Analysis
-
max time kernel
65s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
04-02-2025 07:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f5774a7bab80de9614fa989d23cc0c146195820e8e48381eb11016f5c60d8569.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
f5774a7bab80de9614fa989d23cc0c146195820e8e48381eb11016f5c60d8569.exe
Resource
win10v2004-20250129-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
f5774a7bab80de9614fa989d23cc0c146195820e8e48381eb11016f5c60d8569.exe
-
Size
96KB
-
MD5
aa9903b164b2c5671199e7cd58b40531
-
SHA1
7bc51b247f7119b9af3059e693f604c399e89a3b
-
SHA256
f5774a7bab80de9614fa989d23cc0c146195820e8e48381eb11016f5c60d8569
-
SHA512
05f9aaa05fe18e13755d242b1b3b76657b7c335cc136a4f133ace50e4254d189c443ccf9a65da2450afb5fb7707378e0e8fc0c4ff28883f8f10c61c4d847e8b1
-
SSDEEP
1536:yPwBSqY5sV9zFWhYZ1vhZo6jh72Lo7RZObZUUWaegPYAS:yIBq5sHzFWqZ1v06jhYoClUUWaef
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdailaib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnadiko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdbkaoce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcapckod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkgchckl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggicdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnllppfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdicfbpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbblpf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meafpibb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggcnbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbgmah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpiadq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mboekp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obhdpaqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pldnge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcigjolm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbkfpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmeffp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjeholco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gidgdcli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bebjdjal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkhmkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpnlid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmmcgilj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojoood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kejdqffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cghpgbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqdong32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iomaaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkmakd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hldldq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enmbeehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bknani32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpagbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfemdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekqqea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hojeka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibigeojp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knapen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgienc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fccncknc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcapckod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okomappb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhkjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iccqedfa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjmnfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjfkde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Difcpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iolohhpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mabihm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkefcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liohhbno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nceeaikk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcnchg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqaanoah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Padcqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkclcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jebojh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkhfhaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeobfgak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhpflblk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mboekp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qomcdf32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 5 IoCs
resource yara_rule behavioral1/files/0x000500000001c86c-604.dat family_bruteratel behavioral1/files/0x000400000001d938-1921.dat family_bruteratel behavioral1/files/0x00030000000207ad-5181.dat family_bruteratel behavioral1/files/0x00030000000209c9-6108.dat family_bruteratel behavioral1/files/0x0003000000020e11-7752.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2288 Lnaokn32.exe 2944 Lpbhmiji.exe 2456 Mfamko32.exe 3032 Mjofanld.exe 1048 Mbkkepio.exe 2608 Mgjpcf32.exe 2812 Nglmifca.exe 2508 Nkjeod32.exe 1844 Nqgngk32.exe 540 Nmnoll32.exe 2568 Nffcebdd.exe 2348 Ofklpa32.exe 2188 Oepianef.exe 2452 Oebffm32.exe 2220 Ojoood32.exe 1124 Pfhlie32.exe 1712 Piiekp32.exe 1244 Pbaide32.exe 2564 Pikaqppk.exe 844 Pinnfonh.exe 1372 Pojgnf32.exe 964 Qomcdf32.exe 472 Qeglqpaj.exe 2964 Qbkljd32.exe 1920 Aoamoefh.exe 2324 Anfjpa32.exe 2296 Ahlnmjkf.exe 2980 Ankckagj.exe 1576 Ajbdpblo.exe 2748 Blcmbmip.exe 2756 Bkhjcing.exe 2760 Bdbkaoce.exe 900 Bqilfp32.exe 1356 Cdjabn32.exe 1584 Cmeffp32.exe 2180 Cmjoaofc.exe 1260 Dpjhcj32.exe 1096 Deimaa32.exe 1536 Dcojbm32.exe 2244 Dmgokcja.exe 1652 Eccdmmpk.exe 1716 Eagdgaoe.exe 2516 Edhmhl32.exe 1052 Eeijpdbd.exe 112 Eponmmaj.exe 1624 Eelfedpa.exe 1988 Eodknifb.exe 2384 Eabgjeef.exe 2360 Flhkhnel.exe 1352 Feppqc32.exe 2184 Foidii32.exe 2820 Fhaibnim.exe 1600 Feeilbhg.exe 3000 Fhcehngk.exe 2904 Fmpnpe32.exe 2832 Fhfbmn32.exe 2196 Fmbkfd32.exe 1172 Gpagbp32.exe 2176 Gkfkoi32.exe 2700 Gcapckod.exe 1996 Gljdlq32.exe 2488 Gcdmikma.exe 1220 Gllabp32.exe 2412 Gaiijgbi.exe -
Loads dropped DLL 64 IoCs
pid Process 2388 f5774a7bab80de9614fa989d23cc0c146195820e8e48381eb11016f5c60d8569.exe 2388 f5774a7bab80de9614fa989d23cc0c146195820e8e48381eb11016f5c60d8569.exe 2288 Lnaokn32.exe 2288 Lnaokn32.exe 2944 Lpbhmiji.exe 2944 Lpbhmiji.exe 2456 Mfamko32.exe 2456 Mfamko32.exe 3032 Mjofanld.exe 3032 Mjofanld.exe 1048 Mbkkepio.exe 1048 Mbkkepio.exe 2608 Mgjpcf32.exe 2608 Mgjpcf32.exe 2812 Nglmifca.exe 2812 Nglmifca.exe 2508 Nkjeod32.exe 2508 Nkjeod32.exe 1844 Nqgngk32.exe 1844 Nqgngk32.exe 540 Nmnoll32.exe 540 Nmnoll32.exe 2568 Nffcebdd.exe 2568 Nffcebdd.exe 2348 Ofklpa32.exe 2348 Ofklpa32.exe 2188 Oepianef.exe 2188 Oepianef.exe 2452 Oebffm32.exe 2452 Oebffm32.exe 2220 Ojoood32.exe 2220 Ojoood32.exe 1124 Pfhlie32.exe 1124 Pfhlie32.exe 1712 Piiekp32.exe 1712 Piiekp32.exe 1244 Pbaide32.exe 1244 Pbaide32.exe 2564 Pikaqppk.exe 2564 Pikaqppk.exe 844 Pinnfonh.exe 844 Pinnfonh.exe 1372 Pojgnf32.exe 1372 Pojgnf32.exe 964 Qomcdf32.exe 964 Qomcdf32.exe 472 Qeglqpaj.exe 472 Qeglqpaj.exe 2964 Qbkljd32.exe 2964 Qbkljd32.exe 1920 Aoamoefh.exe 1920 Aoamoefh.exe 2324 Anfjpa32.exe 2324 Anfjpa32.exe 2296 Ahlnmjkf.exe 2296 Ahlnmjkf.exe 2980 Ankckagj.exe 2980 Ankckagj.exe 1576 Ajbdpblo.exe 1576 Ajbdpblo.exe 2748 Blcmbmip.exe 2748 Blcmbmip.exe 2756 Bkhjcing.exe 2756 Bkhjcing.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hafdbmjp.exe Hdlkpd32.exe File opened for modification C:\Windows\SysWOW64\Ocedieek.exe Odpghiqc.exe File opened for modification C:\Windows\SysWOW64\Llnhgn32.exe Lbfdnijp.exe File opened for modification C:\Windows\SysWOW64\Iqbekpal.exe Igjabj32.exe File opened for modification C:\Windows\SysWOW64\Qlaffbqk.exe Qnmfmoaa.exe File created C:\Windows\SysWOW64\Indkgm32.exe Idlgohcl.exe File created C:\Windows\SysWOW64\Ciifgpjl.dll Fqjbme32.exe File created C:\Windows\SysWOW64\Hpjlca32.dll Ipqmgbbf.exe File created C:\Windows\SysWOW64\Hlhleh32.dll Hkngbj32.exe File opened for modification C:\Windows\SysWOW64\Ceqlff32.exe Clhgnagn.exe File opened for modification C:\Windows\SysWOW64\Hdbmnchk.exe Hjiiemaj.exe File created C:\Windows\SysWOW64\Pkalph32.exe Pqlhbo32.exe File created C:\Windows\SysWOW64\Kelqff32.exe Kkglim32.exe File opened for modification C:\Windows\SysWOW64\Gidgdcli.exe Gdgoll32.exe File created C:\Windows\SysWOW64\Elalei32.dll Bfoffmhd.exe File opened for modification C:\Windows\SysWOW64\Mjofanld.exe Mfamko32.exe File created C:\Windows\SysWOW64\Fqcocg32.dll Kdcinjpo.exe File created C:\Windows\SysWOW64\Edahca32.exe Ejldfh32.exe File created C:\Windows\SysWOW64\Paqoef32.exe Pjfghl32.exe File opened for modification C:\Windows\SysWOW64\Liaenblm.exe Lbgmah32.exe File created C:\Windows\SysWOW64\Gqbaqccn.exe Gigllafc.exe File opened for modification C:\Windows\SysWOW64\Ibfcei32.exe Hinolcbf.exe File created C:\Windows\SysWOW64\Pbdpndec.dll Lanmde32.exe File created C:\Windows\SysWOW64\Efihcpqk.exe Ekcdegqe.exe File created C:\Windows\SysWOW64\Cedhac32.dll Bqilfp32.exe File created C:\Windows\SysWOW64\Bbkkbpjc.exe Akpfmnmh.exe File created C:\Windows\SysWOW64\Ojgado32.exe Odjikh32.exe File opened for modification C:\Windows\SysWOW64\Ckilmfke.exe Cfmceomm.exe File created C:\Windows\SysWOW64\Llhjoj32.dll Ikfffh32.exe File opened for modification C:\Windows\SysWOW64\Cdpfiekl.exe Cocnanmd.exe File opened for modification C:\Windows\SysWOW64\Pblinp32.exe Picdejbg.exe File created C:\Windows\SysWOW64\Pajliiec.dll Bebjdjal.exe File created C:\Windows\SysWOW64\Kqijcg32.dll Ilpohecc.exe File opened for modification C:\Windows\SysWOW64\Ipmgncii.exe Ibigeojp.exe File created C:\Windows\SysWOW64\Qgenbkca.dll Mbabpodi.exe File created C:\Windows\SysWOW64\Kngoaklb.dll Nbckeb32.exe File created C:\Windows\SysWOW64\Ickoimie.exe Ijbjpg32.exe File created C:\Windows\SysWOW64\Iqgaenpf.dll Hfiofefm.exe File created C:\Windows\SysWOW64\Gciejn32.dll Nikflm32.exe File opened for modification C:\Windows\SysWOW64\Eodknifb.exe Eelfedpa.exe File created C:\Windows\SysWOW64\Degage32.exe Dlomnp32.exe File opened for modification C:\Windows\SysWOW64\Hcmmhmhd.exe Hfiloiik.exe File opened for modification C:\Windows\SysWOW64\Lfpebq32.exe Lmgaikep.exe File opened for modification C:\Windows\SysWOW64\Jqakompl.exe Jobnej32.exe File created C:\Windows\SysWOW64\Gpolcg32.dll Biecoj32.exe File created C:\Windows\SysWOW64\Jpneablg.dll Galfpgpg.exe File opened for modification C:\Windows\SysWOW64\Hnllcoed.exe Hcghffen.exe File created C:\Windows\SysWOW64\Mqkgeb32.dll Cgcoal32.exe File created C:\Windows\SysWOW64\Jqgkkj32.dll Fndfmljk.exe File opened for modification C:\Windows\SysWOW64\Lcolpe32.exe Kjfhgp32.exe File opened for modification C:\Windows\SysWOW64\Egdnjlcg.exe Eqjenb32.exe File created C:\Windows\SysWOW64\Ldpbmg32.exe Lnejqmie.exe File opened for modification C:\Windows\SysWOW64\Lmmcgilj.exe Lceond32.exe File opened for modification C:\Windows\SysWOW64\Dfjcncak.exe Dmaoem32.exe File opened for modification C:\Windows\SysWOW64\Cjcfjoil.exe Conbmfif.exe File created C:\Windows\SysWOW64\Mihkoa32.exe Lldkem32.exe File created C:\Windows\SysWOW64\Bbobdolj.dll Injnfl32.exe File opened for modification C:\Windows\SysWOW64\Jchobqnc.exe Ijpjik32.exe File created C:\Windows\SysWOW64\Mpcjfa32.exe Lkfbmj32.exe File created C:\Windows\SysWOW64\Gigano32.exe Fdkheh32.exe File created C:\Windows\SysWOW64\Onkoadhm.exe Oljbil32.exe File created C:\Windows\SysWOW64\Fnnbfjmp.exe Fqjbme32.exe File opened for modification C:\Windows\SysWOW64\Qmpafnld.exe Qcgmnh32.exe File opened for modification C:\Windows\SysWOW64\Nflidmic.exe Mdkmld32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2640 3952 WerFault.exe 769 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhdpaqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkafofde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqninhmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edkbdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcnkemgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfflal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcghffen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcehpbdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfpnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbdobpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahlnmjkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fianpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gemhpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clnkdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbkkbpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghcdpjqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmppcpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oleinmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oepianef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blcmbmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbjpjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fooghg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihopjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifhinl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knapen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhpcmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiieqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jchobqnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nflidmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apjbpemb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bebjdjal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpcgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdcinjpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbkaoce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkfgnldd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feeldk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liaenblm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmceomm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkcagn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlmqip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpdhiaoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbkljd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnppei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkglim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmjbphod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnhffm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omdbfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hepffelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckidl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceqlff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkdanngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eccdmmpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmfmacc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pblinp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmgaikep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnmfmoaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmaedolh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbljmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhookh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajedn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjopnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqlfjfni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behnkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anbohn32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfiofefm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjhaob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fndfmljk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpmqom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnejqmie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nffpfe32.dll" Pinnfonh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfhmhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjbnlqld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmdkodce.dll" Lmbcmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpnlid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aomekckd.dll" Aeokdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihgpibnp.dll" Aflmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmjohoej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gplgmodq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aandhbgj.dll" Kjopnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijcmipjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpecddpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gigjch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mihngj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionahd32.dll" Lkhfhaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adkbiook.dll" Pligbekc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jennjblp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjdjbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmaedolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piaiko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpjlca32.dll" Ipqmgbbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfffhk32.dll" Fmpnpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpneablg.dll" Galfpgpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnkggjpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bichbckg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mimjpp32.dll" Hhfcnb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbkkepio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmgokcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knmflijn.dll" Jgidnobg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjimpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdibpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peooek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igojmjgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aochck32.dll" Nqjmec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edkbdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfihjm32.dll" Qbfqfppe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgcpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfljpm32.dll" Pkbcjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkfgnldd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgdcjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgenbkca.dll" Mbabpodi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jffjbfpf.dll" Dlbcgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcdkmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkgdbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlijan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mebpchmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Medligko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofmknifp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bepmokco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnhjbjam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ainhln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjnilh32.dll" Ifkecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpgloo32.dll" Gheola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpmcmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfjeppd.dll" Dhqnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omemciec.dll" Dghgdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcjcpm32.dll" Nndjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bollem32.dll" Pjkpckob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Maplcm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2388 wrote to memory of 2288 2388 f5774a7bab80de9614fa989d23cc0c146195820e8e48381eb11016f5c60d8569.exe 29 PID 2388 wrote to memory of 2288 2388 f5774a7bab80de9614fa989d23cc0c146195820e8e48381eb11016f5c60d8569.exe 29 PID 2388 wrote to memory of 2288 2388 f5774a7bab80de9614fa989d23cc0c146195820e8e48381eb11016f5c60d8569.exe 29 PID 2388 wrote to memory of 2288 2388 f5774a7bab80de9614fa989d23cc0c146195820e8e48381eb11016f5c60d8569.exe 29 PID 2288 wrote to memory of 2944 2288 Lnaokn32.exe 30 PID 2288 wrote to memory of 2944 2288 Lnaokn32.exe 30 PID 2288 wrote to memory of 2944 2288 Lnaokn32.exe 30 PID 2288 wrote to memory of 2944 2288 Lnaokn32.exe 30 PID 2944 wrote to memory of 2456 2944 Lpbhmiji.exe 31 PID 2944 wrote to memory of 2456 2944 Lpbhmiji.exe 31 PID 2944 wrote to memory of 2456 2944 Lpbhmiji.exe 31 PID 2944 wrote to memory of 2456 2944 Lpbhmiji.exe 31 PID 2456 wrote to memory of 3032 2456 Mfamko32.exe 32 PID 2456 wrote to memory of 3032 2456 Mfamko32.exe 32 PID 2456 wrote to memory of 3032 2456 Mfamko32.exe 32 PID 2456 wrote to memory of 3032 2456 Mfamko32.exe 32 PID 3032 wrote to memory of 1048 3032 Mjofanld.exe 33 PID 3032 wrote to memory of 1048 3032 Mjofanld.exe 33 PID 3032 wrote to memory of 1048 3032 Mjofanld.exe 33 PID 3032 wrote to memory of 1048 3032 Mjofanld.exe 33 PID 1048 wrote to memory of 2608 1048 Mbkkepio.exe 34 PID 1048 wrote to memory of 2608 1048 Mbkkepio.exe 34 PID 1048 wrote to memory of 2608 1048 Mbkkepio.exe 34 PID 1048 wrote to memory of 2608 1048 Mbkkepio.exe 34 PID 2608 wrote to memory of 2812 2608 Mgjpcf32.exe 35 PID 2608 wrote to memory of 2812 2608 Mgjpcf32.exe 35 PID 2608 wrote to memory of 2812 2608 Mgjpcf32.exe 35 PID 2608 wrote to memory of 2812 2608 Mgjpcf32.exe 35 PID 2812 wrote to memory of 2508 2812 Nglmifca.exe 36 PID 2812 wrote to memory of 2508 2812 Nglmifca.exe 36 PID 2812 wrote to memory of 2508 2812 Nglmifca.exe 36 PID 2812 wrote to memory of 2508 2812 Nglmifca.exe 36 PID 2508 wrote to memory of 1844 2508 Nkjeod32.exe 37 PID 2508 wrote to memory of 1844 2508 Nkjeod32.exe 37 PID 2508 wrote to memory of 1844 2508 Nkjeod32.exe 37 PID 2508 wrote to memory of 1844 2508 Nkjeod32.exe 37 PID 1844 wrote to memory of 540 1844 Nqgngk32.exe 38 PID 1844 wrote to memory of 540 1844 Nqgngk32.exe 38 PID 1844 wrote to memory of 540 1844 Nqgngk32.exe 38 PID 1844 wrote to memory of 540 1844 Nqgngk32.exe 38 PID 540 wrote to memory of 2568 540 Nmnoll32.exe 39 PID 540 wrote to memory of 2568 540 Nmnoll32.exe 39 PID 540 wrote to memory of 2568 540 Nmnoll32.exe 39 PID 540 wrote to memory of 2568 540 Nmnoll32.exe 39 PID 2568 wrote to memory of 2348 2568 Nffcebdd.exe 40 PID 2568 wrote to memory of 2348 2568 Nffcebdd.exe 40 PID 2568 wrote to memory of 2348 2568 Nffcebdd.exe 40 PID 2568 wrote to memory of 2348 2568 Nffcebdd.exe 40 PID 2348 wrote to memory of 2188 2348 Ofklpa32.exe 41 PID 2348 wrote to memory of 2188 2348 Ofklpa32.exe 41 PID 2348 wrote to memory of 2188 2348 Ofklpa32.exe 41 PID 2348 wrote to memory of 2188 2348 Ofklpa32.exe 41 PID 2188 wrote to memory of 2452 2188 Oepianef.exe 42 PID 2188 wrote to memory of 2452 2188 Oepianef.exe 42 PID 2188 wrote to memory of 2452 2188 Oepianef.exe 42 PID 2188 wrote to memory of 2452 2188 Oepianef.exe 42 PID 2452 wrote to memory of 2220 2452 Oebffm32.exe 43 PID 2452 wrote to memory of 2220 2452 Oebffm32.exe 43 PID 2452 wrote to memory of 2220 2452 Oebffm32.exe 43 PID 2452 wrote to memory of 2220 2452 Oebffm32.exe 43 PID 2220 wrote to memory of 1124 2220 Ojoood32.exe 44 PID 2220 wrote to memory of 1124 2220 Ojoood32.exe 44 PID 2220 wrote to memory of 1124 2220 Ojoood32.exe 44 PID 2220 wrote to memory of 1124 2220 Ojoood32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\f5774a7bab80de9614fa989d23cc0c146195820e8e48381eb11016f5c60d8569.exe"C:\Users\Admin\AppData\Local\Temp\f5774a7bab80de9614fa989d23cc0c146195820e8e48381eb11016f5c60d8569.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Lnaokn32.exeC:\Windows\system32\Lnaokn32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Lpbhmiji.exeC:\Windows\system32\Lpbhmiji.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Mfamko32.exeC:\Windows\system32\Mfamko32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Mjofanld.exeC:\Windows\system32\Mjofanld.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Mbkkepio.exeC:\Windows\system32\Mbkkepio.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1048 -
C:\Windows\SysWOW64\Mgjpcf32.exeC:\Windows\system32\Mgjpcf32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Nglmifca.exeC:\Windows\system32\Nglmifca.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Nkjeod32.exeC:\Windows\system32\Nkjeod32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Nqgngk32.exeC:\Windows\system32\Nqgngk32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Nmnoll32.exeC:\Windows\system32\Nmnoll32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Nffcebdd.exeC:\Windows\system32\Nffcebdd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Ofklpa32.exeC:\Windows\system32\Ofklpa32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Oepianef.exeC:\Windows\system32\Oepianef.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Oebffm32.exeC:\Windows\system32\Oebffm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Ojoood32.exeC:\Windows\system32\Ojoood32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Pfhlie32.exeC:\Windows\system32\Pfhlie32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1124 -
C:\Windows\SysWOW64\Piiekp32.exeC:\Windows\system32\Piiekp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Pbaide32.exeC:\Windows\system32\Pbaide32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1244 -
C:\Windows\SysWOW64\Pikaqppk.exeC:\Windows\system32\Pikaqppk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Pinnfonh.exeC:\Windows\system32\Pinnfonh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Pojgnf32.exeC:\Windows\system32\Pojgnf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Windows\SysWOW64\Qomcdf32.exeC:\Windows\system32\Qomcdf32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Qeglqpaj.exeC:\Windows\system32\Qeglqpaj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:472 -
C:\Windows\SysWOW64\Qbkljd32.exeC:\Windows\system32\Qbkljd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Aoamoefh.exeC:\Windows\system32\Aoamoefh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920 -
C:\Windows\SysWOW64\Anfjpa32.exeC:\Windows\system32\Anfjpa32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Ahlnmjkf.exeC:\Windows\system32\Ahlnmjkf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Ankckagj.exeC:\Windows\system32\Ankckagj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Ajbdpblo.exeC:\Windows\system32\Ajbdpblo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Blcmbmip.exeC:\Windows\system32\Blcmbmip.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Bkhjcing.exeC:\Windows\system32\Bkhjcing.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Bdbkaoce.exeC:\Windows\system32\Bdbkaoce.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Bqilfp32.exeC:\Windows\system32\Bqilfp32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Cdjabn32.exeC:\Windows\system32\Cdjabn32.exe35⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Cmeffp32.exeC:\Windows\system32\Cmeffp32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1584 -
C:\Windows\SysWOW64\Cmjoaofc.exeC:\Windows\system32\Cmjoaofc.exe37⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Dpjhcj32.exeC:\Windows\system32\Dpjhcj32.exe38⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Deimaa32.exeC:\Windows\system32\Deimaa32.exe39⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Dcojbm32.exeC:\Windows\system32\Dcojbm32.exe40⤵
- Executes dropped EXE
PID:1536 -
C:\Windows\SysWOW64\Dmgokcja.exeC:\Windows\system32\Dmgokcja.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Eccdmmpk.exeC:\Windows\system32\Eccdmmpk.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Eagdgaoe.exeC:\Windows\system32\Eagdgaoe.exe43⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Edhmhl32.exeC:\Windows\system32\Edhmhl32.exe44⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Eeijpdbd.exeC:\Windows\system32\Eeijpdbd.exe45⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Eponmmaj.exeC:\Windows\system32\Eponmmaj.exe46⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Eelfedpa.exeC:\Windows\system32\Eelfedpa.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Eodknifb.exeC:\Windows\system32\Eodknifb.exe48⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Eabgjeef.exeC:\Windows\system32\Eabgjeef.exe49⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Flhkhnel.exeC:\Windows\system32\Flhkhnel.exe50⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Feppqc32.exeC:\Windows\system32\Feppqc32.exe51⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Foidii32.exeC:\Windows\system32\Foidii32.exe52⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Fhaibnim.exeC:\Windows\system32\Fhaibnim.exe53⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Feeilbhg.exeC:\Windows\system32\Feeilbhg.exe54⤵
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Fhcehngk.exeC:\Windows\system32\Fhcehngk.exe55⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Fmpnpe32.exeC:\Windows\system32\Fmpnpe32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Fhfbmn32.exeC:\Windows\system32\Fhfbmn32.exe57⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Fmbkfd32.exeC:\Windows\system32\Fmbkfd32.exe58⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Gpagbp32.exeC:\Windows\system32\Gpagbp32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Gkfkoi32.exeC:\Windows\system32\Gkfkoi32.exe60⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Gcapckod.exeC:\Windows\system32\Gcapckod.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Gljdlq32.exeC:\Windows\system32\Gljdlq32.exe62⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Gcdmikma.exeC:\Windows\system32\Gcdmikma.exe63⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Gllabp32.exeC:\Windows\system32\Gllabp32.exe64⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Gaiijgbi.exeC:\Windows\system32\Gaiijgbi.exe65⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Glongpao.exeC:\Windows\system32\Glongpao.exe66⤵PID:2128
-
C:\Windows\SysWOW64\Galfpgpg.exeC:\Windows\system32\Galfpgpg.exe67⤵
- Drops file in System32 directory
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Gheola32.exeC:\Windows\system32\Gheola32.exe68⤵
- Modifies registry class
PID:1464 -
C:\Windows\SysWOW64\Hfiofefm.exeC:\Windows\system32\Hfiofefm.exe69⤵
- Drops file in System32 directory
- Modifies registry class
PID:572 -
C:\Windows\SysWOW64\Hkfgnldd.exeC:\Windows\system32\Hkfgnldd.exe70⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Hdolga32.exeC:\Windows\system32\Hdolga32.exe71⤵PID:780
-
C:\Windows\SysWOW64\Hbblpf32.exeC:\Windows\system32\Hbblpf32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Hdailaib.exeC:\Windows\system32\Hdailaib.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
C:\Windows\SysWOW64\Hjnaehgj.exeC:\Windows\system32\Hjnaehgj.exe74⤵PID:2736
-
C:\Windows\SysWOW64\Hmojfcdk.exeC:\Windows\system32\Hmojfcdk.exe75⤵PID:2824
-
C:\Windows\SysWOW64\Ijbjpg32.exeC:\Windows\system32\Ijbjpg32.exe76⤵
- Drops file in System32 directory
PID:2356 -
C:\Windows\SysWOW64\Ickoimie.exeC:\Windows\system32\Ickoimie.exe77⤵PID:1580
-
C:\Windows\SysWOW64\Ijegeg32.exeC:\Windows\system32\Ijegeg32.exe78⤵PID:2092
-
C:\Windows\SysWOW64\Icmlnmgb.exeC:\Windows\system32\Icmlnmgb.exe79⤵PID:2952
-
C:\Windows\SysWOW64\Imepgbnc.exeC:\Windows\system32\Imepgbnc.exe80⤵PID:2420
-
C:\Windows\SysWOW64\Ikkmho32.exeC:\Windows\system32\Ikkmho32.exe81⤵PID:1728
-
C:\Windows\SysWOW64\Iecaad32.exeC:\Windows\system32\Iecaad32.exe82⤵PID:2428
-
C:\Windows\SysWOW64\Ijpjik32.exeC:\Windows\system32\Ijpjik32.exe83⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Jchobqnc.exeC:\Windows\system32\Jchobqnc.exe84⤵
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Jalolemm.exeC:\Windows\system32\Jalolemm.exe85⤵PID:640
-
C:\Windows\SysWOW64\Jnppei32.exeC:\Windows\system32\Jnppei32.exe86⤵
- System Location Discovery: System Language Discovery
PID:1816 -
C:\Windows\SysWOW64\Jgidnobg.exeC:\Windows\system32\Jgidnobg.exe87⤵
- Modifies registry class
PID:836 -
C:\Windows\SysWOW64\Jmelfeqn.exeC:\Windows\system32\Jmelfeqn.exe88⤵PID:2292
-
C:\Windows\SysWOW64\Jfnaok32.exeC:\Windows\system32\Jfnaok32.exe89⤵PID:2448
-
C:\Windows\SysWOW64\Jjimpj32.exeC:\Windows\system32\Jjimpj32.exe90⤵
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Jecnpg32.exeC:\Windows\system32\Jecnpg32.exe91⤵PID:2148
-
C:\Windows\SysWOW64\Klmfmacc.exeC:\Windows\system32\Klmfmacc.exe92⤵
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Kiafff32.exeC:\Windows\system32\Kiafff32.exe93⤵PID:1660
-
C:\Windows\SysWOW64\Kalkjh32.exeC:\Windows\system32\Kalkjh32.exe94⤵PID:2224
-
C:\Windows\SysWOW64\Kiccle32.exeC:\Windows\system32\Kiccle32.exe95⤵PID:1532
-
C:\Windows\SysWOW64\Kjdpcnfi.exeC:\Windows\system32\Kjdpcnfi.exe96⤵PID:2540
-
C:\Windows\SysWOW64\Kejdqffo.exeC:\Windows\system32\Kejdqffo.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2908 -
C:\Windows\SysWOW64\Kkglim32.exeC:\Windows\system32\Kkglim32.exe98⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Kelqff32.exeC:\Windows\system32\Kelqff32.exe99⤵PID:288
-
C:\Windows\SysWOW64\Koeeoljm.exeC:\Windows\system32\Koeeoljm.exe100⤵PID:1640
-
C:\Windows\SysWOW64\Ldangbhd.exeC:\Windows\system32\Ldangbhd.exe101⤵PID:2368
-
C:\Windows\SysWOW64\Lmjbphod.exeC:\Windows\system32\Lmjbphod.exe102⤵
- System Location Discovery: System Language Discovery
PID:556 -
C:\Windows\SysWOW64\Lddjmb32.exeC:\Windows\system32\Lddjmb32.exe103⤵PID:1516
-
C:\Windows\SysWOW64\Liqcei32.exeC:\Windows\system32\Liqcei32.exe104⤵PID:2720
-
C:\Windows\SysWOW64\Lpkkbcle.exeC:\Windows\system32\Lpkkbcle.exe105⤵PID:2752
-
C:\Windows\SysWOW64\Licpki32.exeC:\Windows\system32\Licpki32.exe106⤵PID:2616
-
C:\Windows\SysWOW64\Meojkide.exeC:\Windows\system32\Meojkide.exe107⤵PID:3052
-
C:\Windows\SysWOW64\Meafpibb.exeC:\Windows\system32\Meafpibb.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1312 -
C:\Windows\SysWOW64\Mkplnp32.exeC:\Windows\system32\Mkplnp32.exe109⤵PID:1804
-
C:\Windows\SysWOW64\Mdhpgeeg.exeC:\Windows\system32\Mdhpgeeg.exe110⤵PID:368
-
C:\Windows\SysWOW64\Mjeholco.exeC:\Windows\system32\Mjeholco.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1408 -
C:\Windows\SysWOW64\Mdkmld32.exeC:\Windows\system32\Mdkmld32.exe112⤵
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Nflidmic.exeC:\Windows\system32\Nflidmic.exe113⤵
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\Nodnmb32.exeC:\Windows\system32\Nodnmb32.exe114⤵PID:2648
-
C:\Windows\SysWOW64\Nfnfjmgp.exeC:\Windows\system32\Nfnfjmgp.exe115⤵PID:2892
-
C:\Windows\SysWOW64\Nhmbfhfd.exeC:\Windows\system32\Nhmbfhfd.exe116⤵PID:2740
-
C:\Windows\SysWOW64\Ncbfcq32.exeC:\Windows\system32\Ncbfcq32.exe117⤵PID:2880
-
C:\Windows\SysWOW64\Nhookh32.exeC:\Windows\system32\Nhookh32.exe118⤵
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Nfcoel32.exeC:\Windows\system32\Nfcoel32.exe119⤵PID:2972
-
C:\Windows\SysWOW64\Nhalag32.exeC:\Windows\system32\Nhalag32.exe120⤵PID:2764
-
C:\Windows\SysWOW64\Nbjpjm32.exeC:\Windows\system32\Nbjpjm32.exe121⤵
- System Location Discovery: System Language Discovery
PID:2424
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-