Analysis
-
max time kernel
21s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11-12-2024 15:03
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a29ffd3d65312633589da8ab20862ed07e19e5bdca0fd786a284ecd5a1c559b6.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
General
-
Target
a29ffd3d65312633589da8ab20862ed07e19e5bdca0fd786a284ecd5a1c559b6.exe
-
Size
163KB
-
MD5
77162264658803a04311e6edd68ccee4
-
SHA1
db832b5919b8fe7c6914f11bffc12e7686e6d66b
-
SHA256
a29ffd3d65312633589da8ab20862ed07e19e5bdca0fd786a284ecd5a1c559b6
-
SHA512
acda555a12ae9072b5585be89e40bb7c9dbe1f9cf77faf39b88fc0bb7e53ce09d7679937fbc3b849612d66f5563218cd057505fb4634d6ce2b004a0437283d9f
-
SSDEEP
1536:Ph8ktg7Y67Q/FfwDU9IACvXa9e6lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVUQ:p8ktg8NVE/XazltOrWKDBr+yJbQ
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neiaeiii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlefhcnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjklenpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hebnlb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eggndi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famope32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adifpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doecog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqbbagjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahbekjcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmmmfc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demofaol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dphmloih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkeecogo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjlebjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bckjhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncaojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kocmim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omioekbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boidnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jialfgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbjojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dldkmlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdhkfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklgbadb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahpifj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnqned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgbfnngi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkgahoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpgobc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmadbjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abegfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aopahjll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgpjhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihniaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Loefnpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad a29ffd3d65312633589da8ab20862ed07e19e5bdca0fd786a284ecd5a1c559b6.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgoime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqfemqod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgabdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phlclgfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmpbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkifdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdeqfhjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnghel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncfoch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkglnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agolnbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmjqpdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eijdkcgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhdjgoha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhknaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omnipjni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckhdggom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qngopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpoolael.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbfook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pidfdofi.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 2 IoCs
resource yara_rule behavioral1/files/0x000500000001c8eb-796.dat family_bruteratel behavioral1/files/0x000400000001d01a-1312.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2912 Lbicoamh.exe 2844 Micklk32.exe 2792 Mejlalji.exe 2652 Mmadbjkk.exe 2656 Mbnljqic.exe 3024 Mgjebg32.exe 2644 Macilmnk.exe 2528 Mgmahg32.exe 2252 Mbbfep32.exe 2356 Mccbmh32.exe 1928 Nmlgfnal.exe 2292 Ncfoch32.exe 1248 Nnkcpq32.exe 1920 Najpll32.exe 2824 Nfghdcfj.exe 2732 Nallalep.exe 2148 Nigafnck.exe 2044 Npaich32.exe 1536 Nbpeoc32.exe 2236 Nmejllia.exe 1648 Nbbbdcgi.exe 936 Neqnqofm.exe 2888 Ooicid32.exe 2976 Oioggmmc.exe 2088 Obgkpb32.exe 2052 Odhhgkib.exe 2428 Olophhjd.exe 2700 Omqlpp32.exe 2760 Oehdan32.exe 2752 Ohfqmi32.exe 2772 Okdmjdol.exe 2452 Ohhmcinf.exe 2440 Oaqbln32.exe 1868 Pcbncfjd.exe 2324 Pkifdd32.exe 2288 Pmgbao32.exe 1432 Pljcllqe.exe 2264 Pgpgjepk.exe 1200 Pincfpoo.exe 2684 Pphkbj32.exe 2928 Pgbdodnh.exe 952 Phcpgm32.exe 840 Plolgk32.exe 2380 Palepb32.exe 1176 Pjcmap32.exe 1208 Popeif32.exe 3052 Pldebkhj.exe 764 Qkffng32.exe 2388 Qobbofgn.exe 1548 Qfljkp32.exe 2196 Qdojgmfe.exe 2804 Qkibcg32.exe 2524 Qngopb32.exe 2552 Qdaglmcb.exe 1120 Qhmcmk32.exe 552 Akkoig32.exe 2284 Anjlebjc.exe 1844 Abegfa32.exe 2596 Aqhhanig.exe 380 Adcdbl32.exe 2692 Agbpnh32.exe 1608 Aknlofim.exe 996 Ajqljc32.exe 908 Amohfo32.exe -
Loads dropped DLL 64 IoCs
pid Process 2112 a29ffd3d65312633589da8ab20862ed07e19e5bdca0fd786a284ecd5a1c559b6.exe 2112 a29ffd3d65312633589da8ab20862ed07e19e5bdca0fd786a284ecd5a1c559b6.exe 2912 Lbicoamh.exe 2912 Lbicoamh.exe 2844 Micklk32.exe 2844 Micklk32.exe 2792 Mejlalji.exe 2792 Mejlalji.exe 2652 Mmadbjkk.exe 2652 Mmadbjkk.exe 2656 Mbnljqic.exe 2656 Mbnljqic.exe 3024 Mgjebg32.exe 3024 Mgjebg32.exe 2644 Macilmnk.exe 2644 Macilmnk.exe 2528 Mgmahg32.exe 2528 Mgmahg32.exe 2252 Mbbfep32.exe 2252 Mbbfep32.exe 2356 Mccbmh32.exe 2356 Mccbmh32.exe 1928 Nmlgfnal.exe 1928 Nmlgfnal.exe 2292 Ncfoch32.exe 2292 Ncfoch32.exe 1248 Nnkcpq32.exe 1248 Nnkcpq32.exe 1920 Najpll32.exe 1920 Najpll32.exe 2824 Nfghdcfj.exe 2824 Nfghdcfj.exe 2732 Nallalep.exe 2732 Nallalep.exe 2148 Nigafnck.exe 2148 Nigafnck.exe 2044 Npaich32.exe 2044 Npaich32.exe 1536 Nbpeoc32.exe 1536 Nbpeoc32.exe 2236 Nmejllia.exe 2236 Nmejllia.exe 1648 Nbbbdcgi.exe 1648 Nbbbdcgi.exe 936 Neqnqofm.exe 936 Neqnqofm.exe 2888 Ooicid32.exe 2888 Ooicid32.exe 2976 Oioggmmc.exe 2976 Oioggmmc.exe 2088 Obgkpb32.exe 2088 Obgkpb32.exe 2052 Odhhgkib.exe 2052 Odhhgkib.exe 2428 Olophhjd.exe 2428 Olophhjd.exe 2700 Omqlpp32.exe 2700 Omqlpp32.exe 2760 Oehdan32.exe 2760 Oehdan32.exe 2752 Ohfqmi32.exe 2752 Ohfqmi32.exe 2772 Okdmjdol.exe 2772 Okdmjdol.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ajqljc32.exe Aknlofim.exe File created C:\Windows\SysWOW64\Bflbigdb.exe Bcmfmlen.exe File created C:\Windows\SysWOW64\Dpkibo32.exe Dmmmfc32.exe File opened for modification C:\Windows\SysWOW64\Ecnoijbd.exe Eppcmncq.exe File created C:\Windows\SysWOW64\Kmimme32.dll Goiehm32.exe File created C:\Windows\SysWOW64\Iidgma32.dll Hgbfnngi.exe File created C:\Windows\SysWOW64\Kheoph32.dll Nipdkieg.exe File created C:\Windows\SysWOW64\Lflhon32.dll Oaghki32.exe File created C:\Windows\SysWOW64\Pljlbf32.exe Phnpagdp.exe File created C:\Windows\SysWOW64\Mfakaoam.dll Bcjcme32.exe File created C:\Windows\SysWOW64\Egpkbn32.dll Jpdnbbah.exe File created C:\Windows\SysWOW64\Dkkcoogp.dll Nigafnck.exe File created C:\Windows\SysWOW64\Ohjeop32.dll Aqhhanig.exe File opened for modification C:\Windows\SysWOW64\Clpabm32.exe Ceeieced.exe File created C:\Windows\SysWOW64\Pkjjaebl.dll Ffodjh32.exe File created C:\Windows\SysWOW64\Cpehmcmg.dll Jedcpi32.exe File created C:\Windows\SysWOW64\Nlefhcnc.exe Nhjjgd32.exe File created C:\Windows\SysWOW64\Ibejjo32.dll Olophhjd.exe File opened for modification C:\Windows\SysWOW64\Ecploipa.exe Eoepnk32.exe File created C:\Windows\SysWOW64\Fgdnnl32.exe Edfbaabj.exe File created C:\Windows\SysWOW64\Coglpp32.dll Gqdefddb.exe File created C:\Windows\SysWOW64\Nhgnaehm.exe Neiaeiii.exe File opened for modification C:\Windows\SysWOW64\Bmpkqklh.exe Bjbndpmd.exe File created C:\Windows\SysWOW64\Efeckm32.dll Cchbgi32.exe File opened for modification C:\Windows\SysWOW64\Qfljkp32.exe Qobbofgn.exe File created C:\Windows\SysWOW64\Abigipko.dll Clpabm32.exe File created C:\Windows\SysWOW64\Oimeai32.dll Daacecfc.exe File created C:\Windows\SysWOW64\Eeohkeoe.exe Ecploipa.exe File created C:\Windows\SysWOW64\Eogmcjef.exe Eklqcl32.exe File created C:\Windows\SysWOW64\Gjgcdgcc.dll Goplilpf.exe File opened for modification C:\Windows\SysWOW64\Pebpkk32.exe Pafdjmkq.exe File opened for modification C:\Windows\SysWOW64\Dpapaj32.exe Danpemej.exe File created C:\Windows\SysWOW64\Qdojgmfe.exe Qfljkp32.exe File opened for modification C:\Windows\SysWOW64\Dgeaoinb.exe Ddfebnoo.exe File created C:\Windows\SysWOW64\Hpnkbpdd.exe Hakkgc32.exe File opened for modification C:\Windows\SysWOW64\Oaghki32.exe Oippjl32.exe File opened for modification C:\Windows\SysWOW64\Macilmnk.exe Mgjebg32.exe File created C:\Windows\SysWOW64\Kainfp32.dll Amfognic.exe File created C:\Windows\SysWOW64\Idppjg32.dll Dpkibo32.exe File created C:\Windows\SysWOW64\Fdiogq32.exe Fpmbfbgo.exe File created C:\Windows\SysWOW64\Loefnpnn.exe Lkjjma32.exe File opened for modification C:\Windows\SysWOW64\Aoagccfn.exe Agjobffl.exe File opened for modification C:\Windows\SysWOW64\Cgoelh32.exe Cepipm32.exe File created C:\Windows\SysWOW64\Bljbql32.dll Pjcmap32.exe File created C:\Windows\SysWOW64\Eklqcl32.exe Eijdkcgn.exe File created C:\Windows\SysWOW64\Gifclb32.exe Gfhgpg32.exe File created C:\Windows\SysWOW64\Hfcjdkpg.exe Hgpjhn32.exe File created C:\Windows\SysWOW64\Fdgibphb.dll Ijclol32.exe File created C:\Windows\SysWOW64\Mobfgdcl.exe Mmdjkhdh.exe File opened for modification C:\Windows\SysWOW64\Okdmjdol.exe Ohfqmi32.exe File created C:\Windows\SysWOW64\Lcmfeo32.dll Biaign32.exe File created C:\Windows\SysWOW64\Gnpincmg.dll Ihdpbq32.exe File opened for modification C:\Windows\SysWOW64\Locjhqpa.exe Lkgngb32.exe File opened for modification C:\Windows\SysWOW64\Objaha32.exe Oplelf32.exe File opened for modification C:\Windows\SysWOW64\Fcbecl32.exe Fogibnha.exe File created C:\Windows\SysWOW64\Fdkehipd.dll Fcbecl32.exe File created C:\Windows\SysWOW64\Ljddjj32.exe Lfhhjklc.exe File opened for modification C:\Windows\SysWOW64\Lhfefgkg.exe Ljddjj32.exe File opened for modification C:\Windows\SysWOW64\Ofcqcp32.exe Odedge32.exe File created C:\Windows\SysWOW64\Bhapci32.dll Phlclgfc.exe File created C:\Windows\SysWOW64\Kcjjof32.dll Elfcbo32.exe File created C:\Windows\SysWOW64\Fcbecl32.exe Fogibnha.exe File created C:\Windows\SysWOW64\Elebllmi.dll Bgblmk32.exe File opened for modification C:\Windows\SysWOW64\Ibejdjln.exe Ijnbcmkk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5564 5580 WerFault.exe 541 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjlnpmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajeeeblb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhcim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfcjdkpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnild32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaghki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbbbdcgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amcbankf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffaaoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieajkfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhhhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbfep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eggndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnimiblo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmadbjkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdiondb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobfgdcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlqmmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Najpll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelkeeah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfphcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkgahoel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hboddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goiehm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqnah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgigil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phnpagdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amaelomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackmih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcnkhmdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaompi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmicfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqlfaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjamgmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfqmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Demofaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiogq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieomef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipdkieg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbgfkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbpeoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggiigmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeaepd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbbgdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Micklk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cblfdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aciqcifh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deollamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhhjklc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjaddn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgoelh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nigafnck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljcllqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbmcibjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfliim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidfdofi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbncfjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hldlga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbjojh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oidiekdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pepcelel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdqlajbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odhhgkib.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kainfp32.dll" Amfognic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fejhndnn.dll" Bkklhjnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gonocmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkdhkd32.dll" Paiaplin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll" Bbmcibjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbpeoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afoddn32.dll" Oaqbln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccbphk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlfgce32.dll" Nfahomfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmbgfkje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bffbdadk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fncpef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqfaldbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahpifj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmlael32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjjpjgjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpbdmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hneeilgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmlgfnal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmejllia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikepamg.dll" Anneqafn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boidnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmojkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caifjn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iafnjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egpfmb32.dll" Kdpfadlm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llechb32.dll" Lfkeokjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhknaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lflhon32.dll" Oaghki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfmhch32.dll" Adfqgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phkckneq.dll" Mgedmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjibgc32.dll" Mnomjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cceell32.dll" Qcachc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paiaplin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Manghajd.dll" Qngopb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbohehoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacnfacn.dll" Ihglhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcnfobob.dll" Lklgbadb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll" Pcljmdmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnbojmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} a29ffd3d65312633589da8ab20862ed07e19e5bdca0fd786a284ecd5a1c559b6.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deollamj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehpalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiapeffl.dll" Odchbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fqliblhd.dll" Omnipjni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdlbfien.dll" Anjlebjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgpjhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieomef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhgccebd.dll" Kocmim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klngkfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbhhdnlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcljmdmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pphkbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bammlq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dldkmlhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iahkpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpbalb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnknoogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjbndpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgfkmgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdhfppnm.dll" Dejbqb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2112 wrote to memory of 2912 2112 a29ffd3d65312633589da8ab20862ed07e19e5bdca0fd786a284ecd5a1c559b6.exe 30 PID 2112 wrote to memory of 2912 2112 a29ffd3d65312633589da8ab20862ed07e19e5bdca0fd786a284ecd5a1c559b6.exe 30 PID 2112 wrote to memory of 2912 2112 a29ffd3d65312633589da8ab20862ed07e19e5bdca0fd786a284ecd5a1c559b6.exe 30 PID 2112 wrote to memory of 2912 2112 a29ffd3d65312633589da8ab20862ed07e19e5bdca0fd786a284ecd5a1c559b6.exe 30 PID 2912 wrote to memory of 2844 2912 Lbicoamh.exe 31 PID 2912 wrote to memory of 2844 2912 Lbicoamh.exe 31 PID 2912 wrote to memory of 2844 2912 Lbicoamh.exe 31 PID 2912 wrote to memory of 2844 2912 Lbicoamh.exe 31 PID 2844 wrote to memory of 2792 2844 Micklk32.exe 32 PID 2844 wrote to memory of 2792 2844 Micklk32.exe 32 PID 2844 wrote to memory of 2792 2844 Micklk32.exe 32 PID 2844 wrote to memory of 2792 2844 Micklk32.exe 32 PID 2792 wrote to memory of 2652 2792 Mejlalji.exe 33 PID 2792 wrote to memory of 2652 2792 Mejlalji.exe 33 PID 2792 wrote to memory of 2652 2792 Mejlalji.exe 33 PID 2792 wrote to memory of 2652 2792 Mejlalji.exe 33 PID 2652 wrote to memory of 2656 2652 Mmadbjkk.exe 34 PID 2652 wrote to memory of 2656 2652 Mmadbjkk.exe 34 PID 2652 wrote to memory of 2656 2652 Mmadbjkk.exe 34 PID 2652 wrote to memory of 2656 2652 Mmadbjkk.exe 34 PID 2656 wrote to memory of 3024 2656 Mbnljqic.exe 35 PID 2656 wrote to memory of 3024 2656 Mbnljqic.exe 35 PID 2656 wrote to memory of 3024 2656 Mbnljqic.exe 35 PID 2656 wrote to memory of 3024 2656 Mbnljqic.exe 35 PID 3024 wrote to memory of 2644 3024 Mgjebg32.exe 36 PID 3024 wrote to memory of 2644 3024 Mgjebg32.exe 36 PID 3024 wrote to memory of 2644 3024 Mgjebg32.exe 36 PID 3024 wrote to memory of 2644 3024 Mgjebg32.exe 36 PID 2644 wrote to memory of 2528 2644 Macilmnk.exe 37 PID 2644 wrote to memory of 2528 2644 Macilmnk.exe 37 PID 2644 wrote to memory of 2528 2644 Macilmnk.exe 37 PID 2644 wrote to memory of 2528 2644 Macilmnk.exe 37 PID 2528 wrote to memory of 2252 2528 Mgmahg32.exe 38 PID 2528 wrote to memory of 2252 2528 Mgmahg32.exe 38 PID 2528 wrote to memory of 2252 2528 Mgmahg32.exe 38 PID 2528 wrote to memory of 2252 2528 Mgmahg32.exe 38 PID 2252 wrote to memory of 2356 2252 Mbbfep32.exe 39 PID 2252 wrote to memory of 2356 2252 Mbbfep32.exe 39 PID 2252 wrote to memory of 2356 2252 Mbbfep32.exe 39 PID 2252 wrote to memory of 2356 2252 Mbbfep32.exe 39 PID 2356 wrote to memory of 1928 2356 Mccbmh32.exe 40 PID 2356 wrote to memory of 1928 2356 Mccbmh32.exe 40 PID 2356 wrote to memory of 1928 2356 Mccbmh32.exe 40 PID 2356 wrote to memory of 1928 2356 Mccbmh32.exe 40 PID 1928 wrote to memory of 2292 1928 Nmlgfnal.exe 41 PID 1928 wrote to memory of 2292 1928 Nmlgfnal.exe 41 PID 1928 wrote to memory of 2292 1928 Nmlgfnal.exe 41 PID 1928 wrote to memory of 2292 1928 Nmlgfnal.exe 41 PID 2292 wrote to memory of 1248 2292 Ncfoch32.exe 42 PID 2292 wrote to memory of 1248 2292 Ncfoch32.exe 42 PID 2292 wrote to memory of 1248 2292 Ncfoch32.exe 42 PID 2292 wrote to memory of 1248 2292 Ncfoch32.exe 42 PID 1248 wrote to memory of 1920 1248 Nnkcpq32.exe 43 PID 1248 wrote to memory of 1920 1248 Nnkcpq32.exe 43 PID 1248 wrote to memory of 1920 1248 Nnkcpq32.exe 43 PID 1248 wrote to memory of 1920 1248 Nnkcpq32.exe 43 PID 1920 wrote to memory of 2824 1920 Najpll32.exe 44 PID 1920 wrote to memory of 2824 1920 Najpll32.exe 44 PID 1920 wrote to memory of 2824 1920 Najpll32.exe 44 PID 1920 wrote to memory of 2824 1920 Najpll32.exe 44 PID 2824 wrote to memory of 2732 2824 Nfghdcfj.exe 45 PID 2824 wrote to memory of 2732 2824 Nfghdcfj.exe 45 PID 2824 wrote to memory of 2732 2824 Nfghdcfj.exe 45 PID 2824 wrote to memory of 2732 2824 Nfghdcfj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a29ffd3d65312633589da8ab20862ed07e19e5bdca0fd786a284ecd5a1c559b6.exe"C:\Users\Admin\AppData\Local\Temp\a29ffd3d65312633589da8ab20862ed07e19e5bdca0fd786a284ecd5a1c559b6.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Lbicoamh.exeC:\Windows\system32\Lbicoamh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Mbnljqic.exeC:\Windows\system32\Mbnljqic.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Mgjebg32.exeC:\Windows\system32\Mgjebg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Macilmnk.exeC:\Windows\system32\Macilmnk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Mgmahg32.exeC:\Windows\system32\Mgmahg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Mbbfep32.exeC:\Windows\system32\Mbbfep32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Mccbmh32.exeC:\Windows\system32\Mccbmh32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Nmlgfnal.exeC:\Windows\system32\Nmlgfnal.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Ncfoch32.exeC:\Windows\system32\Ncfoch32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1248 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2148 -
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2044 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:936 -
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Oioggmmc.exeC:\Windows\system32\Oioggmmc.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Obgkpb32.exeC:\Windows\system32\Obgkpb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2428 -
C:\Windows\SysWOW64\Omqlpp32.exeC:\Windows\system32\Omqlpp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2752 -
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe33⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe37⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1432 -
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe39⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe40⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Pgbdodnh.exeC:\Windows\system32\Pgbdodnh.exe42⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe43⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe44⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe45⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1176 -
C:\Windows\SysWOW64\Popeif32.exeC:\Windows\system32\Popeif32.exe47⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe48⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Qkffng32.exeC:\Windows\system32\Qkffng32.exe49⤵
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe52⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe53⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe55⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe56⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe57⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2596 -
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe61⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe62⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Ajqljc32.exeC:\Windows\system32\Ajqljc32.exe64⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe65⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe66⤵
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe67⤵
- System Location Discovery: System Language Discovery
PID:2972 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe68⤵PID:2064
-
C:\Windows\SysWOW64\Anneqafn.exeC:\Windows\system32\Anneqafn.exe69⤵
- Modifies registry class
PID:1848 -
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe70⤵
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Aopahjll.exeC:\Windows\system32\Aopahjll.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756 -
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe73⤵
- System Location Discovery: System Language Discovery
PID:2504 -
C:\Windows\SysWOW64\Ajeeeblb.exeC:\Windows\system32\Ajeeeblb.exe74⤵
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe75⤵
- System Location Discovery: System Language Discovery
PID:1352 -
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe76⤵PID:1840
-
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe77⤵PID:2816
-
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe78⤵PID:2496
-
C:\Windows\SysWOW64\Ajgbkbjp.exeC:\Windows\system32\Ajgbkbjp.exe79⤵PID:1532
-
C:\Windows\SysWOW64\Aijbfo32.exeC:\Windows\system32\Aijbfo32.exe80⤵PID:1304
-
C:\Windows\SysWOW64\Amfognic.exeC:\Windows\system32\Amfognic.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:2352 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe82⤵PID:1412
-
C:\Windows\SysWOW64\Bimoloog.exeC:\Windows\system32\Bimoloog.exe83⤵PID:1976
-
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe84⤵
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe85⤵PID:1836
-
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe86⤵
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe88⤵PID:2960
-
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe89⤵
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe90⤵PID:1828
-
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe91⤵PID:1424
-
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe92⤵PID:1712
-
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe93⤵
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1644 -
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe95⤵PID:1588
-
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:756 -
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe97⤵PID:3020
-
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe98⤵PID:2128
-
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe99⤵
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe100⤵PID:2580
-
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe101⤵PID:2244
-
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe102⤵PID:316
-
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe103⤵PID:1232
-
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe104⤵PID:1896
-
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe105⤵PID:2948
-
C:\Windows\SysWOW64\Cfnoogbo.exeC:\Windows\system32\Cfnoogbo.exe106⤵PID:2232
-
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe107⤵PID:1668
-
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe108⤵PID:1236
-
C:\Windows\SysWOW64\Ccbphk32.exeC:\Windows\system32\Ccbphk32.exe109⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe110⤵PID:2124
-
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe111⤵PID:2392
-
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe112⤵PID:1780
-
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe113⤵PID:2768
-
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe114⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe115⤵
- Drops file in System32 directory
PID:1140 -
C:\Windows\SysWOW64\Cfeepelg.exeC:\Windows\system32\Cfeepelg.exe116⤵PID:2456
-
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe117⤵PID:1032
-
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe118⤵PID:2344
-
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe119⤵PID:2880
-
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe120⤵
- System Location Discovery: System Language Discovery
PID:1276 -
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe121⤵
- Modifies registry class
PID:1444
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-