Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05-02-2025 03:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7cad2e28a128d79d9180c46f26df1d53b8a0eadec0e06a54340c3e669c6f7f1bN.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
7cad2e28a128d79d9180c46f26df1d53b8a0eadec0e06a54340c3e669c6f7f1bN.exe
Resource
win10v2004-20250129-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
7cad2e28a128d79d9180c46f26df1d53b8a0eadec0e06a54340c3e669c6f7f1bN.exe
-
Size
96KB
-
MD5
c5489dd82a786d50650ac9e0a7dbd590
-
SHA1
b9fa2e6335a8c1ce26c33ca33c3da95340fee4e2
-
SHA256
7cad2e28a128d79d9180c46f26df1d53b8a0eadec0e06a54340c3e669c6f7f1b
-
SHA512
5f3bec96298f0e6cf2d10a0388cb5c467ddb733cdd526486f8f155090d52a42ed9b6fb4425e5ae98f3e19d6ec606e99434d5178d8f5ef3370e1444c6555d9aa2
-
SSDEEP
1536:a9WT3udzsRHX93eYQq9Q9HYNKCAES0sV2Lfg7RZObZUUWaegPYAS:MWj/x11yHsh/RYClUUWaef
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpigma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnngfna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apedah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpgmijgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bibpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppcbgkka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaeipfei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkndhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odchbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odjdmjgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opaebkmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlhjhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obokcqhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahbekjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjfkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkpbdq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afffenbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gljpncgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Folfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppkhhjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldbofgme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgmpibam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aababceh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hloiib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjmpcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onfoin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmeon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npgihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jckgicnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pebpkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddnfop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifjlcmmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlqmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdeqfhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acfdnihk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnaooi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Panaeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ackmih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldkmlhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chqoipkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhoice32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bajqfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoompl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnihdemo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohidmoaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffkoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ompefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iapgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjhjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnfqccna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgehno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bigkel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnifja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkdihhag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkeecogo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pddnnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldjpbign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bagkmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnkcpq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnkakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfphcj32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
resource yara_rule behavioral1/files/0x0004000000020607-4472.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 1708 Mpdqdkie.exe 1800 Mdpldi32.exe 2488 Mpgmijgc.exe 2796 Mbeiefff.exe 2760 Nlnnnk32.exe 2736 Nbhfke32.exe 2620 Nianhplq.exe 2264 Nlpkdkkd.exe 1228 Nbjcqe32.exe 2296 Nhgkil32.exe 2976 Noacef32.exe 2668 Neklbppb.exe 1296 Nledoj32.exe 1952 Nocpkf32.exe 264 Nemhhpmp.exe 2400 Nkjapglg.exe 848 Nmhmlbkk.exe 3032 Npgihn32.exe 292 Ogqaehak.exe 340 Oionacqo.exe 728 Oaffbqaa.exe 3004 Odebolpe.exe 2156 Ogcnkgoh.exe 2396 Oiakgcnl.exe 2484 Ommfga32.exe 1644 Odgodl32.exe 2412 Onocmadb.exe 1736 Olbchn32.exe 1832 Oekhacbn.exe 2812 Ohidmoaa.exe 2124 Ooclji32.exe 2324 Oemegc32.exe 2612 Pkjmoj32.exe 492 Pcaepg32.exe 1784 Pdbahpec.exe 2888 Pkljdj32.exe 2904 Pafbadcm.exe 2504 Pddnnp32.exe 2132 Pkofjijm.exe 1432 Pnmcfeia.exe 2060 Pgegok32.exe 572 Pjcckf32.exe 2584 Pnopldgn.exe 2256 Pkcpei32.exe 1360 Pnalad32.exe 2428 Pdldnomh.exe 2068 Qfmafg32.exe 992 Qndigd32.exe 1984 Qmgibqjc.exe 2336 Qcqaok32.exe 2092 Qglmpi32.exe 2240 Qjkjle32.exe 2828 Qinjgbpg.exe 2716 Qqdbiopj.exe 2816 Accnekon.exe 1848 Abfnpg32.exe 680 Aipfmane.exe 2896 Akncimmh.exe 2008 Abhkfg32.exe 2032 Aeggbbci.exe 1152 Amnocpdk.exe 556 Aollokco.exe 1660 Abkhkgbb.exe 3036 Aeidgbaf.exe -
Loads dropped DLL 64 IoCs
pid Process 2084 7cad2e28a128d79d9180c46f26df1d53b8a0eadec0e06a54340c3e669c6f7f1bN.exe 2084 7cad2e28a128d79d9180c46f26df1d53b8a0eadec0e06a54340c3e669c6f7f1bN.exe 1708 Mpdqdkie.exe 1708 Mpdqdkie.exe 1800 Mdpldi32.exe 1800 Mdpldi32.exe 2488 Mpgmijgc.exe 2488 Mpgmijgc.exe 2796 Mbeiefff.exe 2796 Mbeiefff.exe 2760 Nlnnnk32.exe 2760 Nlnnnk32.exe 2736 Nbhfke32.exe 2736 Nbhfke32.exe 2620 Nianhplq.exe 2620 Nianhplq.exe 2264 Nlpkdkkd.exe 2264 Nlpkdkkd.exe 1228 Nbjcqe32.exe 1228 Nbjcqe32.exe 2296 Nhgkil32.exe 2296 Nhgkil32.exe 2976 Noacef32.exe 2976 Noacef32.exe 2668 Neklbppb.exe 2668 Neklbppb.exe 1296 Nledoj32.exe 1296 Nledoj32.exe 1952 Nocpkf32.exe 1952 Nocpkf32.exe 264 Nemhhpmp.exe 264 Nemhhpmp.exe 2400 Nkjapglg.exe 2400 Nkjapglg.exe 848 Nmhmlbkk.exe 848 Nmhmlbkk.exe 3032 Npgihn32.exe 3032 Npgihn32.exe 292 Ogqaehak.exe 292 Ogqaehak.exe 340 Oionacqo.exe 340 Oionacqo.exe 728 Oaffbqaa.exe 728 Oaffbqaa.exe 3004 Odebolpe.exe 3004 Odebolpe.exe 2156 Ogcnkgoh.exe 2156 Ogcnkgoh.exe 2396 Oiakgcnl.exe 2396 Oiakgcnl.exe 2484 Ommfga32.exe 2484 Ommfga32.exe 1644 Odgodl32.exe 1644 Odgodl32.exe 2412 Onocmadb.exe 2412 Onocmadb.exe 1736 Olbchn32.exe 1736 Olbchn32.exe 1832 Oekhacbn.exe 1832 Oekhacbn.exe 2812 Ohidmoaa.exe 2812 Ohidmoaa.exe 2124 Ooclji32.exe 2124 Ooclji32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Moohhbcf.dll Njfjnpgp.exe File opened for modification C:\Windows\SysWOW64\Nfoghakb.exe Ndqkleln.exe File opened for modification C:\Windows\SysWOW64\Aollokco.exe Amnocpdk.exe File created C:\Windows\SysWOW64\Poedbd32.dll Daipqhdg.exe File created C:\Windows\SysWOW64\Dfcemimp.dll Gpelnb32.exe File created C:\Windows\SysWOW64\Hjfcpo32.exe Hhhgcc32.exe File created C:\Windows\SysWOW64\Jjplgd32.dll Ihmpobck.exe File created C:\Windows\SysWOW64\Ekomolag.dll Pincfpoo.exe File created C:\Windows\SysWOW64\Hidcef32.exe Hfegij32.exe File created C:\Windows\SysWOW64\Ogcnkgoh.exe Odebolpe.exe File created C:\Windows\SysWOW64\Knmdeioh.exe Kjahej32.exe File created C:\Windows\SysWOW64\Olkfmi32.exe Oiljam32.exe File created C:\Windows\SysWOW64\Ngndfk32.dll Acnjnh32.exe File created C:\Windows\SysWOW64\Ccjoli32.exe Calcpm32.exe File created C:\Windows\SysWOW64\Lhmlombo.dll Ajhiei32.exe File created C:\Windows\SysWOW64\Qfljkp32.exe Qnebjc32.exe File created C:\Windows\SysWOW64\Dogpdg32.exe Dfphcj32.exe File opened for modification C:\Windows\SysWOW64\Hmalldcn.exe Hifpke32.exe File opened for modification C:\Windows\SysWOW64\Lgoboc32.exe Lcdfnehp.exe File created C:\Windows\SysWOW64\Mnmpdlac.exe Mkndhabp.exe File created C:\Windows\SysWOW64\Ofcqcp32.exe Obhdcanc.exe File created C:\Windows\SysWOW64\Cgnein32.dll Cikbhc32.exe File opened for modification C:\Windows\SysWOW64\Cedpbd32.exe Cmmhaf32.exe File opened for modification C:\Windows\SysWOW64\Elnqmd32.exe Ejpdai32.exe File created C:\Windows\SysWOW64\Kjleflod.exe Kfpifm32.exe File created C:\Windows\SysWOW64\Ooahll32.dll Gpcoib32.exe File created C:\Windows\SysWOW64\Gfmgelil.exe Gcokiaji.exe File opened for modification C:\Windows\SysWOW64\Odgamdef.exe Oplelf32.exe File opened for modification C:\Windows\SysWOW64\Amcbankf.exe Ajeeeblb.exe File created C:\Windows\SysWOW64\Icmongda.dll Illbhp32.exe File created C:\Windows\SysWOW64\Acqnnndl.exe Aababceh.exe File created C:\Windows\SysWOW64\Gapfdgmi.dll Hjdfjo32.exe File created C:\Windows\SysWOW64\Lofoed32.dll Jplkmgol.exe File created C:\Windows\SysWOW64\Njdqka32.exe Nbniid32.exe File created C:\Windows\SysWOW64\Ieigfk32.exe Ibkkjp32.exe File opened for modification C:\Windows\SysWOW64\Lbfook32.exe Lohccp32.exe File created C:\Windows\SysWOW64\Oionacqo.exe Ogqaehak.exe File created C:\Windows\SysWOW64\Debplg32.exe Dcccpl32.exe File created C:\Windows\SysWOW64\Fmegncpp.exe Ffkoai32.exe File created C:\Windows\SysWOW64\Hloiib32.exe Hipmmg32.exe File opened for modification C:\Windows\SysWOW64\Ajjfkh32.exe Akhfoldn.exe File opened for modification C:\Windows\SysWOW64\Jgaiobjn.exe Jhoice32.exe File created C:\Windows\SysWOW64\Fbaepf32.dll Kohnoc32.exe File opened for modification C:\Windows\SysWOW64\Qcqaok32.exe Qmgibqjc.exe File opened for modification C:\Windows\SysWOW64\Lcfbdd32.exe Lokgcf32.exe File created C:\Windows\SysWOW64\Hfdoodan.dll Jbcjnnpl.exe File opened for modification C:\Windows\SysWOW64\Allefimb.exe Ahpifj32.exe File opened for modification C:\Windows\SysWOW64\Ogqaehak.exe Npgihn32.exe File opened for modification C:\Windows\SysWOW64\Ijnbcmkk.exe Illbhp32.exe File created C:\Windows\SysWOW64\Jmhnkfpa.exe Jeafjiop.exe File created C:\Windows\SysWOW64\Hifhgh32.dll Nbflno32.exe File created C:\Windows\SysWOW64\Hkojbh32.dll Odgodl32.exe File opened for modification C:\Windows\SysWOW64\Ciifbchf.exe Bfkifhib.exe File created C:\Windows\SysWOW64\Pcbncfjd.exe Ppcbgkka.exe File created C:\Windows\SysWOW64\Kkidapal.dll Nmhmlbkk.exe File created C:\Windows\SysWOW64\Afjjed32.exe Ackmih32.exe File opened for modification C:\Windows\SysWOW64\Nameek32.exe Nnoiio32.exe File created C:\Windows\SysWOW64\Gpajfg32.dll Cgcnghpl.exe File created C:\Windows\SysWOW64\Fklkbele.dll Clbnhmjo.exe File created C:\Windows\SysWOW64\Odgamdef.exe Oplelf32.exe File created C:\Windows\SysWOW64\Pnopldgn.exe Pjcckf32.exe File created C:\Windows\SysWOW64\Emgeoj32.dll Pkcpei32.exe File created C:\Windows\SysWOW64\Alhjjh32.dll Ibkkjp32.exe File created C:\Windows\SysWOW64\Aijbfo32.exe Ajgbkbjp.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9056 9012 WerFault.exe 884 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elipgofb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpdnbbah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgaaah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pebpkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heikgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhiakf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mejlalji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oijjka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqpecma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkpganf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbahpec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnbdko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plolgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljlbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjfcpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbgqjdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgmigeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbdmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imahkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbbgdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Golbnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pckajebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgnadkic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipiljgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbfep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgkocj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fheabelm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddliip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnpflj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbopmnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Helgmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihmpobck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plaimk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpigma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgqkbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbojdmcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fogibnha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jioopgef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oemegc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghfnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgkki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkjmoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Accnekon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqlebf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlfmbibo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nemhhpmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnmifk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaijak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjlmpfhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddiibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqjmncna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akkoig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkpeci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcaimgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odchbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgmijgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkofjijm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooicid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gceailog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcjnnpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qppkfhlc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbmaon32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abfnpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqmamm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcbabpcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmpkqklh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbijlpke.dll" Gjfgqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpmcielb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nncdpa32.dll" Macilmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnmlcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kagflkia.dll" Nfdddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckmjbbc.dll" Aipfmane.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnfcel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoiaho32.dll" Oalhqohl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbfook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjhjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccfbaelk.dll" Bbmapj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dojddmec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mndmoaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfeeehni.dll" Jojkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epphbb32.dll" Khcomhbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbcjo32.dll" Qppkfhlc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qgmpibam.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahpifj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmgibqjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcjeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcamjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekbgfpm.dll" Cillkbac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diibmpdj.dll" Jpgjgboe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnbojmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnhgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kongke32.dll" Nibqqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkcbnanl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlpkdkkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nijnln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmeolj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccdmnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihpfgalh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lddlkg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efpolbgp.dll" Noffdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opaebkmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caaggpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oplelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpafcmd.dll" Danmmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keacocpm.dll" Elnqmd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khabghdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pincfpoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgdnnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbgbj32.dll" Omklkkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifgkmbho.dll" Bmkomchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilabmedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggpbcccn.dll" Qobbofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlbakl32.dll" Pljlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnkjnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgcnghpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogqaehak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgmeid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdignc32.dll" Abpjjeim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmoofdea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkfbfjdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhkkbmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehpalp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfliim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adifpk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2084 wrote to memory of 1708 2084 7cad2e28a128d79d9180c46f26df1d53b8a0eadec0e06a54340c3e669c6f7f1bN.exe 30 PID 2084 wrote to memory of 1708 2084 7cad2e28a128d79d9180c46f26df1d53b8a0eadec0e06a54340c3e669c6f7f1bN.exe 30 PID 2084 wrote to memory of 1708 2084 7cad2e28a128d79d9180c46f26df1d53b8a0eadec0e06a54340c3e669c6f7f1bN.exe 30 PID 2084 wrote to memory of 1708 2084 7cad2e28a128d79d9180c46f26df1d53b8a0eadec0e06a54340c3e669c6f7f1bN.exe 30 PID 1708 wrote to memory of 1800 1708 Mpdqdkie.exe 31 PID 1708 wrote to memory of 1800 1708 Mpdqdkie.exe 31 PID 1708 wrote to memory of 1800 1708 Mpdqdkie.exe 31 PID 1708 wrote to memory of 1800 1708 Mpdqdkie.exe 31 PID 1800 wrote to memory of 2488 1800 Mdpldi32.exe 32 PID 1800 wrote to memory of 2488 1800 Mdpldi32.exe 32 PID 1800 wrote to memory of 2488 1800 Mdpldi32.exe 32 PID 1800 wrote to memory of 2488 1800 Mdpldi32.exe 32 PID 2488 wrote to memory of 2796 2488 Mpgmijgc.exe 33 PID 2488 wrote to memory of 2796 2488 Mpgmijgc.exe 33 PID 2488 wrote to memory of 2796 2488 Mpgmijgc.exe 33 PID 2488 wrote to memory of 2796 2488 Mpgmijgc.exe 33 PID 2796 wrote to memory of 2760 2796 Mbeiefff.exe 34 PID 2796 wrote to memory of 2760 2796 Mbeiefff.exe 34 PID 2796 wrote to memory of 2760 2796 Mbeiefff.exe 34 PID 2796 wrote to memory of 2760 2796 Mbeiefff.exe 34 PID 2760 wrote to memory of 2736 2760 Nlnnnk32.exe 35 PID 2760 wrote to memory of 2736 2760 Nlnnnk32.exe 35 PID 2760 wrote to memory of 2736 2760 Nlnnnk32.exe 35 PID 2760 wrote to memory of 2736 2760 Nlnnnk32.exe 35 PID 2736 wrote to memory of 2620 2736 Nbhfke32.exe 36 PID 2736 wrote to memory of 2620 2736 Nbhfke32.exe 36 PID 2736 wrote to memory of 2620 2736 Nbhfke32.exe 36 PID 2736 wrote to memory of 2620 2736 Nbhfke32.exe 36 PID 2620 wrote to memory of 2264 2620 Nianhplq.exe 37 PID 2620 wrote to memory of 2264 2620 Nianhplq.exe 37 PID 2620 wrote to memory of 2264 2620 Nianhplq.exe 37 PID 2620 wrote to memory of 2264 2620 Nianhplq.exe 37 PID 2264 wrote to memory of 1228 2264 Nlpkdkkd.exe 38 PID 2264 wrote to memory of 1228 2264 Nlpkdkkd.exe 38 PID 2264 wrote to memory of 1228 2264 Nlpkdkkd.exe 38 PID 2264 wrote to memory of 1228 2264 Nlpkdkkd.exe 38 PID 1228 wrote to memory of 2296 1228 Nbjcqe32.exe 39 PID 1228 wrote to memory of 2296 1228 Nbjcqe32.exe 39 PID 1228 wrote to memory of 2296 1228 Nbjcqe32.exe 39 PID 1228 wrote to memory of 2296 1228 Nbjcqe32.exe 39 PID 2296 wrote to memory of 2976 2296 Nhgkil32.exe 40 PID 2296 wrote to memory of 2976 2296 Nhgkil32.exe 40 PID 2296 wrote to memory of 2976 2296 Nhgkil32.exe 40 PID 2296 wrote to memory of 2976 2296 Nhgkil32.exe 40 PID 2976 wrote to memory of 2668 2976 Noacef32.exe 41 PID 2976 wrote to memory of 2668 2976 Noacef32.exe 41 PID 2976 wrote to memory of 2668 2976 Noacef32.exe 41 PID 2976 wrote to memory of 2668 2976 Noacef32.exe 41 PID 2668 wrote to memory of 1296 2668 Neklbppb.exe 42 PID 2668 wrote to memory of 1296 2668 Neklbppb.exe 42 PID 2668 wrote to memory of 1296 2668 Neklbppb.exe 42 PID 2668 wrote to memory of 1296 2668 Neklbppb.exe 42 PID 1296 wrote to memory of 1952 1296 Nledoj32.exe 43 PID 1296 wrote to memory of 1952 1296 Nledoj32.exe 43 PID 1296 wrote to memory of 1952 1296 Nledoj32.exe 43 PID 1296 wrote to memory of 1952 1296 Nledoj32.exe 43 PID 1952 wrote to memory of 264 1952 Nocpkf32.exe 44 PID 1952 wrote to memory of 264 1952 Nocpkf32.exe 44 PID 1952 wrote to memory of 264 1952 Nocpkf32.exe 44 PID 1952 wrote to memory of 264 1952 Nocpkf32.exe 44 PID 264 wrote to memory of 2400 264 Nemhhpmp.exe 45 PID 264 wrote to memory of 2400 264 Nemhhpmp.exe 45 PID 264 wrote to memory of 2400 264 Nemhhpmp.exe 45 PID 264 wrote to memory of 2400 264 Nemhhpmp.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7cad2e28a128d79d9180c46f26df1d53b8a0eadec0e06a54340c3e669c6f7f1bN.exe"C:\Users\Admin\AppData\Local\Temp\7cad2e28a128d79d9180c46f26df1d53b8a0eadec0e06a54340c3e669c6f7f1bN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Mdpldi32.exeC:\Windows\system32\Mdpldi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Mpgmijgc.exeC:\Windows\system32\Mpgmijgc.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Nbhfke32.exeC:\Windows\system32\Nbhfke32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Nianhplq.exeC:\Windows\system32\Nianhplq.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Nlpkdkkd.exeC:\Windows\system32\Nlpkdkkd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Nhgkil32.exeC:\Windows\system32\Nhgkil32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Noacef32.exeC:\Windows\system32\Noacef32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Neklbppb.exeC:\Windows\system32\Neklbppb.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Nocpkf32.exeC:\Windows\system32\Nocpkf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Nemhhpmp.exeC:\Windows\system32\Nemhhpmp.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Nkjapglg.exeC:\Windows\system32\Nkjapglg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Nmhmlbkk.exeC:\Windows\system32\Nmhmlbkk.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:848 -
C:\Windows\SysWOW64\Npgihn32.exeC:\Windows\system32\Npgihn32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Ogqaehak.exeC:\Windows\system32\Ogqaehak.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:292 -
C:\Windows\SysWOW64\Oionacqo.exeC:\Windows\system32\Oionacqo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:340 -
C:\Windows\SysWOW64\Oaffbqaa.exeC:\Windows\system32\Oaffbqaa.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:728 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Ogcnkgoh.exeC:\Windows\system32\Ogcnkgoh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Oiakgcnl.exeC:\Windows\system32\Oiakgcnl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2396 -
C:\Windows\SysWOW64\Ommfga32.exeC:\Windows\system32\Ommfga32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1644 -
C:\Windows\SysWOW64\Onocmadb.exeC:\Windows\system32\Onocmadb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Olbchn32.exeC:\Windows\system32\Olbchn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Oekhacbn.exeC:\Windows\system32\Oekhacbn.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1832 -
C:\Windows\SysWOW64\Ohidmoaa.exeC:\Windows\system32\Ohidmoaa.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2812 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Oemegc32.exeC:\Windows\system32\Oemegc32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Pkjmoj32.exeC:\Windows\system32\Pkjmoj32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Pcaepg32.exeC:\Windows\system32\Pcaepg32.exe35⤵
- Executes dropped EXE
PID:492 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1784 -
C:\Windows\SysWOW64\Pkljdj32.exeC:\Windows\system32\Pkljdj32.exe37⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe38⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Pnmcfeia.exeC:\Windows\system32\Pnmcfeia.exe41⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe42⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe44⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Pkcpei32.exeC:\Windows\system32\Pkcpei32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Pnalad32.exeC:\Windows\system32\Pnalad32.exe46⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe47⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Qfmafg32.exeC:\Windows\system32\Qfmafg32.exe48⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Qndigd32.exeC:\Windows\system32\Qndigd32.exe49⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Qmgibqjc.exeC:\Windows\system32\Qmgibqjc.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Qcqaok32.exeC:\Windows\system32\Qcqaok32.exe51⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Qglmpi32.exeC:\Windows\system32\Qglmpi32.exe52⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe53⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Qinjgbpg.exeC:\Windows\system32\Qinjgbpg.exe54⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Qqdbiopj.exeC:\Windows\system32\Qqdbiopj.exe55⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Accnekon.exeC:\Windows\system32\Accnekon.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1848 -
C:\Windows\SysWOW64\Aipfmane.exeC:\Windows\system32\Aipfmane.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:680 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe59⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe60⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe61⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe63⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe64⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe65⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe66⤵PID:2304
-
C:\Windows\SysWOW64\Akcldl32.exeC:\Windows\system32\Akcldl32.exe67⤵PID:1680
-
C:\Windows\SysWOW64\Aoohekal.exeC:\Windows\system32\Aoohekal.exe68⤵PID:988
-
C:\Windows\SysWOW64\Aapemc32.exeC:\Windows\system32\Aapemc32.exe69⤵PID:796
-
C:\Windows\SysWOW64\Aigmnqgm.exeC:\Windows\system32\Aigmnqgm.exe70⤵PID:2408
-
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe71⤵PID:2340
-
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe72⤵
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Aboaff32.exeC:\Windows\system32\Aboaff32.exe73⤵PID:2792
-
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe75⤵PID:2672
-
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe76⤵
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2964 -
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe78⤵PID:2000
-
C:\Windows\SysWOW64\Bjmbqhif.exeC:\Windows\system32\Bjmbqhif.exe79⤵PID:2948
-
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe80⤵
- Modifies registry class
PID:1572 -
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:592 -
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe82⤵PID:920
-
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe83⤵PID:1960
-
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1348 -
C:\Windows\SysWOW64\Baigca32.exeC:\Windows\system32\Baigca32.exe85⤵PID:3068
-
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe86⤵PID:2200
-
C:\Windows\SysWOW64\Bffpki32.exeC:\Windows\system32\Bffpki32.exe87⤵PID:2080
-
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe88⤵PID:2544
-
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe89⤵PID:3016
-
C:\Windows\SysWOW64\Bpnddn32.exeC:\Windows\system32\Bpnddn32.exe90⤵PID:2928
-
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe91⤵
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe92⤵PID:1968
-
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe93⤵PID:2884
-
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe94⤵PID:2660
-
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe95⤵PID:1316
-
C:\Windows\SysWOW64\Bfkifhib.exeC:\Windows\system32\Bfkifhib.exe96⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe97⤵PID:2136
-
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe98⤵PID:1084
-
C:\Windows\SysWOW64\Cofnjj32.exeC:\Windows\system32\Cofnjj32.exe99⤵PID:776
-
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe100⤵PID:2212
-
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe101⤵
- Drops file in System32 directory
PID:1872 -
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe102⤵PID:1700
-
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe103⤵PID:2748
-
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe104⤵PID:2636
-
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe105⤵PID:2772
-
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2164 -
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe107⤵PID:2880
-
C:\Windows\SysWOW64\Cmmhaf32.exeC:\Windows\system32\Cmmhaf32.exe108⤵
- Drops file in System32 directory
PID:2588 -
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe109⤵PID:2308
-
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe110⤵PID:1748
-
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe111⤵PID:2780
-
C:\Windows\SysWOW64\Comdkipe.exeC:\Windows\system32\Comdkipe.exe112⤵PID:2388
-
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe113⤵PID:800
-
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe114⤵PID:2392
-
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe115⤵PID:1716
-
C:\Windows\SysWOW64\Cmbalfem.exeC:\Windows\system32\Cmbalfem.exe116⤵PID:2608
-
C:\Windows\SysWOW64\Danmmd32.exeC:\Windows\system32\Danmmd32.exe117⤵
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe118⤵
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Dbojdmcd.exeC:\Windows\system32\Dbojdmcd.exe119⤵
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe120⤵
- Modifies registry class
PID:2416 -
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe121⤵PID:1620
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-