Analysis
-
max time kernel
27s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
21-01-2025 06:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e8416425bfd573be0878eb53d27fedcc03e608e6dc2c1ae0ac35f84d81144e61.exe
Resource
win7-20240729-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
e8416425bfd573be0878eb53d27fedcc03e608e6dc2c1ae0ac35f84d81144e61.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
e8416425bfd573be0878eb53d27fedcc03e608e6dc2c1ae0ac35f84d81144e61.exe
-
Size
96KB
-
MD5
d6ef85173a7a6d6c98351014f1ad3334
-
SHA1
f6694bb05c8d6a137b3b2f3a1f66b4bfc14a90e5
-
SHA256
e8416425bfd573be0878eb53d27fedcc03e608e6dc2c1ae0ac35f84d81144e61
-
SHA512
68076ef7affefbd0d0d29905a1f5680c2aa03c0cc6d28b92419a9cb81e3abdc7096c6159e45f7da9c3937bb0cd7bb5d9166c90565cef2e842a5f538d0619fed3
-
SSDEEP
1536:TPA2oVuTvgsGS8kn9dnKu+2LdVB7RZObZUUWaegPYAy:TY2oVuTDP9rDrBClUUWaeP
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kechdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfeaiime.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdpcokdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbjbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deondj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmmdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jabponba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmqmod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olbogqoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfoaho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjahej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qldhkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcgmfgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkmbmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfbbjdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jagpdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkbaci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hneeilgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnjcomcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oabkom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcmdnfad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obbdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eppefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fliook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaimipjl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neiaeiii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laleof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dekdikhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eogolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olebgfao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cceogcfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Japciodd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlqjkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggkibhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghlfjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adaiee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emaijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkcekfad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdbpekam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjokokha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbafdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cepipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kigndekn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glbaei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmpaom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbmaon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cagienkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ephbal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbidne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaecod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mphiqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aejlnmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjfkmdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emdmjamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaphjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpjofl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcmamj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elkofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibcphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kipmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhnkffeo.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 4 IoCs
resource yara_rule behavioral1/files/0x0004000000020683-4476.dat family_bruteratel behavioral1/files/0x00040000000206a7-4492.dat family_bruteratel behavioral1/files/0x00030000000208bf-4908.dat family_bruteratel behavioral1/files/0x0003000000020ede-6714.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2404 Hahnac32.exe 2796 Hfegij32.exe 2752 Hjacjifm.exe 2960 Hpnkbpdd.exe 2792 Hldlga32.exe 1692 Hboddk32.exe 2680 Hlgimqhf.exe 2016 Hneeilgj.exe 1652 Iikifegp.exe 2144 Iliebpfc.exe 1660 Inhanl32.exe 1728 Ieajkfmd.exe 1784 Ijnbcmkk.exe 608 Injndk32.exe 2468 Idgglb32.exe 1664 Inlkik32.exe 1600 Iefcfe32.exe 1684 Ifgpnmom.exe 2160 Ioohokoo.exe 2968 Ippdgc32.exe 1824 Ihglhp32.exe 716 Iihiphln.exe 2988 Jmdepg32.exe 2572 Jbqmhnbo.exe 596 Jkhejkcq.exe 548 Jdpjba32.exe 2436 Jimbkh32.exe 2872 Jedcpi32.exe 2192 Jpigma32.exe 2756 Jolghndm.exe 2624 Jialfgcc.exe 3068 Jbjpom32.exe 1592 Jehlkhig.exe 2032 Khghgchk.exe 1360 Klbdgb32.exe 1252 Khielcfh.exe 1980 Kglehp32.exe 2848 Knfndjdp.exe 2300 Kpdjaecc.exe 1104 Kkjnnn32.exe 2956 Kadfkhkf.exe 964 Kdbbgdjj.exe 2376 Kjokokha.exe 1552 Kpicle32.exe 816 Kgclio32.exe 3056 Kjahej32.exe 3004 Knmdeioh.exe 1168 Lcjlnpmo.exe 2560 Lgehno32.exe 1584 Lfhhjklc.exe 2836 Lhfefgkg.exe 2456 Llbqfe32.exe 484 Loqmba32.exe 3028 Lclicpkm.exe 1096 Lfkeokjp.exe 1344 Ljfapjbi.exe 780 Lldmleam.exe 2584 Lkgngb32.exe 1964 Lcofio32.exe 1100 Lbafdlod.exe 2028 Lhknaf32.exe 408 Lkjjma32.exe 1588 Lbcbjlmb.exe 1444 Lfoojj32.exe -
Loads dropped DLL 64 IoCs
pid Process 2092 e8416425bfd573be0878eb53d27fedcc03e608e6dc2c1ae0ac35f84d81144e61.exe 2092 e8416425bfd573be0878eb53d27fedcc03e608e6dc2c1ae0ac35f84d81144e61.exe 2404 Hahnac32.exe 2404 Hahnac32.exe 2796 Hfegij32.exe 2796 Hfegij32.exe 2752 Hjacjifm.exe 2752 Hjacjifm.exe 2960 Hpnkbpdd.exe 2960 Hpnkbpdd.exe 2792 Hldlga32.exe 2792 Hldlga32.exe 1692 Hboddk32.exe 1692 Hboddk32.exe 2680 Hlgimqhf.exe 2680 Hlgimqhf.exe 2016 Hneeilgj.exe 2016 Hneeilgj.exe 1652 Iikifegp.exe 1652 Iikifegp.exe 2144 Iliebpfc.exe 2144 Iliebpfc.exe 1660 Inhanl32.exe 1660 Inhanl32.exe 1728 Ieajkfmd.exe 1728 Ieajkfmd.exe 1784 Ijnbcmkk.exe 1784 Ijnbcmkk.exe 608 Injndk32.exe 608 Injndk32.exe 2468 Idgglb32.exe 2468 Idgglb32.exe 1664 Inlkik32.exe 1664 Inlkik32.exe 1600 Iefcfe32.exe 1600 Iefcfe32.exe 1684 Ifgpnmom.exe 1684 Ifgpnmom.exe 2160 Ioohokoo.exe 2160 Ioohokoo.exe 2968 Ippdgc32.exe 2968 Ippdgc32.exe 1824 Ihglhp32.exe 1824 Ihglhp32.exe 716 Iihiphln.exe 716 Iihiphln.exe 2988 Jmdepg32.exe 2988 Jmdepg32.exe 2572 Jbqmhnbo.exe 2572 Jbqmhnbo.exe 596 Jkhejkcq.exe 596 Jkhejkcq.exe 548 Jdpjba32.exe 548 Jdpjba32.exe 2436 Jimbkh32.exe 2436 Jimbkh32.exe 2872 Jedcpi32.exe 2872 Jedcpi32.exe 2192 Jpigma32.exe 2192 Jpigma32.exe 2756 Jolghndm.exe 2756 Jolghndm.exe 2624 Jialfgcc.exe 2624 Jialfgcc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pgddfe32.dll Lbcbjlmb.exe File created C:\Windows\SysWOW64\Coicfd32.exe Cmkfji32.exe File created C:\Windows\SysWOW64\Nhmbnqfg.dll Fdkmeiei.exe File created C:\Windows\SysWOW64\Cfnmapnj.dll Mfokinhf.exe File created C:\Windows\SysWOW64\Ocaadj32.dll Lljpjchg.exe File created C:\Windows\SysWOW64\Ppmgfb32.exe Plbkfdba.exe File created C:\Windows\SysWOW64\Agpeaa32.exe Adaiee32.exe File created C:\Windows\SysWOW64\Iecbnqcj.dll Eojlbb32.exe File created C:\Windows\SysWOW64\Ippdgc32.exe Ioohokoo.exe File created C:\Windows\SysWOW64\Ajngeelc.dll Fpjofl32.exe File opened for modification C:\Windows\SysWOW64\Jmlddeio.exe Jjnhhjjk.exe File opened for modification C:\Windows\SysWOW64\Cfehhn32.exe Ccgklc32.exe File created C:\Windows\SysWOW64\Efeckm32.dll Cchbgi32.exe File created C:\Windows\SysWOW64\Gjdldd32.exe Gkalhgfd.exe File created C:\Windows\SysWOW64\Piliii32.exe Pfnmmn32.exe File created C:\Windows\SysWOW64\Jcfoeb32.dll Pfpibn32.exe File opened for modification C:\Windows\SysWOW64\Cmkfji32.exe Cjljnn32.exe File created C:\Windows\SysWOW64\Mikjpiim.exe Mjhjdm32.exe File opened for modification C:\Windows\SysWOW64\Dlofgj32.exe Dipjkn32.exe File created C:\Windows\SysWOW64\Jmnqje32.exe Jjpdmi32.exe File created C:\Windows\SysWOW64\Khnapkjg.exe Kadica32.exe File opened for modification C:\Windows\SysWOW64\Obbdml32.exe Npdhaq32.exe File opened for modification C:\Windows\SysWOW64\Imbjcpnn.exe Ijcngenj.exe File created C:\Windows\SysWOW64\Hfegij32.exe Hahnac32.exe File created C:\Windows\SysWOW64\Oiffkkbk.exe Oekjjl32.exe File opened for modification C:\Windows\SysWOW64\Bfdenafn.exe Bceibfgj.exe File created C:\Windows\SysWOW64\Okqcnknc.dll Ehhdaj32.exe File created C:\Windows\SysWOW64\Emgioakg.exe Ekhmcelc.exe File created C:\Windows\SysWOW64\Ggkibhjf.exe Gconbj32.exe File created C:\Windows\SysWOW64\Khgkpl32.exe Kidjdpie.exe File opened for modification C:\Windows\SysWOW64\Ghacfmic.exe Gdegfn32.exe File opened for modification C:\Windows\SysWOW64\Hieiqo32.exe Hejmpqop.exe File created C:\Windows\SysWOW64\Jmlddeio.exe Jjnhhjjk.exe File created C:\Windows\SysWOW64\Ojmklbll.dll Efjmbaba.exe File created C:\Windows\SysWOW64\Mebgijei.dll Jbclgf32.exe File created C:\Windows\SysWOW64\Imggplgm.exe Iikkon32.exe File created C:\Windows\SysWOW64\Bjlkhpje.dll Lfhhjklc.exe File created C:\Windows\SysWOW64\Mfokinhf.exe Mcqombic.exe File created C:\Windows\SysWOW64\Gkmbmh32.exe Gkmbmh32.exe File created C:\Windows\SysWOW64\Ebepdj32.dll Elkofg32.exe File created C:\Windows\SysWOW64\Lknocpdc.dll Fahhnn32.exe File opened for modification C:\Windows\SysWOW64\Hnhgha32.exe Hkjkle32.exe File created C:\Windows\SysWOW64\Imldmnjj.dll Edlafebn.exe File created C:\Windows\SysWOW64\Gmiflpof.dll Hmdkjmip.exe File created C:\Windows\SysWOW64\Kmkbjj32.dll Hgkfal32.exe File created C:\Windows\SysWOW64\Mfeaiime.exe Mcfemmna.exe File opened for modification C:\Windows\SysWOW64\Bnochnpm.exe Bkpglbaj.exe File created C:\Windows\SysWOW64\Hfglml32.dll Bdkhjgeh.exe File created C:\Windows\SysWOW64\Lhkbmo32.dll Dafoikjb.exe File created C:\Windows\SysWOW64\Efedga32.exe Dcghkf32.exe File created C:\Windows\SysWOW64\Fcqjfeja.exe Faonom32.exe File opened for modification C:\Windows\SysWOW64\Hklhae32.exe Hcepqh32.exe File created C:\Windows\SysWOW64\Ojmpooah.exe Ohncbdbd.exe File created C:\Windows\SysWOW64\Andgop32.exe Aoagccfn.exe File opened for modification C:\Windows\SysWOW64\Bjkhdacm.exe Bkhhhd32.exe File opened for modification C:\Windows\SysWOW64\Cnmfdb32.exe Clojhf32.exe File created C:\Windows\SysWOW64\Lfpeln32.dll Fmlbjq32.exe File opened for modification C:\Windows\SysWOW64\Jjnhhjjk.exe Jhoklnkg.exe File created C:\Windows\SysWOW64\Mcknhm32.exe Mlafkb32.exe File created C:\Windows\SysWOW64\Cqdfehii.exe Cnejim32.exe File created C:\Windows\SysWOW64\Dhnhab32.dll Ejaphpnp.exe File created C:\Windows\SysWOW64\Hnpdlk32.dll Eheglk32.exe File opened for modification C:\Windows\SysWOW64\Hejmpqop.exe Hbkqdepm.exe File created C:\Windows\SysWOW64\Dokmejcg.dll Lnecigcp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8172 8096 WerFault.exe 802 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieofkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfkhndca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ephbal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbaif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgnjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folhgbid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igceej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcogbdkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elacliin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghlfjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifpcchai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejlnmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimoiopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjacjifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnoiio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcopebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojglhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhqmadd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imggplgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbcbjlmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbqkiind.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlafkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmipdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aomnhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmjoqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkjac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccnifd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfoaho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkgoff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhfhbce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnmfdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbiocd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afliclij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnnlocgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jigbebhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkolakkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgkfal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obgnhkkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oajndh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mggabaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjfnomde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnokgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaphjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pehcij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmacpfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nibqqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdndjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqlhkofn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcknhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmofdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofqmcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khielcfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhljkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kambcbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edoefl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeqopcld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehhdaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnopp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiflohqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcqlkjae.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obgnhkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blkjkflb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epeoaffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iihiphln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbnnnbbh.dll" Opihgfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fckhhgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkidliln.dll" Ncinap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cagienkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aacjid32.dll" Gcmamj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjffnf32.dll" Kdbbgdjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll" Dmbcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okmjae32.dll" Peefcjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhamf32.dll" Kmimcbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mndofg32.dll" Dmkcil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlgimqhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jedcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmndgq32.dll" Dbiocd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhjbqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahpbkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agglbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlefhcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcpacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckkhdaei.dll" Gecpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpmmfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anjnnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hahnac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhcmgmam.dll" Napbjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdegfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjkkbjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqaafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbkqdepm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgchgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjfnomde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppnnai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahknna32.dll" Jdhifooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqnodo32.dll" Kpojkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iipejmko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kipmhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmbhhfg.dll" Dfbnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkman32.dll" Ijnkifgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnmbpf32.dll" Bhbkpgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqmpdioa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkqqnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Objaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpoggldm.dll" Eaphjp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Indnnfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlfbgb32.dll" Ippdgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojcqog32.dll" Lklgbadb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnoiio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoojnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmhbkohm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aebmjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nefamd32.dll" Cepipm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbfbnddq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Indnnfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enmkijgm.dll" Jbjpom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqpflg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhgnaehm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnbojmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcbnpgkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gamnhq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2092 wrote to memory of 2404 2092 e8416425bfd573be0878eb53d27fedcc03e608e6dc2c1ae0ac35f84d81144e61.exe 30 PID 2092 wrote to memory of 2404 2092 e8416425bfd573be0878eb53d27fedcc03e608e6dc2c1ae0ac35f84d81144e61.exe 30 PID 2092 wrote to memory of 2404 2092 e8416425bfd573be0878eb53d27fedcc03e608e6dc2c1ae0ac35f84d81144e61.exe 30 PID 2092 wrote to memory of 2404 2092 e8416425bfd573be0878eb53d27fedcc03e608e6dc2c1ae0ac35f84d81144e61.exe 30 PID 2404 wrote to memory of 2796 2404 Hahnac32.exe 31 PID 2404 wrote to memory of 2796 2404 Hahnac32.exe 31 PID 2404 wrote to memory of 2796 2404 Hahnac32.exe 31 PID 2404 wrote to memory of 2796 2404 Hahnac32.exe 31 PID 2796 wrote to memory of 2752 2796 Hfegij32.exe 32 PID 2796 wrote to memory of 2752 2796 Hfegij32.exe 32 PID 2796 wrote to memory of 2752 2796 Hfegij32.exe 32 PID 2796 wrote to memory of 2752 2796 Hfegij32.exe 32 PID 2752 wrote to memory of 2960 2752 Hjacjifm.exe 33 PID 2752 wrote to memory of 2960 2752 Hjacjifm.exe 33 PID 2752 wrote to memory of 2960 2752 Hjacjifm.exe 33 PID 2752 wrote to memory of 2960 2752 Hjacjifm.exe 33 PID 2960 wrote to memory of 2792 2960 Hpnkbpdd.exe 34 PID 2960 wrote to memory of 2792 2960 Hpnkbpdd.exe 34 PID 2960 wrote to memory of 2792 2960 Hpnkbpdd.exe 34 PID 2960 wrote to memory of 2792 2960 Hpnkbpdd.exe 34 PID 2792 wrote to memory of 1692 2792 Hldlga32.exe 35 PID 2792 wrote to memory of 1692 2792 Hldlga32.exe 35 PID 2792 wrote to memory of 1692 2792 Hldlga32.exe 35 PID 2792 wrote to memory of 1692 2792 Hldlga32.exe 35 PID 1692 wrote to memory of 2680 1692 Hboddk32.exe 36 PID 1692 wrote to memory of 2680 1692 Hboddk32.exe 36 PID 1692 wrote to memory of 2680 1692 Hboddk32.exe 36 PID 1692 wrote to memory of 2680 1692 Hboddk32.exe 36 PID 2680 wrote to memory of 2016 2680 Hlgimqhf.exe 37 PID 2680 wrote to memory of 2016 2680 Hlgimqhf.exe 37 PID 2680 wrote to memory of 2016 2680 Hlgimqhf.exe 37 PID 2680 wrote to memory of 2016 2680 Hlgimqhf.exe 37 PID 2016 wrote to memory of 1652 2016 Hneeilgj.exe 38 PID 2016 wrote to memory of 1652 2016 Hneeilgj.exe 38 PID 2016 wrote to memory of 1652 2016 Hneeilgj.exe 38 PID 2016 wrote to memory of 1652 2016 Hneeilgj.exe 38 PID 1652 wrote to memory of 2144 1652 Iikifegp.exe 39 PID 1652 wrote to memory of 2144 1652 Iikifegp.exe 39 PID 1652 wrote to memory of 2144 1652 Iikifegp.exe 39 PID 1652 wrote to memory of 2144 1652 Iikifegp.exe 39 PID 2144 wrote to memory of 1660 2144 Iliebpfc.exe 40 PID 2144 wrote to memory of 1660 2144 Iliebpfc.exe 40 PID 2144 wrote to memory of 1660 2144 Iliebpfc.exe 40 PID 2144 wrote to memory of 1660 2144 Iliebpfc.exe 40 PID 1660 wrote to memory of 1728 1660 Inhanl32.exe 41 PID 1660 wrote to memory of 1728 1660 Inhanl32.exe 41 PID 1660 wrote to memory of 1728 1660 Inhanl32.exe 41 PID 1660 wrote to memory of 1728 1660 Inhanl32.exe 41 PID 1728 wrote to memory of 1784 1728 Ieajkfmd.exe 42 PID 1728 wrote to memory of 1784 1728 Ieajkfmd.exe 42 PID 1728 wrote to memory of 1784 1728 Ieajkfmd.exe 42 PID 1728 wrote to memory of 1784 1728 Ieajkfmd.exe 42 PID 1784 wrote to memory of 608 1784 Ijnbcmkk.exe 43 PID 1784 wrote to memory of 608 1784 Ijnbcmkk.exe 43 PID 1784 wrote to memory of 608 1784 Ijnbcmkk.exe 43 PID 1784 wrote to memory of 608 1784 Ijnbcmkk.exe 43 PID 608 wrote to memory of 2468 608 Injndk32.exe 44 PID 608 wrote to memory of 2468 608 Injndk32.exe 44 PID 608 wrote to memory of 2468 608 Injndk32.exe 44 PID 608 wrote to memory of 2468 608 Injndk32.exe 44 PID 2468 wrote to memory of 1664 2468 Idgglb32.exe 45 PID 2468 wrote to memory of 1664 2468 Idgglb32.exe 45 PID 2468 wrote to memory of 1664 2468 Idgglb32.exe 45 PID 2468 wrote to memory of 1664 2468 Idgglb32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e8416425bfd573be0878eb53d27fedcc03e608e6dc2c1ae0ac35f84d81144e61.exe"C:\Users\Admin\AppData\Local\Temp\e8416425bfd573be0878eb53d27fedcc03e608e6dc2c1ae0ac35f84d81144e61.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Ijnbcmkk.exeC:\Windows\system32\Ijnbcmkk.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Injndk32.exeC:\Windows\system32\Injndk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:608 -
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Ifgpnmom.exeC:\Windows\system32\Ifgpnmom.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2968 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:716 -
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:596 -
C:\Windows\SysWOW64\Jdpjba32.exeC:\Windows\system32\Jdpjba32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:548 -
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2436 -
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Jolghndm.exeC:\Windows\system32\Jolghndm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Jialfgcc.exeC:\Windows\system32\Jialfgcc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe34⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe35⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Klbdgb32.exeC:\Windows\system32\Klbdgb32.exe36⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1252 -
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe38⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe39⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Kpdjaecc.exeC:\Windows\system32\Kpdjaecc.exe40⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Kkjnnn32.exeC:\Windows\system32\Kkjnnn32.exe41⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe42⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2376 -
C:\Windows\SysWOW64\Kpicle32.exeC:\Windows\system32\Kpicle32.exe45⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe46⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe48⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Lcjlnpmo.exeC:\Windows\system32\Lcjlnpmo.exe49⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe50⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1584 -
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe52⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2456 -
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe54⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe55⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe56⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Ljfapjbi.exeC:\Windows\system32\Ljfapjbi.exe57⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe58⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Lkgngb32.exeC:\Windows\system32\Lkgngb32.exe59⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Lcofio32.exeC:\Windows\system32\Lcofio32.exe60⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe62⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe63⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1588 -
C:\Windows\SysWOW64\Lfoojj32.exeC:\Windows\system32\Lfoojj32.exe65⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2244 -
C:\Windows\SysWOW64\Lgqkbb32.exeC:\Windows\system32\Lgqkbb32.exe67⤵PID:2480
-
C:\Windows\SysWOW64\Lklgbadb.exeC:\Windows\system32\Lklgbadb.exe68⤵
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Lnjcomcf.exeC:\Windows\system32\Lnjcomcf.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2548 -
C:\Windows\SysWOW64\Lddlkg32.exeC:\Windows\system32\Lddlkg32.exe70⤵PID:2768
-
C:\Windows\SysWOW64\Lgchgb32.exeC:\Windows\system32\Lgchgb32.exe71⤵
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe72⤵PID:2400
-
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe73⤵PID:2512
-
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe74⤵PID:1696
-
C:\Windows\SysWOW64\Mcjhmcok.exeC:\Windows\system32\Mcjhmcok.exe75⤵PID:1920
-
C:\Windows\SysWOW64\Mkqqnq32.exeC:\Windows\system32\Mkqqnq32.exe76⤵
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Mjcaimgg.exeC:\Windows\system32\Mjcaimgg.exe77⤵PID:2488
-
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe78⤵PID:2928
-
C:\Windows\SysWOW64\Mclebc32.exeC:\Windows\system32\Mclebc32.exe79⤵PID:2312
-
C:\Windows\SysWOW64\Mggabaea.exeC:\Windows\system32\Mggabaea.exe80⤵
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Mjfnomde.exeC:\Windows\system32\Mjfnomde.exe81⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Mqpflg32.exeC:\Windows\system32\Mqpflg32.exe82⤵
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Mobfgdcl.exeC:\Windows\system32\Mobfgdcl.exe83⤵PID:2868
-
C:\Windows\SysWOW64\Mgjnhaco.exeC:\Windows\system32\Mgjnhaco.exe84⤵PID:2716
-
C:\Windows\SysWOW64\Mjhjdm32.exeC:\Windows\system32\Mjhjdm32.exe85⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Mikjpiim.exeC:\Windows\system32\Mikjpiim.exe86⤵PID:2844
-
C:\Windows\SysWOW64\Mqbbagjo.exeC:\Windows\system32\Mqbbagjo.exe87⤵PID:2652
-
C:\Windows\SysWOW64\Mcqombic.exeC:\Windows\system32\Mcqombic.exe88⤵
- Drops file in System32 directory
PID:856 -
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe89⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe90⤵PID:1840
-
C:\Windows\SysWOW64\Mmicfh32.exeC:\Windows\system32\Mmicfh32.exe91⤵PID:2008
-
C:\Windows\SysWOW64\Mcckcbgp.exeC:\Windows\system32\Mcckcbgp.exe92⤵PID:2088
-
C:\Windows\SysWOW64\Nbflno32.exeC:\Windows\system32\Nbflno32.exe93⤵PID:2916
-
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe94⤵PID:2004
-
C:\Windows\SysWOW64\Nlnpgd32.exeC:\Windows\system32\Nlnpgd32.exe95⤵PID:352
-
C:\Windows\SysWOW64\Npjlhcmd.exeC:\Windows\system32\Npjlhcmd.exe96⤵PID:2012
-
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe97⤵PID:2084
-
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe98⤵PID:2812
-
C:\Windows\SysWOW64\Nibqqh32.exeC:\Windows\system32\Nibqqh32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Nlqmmd32.exeC:\Windows\system32\Nlqmmd32.exe100⤵PID:1372
-
C:\Windows\SysWOW64\Nnoiio32.exeC:\Windows\system32\Nnoiio32.exe101⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe102⤵PID:1768
-
C:\Windows\SysWOW64\Neiaeiii.exeC:\Windows\system32\Neiaeiii.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1976 -
C:\Windows\SysWOW64\Nhgnaehm.exeC:\Windows\system32\Nhgnaehm.exe104⤵
- Modifies registry class
PID:2964 -
C:\Windows\SysWOW64\Njfjnpgp.exeC:\Windows\system32\Njfjnpgp.exe105⤵PID:1520
-
C:\Windows\SysWOW64\Nbmaon32.exeC:\Windows\system32\Nbmaon32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1944 -
C:\Windows\SysWOW64\Napbjjom.exeC:\Windows\system32\Napbjjom.exe107⤵
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Nlefhcnc.exeC:\Windows\system32\Nlefhcnc.exe108⤵
- Modifies registry class
PID:1680 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe109⤵PID:2808
-
C:\Windows\SysWOW64\Ndqkleln.exeC:\Windows\system32\Ndqkleln.exe110⤵PID:2408
-
C:\Windows\SysWOW64\Nfoghakb.exeC:\Windows\system32\Nfoghakb.exe111⤵PID:1232
-
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe112⤵PID:1140
-
C:\Windows\SysWOW64\Ohncbdbd.exeC:\Windows\system32\Ohncbdbd.exe113⤵
- Drops file in System32 directory
PID:1632 -
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe114⤵PID:2496
-
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe115⤵PID:2284
-
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe116⤵
- Modifies registry class
PID:1000 -
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe117⤵PID:1016
-
C:\Windows\SysWOW64\Ofcqcp32.exeC:\Windows\system32\Ofcqcp32.exe118⤵PID:1308
-
C:\Windows\SysWOW64\Omnipjni.exeC:\Windows\system32\Omnipjni.exe119⤵PID:1624
-
C:\Windows\SysWOW64\Olpilg32.exeC:\Windows\system32\Olpilg32.exe120⤵PID:2616
-
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe121⤵PID:3032
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-