Analysis
-
max time kernel
119s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-12-2024 03:19
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a80697b287393887f26822a6fb8d96fd75b556865b8543680d4275741b589ba1N.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
a80697b287393887f26822a6fb8d96fd75b556865b8543680d4275741b589ba1N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
a80697b287393887f26822a6fb8d96fd75b556865b8543680d4275741b589ba1N.exe
-
Size
96KB
-
MD5
5734383ded5d1fabddbc92744dc17b80
-
SHA1
301ad91c55d54f78507cac547b63f53c859d693c
-
SHA256
a80697b287393887f26822a6fb8d96fd75b556865b8543680d4275741b589ba1
-
SHA512
6c4338eac77850cd3370f4fe6031e6b0ab9e759499303910cb4ab3b56470d61d575dd63aca86b182430c7da0275586660cadb4d527c88ad6ea13a46989e086b0
-
SSDEEP
1536:wYqvE4yWhMqXeCm42QXKk/jN46ocDX2L5Z7RZObZUUWaegPYAG:Z34yWhPXed4hXKk7epQ8rClUUWae9
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acohnhab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Holldk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmkmjoec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loaokjjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efppqoil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhaanh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhiphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkjnenbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjkibehc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcmnja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnnkec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miiofn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjjkfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdcfoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hilgfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joekimld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkmljcdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Diqmcgca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaeqmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klfmijae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojeakfnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hememgdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jngilalk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdfmpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpokjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjgei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lekghdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bimphc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckkenikc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfgjdlme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imogcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cffjagko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elibpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbbnjgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omhkcnfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmiolk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehaolpke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmhhae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfhgggim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpbqcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lepclldc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpoibp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hokjkbkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojdjqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghgfekpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iomcpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjkfqlpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhfjpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odcimipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmnofp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbmdhfog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hajfgnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhfpdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooggpiek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddbmcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebcmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnqkjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imogcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofobgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpnngi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oabplobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clclhmin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebicee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgnokgcc.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 5 IoCs
resource yara_rule behavioral1/files/0x000500000001adcf-602.dat family_bruteratel behavioral1/files/0x000400000001d9af-2001.dat family_bruteratel behavioral1/files/0x000400000001d9f3-2079.dat family_bruteratel behavioral1/files/0x000400000001e214-3340.dat family_bruteratel behavioral1/files/0x0003000000020fc4-7321.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2696 Elibpg32.exe 2688 Eimcjl32.exe 2740 Fahhnn32.exe 2792 Fhbpkh32.exe 1776 Fefqdl32.exe 1624 Fggmldfp.exe 2060 Famaimfe.exe 752 Fhgifgnb.exe 1164 Fcqjfeja.exe 2856 Fmfocnjg.exe 380 Fimoiopk.exe 2052 Gcedad32.exe 2328 Glnhjjml.exe 3064 Gcgqgd32.exe 3044 Glpepj32.exe 1600 Gcjmmdbf.exe 848 Ghgfekpn.exe 1740 Goqnae32.exe 1336 Gekfnoog.exe 2032 Gkgoff32.exe 2520 Gqdgom32.exe 1872 Hgnokgcc.exe 2892 Hqgddm32.exe 864 Hcepqh32.exe 1044 Hmmdin32.exe 2640 Hcgmfgfd.exe 2756 Hqkmplen.exe 1576 Hfhfhbce.exe 2716 Hclfag32.exe 1236 Hmdkjmip.exe 2596 Ieponofk.exe 1812 Ikjhki32.exe 2200 Iinhdmma.exe 2456 Iogpag32.exe 2868 Iknafhjb.exe 572 Inmmbc32.exe 1920 Inojhc32.exe 2176 Ieibdnnp.exe 1288 Jnagmc32.exe 2388 Jpbcek32.exe 840 Jikhnaao.exe 3020 Jbclgf32.exe 2996 Jimdcqom.exe 1852 Jllqplnp.exe 2084 Jmkmjoec.exe 2352 Jnmiag32.exe 2408 Jibnop32.exe 2116 Jplfkjbd.exe 2636 Jnofgg32.exe 908 Keioca32.exe 2900 Kjeglh32.exe 2768 Kekkiq32.exe 2752 Klecfkff.exe 2828 Kmfpmc32.exe 2572 Kenhopmf.exe 668 Koflgf32.exe 1456 Kpgionie.exe 292 Kageia32.exe 1260 Kbhbai32.exe 1924 Kkojbf32.exe 1904 Lmmfnb32.exe 3060 Lplbjm32.exe 880 Lgfjggll.exe 1972 Lidgcclp.exe -
Loads dropped DLL 64 IoCs
pid Process 2364 a80697b287393887f26822a6fb8d96fd75b556865b8543680d4275741b589ba1N.exe 2364 a80697b287393887f26822a6fb8d96fd75b556865b8543680d4275741b589ba1N.exe 2696 Elibpg32.exe 2696 Elibpg32.exe 2688 Eimcjl32.exe 2688 Eimcjl32.exe 2740 Fahhnn32.exe 2740 Fahhnn32.exe 2792 Fhbpkh32.exe 2792 Fhbpkh32.exe 1776 Fefqdl32.exe 1776 Fefqdl32.exe 1624 Fggmldfp.exe 1624 Fggmldfp.exe 2060 Famaimfe.exe 2060 Famaimfe.exe 752 Fhgifgnb.exe 752 Fhgifgnb.exe 1164 Fcqjfeja.exe 1164 Fcqjfeja.exe 2856 Fmfocnjg.exe 2856 Fmfocnjg.exe 380 Fimoiopk.exe 380 Fimoiopk.exe 2052 Gcedad32.exe 2052 Gcedad32.exe 2328 Glnhjjml.exe 2328 Glnhjjml.exe 3064 Gcgqgd32.exe 3064 Gcgqgd32.exe 3044 Glpepj32.exe 3044 Glpepj32.exe 1600 Gcjmmdbf.exe 1600 Gcjmmdbf.exe 848 Ghgfekpn.exe 848 Ghgfekpn.exe 1740 Goqnae32.exe 1740 Goqnae32.exe 1336 Gekfnoog.exe 1336 Gekfnoog.exe 2032 Gkgoff32.exe 2032 Gkgoff32.exe 2520 Gqdgom32.exe 2520 Gqdgom32.exe 1872 Hgnokgcc.exe 1872 Hgnokgcc.exe 2892 Hqgddm32.exe 2892 Hqgddm32.exe 864 Hcepqh32.exe 864 Hcepqh32.exe 1044 Hmmdin32.exe 1044 Hmmdin32.exe 2640 Hcgmfgfd.exe 2640 Hcgmfgfd.exe 2756 Hqkmplen.exe 2756 Hqkmplen.exe 1576 Hfhfhbce.exe 1576 Hfhfhbce.exe 2716 Hclfag32.exe 2716 Hclfag32.exe 1236 Hmdkjmip.exe 1236 Hmdkjmip.exe 2596 Ieponofk.exe 2596 Ieponofk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Iaaoqf32.exe Iijfoh32.exe File opened for modification C:\Windows\SysWOW64\Geloanjg.exe Gdjcjf32.exe File created C:\Windows\SysWOW64\Hlhddh32.exe Genlgnhd.exe File created C:\Windows\SysWOW64\Hecebm32.exe Hoimecmb.exe File created C:\Windows\SysWOW64\Fplkghjl.dll Hokjkbkp.exe File created C:\Windows\SysWOW64\Kfnnlboi.exe Kpdeoh32.exe File opened for modification C:\Windows\SysWOW64\Nloachkf.exe Nipefmkb.exe File created C:\Windows\SysWOW64\Onfabgch.exe Okhefl32.exe File created C:\Windows\SysWOW64\Cljamifd.dll Cnflae32.exe File created C:\Windows\SysWOW64\Lmphha32.dll Gminbfoh.exe File opened for modification C:\Windows\SysWOW64\Jinfli32.exe Jjkfqlpf.exe File opened for modification C:\Windows\SysWOW64\Ogmkne32.exe Opccallb.exe File opened for modification C:\Windows\SysWOW64\Ankedf32.exe Ainmlomf.exe File created C:\Windows\SysWOW64\Qanmcdlm.exe Qjddgj32.exe File opened for modification C:\Windows\SysWOW64\Akfnkmei.exe Adleoc32.exe File created C:\Windows\SysWOW64\Fjnignob.exe Ephdjeol.exe File opened for modification C:\Windows\SysWOW64\Kbenacdm.exe Khojcj32.exe File created C:\Windows\SysWOW64\Ikocoa32.exe Ihpgce32.exe File opened for modification C:\Windows\SysWOW64\Lepclldc.exe Lofkoamf.exe File created C:\Windows\SysWOW64\Jlmhimhb.dll Bpmkbl32.exe File created C:\Windows\SysWOW64\Eqcjaa32.exe Enenef32.exe File opened for modification C:\Windows\SysWOW64\Iopeoknn.exe Hkejnl32.exe File created C:\Windows\SysWOW64\Oleepo32.exe Oekmceaf.exe File created C:\Windows\SysWOW64\Epokjceb.dll Bllcnega.exe File created C:\Windows\SysWOW64\Lkifkdjm.exe Lbbnjgik.exe File opened for modification C:\Windows\SysWOW64\Nchipb32.exe Nloachkf.exe File created C:\Windows\SysWOW64\Anpmohcl.dll Pkmmigjo.exe File created C:\Windows\SysWOW64\Kipdmjne.dll Bdodmlcm.exe File opened for modification C:\Windows\SysWOW64\Nhmbdl32.exe Macjgadf.exe File created C:\Windows\SysWOW64\Nkgmej32.dll Laidgi32.exe File created C:\Windows\SysWOW64\Hmmobd32.dll Lpckce32.exe File created C:\Windows\SysWOW64\Jfhbig32.dll Ijlaloaf.exe File created C:\Windows\SysWOW64\Ncgfge32.dll Leegbnan.exe File created C:\Windows\SysWOW64\Alakfjbc.dll Bkcfjk32.exe File created C:\Windows\SysWOW64\Gefolhja.exe Gbhcpmkm.exe File opened for modification C:\Windows\SysWOW64\Lgfjggll.exe Lplbjm32.exe File opened for modification C:\Windows\SysWOW64\Cgdqpq32.exe Cdedde32.exe File created C:\Windows\SysWOW64\Bjfpdf32.exe Ahhchk32.exe File created C:\Windows\SysWOW64\Gmcikd32.exe Gfiaojkq.exe File created C:\Windows\SysWOW64\Libmacbm.dll Idokma32.exe File opened for modification C:\Windows\SysWOW64\Mlpngd32.exe Miaaki32.exe File created C:\Windows\SysWOW64\Hkmjjn32.exe Hhnnnbaj.exe File opened for modification C:\Windows\SysWOW64\Lhlbbg32.exe Lenffl32.exe File created C:\Windows\SysWOW64\Efppqoil.exe Ecadddjh.exe File created C:\Windows\SysWOW64\Ohmkac32.dll Floeof32.exe File created C:\Windows\SysWOW64\Plhodp32.dll Fapgblob.exe File created C:\Windows\SysWOW64\Hajdhd32.dll Pmkdhq32.exe File created C:\Windows\SysWOW64\Hmcqik32.dll Adgein32.exe File created C:\Windows\SysWOW64\Dnjkcc32.dll Hememgdi.exe File created C:\Windows\SysWOW64\Hflndjin.exe Gdmbhnjj.exe File created C:\Windows\SysWOW64\Hkobdolo.dll Aompambg.exe File created C:\Windows\SysWOW64\Cjmmffgn.exe Cccdjl32.exe File created C:\Windows\SysWOW64\Ofgbkacb.exe Ochenfdn.exe File created C:\Windows\SysWOW64\Qjpnmmqd.dll Hpfoboml.exe File created C:\Windows\SysWOW64\Qnekmihd.dll Ipkema32.exe File opened for modification C:\Windows\SysWOW64\Lhklha32.exe Lpddgd32.exe File created C:\Windows\SysWOW64\Kipknhkd.dll Pbomli32.exe File created C:\Windows\SysWOW64\Dmebcgbb.exe Djgfgkbo.exe File opened for modification C:\Windows\SysWOW64\Efffpjmk.exe Eddjhb32.exe File created C:\Windows\SysWOW64\Ifbkgj32.exe Iohbjpkb.exe File created C:\Windows\SysWOW64\Hidgoh32.dll Eelgcg32.exe File created C:\Windows\SysWOW64\Mbpmdgef.dll Aifjgdkj.exe File created C:\Windows\SysWOW64\Jmccgf32.dll Obhpad32.exe File created C:\Windows\SysWOW64\Kolhdbjh.exe Kmnlhg32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8356 8316 WerFault.exe 952 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnodgbed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adblnnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emgdmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbomli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dilchhgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hafbghhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhalngad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjnlikic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maocekoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eimcjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfbpaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiofnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baealp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiakkcma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmogpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aldfcpjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdinnqon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clnehado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfddkmch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojkhjabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keioca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdjalea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hokjkbkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldjmidcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmgao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmefad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Felcbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macjgadf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lilomj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicmadmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faijggao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlgdhcmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fakglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmiolk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhominh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmbhnjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqobnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajipkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Endklmlq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mldeik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbmom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmmcjjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcppkbia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobaef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnnmeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebcmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pijgbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Memlki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcqjfeja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbmdhfog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojeakfnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkilgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqhdfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lekghdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goiafp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajfgnjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibibfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjpkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkhdnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Engjkeab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgibdjln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjgei32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjjnmd32.dll" Gajjhkgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqffgapf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipkema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Admljpij.dll" Nogmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgfmep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnfop32.dll" Akfnkmei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baneak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lldpji32.dll" Padccpal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkbbalfd.dll" Amjpgdik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqmice32.dll" Icabeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ollqllod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmhdph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fimoiopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afmbgd32.dll" Chocodch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccgnelll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iemanlnj.dll" Jcoanb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Palbgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Depfiffk.dll" Kbqgolpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lemdncoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpfnckhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhiphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcleiclo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acdodo32.dll" Acohnhab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlmphp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lehfafgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Capgei32.dll" Lmhdph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqkmplen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odiaql32.dll" Hmmdin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iinhdmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnhanebc.dll" Jimdcqom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojpeec.dll" Anbmbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqhgonnp.dll" Flhhed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogbldk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glijnmdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajokhp32.dll" a80697b287393887f26822a6fb8d96fd75b556865b8543680d4275741b589ba1N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaqejn32.dll" Flqkjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmnhgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okfimp32.dll" Qanolm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcbmmbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diqmcgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goigjpaa.dll" Pnnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aengebaf.dll" Hlpchfdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaekljjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmcgmkil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbjfcnkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgpfpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggfbpaeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nklopg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noclah32.dll" Pncjad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmdiahco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mndhnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpgionie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lalhgogb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkcmjpma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ankedf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhdmc32.dll" Ciepkajj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccnddg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebgahgaj.dll" Fhkagonc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gekfnoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iekcqo32.dll" Lpddgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpddgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eacmfp32.dll" Iciaim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgjgol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fakglf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2364 wrote to memory of 2696 2364 a80697b287393887f26822a6fb8d96fd75b556865b8543680d4275741b589ba1N.exe 30 PID 2364 wrote to memory of 2696 2364 a80697b287393887f26822a6fb8d96fd75b556865b8543680d4275741b589ba1N.exe 30 PID 2364 wrote to memory of 2696 2364 a80697b287393887f26822a6fb8d96fd75b556865b8543680d4275741b589ba1N.exe 30 PID 2364 wrote to memory of 2696 2364 a80697b287393887f26822a6fb8d96fd75b556865b8543680d4275741b589ba1N.exe 30 PID 2696 wrote to memory of 2688 2696 Elibpg32.exe 31 PID 2696 wrote to memory of 2688 2696 Elibpg32.exe 31 PID 2696 wrote to memory of 2688 2696 Elibpg32.exe 31 PID 2696 wrote to memory of 2688 2696 Elibpg32.exe 31 PID 2688 wrote to memory of 2740 2688 Eimcjl32.exe 32 PID 2688 wrote to memory of 2740 2688 Eimcjl32.exe 32 PID 2688 wrote to memory of 2740 2688 Eimcjl32.exe 32 PID 2688 wrote to memory of 2740 2688 Eimcjl32.exe 32 PID 2740 wrote to memory of 2792 2740 Fahhnn32.exe 33 PID 2740 wrote to memory of 2792 2740 Fahhnn32.exe 33 PID 2740 wrote to memory of 2792 2740 Fahhnn32.exe 33 PID 2740 wrote to memory of 2792 2740 Fahhnn32.exe 33 PID 2792 wrote to memory of 1776 2792 Fhbpkh32.exe 34 PID 2792 wrote to memory of 1776 2792 Fhbpkh32.exe 34 PID 2792 wrote to memory of 1776 2792 Fhbpkh32.exe 34 PID 2792 wrote to memory of 1776 2792 Fhbpkh32.exe 34 PID 1776 wrote to memory of 1624 1776 Fefqdl32.exe 35 PID 1776 wrote to memory of 1624 1776 Fefqdl32.exe 35 PID 1776 wrote to memory of 1624 1776 Fefqdl32.exe 35 PID 1776 wrote to memory of 1624 1776 Fefqdl32.exe 35 PID 1624 wrote to memory of 2060 1624 Fggmldfp.exe 36 PID 1624 wrote to memory of 2060 1624 Fggmldfp.exe 36 PID 1624 wrote to memory of 2060 1624 Fggmldfp.exe 36 PID 1624 wrote to memory of 2060 1624 Fggmldfp.exe 36 PID 2060 wrote to memory of 752 2060 Famaimfe.exe 37 PID 2060 wrote to memory of 752 2060 Famaimfe.exe 37 PID 2060 wrote to memory of 752 2060 Famaimfe.exe 37 PID 2060 wrote to memory of 752 2060 Famaimfe.exe 37 PID 752 wrote to memory of 1164 752 Fhgifgnb.exe 38 PID 752 wrote to memory of 1164 752 Fhgifgnb.exe 38 PID 752 wrote to memory of 1164 752 Fhgifgnb.exe 38 PID 752 wrote to memory of 1164 752 Fhgifgnb.exe 38 PID 1164 wrote to memory of 2856 1164 Fcqjfeja.exe 39 PID 1164 wrote to memory of 2856 1164 Fcqjfeja.exe 39 PID 1164 wrote to memory of 2856 1164 Fcqjfeja.exe 39 PID 1164 wrote to memory of 2856 1164 Fcqjfeja.exe 39 PID 2856 wrote to memory of 380 2856 Fmfocnjg.exe 40 PID 2856 wrote to memory of 380 2856 Fmfocnjg.exe 40 PID 2856 wrote to memory of 380 2856 Fmfocnjg.exe 40 PID 2856 wrote to memory of 380 2856 Fmfocnjg.exe 40 PID 380 wrote to memory of 2052 380 Fimoiopk.exe 41 PID 380 wrote to memory of 2052 380 Fimoiopk.exe 41 PID 380 wrote to memory of 2052 380 Fimoiopk.exe 41 PID 380 wrote to memory of 2052 380 Fimoiopk.exe 41 PID 2052 wrote to memory of 2328 2052 Gcedad32.exe 42 PID 2052 wrote to memory of 2328 2052 Gcedad32.exe 42 PID 2052 wrote to memory of 2328 2052 Gcedad32.exe 42 PID 2052 wrote to memory of 2328 2052 Gcedad32.exe 42 PID 2328 wrote to memory of 3064 2328 Glnhjjml.exe 43 PID 2328 wrote to memory of 3064 2328 Glnhjjml.exe 43 PID 2328 wrote to memory of 3064 2328 Glnhjjml.exe 43 PID 2328 wrote to memory of 3064 2328 Glnhjjml.exe 43 PID 3064 wrote to memory of 3044 3064 Gcgqgd32.exe 44 PID 3064 wrote to memory of 3044 3064 Gcgqgd32.exe 44 PID 3064 wrote to memory of 3044 3064 Gcgqgd32.exe 44 PID 3064 wrote to memory of 3044 3064 Gcgqgd32.exe 44 PID 3044 wrote to memory of 1600 3044 Glpepj32.exe 45 PID 3044 wrote to memory of 1600 3044 Glpepj32.exe 45 PID 3044 wrote to memory of 1600 3044 Glpepj32.exe 45 PID 3044 wrote to memory of 1600 3044 Glpepj32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a80697b287393887f26822a6fb8d96fd75b556865b8543680d4275741b589ba1N.exe"C:\Users\Admin\AppData\Local\Temp\a80697b287393887f26822a6fb8d96fd75b556865b8543680d4275741b589ba1N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364 -
C:\Windows\SysWOW64\Elibpg32.exeC:\Windows\system32\Elibpg32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Eimcjl32.exeC:\Windows\system32\Eimcjl32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Fahhnn32.exeC:\Windows\system32\Fahhnn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Fhbpkh32.exeC:\Windows\system32\Fhbpkh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Fefqdl32.exeC:\Windows\system32\Fefqdl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Fggmldfp.exeC:\Windows\system32\Fggmldfp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Famaimfe.exeC:\Windows\system32\Famaimfe.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Fhgifgnb.exeC:\Windows\system32\Fhgifgnb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:752 -
C:\Windows\SysWOW64\Fcqjfeja.exeC:\Windows\system32\Fcqjfeja.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1164 -
C:\Windows\SysWOW64\Fmfocnjg.exeC:\Windows\system32\Fmfocnjg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Fimoiopk.exeC:\Windows\system32\Fimoiopk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:380 -
C:\Windows\SysWOW64\Gcedad32.exeC:\Windows\system32\Gcedad32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Glnhjjml.exeC:\Windows\system32\Glnhjjml.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Gcgqgd32.exeC:\Windows\system32\Gcgqgd32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Glpepj32.exeC:\Windows\system32\Glpepj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Gcjmmdbf.exeC:\Windows\system32\Gcjmmdbf.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Ghgfekpn.exeC:\Windows\system32\Ghgfekpn.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:848 -
C:\Windows\SysWOW64\Goqnae32.exeC:\Windows\system32\Goqnae32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Gekfnoog.exeC:\Windows\system32\Gekfnoog.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Gkgoff32.exeC:\Windows\system32\Gkgoff32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Gqdgom32.exeC:\Windows\system32\Gqdgom32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Hgnokgcc.exeC:\Windows\system32\Hgnokgcc.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Hqgddm32.exeC:\Windows\system32\Hqgddm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Hcepqh32.exeC:\Windows\system32\Hcepqh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Hmmdin32.exeC:\Windows\system32\Hmmdin32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Hcgmfgfd.exeC:\Windows\system32\Hcgmfgfd.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Hqkmplen.exeC:\Windows\system32\Hqkmplen.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Hfhfhbce.exeC:\Windows\system32\Hfhfhbce.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Hclfag32.exeC:\Windows\system32\Hclfag32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Hmdkjmip.exeC:\Windows\system32\Hmdkjmip.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1236 -
C:\Windows\SysWOW64\Ieponofk.exeC:\Windows\system32\Ieponofk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Ikjhki32.exeC:\Windows\system32\Ikjhki32.exe33⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Iinhdmma.exeC:\Windows\system32\Iinhdmma.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Iogpag32.exeC:\Windows\system32\Iogpag32.exe35⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Iknafhjb.exeC:\Windows\system32\Iknafhjb.exe36⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Inmmbc32.exeC:\Windows\system32\Inmmbc32.exe37⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Inojhc32.exeC:\Windows\system32\Inojhc32.exe38⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Ieibdnnp.exeC:\Windows\system32\Ieibdnnp.exe39⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Jnagmc32.exeC:\Windows\system32\Jnagmc32.exe40⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Jpbcek32.exeC:\Windows\system32\Jpbcek32.exe41⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Jikhnaao.exeC:\Windows\system32\Jikhnaao.exe42⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Jbclgf32.exeC:\Windows\system32\Jbclgf32.exe43⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Jimdcqom.exeC:\Windows\system32\Jimdcqom.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Jllqplnp.exeC:\Windows\system32\Jllqplnp.exe45⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Jmkmjoec.exeC:\Windows\system32\Jmkmjoec.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Jnmiag32.exeC:\Windows\system32\Jnmiag32.exe47⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Jibnop32.exeC:\Windows\system32\Jibnop32.exe48⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Jplfkjbd.exeC:\Windows\system32\Jplfkjbd.exe49⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Jnofgg32.exeC:\Windows\system32\Jnofgg32.exe50⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Keioca32.exeC:\Windows\system32\Keioca32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:908 -
C:\Windows\SysWOW64\Kjeglh32.exeC:\Windows\system32\Kjeglh32.exe52⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Kekkiq32.exeC:\Windows\system32\Kekkiq32.exe53⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Klecfkff.exeC:\Windows\system32\Klecfkff.exe54⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Kmfpmc32.exeC:\Windows\system32\Kmfpmc32.exe55⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Kenhopmf.exeC:\Windows\system32\Kenhopmf.exe56⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Koflgf32.exeC:\Windows\system32\Koflgf32.exe57⤵
- Executes dropped EXE
PID:668 -
C:\Windows\SysWOW64\Kpgionie.exeC:\Windows\system32\Kpgionie.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:1456 -
C:\Windows\SysWOW64\Kageia32.exeC:\Windows\system32\Kageia32.exe59⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Kbhbai32.exeC:\Windows\system32\Kbhbai32.exe60⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Kkojbf32.exeC:\Windows\system32\Kkojbf32.exe61⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Lmmfnb32.exeC:\Windows\system32\Lmmfnb32.exe62⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Lplbjm32.exeC:\Windows\system32\Lplbjm32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Lgfjggll.exeC:\Windows\system32\Lgfjggll.exe64⤵
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Lidgcclp.exeC:\Windows\system32\Lidgcclp.exe65⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Loaokjjg.exeC:\Windows\system32\Loaokjjg.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2436 -
C:\Windows\SysWOW64\Lekghdad.exeC:\Windows\system32\Lekghdad.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2448 -
C:\Windows\SysWOW64\Lpqlemaj.exeC:\Windows\system32\Lpqlemaj.exe68⤵PID:1952
-
C:\Windows\SysWOW64\Lemdncoa.exeC:\Windows\system32\Lemdncoa.exe69⤵
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Lofifi32.exeC:\Windows\system32\Lofifi32.exe70⤵PID:772
-
C:\Windows\SysWOW64\Ladebd32.exeC:\Windows\system32\Ladebd32.exe71⤵PID:2476
-
C:\Windows\SysWOW64\Lljipmdl.exeC:\Windows\system32\Lljipmdl.exe72⤵PID:2004
-
C:\Windows\SysWOW64\Lohelidp.exeC:\Windows\system32\Lohelidp.exe73⤵PID:1572
-
C:\Windows\SysWOW64\Lafahdcc.exeC:\Windows\system32\Lafahdcc.exe74⤵PID:2680
-
C:\Windows\SysWOW64\Mgcjpkak.exeC:\Windows\system32\Mgcjpkak.exe75⤵PID:2728
-
C:\Windows\SysWOW64\Mnmbme32.exeC:\Windows\system32\Mnmbme32.exe76⤵PID:2604
-
C:\Windows\SysWOW64\Mgegfk32.exeC:\Windows\system32\Mgegfk32.exe77⤵PID:1752
-
C:\Windows\SysWOW64\Makkcc32.exeC:\Windows\system32\Makkcc32.exe78⤵PID:1768
-
C:\Windows\SysWOW64\Mclgklel.exeC:\Windows\system32\Mclgklel.exe79⤵PID:2984
-
C:\Windows\SysWOW64\Mnblhddb.exeC:\Windows\system32\Mnblhddb.exe80⤵PID:2840
-
C:\Windows\SysWOW64\Mpphdpcf.exeC:\Windows\system32\Mpphdpcf.exe81⤵PID:320
-
C:\Windows\SysWOW64\Mfmqmgbm.exeC:\Windows\system32\Mfmqmgbm.exe82⤵PID:2348
-
C:\Windows\SysWOW64\Mndhnd32.exeC:\Windows\system32\Mndhnd32.exe83⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Moeeelhn.exeC:\Windows\system32\Moeeelhn.exe84⤵PID:2248
-
C:\Windows\SysWOW64\Mjkibehc.exeC:\Windows\system32\Mjkibehc.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2896 -
C:\Windows\SysWOW64\Nqeapo32.exeC:\Windows\system32\Nqeapo32.exe86⤵PID:1648
-
C:\Windows\SysWOW64\Nccnlk32.exeC:\Windows\system32\Nccnlk32.exe87⤵PID:1544
-
C:\Windows\SysWOW64\Nfbjhf32.exeC:\Windows\system32\Nfbjhf32.exe88⤵PID:2500
-
C:\Windows\SysWOW64\Nllbdp32.exeC:\Windows\system32\Nllbdp32.exe89⤵PID:1736
-
C:\Windows\SysWOW64\Nbhkmg32.exeC:\Windows\system32\Nbhkmg32.exe90⤵PID:1588
-
C:\Windows\SysWOW64\Ndggib32.exeC:\Windows\system32\Ndggib32.exe91⤵PID:2692
-
C:\Windows\SysWOW64\Nmnojp32.exeC:\Windows\system32\Nmnojp32.exe92⤵PID:2632
-
C:\Windows\SysWOW64\Nnokahip.exeC:\Windows\system32\Nnokahip.exe93⤵PID:1272
-
C:\Windows\SysWOW64\Nffccejb.exeC:\Windows\system32\Nffccejb.exe94⤵PID:2400
-
C:\Windows\SysWOW64\Nghpjn32.exeC:\Windows\system32\Nghpjn32.exe95⤵PID:2260
-
C:\Windows\SysWOW64\Nbmdhfog.exeC:\Windows\system32\Nbmdhfog.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Ndlpdbnj.exeC:\Windows\system32\Ndlpdbnj.exe97⤵PID:444
-
C:\Windows\SysWOW64\Nkehql32.exeC:\Windows\system32\Nkehql32.exe98⤵PID:2952
-
C:\Windows\SysWOW64\Nndemg32.exeC:\Windows\system32\Nndemg32.exe99⤵PID:2968
-
C:\Windows\SysWOW64\Ndnmialh.exeC:\Windows\system32\Ndnmialh.exe100⤵PID:940
-
C:\Windows\SysWOW64\Okhefl32.exeC:\Windows\system32\Okhefl32.exe101⤵
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Onfabgch.exeC:\Windows\system32\Onfabgch.exe102⤵PID:2096
-
C:\Windows\SysWOW64\Oqennbbl.exeC:\Windows\system32\Oqennbbl.exe103⤵PID:2128
-
C:\Windows\SysWOW64\Ojmbgh32.exeC:\Windows\system32\Ojmbgh32.exe104⤵PID:872
-
C:\Windows\SysWOW64\Oqgjdbpi.exeC:\Windows\system32\Oqgjdbpi.exe105⤵PID:1568
-
C:\Windows\SysWOW64\Ocefpnom.exeC:\Windows\system32\Ocefpnom.exe106⤵PID:2808
-
C:\Windows\SysWOW64\Ojpomh32.exeC:\Windows\system32\Ojpomh32.exe107⤵PID:1772
-
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe108⤵PID:2008
-
C:\Windows\SysWOW64\Obkcajde.exeC:\Windows\system32\Obkcajde.exe109⤵PID:1160
-
C:\Windows\SysWOW64\Omphocck.exeC:\Windows\system32\Omphocck.exe110⤵PID:1132
-
C:\Windows\SysWOW64\Opodknco.exeC:\Windows\system32\Opodknco.exe111⤵PID:1808
-
C:\Windows\SysWOW64\Oekmceaf.exeC:\Windows\system32\Oekmceaf.exe112⤵
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Oleepo32.exeC:\Windows\system32\Oleepo32.exe113⤵PID:2284
-
C:\Windows\SysWOW64\Pbomli32.exeC:\Windows\system32\Pbomli32.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Penihe32.exeC:\Windows\system32\Penihe32.exe115⤵PID:556
-
C:\Windows\SysWOW64\Plhaeofp.exeC:\Windows\system32\Plhaeofp.exe116⤵PID:2776
-
C:\Windows\SysWOW64\Pbajbi32.exeC:\Windows\system32\Pbajbi32.exe117⤵PID:2588
-
C:\Windows\SysWOW64\Pepfnd32.exeC:\Windows\system32\Pepfnd32.exe118⤵PID:3008
-
C:\Windows\SysWOW64\Pljnkodm.exeC:\Windows\system32\Pljnkodm.exe119⤵PID:1316
-
C:\Windows\SysWOW64\Pnhjgj32.exeC:\Windows\system32\Pnhjgj32.exe120⤵PID:1616
-
C:\Windows\SysWOW64\Pdecoa32.exeC:\Windows\system32\Pdecoa32.exe121⤵PID:1964
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-