Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
25-01-2025 07:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ded83681f28b00ecb9821056cf7671af8700c84208113775d2dca221c6c97abb.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
ded83681f28b00ecb9821056cf7671af8700c84208113775d2dca221c6c97abb.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
ded83681f28b00ecb9821056cf7671af8700c84208113775d2dca221c6c97abb.exe
-
Size
96KB
-
MD5
944dc024b06875a37d7bce955b3fe123
-
SHA1
8b02416c3c423fe09c867517c68026b045e01f96
-
SHA256
ded83681f28b00ecb9821056cf7671af8700c84208113775d2dca221c6c97abb
-
SHA512
5b22d366080f6d29c3670c2d9fd9b91c2ea1870d86bc30a0e0a2e3e33538404c582e2e1136b9f0284a727583c3c051793c550009b64815954848efcd0ddc73cb
-
SSDEEP
1536:3B5y9vHwuBAhJgW1Tit2Lxk7RZObZUUWaegPYAS:3B5ypVBA7gci+qClUUWae/
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jplkmgol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppcbgkka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdiogq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnmpdlac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcaimgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlcibc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgabdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlpkdkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjfpafmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbojdmcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjipenda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koddccaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agpcihcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbgmigeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ippbnjni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpjeialg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeafjiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmmebm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjmpcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaajei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmgfqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdkjnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbofgme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elnqmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iapgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkbojpna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqncaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Copjdhib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpgajgeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pegqpacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfejjgli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnfblgca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddiibc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfpldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqnifg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfoch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbbbdcgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iflmjihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knekla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pafbadcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdcmbgkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfqpecma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccbphk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjlmpfhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oihqgbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anahqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmben32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhdhif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qododfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gacbmk32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 4 IoCs
resource yara_rule behavioral1/files/0x000400000001d9be-1969.dat family_bruteratel behavioral1/files/0x0003000000020c27-5848.dat family_bruteratel behavioral1/files/0x0003000000020dea-6357.dat family_bruteratel behavioral1/files/0x0003000000020dee-6365.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2308 Glbqje32.exe 2836 Gpnmjd32.exe 2780 Gblifo32.exe 2640 Gbnflo32.exe 2616 Gembhj32.exe 2424 Ghkndf32.exe 1860 Gnefapmj.exe 2996 Gacbmk32.exe 2856 Ghmkjedk.exe 2964 Gjlgfaco.exe 984 Hafock32.exe 2700 Hddlof32.exe 1304 Hnjplo32.exe 1636 Hahlhkhi.exe 2476 Hdfhdfgl.exe 992 Hfedqagp.exe 2180 Hmomml32.exe 1364 Hpmiig32.exe 1100 Hbleeb32.exe 1540 Hjcmgp32.exe 1060 Hldjnhce.exe 2320 Hdkape32.exe 2244 Hfjnla32.exe 292 Hihjhl32.exe 1612 Hlffdh32.exe 2804 Hoebpc32.exe 2728 Hbqoqbho.exe 2908 Hijgml32.exe 1956 Ipdojfgh.exe 2768 Ibckfa32.exe 1808 Ihpdoh32.exe 2844 Iknpkd32.exe 2452 Iecdhm32.exe 2848 Idfdcijh.exe 2972 Ikpmpc32.exe 1036 Iajemnia.exe 1980 Idiaii32.exe 348 Ikbifcpb.exe 780 Inafbooe.exe 2220 Ippbnjni.exe 2268 Igijkd32.exe 916 Iihfgp32.exe 952 Idmkdh32.exe 988 Jglgpdcc.exe 1664 Jkgcab32.exe 932 Jliohkak.exe 2544 Jcbhee32.exe 540 Jeadap32.exe 1796 Jjmpbopd.exe 2808 Joihjfnl.exe 2628 Jcedkd32.exe 2716 Jgqpkc32.exe 2672 Jpiedieo.exe 2948 Jolepe32.exe 1984 Jajala32.exe 2880 Jfemlpdf.exe 1476 Jhdihkcj.exe 1916 Jkbfdfbm.exe 772 Jonbee32.exe 3056 Jblnaq32.exe 1828 Jdkjnl32.exe 1548 Jhffnk32.exe 1868 Jkebjf32.exe 904 Kncofa32.exe -
Loads dropped DLL 64 IoCs
pid Process 1992 ded83681f28b00ecb9821056cf7671af8700c84208113775d2dca221c6c97abb.exe 1992 ded83681f28b00ecb9821056cf7671af8700c84208113775d2dca221c6c97abb.exe 2308 Glbqje32.exe 2308 Glbqje32.exe 2836 Gpnmjd32.exe 2836 Gpnmjd32.exe 2780 Gblifo32.exe 2780 Gblifo32.exe 2640 Gbnflo32.exe 2640 Gbnflo32.exe 2616 Gembhj32.exe 2616 Gembhj32.exe 2424 Ghkndf32.exe 2424 Ghkndf32.exe 1860 Gnefapmj.exe 1860 Gnefapmj.exe 2996 Gacbmk32.exe 2996 Gacbmk32.exe 2856 Ghmkjedk.exe 2856 Ghmkjedk.exe 2964 Gjlgfaco.exe 2964 Gjlgfaco.exe 984 Hafock32.exe 984 Hafock32.exe 2700 Hddlof32.exe 2700 Hddlof32.exe 1304 Hnjplo32.exe 1304 Hnjplo32.exe 1636 Hahlhkhi.exe 1636 Hahlhkhi.exe 2476 Hdfhdfgl.exe 2476 Hdfhdfgl.exe 992 Hfedqagp.exe 992 Hfedqagp.exe 2180 Hmomml32.exe 2180 Hmomml32.exe 1364 Hpmiig32.exe 1364 Hpmiig32.exe 1100 Hbleeb32.exe 1100 Hbleeb32.exe 1540 Hjcmgp32.exe 1540 Hjcmgp32.exe 1060 Hldjnhce.exe 1060 Hldjnhce.exe 2320 Hdkape32.exe 2320 Hdkape32.exe 2244 Hfjnla32.exe 2244 Hfjnla32.exe 292 Hihjhl32.exe 292 Hihjhl32.exe 1612 Hlffdh32.exe 1612 Hlffdh32.exe 2804 Hoebpc32.exe 2804 Hoebpc32.exe 2728 Hbqoqbho.exe 2728 Hbqoqbho.exe 2908 Hijgml32.exe 2908 Hijgml32.exe 1956 Ipdojfgh.exe 1956 Ipdojfgh.exe 2768 Ibckfa32.exe 2768 Ibckfa32.exe 1808 Ihpdoh32.exe 1808 Ihpdoh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Aqonbm32.exe Amcbankf.exe File opened for modification C:\Windows\SysWOW64\Jialfgcc.exe Jajcdjca.exe File opened for modification C:\Windows\SysWOW64\Kjahej32.exe Kffldlne.exe File created C:\Windows\SysWOW64\Khoqme32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bgnfdm32.exe Bepjha32.exe File opened for modification C:\Windows\SysWOW64\Ejkkfjkj.exe Ekhkjm32.exe File created C:\Windows\SysWOW64\Lcdgejhm.dll Ackmih32.exe File created C:\Windows\SysWOW64\Aaaphj32.dll Cedpbd32.exe File opened for modification C:\Windows\SysWOW64\Idmkdh32.exe Iihfgp32.exe File created C:\Windows\SysWOW64\Dppllabf.dll Famope32.exe File opened for modification C:\Windows\SysWOW64\Pljlbf32.exe Process not Found File created C:\Windows\SysWOW64\Bgibnj32.exe Bcmfmlen.exe File created C:\Windows\SysWOW64\Nmoadk32.dll Fjbafi32.exe File created C:\Windows\SysWOW64\Ciajik32.dll Hhhgcc32.exe File opened for modification C:\Windows\SysWOW64\Ppcbgkka.exe Omefkplm.exe File created C:\Windows\SysWOW64\Lonpma32.exe Kpkpadnl.exe File opened for modification C:\Windows\SysWOW64\Accnekon.exe Qogbdl32.exe File created C:\Windows\SysWOW64\Aennba32.exe Aababceh.exe File created C:\Windows\SysWOW64\Eogmcjef.exe Elipgofb.exe File created C:\Windows\SysWOW64\Klbdgb32.exe Khghgchk.exe File opened for modification C:\Windows\SysWOW64\Mfmndn32.exe Mgjnhaco.exe File created C:\Windows\SysWOW64\Ibcihh32.dll Process not Found File created C:\Windows\SysWOW64\Gqfgjogd.dll Mbcmpfhi.exe File created C:\Windows\SysWOW64\Iibfajdc.exe Iegjqk32.exe File created C:\Windows\SysWOW64\Lofoed32.dll Jplkmgol.exe File created C:\Windows\SysWOW64\Kcecbq32.exe Kpgffe32.exe File opened for modification C:\Windows\SysWOW64\Pkjphcff.exe Process not Found File created C:\Windows\SysWOW64\Ocgbji32.exe Odebolpe.exe File created C:\Windows\SysWOW64\Eeiead32.dll Lngnfnji.exe File created C:\Windows\SysWOW64\Pkifdd32.exe Pgnjde32.exe File created C:\Windows\SysWOW64\Qnebjc32.exe Qobbofgn.exe File opened for modification C:\Windows\SysWOW64\Hboddk32.exe Hpphhp32.exe File opened for modification C:\Windows\SysWOW64\Ifjlcmmj.exe Idkpganf.exe File created C:\Windows\SysWOW64\Mgedmb32.exe Mcjhmcok.exe File created C:\Windows\SysWOW64\Mbgogp32.dll Fdiogq32.exe File created C:\Windows\SysWOW64\Gadafg32.dll Eolmip32.exe File created C:\Windows\SysWOW64\Jondii32.dll Kllnhg32.exe File opened for modification C:\Windows\SysWOW64\Eiekpd32.exe Eejopecj.exe File created C:\Windows\SysWOW64\Pdgmlhha.exe Process not Found File created C:\Windows\SysWOW64\Calcpm32.exe Process not Found File created C:\Windows\SysWOW64\Nbhgbm32.dll Pgckjk32.exe File created C:\Windows\SysWOW64\Hbfepmmn.exe Hphidanj.exe File opened for modification C:\Windows\SysWOW64\Jnpkflne.exe Jkbojpna.exe File created C:\Windows\SysWOW64\Djidckbd.dll Elkmmodo.exe File created C:\Windows\SysWOW64\Chappo32.dll Dkadjn32.exe File opened for modification C:\Windows\SysWOW64\Bimoloog.exe Bfncpcoc.exe File created C:\Windows\SysWOW64\Cdhqpd32.dll Lgbeoibb.exe File created C:\Windows\SysWOW64\Jajala32.exe Jolepe32.exe File created C:\Windows\SysWOW64\Ffibkj32.exe Fcjeon32.exe File opened for modification C:\Windows\SysWOW64\Aopahjll.exe Aqmamm32.exe File created C:\Windows\SysWOW64\Enjmdhnf.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pgcmbcih.exe Process not Found File created C:\Windows\SysWOW64\Bkhhhd32.exe Process not Found File created C:\Windows\SysWOW64\Ceebklai.exe Process not Found File created C:\Windows\SysWOW64\Mlkjne32.exe Mccbmh32.exe File created C:\Windows\SysWOW64\Mildmcdo.dll Lbackc32.exe File opened for modification C:\Windows\SysWOW64\Bcegin32.exe Bpjkiogm.exe File created C:\Windows\SysWOW64\Ilcoce32.exe Ieigfk32.exe File opened for modification C:\Windows\SysWOW64\Fdnolfon.exe Ffkoai32.exe File created C:\Windows\SysWOW64\Qdgpabaa.dll Ohnaik32.exe File opened for modification C:\Windows\SysWOW64\Onfoin32.exe Nfoghakb.exe File opened for modification C:\Windows\SysWOW64\Bpnddn32.exe Bmphhc32.exe File opened for modification C:\Windows\SysWOW64\Jnnnalph.exe Jkpbdq32.exe File created C:\Windows\SysWOW64\Jpogbgmi.exe Jnpkflne.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10808 10704 Process not Found 1197 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpiedieo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cakqgeoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhafhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okpcoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnjofo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfphcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkgkoiqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbcpac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjfcpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljcllqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqnoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gembhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjlgfaco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chnbcpmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgohna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmabj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnihdemo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qogbdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhpemm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkplgnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooqpdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbajkiof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkfddc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjmijme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpdnbbah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlklnjoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpnddn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekhkjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kllnhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amohfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclbcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napbjjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aekqmbod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cffljlpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkfbfjdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffkoai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfghdcfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgnadkic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjkgjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehdan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackmih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnkbpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfpeeqig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfmbibo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbemb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhjfgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbiiog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpnmjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbonei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlelhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kljabgnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elajgpmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaajei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcjnnpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcnejk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eniclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpjeialg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhhgcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgnjde32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdignc32.dll" Abpjjeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aplpbjee.dll" Iimfld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlnklcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibcihh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iigpli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgblmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codfplej.dll" Jikeeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgjfek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chcloo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlafnbal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pphcfh32.dll" Omefkplm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgnadkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fffjig32.dll" Kncaojfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefejmjq.dll" Phnnho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmnmmikh.dll" Oaaifdhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdgkco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkakicam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkqnoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfemlpdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbfepmmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Folfoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqalaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjibgc32.dll" Mnomjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phbgcnig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjkbonmp.dll" Ndhlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kainfp32.dll" Bbbgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bncaekhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dchmkkkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amaelomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpiocebf.dll" Amaelomh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iikifegp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgcomkpo.dll" Nhakcfab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbqahmoc.dll" Ppkhhjei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eppcmncq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaehhqjh.dll" Pmdmmalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lefggi32.dll" Bffpki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jabdql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhlfoln.dll" Bgibnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goiehm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnmpdlac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpmldkn.dll" Kglcogeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjehmbkc.dll" Hpphhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akgddhmc.dll" Hkiicmdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndpicm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmogmjmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciohqa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjcppidk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inafbooe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enemcbio.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooclji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qackpado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anllfndp.dll" Jcedkd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkadjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbgmigeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qogbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmglf32.dll" Mpamde32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1992 wrote to memory of 2308 1992 ded83681f28b00ecb9821056cf7671af8700c84208113775d2dca221c6c97abb.exe 30 PID 1992 wrote to memory of 2308 1992 ded83681f28b00ecb9821056cf7671af8700c84208113775d2dca221c6c97abb.exe 30 PID 1992 wrote to memory of 2308 1992 ded83681f28b00ecb9821056cf7671af8700c84208113775d2dca221c6c97abb.exe 30 PID 1992 wrote to memory of 2308 1992 ded83681f28b00ecb9821056cf7671af8700c84208113775d2dca221c6c97abb.exe 30 PID 2308 wrote to memory of 2836 2308 Glbqje32.exe 31 PID 2308 wrote to memory of 2836 2308 Glbqje32.exe 31 PID 2308 wrote to memory of 2836 2308 Glbqje32.exe 31 PID 2308 wrote to memory of 2836 2308 Glbqje32.exe 31 PID 2836 wrote to memory of 2780 2836 Gpnmjd32.exe 32 PID 2836 wrote to memory of 2780 2836 Gpnmjd32.exe 32 PID 2836 wrote to memory of 2780 2836 Gpnmjd32.exe 32 PID 2836 wrote to memory of 2780 2836 Gpnmjd32.exe 32 PID 2780 wrote to memory of 2640 2780 Gblifo32.exe 33 PID 2780 wrote to memory of 2640 2780 Gblifo32.exe 33 PID 2780 wrote to memory of 2640 2780 Gblifo32.exe 33 PID 2780 wrote to memory of 2640 2780 Gblifo32.exe 33 PID 2640 wrote to memory of 2616 2640 Gbnflo32.exe 34 PID 2640 wrote to memory of 2616 2640 Gbnflo32.exe 34 PID 2640 wrote to memory of 2616 2640 Gbnflo32.exe 34 PID 2640 wrote to memory of 2616 2640 Gbnflo32.exe 34 PID 2616 wrote to memory of 2424 2616 Gembhj32.exe 35 PID 2616 wrote to memory of 2424 2616 Gembhj32.exe 35 PID 2616 wrote to memory of 2424 2616 Gembhj32.exe 35 PID 2616 wrote to memory of 2424 2616 Gembhj32.exe 35 PID 2424 wrote to memory of 1860 2424 Ghkndf32.exe 36 PID 2424 wrote to memory of 1860 2424 Ghkndf32.exe 36 PID 2424 wrote to memory of 1860 2424 Ghkndf32.exe 36 PID 2424 wrote to memory of 1860 2424 Ghkndf32.exe 36 PID 1860 wrote to memory of 2996 1860 Gnefapmj.exe 37 PID 1860 wrote to memory of 2996 1860 Gnefapmj.exe 37 PID 1860 wrote to memory of 2996 1860 Gnefapmj.exe 37 PID 1860 wrote to memory of 2996 1860 Gnefapmj.exe 37 PID 2996 wrote to memory of 2856 2996 Gacbmk32.exe 38 PID 2996 wrote to memory of 2856 2996 Gacbmk32.exe 38 PID 2996 wrote to memory of 2856 2996 Gacbmk32.exe 38 PID 2996 wrote to memory of 2856 2996 Gacbmk32.exe 38 PID 2856 wrote to memory of 2964 2856 Ghmkjedk.exe 39 PID 2856 wrote to memory of 2964 2856 Ghmkjedk.exe 39 PID 2856 wrote to memory of 2964 2856 Ghmkjedk.exe 39 PID 2856 wrote to memory of 2964 2856 Ghmkjedk.exe 39 PID 2964 wrote to memory of 984 2964 Gjlgfaco.exe 40 PID 2964 wrote to memory of 984 2964 Gjlgfaco.exe 40 PID 2964 wrote to memory of 984 2964 Gjlgfaco.exe 40 PID 2964 wrote to memory of 984 2964 Gjlgfaco.exe 40 PID 984 wrote to memory of 2700 984 Hafock32.exe 41 PID 984 wrote to memory of 2700 984 Hafock32.exe 41 PID 984 wrote to memory of 2700 984 Hafock32.exe 41 PID 984 wrote to memory of 2700 984 Hafock32.exe 41 PID 2700 wrote to memory of 1304 2700 Hddlof32.exe 42 PID 2700 wrote to memory of 1304 2700 Hddlof32.exe 42 PID 2700 wrote to memory of 1304 2700 Hddlof32.exe 42 PID 2700 wrote to memory of 1304 2700 Hddlof32.exe 42 PID 1304 wrote to memory of 1636 1304 Hnjplo32.exe 43 PID 1304 wrote to memory of 1636 1304 Hnjplo32.exe 43 PID 1304 wrote to memory of 1636 1304 Hnjplo32.exe 43 PID 1304 wrote to memory of 1636 1304 Hnjplo32.exe 43 PID 1636 wrote to memory of 2476 1636 Hahlhkhi.exe 44 PID 1636 wrote to memory of 2476 1636 Hahlhkhi.exe 44 PID 1636 wrote to memory of 2476 1636 Hahlhkhi.exe 44 PID 1636 wrote to memory of 2476 1636 Hahlhkhi.exe 44 PID 2476 wrote to memory of 992 2476 Hdfhdfgl.exe 45 PID 2476 wrote to memory of 992 2476 Hdfhdfgl.exe 45 PID 2476 wrote to memory of 992 2476 Hdfhdfgl.exe 45 PID 2476 wrote to memory of 992 2476 Hdfhdfgl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ded83681f28b00ecb9821056cf7671af8700c84208113775d2dca221c6c97abb.exe"C:\Users\Admin\AppData\Local\Temp\ded83681f28b00ecb9821056cf7671af8700c84208113775d2dca221c6c97abb.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Glbqje32.exeC:\Windows\system32\Glbqje32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Gpnmjd32.exeC:\Windows\system32\Gpnmjd32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Gblifo32.exeC:\Windows\system32\Gblifo32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Gembhj32.exeC:\Windows\system32\Gembhj32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Ghkndf32.exeC:\Windows\system32\Ghkndf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Gnefapmj.exeC:\Windows\system32\Gnefapmj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Gacbmk32.exeC:\Windows\system32\Gacbmk32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Ghmkjedk.exeC:\Windows\system32\Ghmkjedk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Hafock32.exeC:\Windows\system32\Hafock32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:984 -
C:\Windows\SysWOW64\Hddlof32.exeC:\Windows\system32\Hddlof32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Hnjplo32.exeC:\Windows\system32\Hnjplo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Hahlhkhi.exeC:\Windows\system32\Hahlhkhi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Hdfhdfgl.exeC:\Windows\system32\Hdfhdfgl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Hfedqagp.exeC:\Windows\system32\Hfedqagp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:992 -
C:\Windows\SysWOW64\Hmomml32.exeC:\Windows\system32\Hmomml32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Hpmiig32.exeC:\Windows\system32\Hpmiig32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1364 -
C:\Windows\SysWOW64\Hbleeb32.exeC:\Windows\system32\Hbleeb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100 -
C:\Windows\SysWOW64\Hjcmgp32.exeC:\Windows\system32\Hjcmgp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Hldjnhce.exeC:\Windows\system32\Hldjnhce.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1060 -
C:\Windows\SysWOW64\Hdkape32.exeC:\Windows\system32\Hdkape32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Hfjnla32.exeC:\Windows\system32\Hfjnla32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2244 -
C:\Windows\SysWOW64\Hihjhl32.exeC:\Windows\system32\Hihjhl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:292 -
C:\Windows\SysWOW64\Hlffdh32.exeC:\Windows\system32\Hlffdh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Hoebpc32.exeC:\Windows\system32\Hoebpc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Hbqoqbho.exeC:\Windows\system32\Hbqoqbho.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Hijgml32.exeC:\Windows\system32\Hijgml32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Ibckfa32.exeC:\Windows\system32\Ibckfa32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2768 -
C:\Windows\SysWOW64\Ihpdoh32.exeC:\Windows\system32\Ihpdoh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe33⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe34⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Idfdcijh.exeC:\Windows\system32\Idfdcijh.exe35⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe36⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe37⤵
- Executes dropped EXE
PID:1036 -
C:\Windows\SysWOW64\Idiaii32.exeC:\Windows\system32\Idiaii32.exe38⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Ikbifcpb.exeC:\Windows\system32\Ikbifcpb.exe39⤵
- Executes dropped EXE
PID:348 -
C:\Windows\SysWOW64\Inafbooe.exeC:\Windows\system32\Inafbooe.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:780 -
C:\Windows\SysWOW64\Ippbnjni.exeC:\Windows\system32\Ippbnjni.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Igijkd32.exeC:\Windows\system32\Igijkd32.exe42⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:916 -
C:\Windows\SysWOW64\Idmkdh32.exeC:\Windows\system32\Idmkdh32.exe44⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Jglgpdcc.exeC:\Windows\system32\Jglgpdcc.exe45⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Jkgcab32.exeC:\Windows\system32\Jkgcab32.exe46⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe47⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Jcbhee32.exeC:\Windows\system32\Jcbhee32.exe48⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe49⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Jjmpbopd.exeC:\Windows\system32\Jjmpbopd.exe50⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe51⤵
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe52⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Jgqpkc32.exeC:\Windows\system32\Jgqpkc32.exe54⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Jolepe32.exeC:\Windows\system32\Jolepe32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2948 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe57⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Jfemlpdf.exeC:\Windows\system32\Jfemlpdf.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe59⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe60⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Jonbee32.exeC:\Windows\system32\Jonbee32.exe61⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe62⤵
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1828 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe64⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Jkebjf32.exeC:\Windows\system32\Jkebjf32.exe65⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Kncofa32.exeC:\Windows\system32\Kncofa32.exe66⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Kfjggo32.exeC:\Windows\system32\Kfjggo32.exe67⤵PID:2076
-
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe68⤵PID:2568
-
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe69⤵PID:2052
-
C:\Windows\SysWOW64\Kglcogeo.exeC:\Windows\system32\Kglcogeo.exe70⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Kobkpdfa.exeC:\Windows\system32\Kobkpdfa.exe71⤵PID:2752
-
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2776 -
C:\Windows\SysWOW64\Kdpcikdi.exeC:\Windows\system32\Kdpcikdi.exe73⤵PID:2336
-
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe74⤵PID:2676
-
C:\Windows\SysWOW64\Kjllab32.exeC:\Windows\system32\Kjllab32.exe75⤵PID:1920
-
C:\Windows\SysWOW64\Knhhaaki.exeC:\Windows\system32\Knhhaaki.exe76⤵PID:2868
-
C:\Windows\SysWOW64\Kqfdnljm.exeC:\Windows\system32\Kqfdnljm.exe77⤵PID:1940
-
C:\Windows\SysWOW64\Kceqjhiq.exeC:\Windows\system32\Kceqjhiq.exe78⤵PID:1296
-
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe79⤵PID:2312
-
C:\Windows\SysWOW64\Kklikejc.exeC:\Windows\system32\Kklikejc.exe80⤵PID:1416
-
C:\Windows\SysWOW64\Knjegqif.exeC:\Windows\system32\Knjegqif.exe81⤵PID:2584
-
C:\Windows\SysWOW64\Knjegqif.exeC:\Windows\system32\Knjegqif.exe82⤵PID:2360
-
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1928 -
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe84⤵PID:2092
-
C:\Windows\SysWOW64\Kfeikcfa.exeC:\Windows\system32\Kfeikcfa.exe85⤵PID:2288
-
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe86⤵PID:1572
-
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe87⤵PID:2852
-
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe88⤵PID:2920
-
C:\Windows\SysWOW64\Kcijeg32.exeC:\Windows\system32\Kcijeg32.exe89⤵PID:2668
-
C:\Windows\SysWOW64\Kgefefnd.exeC:\Windows\system32\Kgefefnd.exe90⤵PID:2112
-
C:\Windows\SysWOW64\Lfhfab32.exeC:\Windows\system32\Lfhfab32.exe91⤵PID:2960
-
C:\Windows\SysWOW64\Lmbonmll.exeC:\Windows\system32\Lmbonmll.exe92⤵PID:492
-
C:\Windows\SysWOW64\Lqmjnk32.exeC:\Windows\system32\Lqmjnk32.exe93⤵PID:2016
-
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe94⤵PID:1520
-
C:\Windows\SysWOW64\Lbogfcjc.exeC:\Windows\system32\Lbogfcjc.exe95⤵PID:1088
-
C:\Windows\SysWOW64\Lmdkcl32.exeC:\Windows\system32\Lmdkcl32.exe96⤵PID:328
-
C:\Windows\SysWOW64\Lkgkoiqc.exeC:\Windows\system32\Lkgkoiqc.exe97⤵
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Lobgoh32.exeC:\Windows\system32\Lobgoh32.exe98⤵PID:1720
-
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe99⤵
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Lflplbpi.exeC:\Windows\system32\Lflplbpi.exe100⤵PID:2764
-
C:\Windows\SysWOW64\Liklhmom.exeC:\Windows\system32\Liklhmom.exe101⤵PID:2712
-
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe102⤵PID:2600
-
C:\Windows\SysWOW64\Lpedeg32.exeC:\Windows\system32\Lpedeg32.exe103⤵PID:1680
-
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe104⤵
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Lfolaang.exeC:\Windows\system32\Lfolaang.exe105⤵PID:2976
-
C:\Windows\SysWOW64\Leammn32.exeC:\Windows\system32\Leammn32.exe106⤵PID:1684
-
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe107⤵PID:1204
-
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1048 -
C:\Windows\SysWOW64\Lbemfbdk.exeC:\Windows\system32\Lbemfbdk.exe109⤵PID:2148
-
C:\Windows\SysWOW64\Lahmbo32.exeC:\Windows\system32\Lahmbo32.exe110⤵PID:1988
-
C:\Windows\SysWOW64\Lgbeoibb.exeC:\Windows\system32\Lgbeoibb.exe111⤵
- Drops file in System32 directory
PID:1712 -
C:\Windows\SysWOW64\Llnaoh32.exeC:\Windows\system32\Llnaoh32.exe112⤵PID:572
-
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe113⤵PID:2656
-
C:\Windows\SysWOW64\Makjho32.exeC:\Windows\system32\Makjho32.exe114⤵PID:2696
-
C:\Windows\SysWOW64\Meffhnal.exeC:\Windows\system32\Meffhnal.exe115⤵PID:2984
-
C:\Windows\SysWOW64\Mcifdj32.exeC:\Windows\system32\Mcifdj32.exe116⤵PID:1480
-
C:\Windows\SysWOW64\Mlpneh32.exeC:\Windows\system32\Mlpneh32.exe117⤵PID:1792
-
C:\Windows\SysWOW64\Mnojacgm.exeC:\Windows\system32\Mnojacgm.exe118⤵PID:2132
-
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe119⤵PID:704
-
C:\Windows\SysWOW64\Mamgmofp.exeC:\Windows\system32\Mamgmofp.exe120⤵PID:2756
-
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe121⤵PID:2528
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-