⤵PID:3596
-
C:\Windows\SysWOW64\Hbdjchgn.exeC:\Windows\system32\Hbdjchgn.exe92⤵PID:456
-
C:\Windows\SysWOW64\Hkmnln32.exeC:\Windows\system32\Hkmnln32.exe93⤵PID:1088
-
C:\Windows\SysWOW64\Iohjlmeg.exeC:\Windows\system32\Iohjlmeg.exe94⤵PID:4284
-
C:\Windows\SysWOW64\Ifbbig32.exeC:\Windows\system32\Ifbbig32.exe95⤵PID:4772
-
C:\Windows\SysWOW64\Igcoqocb.exeC:\Windows\system32\Igcoqocb.exe96⤵PID:3792
-
C:\Windows\SysWOW64\Ikokan32.exeC:\Windows\system32\Ikokan32.exe97⤵PID:772
-
C:\Windows\SysWOW64\Ibicnh32.exeC:\Windows\system32\Ibicnh32.exe98⤵PID:1836
-
C:\Windows\SysWOW64\Idgojc32.exeC:\Windows\system32\Idgojc32.exe99⤵PID:2280
-
C:\Windows\SysWOW64\Igfkfo32.exeC:\Windows\system32\Igfkfo32.exe100⤵PID:1268
-
C:\Windows\SysWOW64\Iomcgl32.exeC:\Windows\system32\Iomcgl32.exe101⤵PID:1208
-
C:\Windows\SysWOW64\Ibkpcg32.exeC:\Windows\system32\Ibkpcg32.exe102⤵
- System Location Discovery: System Language Discovery
PID:4456 -
C:\Windows\SysWOW64\Idjlpc32.exeC:\Windows\system32\Idjlpc32.exe103⤵
- Modifies registry class
PID:4128 -
C:\Windows\SysWOW64\Ikcdlmgf.exeC:\Windows\system32\Ikcdlmgf.exe104⤵
- Modifies registry class
PID:212 -
C:\Windows\SysWOW64\Ibnligoc.exeC:\Windows\system32\Ibnligoc.exe105⤵PID:4572
-
C:\Windows\SysWOW64\Ifihif32.exeC:\Windows\system32\Ifihif32.exe106⤵PID:3808
-
C:\Windows\SysWOW64\Iigdfa32.exeC:\Windows\system32\Iigdfa32.exe107⤵PID:2152
-
C:\Windows\SysWOW64\Ioambknl.exeC:\Windows\system32\Ioambknl.exe108⤵PID:2244
-
C:\Windows\SysWOW64\Ibpiogmp.exeC:\Windows\system32\Ibpiogmp.exe109⤵PID:4824
-
C:\Windows\SysWOW64\Ienekbld.exeC:\Windows\system32\Ienekbld.exe110⤵PID:2568
-
C:\Windows\SysWOW64\Iijaka32.exeC:\Windows\system32\Iijaka32.exe111⤵PID:4580
-
C:\Windows\SysWOW64\Jkhngl32.exeC:\Windows\system32\Jkhngl32.exe112⤵PID:4384
-
C:\Windows\SysWOW64\Jngjch32.exeC:\Windows\system32\Jngjch32.exe113⤵PID:3588
-
C:\Windows\SysWOW64\Jfnbdecg.exeC:\Windows\system32\Jfnbdecg.exe114⤵PID:4336
-
C:\Windows\SysWOW64\Jgonlm32.exeC:\Windows\system32\Jgonlm32.exe115⤵PID:936
-
C:\Windows\SysWOW64\Jkkjmlan.exeC:\Windows\system32\Jkkjmlan.exe116⤵PID:2256
-
C:\Windows\SysWOW64\Jnifigpa.exeC:\Windows\system32\Jnifigpa.exe117⤵
- Modifies registry class
PID:4092 -
C:\Windows\SysWOW64\Jfpojead.exeC:\Windows\system32\Jfpojead.exe118⤵PID:5132
-
C:\Windows\SysWOW64\Jiokfpph.exeC:\Windows\system32\Jiokfpph.exe119⤵PID:5176
-
C:\Windows\SysWOW64\Jkmgblok.exeC:\Windows\system32\Jkmgblok.exe120⤵PID:5216
-
C:\Windows\SysWOW64\Jfbkpd32.exeC:\Windows\system32\Jfbkpd32.exe121⤵PID:5260
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-