Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
27-01-2025 19:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
115138f633799e2a5980d8ddade988d864868a87b5ed8740ce9bcf5eeb80c8c9.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
115138f633799e2a5980d8ddade988d864868a87b5ed8740ce9bcf5eeb80c8c9.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
115138f633799e2a5980d8ddade988d864868a87b5ed8740ce9bcf5eeb80c8c9.exe
-
Size
96KB
-
MD5
b35401b962e70ea2ae8158288da93368
-
SHA1
258c30e0e93301aff0d9bfacfa7203d703f26bf3
-
SHA256
115138f633799e2a5980d8ddade988d864868a87b5ed8740ce9bcf5eeb80c8c9
-
SHA512
19c61192b8a91c1231d28ad09b51af6547a7d8a663e349bb8d8b160757e3496cc49558754f3b06c21100b5ea4dfe2ccf624f1dd5ca19b85d3853a8b7e0a873f1
-
SSDEEP
1536:XrI0WLFl4FhKVyRBt/aynJpQgX2LJ7RZObZUUWaegPYAS:7E3ynJCJClUUWaef
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaifpi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laiipofp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omalpc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pblajhje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cklhcfle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpochfji.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emjgim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gehbjm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnldla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfqlfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cncnob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocaebc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqgmmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbnlaldg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmhijd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eppjfgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlnjbedi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Legben32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofgdcipq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioolkncg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmblagmf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnmaea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eohmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpaihooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Momcpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opbean32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqmmmmph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dddllkbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fndpmndl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipkdek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kifojnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aokkahlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbenoi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jafdcbge.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbalopbn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmhgmmbf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokmdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogcnmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akpoaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pidlqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flkdfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihmfco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmafajfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibaeen32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifmqfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gejhef32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpnakk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmeandma.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhaggp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiagde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 115138f633799e2a5980d8ddade988d864868a87b5ed8740ce9bcf5eeb80c8c9.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fealin32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgpgfmh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imnocf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmfkhmdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdmmeo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eohmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jppnpjel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcmodajm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pafkgphl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimqajgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckgohf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcmodajm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpeiie32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
resource yara_rule behavioral2/files/0x0007000000023d58-554.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 1384 Dbpjaeoc.exe 3948 Dkhnjk32.exe 4852 Dodjjimm.exe 2116 Dbbffdlq.exe 4744 Eiloco32.exe 3500 Ekkkoj32.exe 1876 Efpomccg.exe 4952 Emjgim32.exe 4288 Ebgpad32.exe 4592 Eiahnnph.exe 5064 Eokqkh32.exe 1524 Ebimgcfi.exe 4104 Emoadlfo.exe 2652 Eblimcdf.exe 2056 Emanjldl.exe 700 Eppjfgcp.exe 2684 Flfkkhid.exe 4412 Fbpchb32.exe 1108 Fijkdmhn.exe 2716 Fligqhga.exe 5056 Fbbpmb32.exe 228 Fealin32.exe 3132 Flkdfh32.exe 2196 Fpgpgfmh.exe 884 Ffqhcq32.exe 5004 Fechomko.exe 1812 Fpimlfke.exe 540 Fbgihaji.exe 4876 Fmmmfj32.exe 2348 Gehbjm32.exe 1096 Glbjggof.exe 3348 Gblbca32.exe 2152 Gmafajfi.exe 4932 Gppcmeem.exe 4172 Gemkelcd.exe 4084 Gmdcfidg.exe 1968 Gbalopbn.exe 1560 Gikdkj32.exe 1152 Gpelhd32.exe 3356 Gimqajgh.exe 1128 Gojiiafp.exe 3516 Hedafk32.exe 2920 Hlnjbedi.exe 1604 Hibjli32.exe 3232 Hplbickp.exe 3256 Hehkajig.exe 1832 Hlbcnd32.exe 2548 Hoaojp32.exe 4044 Hifcgion.exe 3604 Hpqldc32.exe 4728 Hiipmhmk.exe 2880 Ibaeen32.exe 4220 Ifmqfm32.exe 5104 Ipeeobbe.exe 3240 Illfdc32.exe 4836 Ibfnqmpf.exe 796 Ilnbicff.exe 2876 Igdgglfl.exe 1492 Imnocf32.exe 408 Ioolkncg.exe 1552 Impliekg.exe 3596 Jcmdaljn.exe 2336 Jcoaglhk.exe 1816 Jpcapp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hifcgion.exe Hoaojp32.exe File created C:\Windows\SysWOW64\Qbkofn32.dll Ppahmb32.exe File created C:\Windows\SysWOW64\Lakfeodm.exe Lchfib32.exe File opened for modification C:\Windows\SysWOW64\Pplobcpp.exe Pnkbkk32.exe File created C:\Windows\SysWOW64\Lhpapf32.dll Fkfcqb32.exe File opened for modification C:\Windows\SysWOW64\Ekkkoj32.exe Eiloco32.exe File opened for modification C:\Windows\SysWOW64\Gimqajgh.exe Gpelhd32.exe File created C:\Windows\SysWOW64\Hlhbih32.dll Fnkfmm32.exe File created C:\Windows\SysWOW64\Kpqfid32.dll Gpolbo32.exe File opened for modification C:\Windows\SysWOW64\Ooibkpmi.exe Nmjfodne.exe File opened for modification C:\Windows\SysWOW64\Pmpolgoi.exe Pjbcplpe.exe File created C:\Windows\SysWOW64\Pkpbai32.dll Hppeim32.exe File created C:\Windows\SysWOW64\Hcmhel32.dll Iajdgcab.exe File created C:\Windows\SysWOW64\Kgffoo32.dll Ioolkncg.exe File created C:\Windows\SysWOW64\Pghien32.dll Ckgohf32.exe File created C:\Windows\SysWOW64\Ibqnkh32.exe Ilfennic.exe File opened for modification C:\Windows\SysWOW64\Ekjded32.exe Eqdpgk32.exe File created C:\Windows\SysWOW64\Ggkqgaol.exe Geldkfpi.exe File created C:\Windows\SysWOW64\Hihibbjo.exe Hnbeeiji.exe File created C:\Windows\SysWOW64\Bcbbjj32.dll Eiloco32.exe File created C:\Windows\SysWOW64\Gikdkj32.exe Gbalopbn.exe File created C:\Windows\SysWOW64\Qnbidcgp.dll Bkgeainn.exe File created C:\Windows\SysWOW64\Lojmcdgl.exe Lebijnak.exe File created C:\Windows\SysWOW64\Cjgjmg32.dll Hibjli32.exe File created C:\Windows\SysWOW64\Idaiki32.dll Pdjgha32.exe File created C:\Windows\SysWOW64\Hlpihhpj.dll Hbenoi32.exe File created C:\Windows\SysWOW64\Elckbhbj.dll Lhcali32.exe File created C:\Windows\SysWOW64\Pkbcikkp.dll Mhjhmhhd.exe File opened for modification C:\Windows\SysWOW64\Opbean32.exe Omdieb32.exe File created C:\Windows\SysWOW64\Hplbickp.exe Hibjli32.exe File opened for modification C:\Windows\SysWOW64\Qpeahb32.exe Qacameaj.exe File created C:\Windows\SysWOW64\Lelgfl32.dll Conanfli.exe File created C:\Windows\SysWOW64\Ghaeocdd.dll Ocgkan32.exe File created C:\Windows\SysWOW64\Mhegobpi.dll Imnocf32.exe File created C:\Windows\SysWOW64\Flbfjl32.dll Ompfej32.exe File opened for modification C:\Windows\SysWOW64\Nfqnbjfi.exe Nofefp32.exe File created C:\Windows\SysWOW64\Ockdmmoj.exe Omalpc32.exe File created C:\Windows\SysWOW64\Jfhmgagf.dll Eqgmmk32.exe File opened for modification C:\Windows\SysWOW64\Fbplml32.exe Fndpmndl.exe File created C:\Windows\SysWOW64\Hpkknmgd.exe Heegad32.exe File created C:\Windows\SysWOW64\Mlkhbi32.dll Iogopi32.exe File created C:\Windows\SysWOW64\Dahkpm32.dll Iehmmb32.exe File created C:\Windows\SysWOW64\Flinad32.dll Jpnakk32.exe File created C:\Windows\SysWOW64\Ndqojdee.dll Nopfpgip.exe File created C:\Windows\SysWOW64\Hnnljj32.exe Hpkknmgd.exe File created C:\Windows\SysWOW64\Laiimcij.dll Lcmodajm.exe File opened for modification C:\Windows\SysWOW64\Pmphaaln.exe Pidlqb32.exe File opened for modification C:\Windows\SysWOW64\Fbgihaji.exe Fpimlfke.exe File opened for modification C:\Windows\SysWOW64\Lqmmmmph.exe Lnldla32.exe File created C:\Windows\SysWOW64\Jnfpnk32.dll Pdenmbkk.exe File created C:\Windows\SysWOW64\Bkibgh32.exe Bpdnjple.exe File opened for modification C:\Windows\SysWOW64\Lhgkgijg.exe Lancko32.exe File created C:\Windows\SysWOW64\Mokmdh32.exe Mmmqhl32.exe File created C:\Windows\SysWOW64\Pfiddm32.exe Pdjgha32.exe File opened for modification C:\Windows\SysWOW64\Hbenoi32.exe Hpfbcn32.exe File created C:\Windows\SysWOW64\Hpioin32.exe Hlmchoan.exe File opened for modification C:\Windows\SysWOW64\Lpochfji.exe Lhgkgijg.exe File created C:\Windows\SysWOW64\Fligqhga.exe Fijkdmhn.exe File opened for modification C:\Windows\SysWOW64\Imnocf32.exe Igdgglfl.exe File created C:\Windows\SysWOW64\Jpcapp32.exe Jcoaglhk.exe File created C:\Windows\SysWOW64\Ebcmfjll.dll Mmfkhmdi.exe File opened for modification C:\Windows\SysWOW64\Hedafk32.exe Gojiiafp.exe File created C:\Windows\SysWOW64\Impliekg.exe Ioolkncg.exe File opened for modification C:\Windows\SysWOW64\Klahfp32.exe Kcidmkpq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9620 9496 WerFault.exe 452 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiloco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emanjldl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdoacabq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eohmkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbbeml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hihibbjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lakfeodm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fechomko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmdaljn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfeljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcgiefen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aopemh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhjhmhhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flkdfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmafajfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgmeigd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dndgfpbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcdeeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njhgbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpadhll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgdai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emjgim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbgihaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlopc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akkffkhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momcpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfqnbjfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbjggof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nopfpgip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gejhef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jppnpjel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifcgion.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amqhbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoioli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkgeainn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llqjbhdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmphaaln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifmqfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kflide32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokmdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhblllfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhgjaml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekonpckp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkfcqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbplml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpioin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Halhfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjpjgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pififb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbpchb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbalopbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmfkhmdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onmfimga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekjded32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnljj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlblcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilfennic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcmodajm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmmmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpqldc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpoalo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgifbhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfagighf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caojpaij.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dglkoeio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqgedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpiedk32.dll" Pmphaaln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hohahelb.dll" Hoaojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfoann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgpilmfi.dll" Gbbajjlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chjjqebm.dll" Pbhgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjamhbn.dll" Dbpjaeoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbpchb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiikpnmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncelonn.dll" Edbiniff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhmnagf.dll" Johggfha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjdbkbbn.dll" Kpoalo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dndgfpbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hockka32.dll" Qjiipk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll" Cklhcfle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkopekaa.dll" Eokqkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfjfecno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnfpnk32.dll" Pdenmbkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehpadhll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keifdpif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efpomccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqmfdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcdqdie.dll" Qacameaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpdennml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onmfimga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobkpkdh.dll" 115138f633799e2a5980d8ddade988d864868a87b5ed8740ce9bcf5eeb80c8c9.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfhbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gejhef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajiqfi32.dll" Hpfbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhplpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkhnjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnfpinmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnonkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekjded32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfhmgagf.dll" Eqgmmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfenglqf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfdjinjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aphnnafb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gddedlaq.dll" Kjlopc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmhgmmbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekonpckp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klambq32.dll" Fgjhpcmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imnocf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcgplk32.dll" Apjkcadp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boihcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpkknmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ambfbo32.dll" Fmmmfj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnkbkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kflide32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgkan32.dll" Opbean32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqlfhjig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpochfji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjpjgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofgdcipq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilnbicff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfeljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnfmbmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlhcmpgk.dll" Ilfennic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oonlfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcbkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpqldc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfcabp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1960 wrote to memory of 1384 1960 115138f633799e2a5980d8ddade988d864868a87b5ed8740ce9bcf5eeb80c8c9.exe 83 PID 1960 wrote to memory of 1384 1960 115138f633799e2a5980d8ddade988d864868a87b5ed8740ce9bcf5eeb80c8c9.exe 83 PID 1960 wrote to memory of 1384 1960 115138f633799e2a5980d8ddade988d864868a87b5ed8740ce9bcf5eeb80c8c9.exe 83 PID 1384 wrote to memory of 3948 1384 Dbpjaeoc.exe 84 PID 1384 wrote to memory of 3948 1384 Dbpjaeoc.exe 84 PID 1384 wrote to memory of 3948 1384 Dbpjaeoc.exe 84 PID 3948 wrote to memory of 4852 3948 Dkhnjk32.exe 85 PID 3948 wrote to memory of 4852 3948 Dkhnjk32.exe 85 PID 3948 wrote to memory of 4852 3948 Dkhnjk32.exe 85 PID 4852 wrote to memory of 2116 4852 Dodjjimm.exe 86 PID 4852 wrote to memory of 2116 4852 Dodjjimm.exe 86 PID 4852 wrote to memory of 2116 4852 Dodjjimm.exe 86 PID 2116 wrote to memory of 4744 2116 Dbbffdlq.exe 87 PID 2116 wrote to memory of 4744 2116 Dbbffdlq.exe 87 PID 2116 wrote to memory of 4744 2116 Dbbffdlq.exe 87 PID 4744 wrote to memory of 3500 4744 Eiloco32.exe 88 PID 4744 wrote to memory of 3500 4744 Eiloco32.exe 88 PID 4744 wrote to memory of 3500 4744 Eiloco32.exe 88 PID 3500 wrote to memory of 1876 3500 Ekkkoj32.exe 89 PID 3500 wrote to memory of 1876 3500 Ekkkoj32.exe 89 PID 3500 wrote to memory of 1876 3500 Ekkkoj32.exe 89 PID 1876 wrote to memory of 4952 1876 Efpomccg.exe 90 PID 1876 wrote to memory of 4952 1876 Efpomccg.exe 90 PID 1876 wrote to memory of 4952 1876 Efpomccg.exe 90 PID 4952 wrote to memory of 4288 4952 Emjgim32.exe 91 PID 4952 wrote to memory of 4288 4952 Emjgim32.exe 91 PID 4952 wrote to memory of 4288 4952 Emjgim32.exe 91 PID 4288 wrote to memory of 4592 4288 Ebgpad32.exe 92 PID 4288 wrote to memory of 4592 4288 Ebgpad32.exe 92 PID 4288 wrote to memory of 4592 4288 Ebgpad32.exe 92 PID 4592 wrote to memory of 5064 4592 Eiahnnph.exe 93 PID 4592 wrote to memory of 5064 4592 Eiahnnph.exe 93 PID 4592 wrote to memory of 5064 4592 Eiahnnph.exe 93 PID 5064 wrote to memory of 1524 5064 Eokqkh32.exe 94 PID 5064 wrote to memory of 1524 5064 Eokqkh32.exe 94 PID 5064 wrote to memory of 1524 5064 Eokqkh32.exe 94 PID 1524 wrote to memory of 4104 1524 Ebimgcfi.exe 95 PID 1524 wrote to memory of 4104 1524 Ebimgcfi.exe 95 PID 1524 wrote to memory of 4104 1524 Ebimgcfi.exe 95 PID 4104 wrote to memory of 2652 4104 Emoadlfo.exe 96 PID 4104 wrote to memory of 2652 4104 Emoadlfo.exe 96 PID 4104 wrote to memory of 2652 4104 Emoadlfo.exe 96 PID 2652 wrote to memory of 2056 2652 Eblimcdf.exe 97 PID 2652 wrote to memory of 2056 2652 Eblimcdf.exe 97 PID 2652 wrote to memory of 2056 2652 Eblimcdf.exe 97 PID 2056 wrote to memory of 700 2056 Emanjldl.exe 98 PID 2056 wrote to memory of 700 2056 Emanjldl.exe 98 PID 2056 wrote to memory of 700 2056 Emanjldl.exe 98 PID 700 wrote to memory of 2684 700 Eppjfgcp.exe 99 PID 700 wrote to memory of 2684 700 Eppjfgcp.exe 99 PID 700 wrote to memory of 2684 700 Eppjfgcp.exe 99 PID 2684 wrote to memory of 4412 2684 Flfkkhid.exe 100 PID 2684 wrote to memory of 4412 2684 Flfkkhid.exe 100 PID 2684 wrote to memory of 4412 2684 Flfkkhid.exe 100 PID 4412 wrote to memory of 1108 4412 Fbpchb32.exe 101 PID 4412 wrote to memory of 1108 4412 Fbpchb32.exe 101 PID 4412 wrote to memory of 1108 4412 Fbpchb32.exe 101 PID 1108 wrote to memory of 2716 1108 Fijkdmhn.exe 102 PID 1108 wrote to memory of 2716 1108 Fijkdmhn.exe 102 PID 1108 wrote to memory of 2716 1108 Fijkdmhn.exe 102 PID 2716 wrote to memory of 5056 2716 Fligqhga.exe 103 PID 2716 wrote to memory of 5056 2716 Fligqhga.exe 103 PID 2716 wrote to memory of 5056 2716 Fligqhga.exe 103 PID 5056 wrote to memory of 228 5056 Fbbpmb32.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\115138f633799e2a5980d8ddade988d864868a87b5ed8740ce9bcf5eeb80c8c9.exe"C:\Users\Admin\AppData\Local\Temp\115138f633799e2a5980d8ddade988d864868a87b5ed8740ce9bcf5eeb80c8c9.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Dbpjaeoc.exeC:\Windows\system32\Dbpjaeoc.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1384 -
C:\Windows\SysWOW64\Dkhnjk32.exeC:\Windows\system32\Dkhnjk32.exe3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3948 -
C:\Windows\SysWOW64\Dodjjimm.exeC:\Windows\system32\Dodjjimm.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4852 -
C:\Windows\SysWOW64\Dbbffdlq.exeC:\Windows\system32\Dbbffdlq.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Eiloco32.exeC:\Windows\system32\Eiloco32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\Ekkkoj32.exeC:\Windows\system32\Ekkkoj32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Efpomccg.exeC:\Windows\system32\Efpomccg.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Emjgim32.exeC:\Windows\system32\Emjgim32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Ebgpad32.exeC:\Windows\system32\Ebgpad32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\SysWOW64\Eiahnnph.exeC:\Windows\system32\Eiahnnph.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4592 -
C:\Windows\SysWOW64\Eokqkh32.exeC:\Windows\system32\Eokqkh32.exe12⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5064 -
C:\Windows\SysWOW64\Ebimgcfi.exeC:\Windows\system32\Ebimgcfi.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1524 -
C:\Windows\SysWOW64\Emoadlfo.exeC:\Windows\system32\Emoadlfo.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4104 -
C:\Windows\SysWOW64\Eblimcdf.exeC:\Windows\system32\Eblimcdf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Emanjldl.exeC:\Windows\system32\Emanjldl.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Eppjfgcp.exeC:\Windows\system32\Eppjfgcp.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\SysWOW64\Flfkkhid.exeC:\Windows\system32\Flfkkhid.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Fbpchb32.exeC:\Windows\system32\Fbpchb32.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\SysWOW64\Fijkdmhn.exeC:\Windows\system32\Fijkdmhn.exe20⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Fligqhga.exeC:\Windows\system32\Fligqhga.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Fbbpmb32.exeC:\Windows\system32\Fbbpmb32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5056 -
C:\Windows\SysWOW64\Fealin32.exeC:\Windows\system32\Fealin32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:228 -
C:\Windows\SysWOW64\Flkdfh32.exeC:\Windows\system32\Flkdfh32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3132 -
C:\Windows\SysWOW64\Fpgpgfmh.exeC:\Windows\system32\Fpgpgfmh.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Ffqhcq32.exeC:\Windows\system32\Ffqhcq32.exe26⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Fechomko.exeC:\Windows\system32\Fechomko.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5004 -
C:\Windows\SysWOW64\Fpimlfke.exeC:\Windows\system32\Fpimlfke.exe28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Fbgihaji.exeC:\Windows\system32\Fbgihaji.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:540 -
C:\Windows\SysWOW64\Fmmmfj32.exeC:\Windows\system32\Fmmmfj32.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4876 -
C:\Windows\SysWOW64\Gehbjm32.exeC:\Windows\system32\Gehbjm32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Glbjggof.exeC:\Windows\system32\Glbjggof.exe32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1096 -
C:\Windows\SysWOW64\Gblbca32.exeC:\Windows\system32\Gblbca32.exe33⤵
- Executes dropped EXE
PID:3348 -
C:\Windows\SysWOW64\Gmafajfi.exeC:\Windows\system32\Gmafajfi.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Gppcmeem.exeC:\Windows\system32\Gppcmeem.exe35⤵
- Executes dropped EXE
PID:4932 -
C:\Windows\SysWOW64\Gemkelcd.exeC:\Windows\system32\Gemkelcd.exe36⤵
- Executes dropped EXE
PID:4172 -
C:\Windows\SysWOW64\Gmdcfidg.exeC:\Windows\system32\Gmdcfidg.exe37⤵
- Executes dropped EXE
PID:4084 -
C:\Windows\SysWOW64\Gbalopbn.exeC:\Windows\system32\Gbalopbn.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Gikdkj32.exeC:\Windows\system32\Gikdkj32.exe39⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Gpelhd32.exeC:\Windows\system32\Gpelhd32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Gimqajgh.exeC:\Windows\system32\Gimqajgh.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Gojiiafp.exeC:\Windows\system32\Gojiiafp.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1128 -
C:\Windows\SysWOW64\Hedafk32.exeC:\Windows\system32\Hedafk32.exe43⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Hlnjbedi.exeC:\Windows\system32\Hlnjbedi.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Hibjli32.exeC:\Windows\system32\Hibjli32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Hplbickp.exeC:\Windows\system32\Hplbickp.exe46⤵
- Executes dropped EXE
PID:3232 -
C:\Windows\SysWOW64\Hehkajig.exeC:\Windows\system32\Hehkajig.exe47⤵
- Executes dropped EXE
PID:3256 -
C:\Windows\SysWOW64\Hlbcnd32.exeC:\Windows\system32\Hlbcnd32.exe48⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Hoaojp32.exeC:\Windows\system32\Hoaojp32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Hifcgion.exeC:\Windows\system32\Hifcgion.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4044 -
C:\Windows\SysWOW64\Hpqldc32.exeC:\Windows\system32\Hpqldc32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3604 -
C:\Windows\SysWOW64\Hiipmhmk.exeC:\Windows\system32\Hiipmhmk.exe52⤵
- Executes dropped EXE
PID:4728 -
C:\Windows\SysWOW64\Ibaeen32.exeC:\Windows\system32\Ibaeen32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Ifmqfm32.exeC:\Windows\system32\Ifmqfm32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4220 -
C:\Windows\SysWOW64\Ipeeobbe.exeC:\Windows\system32\Ipeeobbe.exe55⤵
- Executes dropped EXE
PID:5104 -
C:\Windows\SysWOW64\Illfdc32.exeC:\Windows\system32\Illfdc32.exe56⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Ibfnqmpf.exeC:\Windows\system32\Ibfnqmpf.exe57⤵
- Executes dropped EXE
PID:4836 -
C:\Windows\SysWOW64\Ilnbicff.exeC:\Windows\system32\Ilnbicff.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:796 -
C:\Windows\SysWOW64\Igdgglfl.exeC:\Windows\system32\Igdgglfl.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Imnocf32.exeC:\Windows\system32\Imnocf32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1492 -
C:\Windows\SysWOW64\Ioolkncg.exeC:\Windows\system32\Ioolkncg.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:408 -
C:\Windows\SysWOW64\Impliekg.exeC:\Windows\system32\Impliekg.exe62⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Jcmdaljn.exeC:\Windows\system32\Jcmdaljn.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3596 -
C:\Windows\SysWOW64\Jcoaglhk.exeC:\Windows\system32\Jcoaglhk.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Jpcapp32.exeC:\Windows\system32\Jpcapp32.exe65⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Johnamkm.exeC:\Windows\system32\Johnamkm.exe66⤵PID:1600
-
C:\Windows\SysWOW64\Jniood32.exeC:\Windows\system32\Jniood32.exe67⤵PID:3304
-
C:\Windows\SysWOW64\Jgbchj32.exeC:\Windows\system32\Jgbchj32.exe68⤵PID:1684
-
C:\Windows\SysWOW64\Kpjgaoqm.exeC:\Windows\system32\Kpjgaoqm.exe69⤵PID:2108
-
C:\Windows\SysWOW64\Kcidmkpq.exeC:\Windows\system32\Kcidmkpq.exe70⤵
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Klahfp32.exeC:\Windows\system32\Klahfp32.exe71⤵PID:4916
-
C:\Windows\SysWOW64\Keimof32.exeC:\Windows\system32\Keimof32.exe72⤵PID:2700
-
C:\Windows\SysWOW64\Kpoalo32.exeC:\Windows\system32\Kpoalo32.exe73⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3512 -
C:\Windows\SysWOW64\Kflide32.exeC:\Windows\system32\Kflide32.exe74⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Kfnfjehl.exeC:\Windows\system32\Kfnfjehl.exe75⤵PID:3476
-
C:\Windows\SysWOW64\Kjlopc32.exeC:\Windows\system32\Kjlopc32.exe76⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Lcdciiec.exeC:\Windows\system32\Lcdciiec.exe77⤵PID:2228
-
C:\Windows\SysWOW64\Ljnlecmp.exeC:\Windows\system32\Ljnlecmp.exe78⤵PID:2892
-
C:\Windows\SysWOW64\Lfeljd32.exeC:\Windows\system32\Lfeljd32.exe79⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3756 -
C:\Windows\SysWOW64\Lnldla32.exeC:\Windows\system32\Lnldla32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4384 -
C:\Windows\SysWOW64\Lqmmmmph.exeC:\Windows\system32\Lqmmmmph.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:928 -
C:\Windows\SysWOW64\Lfjfecno.exeC:\Windows\system32\Lfjfecno.exe82⤵
- Modifies registry class
PID:440 -
C:\Windows\SysWOW64\Lqojclne.exeC:\Windows\system32\Lqojclne.exe83⤵PID:2488
-
C:\Windows\SysWOW64\Mmfkhmdi.exeC:\Windows\system32\Mmfkhmdi.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4112 -
C:\Windows\SysWOW64\Mfnoqc32.exeC:\Windows\system32\Mfnoqc32.exe85⤵PID:3456
-
C:\Windows\SysWOW64\Mmhgmmbf.exeC:\Windows\system32\Mmhgmmbf.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:3312 -
C:\Windows\SysWOW64\Mqdcnl32.exeC:\Windows\system32\Mqdcnl32.exe87⤵PID:676
-
C:\Windows\SysWOW64\Mfqlfb32.exeC:\Windows\system32\Mfqlfb32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3236 -
C:\Windows\SysWOW64\Mcelpggq.exeC:\Windows\system32\Mcelpggq.exe89⤵PID:2788
-
C:\Windows\SysWOW64\Mgphpe32.exeC:\Windows\system32\Mgphpe32.exe90⤵PID:4756
-
C:\Windows\SysWOW64\Mmmqhl32.exeC:\Windows\system32\Mmmqhl32.exe91⤵
- Drops file in System32 directory
PID:4864 -
C:\Windows\SysWOW64\Mokmdh32.exeC:\Windows\system32\Mokmdh32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3692 -
C:\Windows\SysWOW64\Mcgiefen.exeC:\Windows\system32\Mcgiefen.exe93⤵
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Mnmmboed.exeC:\Windows\system32\Mnmmboed.exe94⤵PID:3448
-
C:\Windows\SysWOW64\Mcifkf32.exeC:\Windows\system32\Mcifkf32.exe95⤵PID:3680
-
C:\Windows\SysWOW64\Mfhbga32.exeC:\Windows\system32\Mfhbga32.exe96⤵
- Modifies registry class
PID:4588 -
C:\Windows\SysWOW64\Nqmfdj32.exeC:\Windows\system32\Nqmfdj32.exe97⤵
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Nopfpgip.exeC:\Windows\system32\Nopfpgip.exe98⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3832 -
C:\Windows\SysWOW64\Njfkmphe.exeC:\Windows\system32\Njfkmphe.exe99⤵PID:3956
-
C:\Windows\SysWOW64\Nqpcjj32.exeC:\Windows\system32\Nqpcjj32.exe100⤵PID:3076
-
C:\Windows\SysWOW64\Ngjkfd32.exeC:\Windows\system32\Ngjkfd32.exe101⤵PID:4832
-
C:\Windows\SysWOW64\Njhgbp32.exeC:\Windows\system32\Njhgbp32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Windows\SysWOW64\Nqbpojnp.exeC:\Windows\system32\Nqbpojnp.exe103⤵PID:1956
-
C:\Windows\SysWOW64\Nglhld32.exeC:\Windows\system32\Nglhld32.exe104⤵PID:4888
-
C:\Windows\SysWOW64\Nnfpinmi.exeC:\Windows\system32\Nnfpinmi.exe105⤵
- Modifies registry class
PID:5028 -
C:\Windows\SysWOW64\Nmipdk32.exeC:\Windows\system32\Nmipdk32.exe106⤵PID:3540
-
C:\Windows\SysWOW64\Ngndaccj.exeC:\Windows\system32\Ngndaccj.exe107⤵PID:4312
-
C:\Windows\SysWOW64\Nmkmjjaa.exeC:\Windows\system32\Nmkmjjaa.exe108⤵PID:3768
-
C:\Windows\SysWOW64\Nagiji32.exeC:\Windows\system32\Nagiji32.exe109⤵PID:1568
-
C:\Windows\SysWOW64\Nceefd32.exeC:\Windows\system32\Nceefd32.exe110⤵PID:624
-
C:\Windows\SysWOW64\Nfcabp32.exeC:\Windows\system32\Nfcabp32.exe111⤵
- Modifies registry class
PID:464 -
C:\Windows\SysWOW64\Oaifpi32.exeC:\Windows\system32\Oaifpi32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4152 -
C:\Windows\SysWOW64\Ogcnmc32.exeC:\Windows\system32\Ogcnmc32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4500 -
C:\Windows\SysWOW64\Onmfimga.exeC:\Windows\system32\Onmfimga.exe114⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4336 -
C:\Windows\SysWOW64\Ompfej32.exeC:\Windows\system32\Ompfej32.exe115⤵
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Ogekbb32.exeC:\Windows\system32\Ogekbb32.exe116⤵PID:4800
-
C:\Windows\SysWOW64\Ojdgnn32.exeC:\Windows\system32\Ojdgnn32.exe117⤵PID:5128
-
C:\Windows\SysWOW64\Onocomdo.exeC:\Windows\system32\Onocomdo.exe118⤵PID:5172
-
C:\Windows\SysWOW64\Ombcji32.exeC:\Windows\system32\Ombcji32.exe119⤵PID:5216
-
C:\Windows\SysWOW64\Ojfcdnjc.exeC:\Windows\system32\Ojfcdnjc.exe120⤵PID:5260
-
C:\Windows\SysWOW64\Opclldhj.exeC:\Windows\system32\Opclldhj.exe121⤵PID:5304
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-