Analysis
-
max time kernel
100s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
10-12-2024 14:51
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4034bf1a6cd9ce03b4955ea9023cdfff1e3dde806ce5ab84b5d7fb59403653d2N.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
Behavioral task
behavioral2
Sample
4034bf1a6cd9ce03b4955ea9023cdfff1e3dde806ce5ab84b5d7fb59403653d2N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
120 seconds
General
-
Target
4034bf1a6cd9ce03b4955ea9023cdfff1e3dde806ce5ab84b5d7fb59403653d2N.exe
-
Size
163KB
-
MD5
bf1e58d97936b3a72da08d0afbd1c030
-
SHA1
9e93f2bf2be97928976e6b164da2f253939b2633
-
SHA256
4034bf1a6cd9ce03b4955ea9023cdfff1e3dde806ce5ab84b5d7fb59403653d2
-
SHA512
9072513a768377bfd5fdbabd2cdbf6651c75c48e78d2f844be53748415be0cca775ca6f7ea4e98fbfac161fb54fb4e13d53c212405032bc8ea0c355d873d71e3
-
SSDEEP
1536:Pv5SBS9UVob9LoV5jIYGmlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:3Pb9L6j3TltOrWKDBr+yJb
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oimmjffj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blfapfpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgqlafap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknafhjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lplbjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfgebjnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cncmcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcdkef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edlafebn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iladfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdogedmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpklkgoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmhkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kekkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkjpggkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nggggoda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppinkcnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmccqbpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmhejhao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kapohbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldjbkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljldnhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akpkmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjfkmdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkbdabog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjedmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daaenlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdpcokdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncpdbohb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acnlgajg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajhddk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcodkcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gehiioaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnkdnqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hddmjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaimipjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfanmogq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckbpqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmpaom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcdlhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbeedh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apkgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcpimq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbjlhpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpajbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlafkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aobpfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jacfidem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbpghl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adipfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jelfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqjefamk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akpkmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djocbqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eogolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkefbcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgiaefgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efhqmadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcojam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Addfkeid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahmefdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnefhpma.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 2 IoCs
resource yara_rule behavioral1/files/0x000400000001cf6c-1207.dat family_bruteratel behavioral1/files/0x00050000000201f2-3673.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2552 Heliepmn.exe 2952 Hcojam32.exe 2664 Ikfbbjdj.exe 2672 Iacjjacb.exe 860 Ijkocg32.exe 2208 Icdcllpc.exe 996 Ijnkifgp.exe 2028 Imlhebfc.exe 552 Ifdlng32.exe 868 Iladfn32.exe 1576 Iejiodbl.exe 1696 Imaapa32.exe 1000 Jbnjhh32.exe 2200 Jelfdc32.exe 1752 Jpajbl32.exe 2412 Jacfidem.exe 2800 Jjkkbjln.exe 964 Jbbccgmp.exe 852 Jeqopcld.exe 1268 Jhoklnkg.exe 1784 Jhahanie.exe 2948 Jpmmfp32.exe 1688 Jfgebjnm.exe 2288 Jieaofmp.exe 896 Kmqmod32.exe 2588 Kfibhjlj.exe 2596 Kmcjedcg.exe 2560 Kdmban32.exe 2472 Kgkonj32.exe 1788 Klhgfq32.exe 824 Keqkofno.exe 1884 Khohkamc.exe 2012 Kpfplo32.exe 1428 Kcdlhj32.exe 1928 Kechdf32.exe 1240 Kkpqlm32.exe 2364 Kcginj32.exe 1864 Ldheebad.exe 1888 Llomfpag.exe 2180 Lnqjnhge.exe 444 Laleof32.exe 1868 Ldjbkb32.exe 620 Lgingm32.exe 912 Lncfcgeb.exe 1728 Lanbdf32.exe 2512 Lgkkmm32.exe 1984 Ljigih32.exe 2236 Lcblan32.exe 644 Ljldnhid.exe 2104 Lpflkb32.exe 2828 Lgpdglhn.exe 2608 Lnjldf32.exe 2468 Llmmpcfe.exe 2360 Mcfemmna.exe 1612 Mgbaml32.exe 1996 Mjqmig32.exe 1852 Mqjefamk.exe 2896 Mciabmlo.exe 2264 Mblbnj32.exe 2188 Mjcjog32.exe 1556 Mlafkb32.exe 1664 Mcknhm32.exe 2504 Mbnocipg.exe 1652 Mfjkdh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2792 4034bf1a6cd9ce03b4955ea9023cdfff1e3dde806ce5ab84b5d7fb59403653d2N.exe 2792 4034bf1a6cd9ce03b4955ea9023cdfff1e3dde806ce5ab84b5d7fb59403653d2N.exe 2552 Heliepmn.exe 2552 Heliepmn.exe 2952 Hcojam32.exe 2952 Hcojam32.exe 2664 Ikfbbjdj.exe 2664 Ikfbbjdj.exe 2672 Iacjjacb.exe 2672 Iacjjacb.exe 860 Ijkocg32.exe 860 Ijkocg32.exe 2208 Icdcllpc.exe 2208 Icdcllpc.exe 996 Ijnkifgp.exe 996 Ijnkifgp.exe 2028 Imlhebfc.exe 2028 Imlhebfc.exe 552 Ifdlng32.exe 552 Ifdlng32.exe 868 Iladfn32.exe 868 Iladfn32.exe 1576 Iejiodbl.exe 1576 Iejiodbl.exe 1696 Imaapa32.exe 1696 Imaapa32.exe 1000 Jbnjhh32.exe 1000 Jbnjhh32.exe 2200 Jelfdc32.exe 2200 Jelfdc32.exe 1752 Jpajbl32.exe 1752 Jpajbl32.exe 2412 Jacfidem.exe 2412 Jacfidem.exe 2800 Jjkkbjln.exe 2800 Jjkkbjln.exe 964 Jbbccgmp.exe 964 Jbbccgmp.exe 852 Jeqopcld.exe 852 Jeqopcld.exe 1268 Jhoklnkg.exe 1268 Jhoklnkg.exe 1784 Jhahanie.exe 1784 Jhahanie.exe 2948 Jpmmfp32.exe 2948 Jpmmfp32.exe 1688 Jfgebjnm.exe 1688 Jfgebjnm.exe 2288 Jieaofmp.exe 2288 Jieaofmp.exe 896 Kmqmod32.exe 896 Kmqmod32.exe 2588 Kfibhjlj.exe 2588 Kfibhjlj.exe 2596 Kmcjedcg.exe 2596 Kmcjedcg.exe 2560 Kdmban32.exe 2560 Kdmban32.exe 2472 Kgkonj32.exe 2472 Kgkonj32.exe 1788 Klhgfq32.exe 1788 Klhgfq32.exe 824 Keqkofno.exe 824 Keqkofno.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bgcmiq32.dll Iediin32.exe File created C:\Windows\SysWOW64\Jbfilffm.exe Jpgmpk32.exe File created C:\Windows\SysWOW64\Ahknna32.dll Jpmmfp32.exe File created C:\Windows\SysWOW64\Lnjldf32.exe Lgpdglhn.exe File created C:\Windows\SysWOW64\Dmlqdp32.dll Mdadjd32.exe File created C:\Windows\SysWOW64\Lmjcge32.dll Epnhpglg.exe File created C:\Windows\SysWOW64\Iffhohhi.dll Fdiqpigl.exe File opened for modification C:\Windows\SysWOW64\Gkgoff32.exe Gglbfg32.exe File opened for modification C:\Windows\SysWOW64\Hmmdin32.exe Hnkdnqhm.exe File created C:\Windows\SysWOW64\Cpnifncd.dll Jhoklnkg.exe File created C:\Windows\SysWOW64\Kqmidcdi.dll Khohkamc.exe File created C:\Windows\SysWOW64\Nppofado.exe Nmabjfek.exe File created C:\Windows\SysWOW64\Ckeqga32.exe Ccnifd32.exe File created C:\Windows\SysWOW64\Gocbagqd.dll Efedga32.exe File opened for modification C:\Windows\SysWOW64\Fahhnn32.exe Eknpadcn.exe File created C:\Windows\SysWOW64\Ngdjaofc.exe Ndfnecgp.exe File opened for modification C:\Windows\SysWOW64\Fdpgph32.exe Fpdkpiik.exe File opened for modification C:\Windows\SysWOW64\Inhdgdmk.exe Ikjhki32.exe File created C:\Windows\SysWOW64\Nklcci32.dll Bfcodkcb.exe File opened for modification C:\Windows\SysWOW64\Eikfdl32.exe Efljhq32.exe File opened for modification C:\Windows\SysWOW64\Kkpqlm32.exe Kechdf32.exe File opened for modification C:\Windows\SysWOW64\Njnmbk32.exe Ngpqfp32.exe File created C:\Windows\SysWOW64\Paocnkph.exe Pblcbn32.exe File opened for modification C:\Windows\SysWOW64\Anljck32.exe Aknngo32.exe File created C:\Windows\SysWOW64\Anadojlo.exe Aejlnmkm.exe File created C:\Windows\SysWOW64\Dhbccb32.dll Boifga32.exe File opened for modification C:\Windows\SysWOW64\Hddmjk32.exe Hmmdin32.exe File created C:\Windows\SysWOW64\Faphfl32.dll Iknafhjb.exe File created C:\Windows\SysWOW64\Qobdgo32.exe Qldhkc32.exe File created C:\Windows\SysWOW64\Aonalffc.dll Iocgfhhc.exe File created C:\Windows\SysWOW64\Libjncnc.exe Kkojbf32.exe File created C:\Windows\SysWOW64\Maadfi32.dll Imaapa32.exe File created C:\Windows\SysWOW64\Odkgec32.exe Oehgjfhi.exe File created C:\Windows\SysWOW64\Cfehhn32.exe Cbjlhpkb.exe File created C:\Windows\SysWOW64\Ddaglffo.dll Dlgjldnm.exe File created C:\Windows\SysWOW64\Djlfma32.exe Dlifadkk.exe File created C:\Windows\SysWOW64\Kmkihbho.exe Kipmhc32.exe File created C:\Windows\SysWOW64\Kfkigdmm.dll Plmbkd32.exe File created C:\Windows\SysWOW64\Qldhkc32.exe Qiflohqk.exe File created C:\Windows\SysWOW64\Icifjk32.exe Iegeonpc.exe File opened for modification C:\Windows\SysWOW64\Boemlbpk.exe Blfapfpg.exe File created C:\Windows\SysWOW64\Efljhq32.exe Ebqngb32.exe File created C:\Windows\SysWOW64\Gehiioaj.exe Gcjmmdbf.exe File created C:\Windows\SysWOW64\Kfibhjlj.exe Kmqmod32.exe File opened for modification C:\Windows\SysWOW64\Pblcbn32.exe Ppmgfb32.exe File created C:\Windows\SysWOW64\Abkeba32.dll Alddjg32.exe File created C:\Windows\SysWOW64\Glbaei32.exe Ghgfekpn.exe File opened for modification C:\Windows\SysWOW64\Jedehaea.exe Jfaeme32.exe File created C:\Windows\SysWOW64\Blkjkflb.exe Bhonjg32.exe File opened for modification C:\Windows\SysWOW64\Fkefbcmf.exe Fhgifgnb.exe File created C:\Windows\SysWOW64\Gacdld32.dll Fcqjfeja.exe File opened for modification C:\Windows\SysWOW64\Gkebafoa.exe Glbaei32.exe File opened for modification C:\Windows\SysWOW64\Kambcbhb.exe Jnofgg32.exe File opened for modification C:\Windows\SysWOW64\Mqjefamk.exe Mjqmig32.exe File opened for modification C:\Windows\SysWOW64\Icifjk32.exe Iegeonpc.exe File created C:\Windows\SysWOW64\Fbieeo32.dll Klhgfq32.exe File opened for modification C:\Windows\SysWOW64\Lgpdglhn.exe Lpflkb32.exe File opened for modification C:\Windows\SysWOW64\Odkgec32.exe Oehgjfhi.exe File created C:\Windows\SysWOW64\Pjleclph.exe Pfpibn32.exe File created C:\Windows\SysWOW64\Qiekgbjc.dll Dgiaefgg.exe File created C:\Windows\SysWOW64\Mgmdapml.exe Mdogedmh.exe File created C:\Windows\SysWOW64\Aodcbn32.dll Ndcapd32.exe File created C:\Windows\SysWOW64\Aeqbijmn.dll Nflchkii.exe File created C:\Windows\SysWOW64\Dnefhpma.exe Dlgjldnm.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baefnmml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kipmhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lplbjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmkcil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpckece.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpajbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmccqbpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglalbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfemmna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alddjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dppigchi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjogcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadcipbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajhddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjjaikoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqolji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbnphngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknngo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmjaohol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbdabog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhgfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgingm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqaiph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobomnoq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihfnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjhgbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadica32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpfjomf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngdjaofc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbkfdba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpcokdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paocnkph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blfapfpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhdnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldheebad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcknhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbnocipg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjqmig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aacmij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lanbdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehnfpifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcdkef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajqbakc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkgpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijbco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfaalh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llmmpcfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdogedmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhonjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocpbfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efedga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdnfjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imbjcpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlilqbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkdmfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcnahoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhenjmbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkpqlm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giolnomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgciff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmcpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmppehkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpcehcj.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfoeb32.dll" Pfpibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmjcge32.dll" Epnhpglg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnfkba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkojbf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbigmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paocnkph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apkgpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnkdnqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canhhi32.dll" Kipmhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kechdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbpghl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bogjaamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmjgpkif.dll" Cnejim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cceogcfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbpqjma.dll" Glpepj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqpkfe32.dll" Hdbpekam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpqkajf.dll" Dppigchi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hadcipbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keppajog.dll" Iclbpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgcnahoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnqlmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgpdglhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfenf32.dll" Mfjkdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhkbcb32.dll" Nqjaeeog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njbfnjeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akpkmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abkeba32.dll" Alddjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cqfbjhgf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eknpadcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eickphoo.dll" Gcjmmdbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khjgel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdeaelok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olbogqoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaogognm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bapefloq.dll" Fkefbcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccnifd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpgmpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eogolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdiqpigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcadppco.dll" Kocpbfei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heliepmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phklaacg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afliclij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fihfnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmojeo32.dll" Jpepkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfohgepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kekkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opilhdhd.dll" Plbkfdba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahmefdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lclknm32.dll" Bkbdabog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edlafebn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgjdnbkd.dll" Jjfkmdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keioca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keqkofno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcblan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nldhfnkd.dll" Pmhejhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qobdgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djgfah32.dll" Dhbdleol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baefnmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifemminl.dll" Fkqlgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djihcnji.dll" Cjjnhnbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgeelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egncgo32.dll" Olbogqoe.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2792 wrote to memory of 2552 2792 4034bf1a6cd9ce03b4955ea9023cdfff1e3dde806ce5ab84b5d7fb59403653d2N.exe 30 PID 2792 wrote to memory of 2552 2792 4034bf1a6cd9ce03b4955ea9023cdfff1e3dde806ce5ab84b5d7fb59403653d2N.exe 30 PID 2792 wrote to memory of 2552 2792 4034bf1a6cd9ce03b4955ea9023cdfff1e3dde806ce5ab84b5d7fb59403653d2N.exe 30 PID 2792 wrote to memory of 2552 2792 4034bf1a6cd9ce03b4955ea9023cdfff1e3dde806ce5ab84b5d7fb59403653d2N.exe 30 PID 2552 wrote to memory of 2952 2552 Heliepmn.exe 31 PID 2552 wrote to memory of 2952 2552 Heliepmn.exe 31 PID 2552 wrote to memory of 2952 2552 Heliepmn.exe 31 PID 2552 wrote to memory of 2952 2552 Heliepmn.exe 31 PID 2952 wrote to memory of 2664 2952 Hcojam32.exe 32 PID 2952 wrote to memory of 2664 2952 Hcojam32.exe 32 PID 2952 wrote to memory of 2664 2952 Hcojam32.exe 32 PID 2952 wrote to memory of 2664 2952 Hcojam32.exe 32 PID 2664 wrote to memory of 2672 2664 Ikfbbjdj.exe 33 PID 2664 wrote to memory of 2672 2664 Ikfbbjdj.exe 33 PID 2664 wrote to memory of 2672 2664 Ikfbbjdj.exe 33 PID 2664 wrote to memory of 2672 2664 Ikfbbjdj.exe 33 PID 2672 wrote to memory of 860 2672 Iacjjacb.exe 34 PID 2672 wrote to memory of 860 2672 Iacjjacb.exe 34 PID 2672 wrote to memory of 860 2672 Iacjjacb.exe 34 PID 2672 wrote to memory of 860 2672 Iacjjacb.exe 34 PID 860 wrote to memory of 2208 860 Ijkocg32.exe 35 PID 860 wrote to memory of 2208 860 Ijkocg32.exe 35 PID 860 wrote to memory of 2208 860 Ijkocg32.exe 35 PID 860 wrote to memory of 2208 860 Ijkocg32.exe 35 PID 2208 wrote to memory of 996 2208 Icdcllpc.exe 36 PID 2208 wrote to memory of 996 2208 Icdcllpc.exe 36 PID 2208 wrote to memory of 996 2208 Icdcllpc.exe 36 PID 2208 wrote to memory of 996 2208 Icdcllpc.exe 36 PID 996 wrote to memory of 2028 996 Ijnkifgp.exe 37 PID 996 wrote to memory of 2028 996 Ijnkifgp.exe 37 PID 996 wrote to memory of 2028 996 Ijnkifgp.exe 37 PID 996 wrote to memory of 2028 996 Ijnkifgp.exe 37 PID 2028 wrote to memory of 552 2028 Imlhebfc.exe 38 PID 2028 wrote to memory of 552 2028 Imlhebfc.exe 38 PID 2028 wrote to memory of 552 2028 Imlhebfc.exe 38 PID 2028 wrote to memory of 552 2028 Imlhebfc.exe 38 PID 552 wrote to memory of 868 552 Ifdlng32.exe 39 PID 552 wrote to memory of 868 552 Ifdlng32.exe 39 PID 552 wrote to memory of 868 552 Ifdlng32.exe 39 PID 552 wrote to memory of 868 552 Ifdlng32.exe 39 PID 868 wrote to memory of 1576 868 Iladfn32.exe 40 PID 868 wrote to memory of 1576 868 Iladfn32.exe 40 PID 868 wrote to memory of 1576 868 Iladfn32.exe 40 PID 868 wrote to memory of 1576 868 Iladfn32.exe 40 PID 1576 wrote to memory of 1696 1576 Iejiodbl.exe 41 PID 1576 wrote to memory of 1696 1576 Iejiodbl.exe 41 PID 1576 wrote to memory of 1696 1576 Iejiodbl.exe 41 PID 1576 wrote to memory of 1696 1576 Iejiodbl.exe 41 PID 1696 wrote to memory of 1000 1696 Imaapa32.exe 42 PID 1696 wrote to memory of 1000 1696 Imaapa32.exe 42 PID 1696 wrote to memory of 1000 1696 Imaapa32.exe 42 PID 1696 wrote to memory of 1000 1696 Imaapa32.exe 42 PID 1000 wrote to memory of 2200 1000 Jbnjhh32.exe 43 PID 1000 wrote to memory of 2200 1000 Jbnjhh32.exe 43 PID 1000 wrote to memory of 2200 1000 Jbnjhh32.exe 43 PID 1000 wrote to memory of 2200 1000 Jbnjhh32.exe 43 PID 2200 wrote to memory of 1752 2200 Jelfdc32.exe 44 PID 2200 wrote to memory of 1752 2200 Jelfdc32.exe 44 PID 2200 wrote to memory of 1752 2200 Jelfdc32.exe 44 PID 2200 wrote to memory of 1752 2200 Jelfdc32.exe 44 PID 1752 wrote to memory of 2412 1752 Jpajbl32.exe 45 PID 1752 wrote to memory of 2412 1752 Jpajbl32.exe 45 PID 1752 wrote to memory of 2412 1752 Jpajbl32.exe 45 PID 1752 wrote to memory of 2412 1752 Jpajbl32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4034bf1a6cd9ce03b4955ea9023cdfff1e3dde806ce5ab84b5d7fb59403653d2N.exe"C:\Users\Admin\AppData\Local\Temp\4034bf1a6cd9ce03b4955ea9023cdfff1e3dde806ce5ab84b5d7fb59403653d2N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Heliepmn.exeC:\Windows\system32\Heliepmn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Hcojam32.exeC:\Windows\system32\Hcojam32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Ijkocg32.exeC:\Windows\system32\Ijkocg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Icdcllpc.exeC:\Windows\system32\Icdcllpc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:552 -
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Iejiodbl.exeC:\Windows\system32\Iejiodbl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1576 -
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Jbnjhh32.exeC:\Windows\system32\Jbnjhh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1000 -
C:\Windows\SysWOW64\Jelfdc32.exeC:\Windows\system32\Jelfdc32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Jpajbl32.exeC:\Windows\system32\Jpajbl32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Jjkkbjln.exeC:\Windows\system32\Jjkkbjln.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Jbbccgmp.exeC:\Windows\system32\Jbbccgmp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Jhoklnkg.exeC:\Windows\system32\Jhoklnkg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1268 -
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Jpmmfp32.exeC:\Windows\system32\Jpmmfp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Jfgebjnm.exeC:\Windows\system32\Jfgebjnm.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Jieaofmp.exeC:\Windows\system32\Jieaofmp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2288 -
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:896 -
C:\Windows\SysWOW64\Kfibhjlj.exeC:\Windows\system32\Kfibhjlj.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Kmcjedcg.exeC:\Windows\system32\Kmcjedcg.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Kdmban32.exeC:\Windows\system32\Kdmban32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Kgkonj32.exeC:\Windows\system32\Kgkonj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Klhgfq32.exeC:\Windows\system32\Klhgfq32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1788 -
C:\Windows\SysWOW64\Keqkofno.exeC:\Windows\system32\Keqkofno.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:824 -
C:\Windows\SysWOW64\Khohkamc.exeC:\Windows\system32\Khohkamc.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1884 -
C:\Windows\SysWOW64\Kpfplo32.exeC:\Windows\system32\Kpfplo32.exe34⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Kcdlhj32.exeC:\Windows\system32\Kcdlhj32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Kechdf32.exeC:\Windows\system32\Kechdf32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1928 -
C:\Windows\SysWOW64\Kkpqlm32.exeC:\Windows\system32\Kkpqlm32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1240 -
C:\Windows\SysWOW64\Kcginj32.exeC:\Windows\system32\Kcginj32.exe38⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Ldheebad.exeC:\Windows\system32\Ldheebad.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1864 -
C:\Windows\SysWOW64\Llomfpag.exeC:\Windows\system32\Llomfpag.exe40⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Lnqjnhge.exeC:\Windows\system32\Lnqjnhge.exe41⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Laleof32.exeC:\Windows\system32\Laleof32.exe42⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Ldjbkb32.exeC:\Windows\system32\Ldjbkb32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Lgingm32.exeC:\Windows\system32\Lgingm32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:620 -
C:\Windows\SysWOW64\Lncfcgeb.exeC:\Windows\system32\Lncfcgeb.exe45⤵
- Executes dropped EXE
PID:912 -
C:\Windows\SysWOW64\Lanbdf32.exeC:\Windows\system32\Lanbdf32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\Lgkkmm32.exeC:\Windows\system32\Lgkkmm32.exe47⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Ljigih32.exeC:\Windows\system32\Ljigih32.exe48⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Lcblan32.exeC:\Windows\system32\Lcblan32.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Ljldnhid.exeC:\Windows\system32\Ljldnhid.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:644 -
C:\Windows\SysWOW64\Lpflkb32.exeC:\Windows\system32\Lpflkb32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2104 -
C:\Windows\SysWOW64\Lgpdglhn.exeC:\Windows\system32\Lgpdglhn.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2828 -
C:\Windows\SysWOW64\Lnjldf32.exeC:\Windows\system32\Lnjldf32.exe53⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2468 -
C:\Windows\SysWOW64\Mcfemmna.exeC:\Windows\system32\Mcfemmna.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\Mgbaml32.exeC:\Windows\system32\Mgbaml32.exe56⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Mjqmig32.exeC:\Windows\system32\Mjqmig32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1996 -
C:\Windows\SysWOW64\Mqjefamk.exeC:\Windows\system32\Mqjefamk.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Mciabmlo.exeC:\Windows\system32\Mciabmlo.exe59⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Mblbnj32.exeC:\Windows\system32\Mblbnj32.exe60⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Mjcjog32.exeC:\Windows\system32\Mjcjog32.exe61⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Mlafkb32.exeC:\Windows\system32\Mlafkb32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1556 -
C:\Windows\SysWOW64\Mcknhm32.exeC:\Windows\system32\Mcknhm32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1664 -
C:\Windows\SysWOW64\Mbnocipg.exeC:\Windows\system32\Mbnocipg.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Mfjkdh32.exeC:\Windows\system32\Mfjkdh32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Mdmkoepk.exeC:\Windows\system32\Mdmkoepk.exe66⤵PID:1964
-
C:\Windows\SysWOW64\Mmccqbpm.exeC:\Windows\system32\Mmccqbpm.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Mobomnoq.exeC:\Windows\system32\Mobomnoq.exe68⤵
- System Location Discovery: System Language Discovery
PID:540 -
C:\Windows\SysWOW64\Mbqkiind.exeC:\Windows\system32\Mbqkiind.exe69⤵PID:1720
-
C:\Windows\SysWOW64\Mdogedmh.exeC:\Windows\system32\Mdogedmh.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2544 -
C:\Windows\SysWOW64\Mgmdapml.exeC:\Windows\system32\Mgmdapml.exe71⤵PID:2600
-
C:\Windows\SysWOW64\Mkipao32.exeC:\Windows\system32\Mkipao32.exe72⤵PID:2052
-
C:\Windows\SysWOW64\Mnglnj32.exeC:\Windows\system32\Mnglnj32.exe73⤵PID:2396
-
C:\Windows\SysWOW64\Mdadjd32.exeC:\Windows\system32\Mdadjd32.exe74⤵
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Ngpqfp32.exeC:\Windows\system32\Ngpqfp32.exe75⤵
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Njnmbk32.exeC:\Windows\system32\Njnmbk32.exe76⤵PID:1560
-
C:\Windows\SysWOW64\Nbeedh32.exeC:\Windows\system32\Nbeedh32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1932 -
C:\Windows\SysWOW64\Ndcapd32.exeC:\Windows\system32\Ndcapd32.exe78⤵
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Ngbmlo32.exeC:\Windows\system32\Ngbmlo32.exe79⤵PID:2380
-
C:\Windows\SysWOW64\Njpihk32.exeC:\Windows\system32\Njpihk32.exe80⤵PID:2356
-
C:\Windows\SysWOW64\Nqjaeeog.exeC:\Windows\system32\Nqjaeeog.exe81⤵
- Modifies registry class
PID:1192 -
C:\Windows\SysWOW64\Ndfnecgp.exeC:\Windows\system32\Ndfnecgp.exe82⤵
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Ngdjaofc.exeC:\Windows\system32\Ngdjaofc.exe83⤵
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Njbfnjeg.exeC:\Windows\system32\Njbfnjeg.exe84⤵
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Nmabjfek.exeC:\Windows\system32\Nmabjfek.exe85⤵
- Drops file in System32 directory
PID:2064 -
C:\Windows\SysWOW64\Nppofado.exeC:\Windows\system32\Nppofado.exe86⤵PID:2636
-
C:\Windows\SysWOW64\Nggggoda.exeC:\Windows\system32\Nggggoda.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1676 -
C:\Windows\SysWOW64\Njeccjcd.exeC:\Windows\system32\Njeccjcd.exe88⤵PID:2416
-
C:\Windows\SysWOW64\Nmcopebh.exeC:\Windows\system32\Nmcopebh.exe89⤵PID:1472
-
C:\Windows\SysWOW64\Nqokpd32.exeC:\Windows\system32\Nqokpd32.exe90⤵PID:1008
-
C:\Windows\SysWOW64\Nbpghl32.exeC:\Windows\system32\Nbpghl32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Nflchkii.exeC:\Windows\system32\Nflchkii.exe92⤵
- Drops file in System32 directory
PID:2172 -
C:\Windows\SysWOW64\Nijpdfhm.exeC:\Windows\system32\Nijpdfhm.exe93⤵PID:2128
-
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe94⤵
- System Location Discovery: System Language Discovery
PID:1944 -
C:\Windows\SysWOW64\Ncpdbohb.exeC:\Windows\system32\Ncpdbohb.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:348 -
C:\Windows\SysWOW64\Oimmjffj.exeC:\Windows\system32\Oimmjffj.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2508 -
C:\Windows\SysWOW64\Omhhke32.exeC:\Windows\system32\Omhhke32.exe97⤵PID:2156
-
C:\Windows\SysWOW64\Opfegp32.exeC:\Windows\system32\Opfegp32.exe98⤵PID:2256
-
C:\Windows\SysWOW64\Ofqmcj32.exeC:\Windows\system32\Ofqmcj32.exe99⤵PID:3012
-
C:\Windows\SysWOW64\Oioipf32.exeC:\Windows\system32\Oioipf32.exe100⤵PID:2212
-
C:\Windows\SysWOW64\Opialpld.exeC:\Windows\system32\Opialpld.exe101⤵PID:2016
-
C:\Windows\SysWOW64\Onlahm32.exeC:\Windows\system32\Onlahm32.exe102⤵PID:772
-
C:\Windows\SysWOW64\Oajndh32.exeC:\Windows\system32\Oajndh32.exe103⤵PID:1568
-
C:\Windows\SysWOW64\Ohdfqbio.exeC:\Windows\system32\Ohdfqbio.exe104⤵PID:2032
-
C:\Windows\SysWOW64\Ojbbmnhc.exeC:\Windows\system32\Ojbbmnhc.exe105⤵PID:1900
-
C:\Windows\SysWOW64\Oehgjfhi.exeC:\Windows\system32\Oehgjfhi.exe106⤵
- Drops file in System32 directory
PID:952 -
C:\Windows\SysWOW64\Odkgec32.exeC:\Windows\system32\Odkgec32.exe107⤵PID:716
-
C:\Windows\SysWOW64\Olbogqoe.exeC:\Windows\system32\Olbogqoe.exe108⤵
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Ojeobm32.exeC:\Windows\system32\Ojeobm32.exe109⤵PID:2488
-
C:\Windows\SysWOW64\Oaogognm.exeC:\Windows\system32\Oaogognm.exe110⤵
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Odmckcmq.exeC:\Windows\system32\Odmckcmq.exe111⤵PID:2464
-
C:\Windows\SysWOW64\Oflpgnld.exeC:\Windows\system32\Oflpgnld.exe112⤵PID:2836
-
C:\Windows\SysWOW64\Ojglhm32.exeC:\Windows\system32\Ojglhm32.exe113⤵PID:1668
-
C:\Windows\SysWOW64\Pmehdh32.exeC:\Windows\system32\Pmehdh32.exe114⤵PID:2764
-
C:\Windows\SysWOW64\Ppddpd32.exeC:\Windows\system32\Ppddpd32.exe115⤵PID:1520
-
C:\Windows\SysWOW64\Pdppqbkn.exeC:\Windows\system32\Pdppqbkn.exe116⤵PID:796
-
C:\Windows\SysWOW64\Phklaacg.exeC:\Windows\system32\Phklaacg.exe117⤵
- Modifies registry class
PID:1748 -
C:\Windows\SysWOW64\Pjihmmbk.exeC:\Windows\system32\Pjihmmbk.exe118⤵PID:1716
-
C:\Windows\SysWOW64\Pmhejhao.exeC:\Windows\system32\Pmhejhao.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:480 -
C:\Windows\SysWOW64\Ppfafcpb.exeC:\Windows\system32\Ppfafcpb.exe120⤵PID:2092
-
C:\Windows\SysWOW64\Pdbmfb32.exeC:\Windows\system32\Pdbmfb32.exe121⤵PID:1732
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-