Analysis
-
max time kernel
51s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
05-02-2025 06:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a177599d46d8ef7525ce30cf46790e54edaa796a88e58fdab9d0b71d0d35b5fd.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
a177599d46d8ef7525ce30cf46790e54edaa796a88e58fdab9d0b71d0d35b5fd.exe
Resource
win10v2004-20250129-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
a177599d46d8ef7525ce30cf46790e54edaa796a88e58fdab9d0b71d0d35b5fd.exe
-
Size
96KB
-
MD5
ab09e2e3f2216f62143c7fc524f90bb3
-
SHA1
ddb52a7b4abd5e6738d9d6544547e5151c7ffc29
-
SHA256
a177599d46d8ef7525ce30cf46790e54edaa796a88e58fdab9d0b71d0d35b5fd
-
SHA512
9c3473221789774e0db3d056d573b39171bb66bba0252ab481ab470c692666f0927e2f6cea01bc5e7bf490e299cdcbb704a905bf75d024a8b020e831c1af0bbe
-
SSDEEP
1536:a9WT3udzsRHX93eYQq9Q9HYNKCAES0sV2Lfg7RZObZUUWaegPYAy:MWj/x11yHsh/RYClUUWaeP
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jifhdphd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhahb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lphlck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acbieing.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imfeip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjhahb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlgfqldf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkndiabh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Alicahno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffenmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njopgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbilmop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcllfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhnjdfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njobpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlhnfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pchdfb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kemgqm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akfaof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfpndkel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imhanp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpmlcpdm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjfdpckc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecnpgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aamekk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnmdfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpkckneh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gimmpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmbkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clfkfeno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldnbeokn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldhldpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpqaanqd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnhhq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkopifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jklnggjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbfcbdce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eghdanac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjbhgolp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lafgdfbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmgkoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pglclk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqhhbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiopah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhhblgim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kelqff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alicahno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjeihl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfgke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lncjhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajpgkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibgglfdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oppbjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nodnmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Papkcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcjogidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlepjbmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okdahbmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjdkllec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dekhnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epnldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdooij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acbieing.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 2 IoCs
resource yara_rule behavioral1/files/0x000400000001cc48-1134.dat family_bruteratel behavioral1/files/0x000300000002078d-5264.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2932 Pchdfb32.exe 2888 Qnnhcknd.exe 2952 Qckalamk.exe 3028 Qjeihl32.exe 2908 Amhopfof.exe 2784 Afbpnlcd.exe 2180 Aokdga32.exe 1636 Anpahn32.exe 2840 Bghfacem.exe 3004 Bfncbp32.exe 2152 Bpfgke32.exe 2092 Bphdpe32.exe 1752 Bfeibo32.exe 1160 Cpmmkdkn.exe 2072 Clfkfeno.exe 1148 Cogdhpkp.exe 2116 Ckndmaad.exe 1040 Dmomnlne.exe 1196 Dbkffc32.exe 2360 Dkbnhq32.exe 1436 Dihkimag.exe 936 Dmecokhm.exe 1716 Dgnhhq32.exe 1144 Ehaaei32.exe 1536 Eokiabjf.exe 2988 Edkopifk.exe 2220 Encchoml.exe 1172 Edohki32.exe 2160 Fnhlcn32.exe 2944 Ffcahq32.exe 2904 Ffenmp32.exe 2356 Fqkbkicd.exe 3040 Fbnkha32.exe 776 Gdodjlda.exe 1888 Godhgedg.exe 1348 Gimmpj32.exe 2800 Gednek32.exe 2916 Gfggbcdg.exe 1096 Gjephakn.exe 1708 Hmfhjmho.exe 2060 Hecjco32.exe 2500 Hbgjmcba.exe 1956 Hbjgbbpn.exe 2320 Imfeip32.exe 1952 Ihkifi32.exe 2688 Imhanp32.exe 2388 Ilmool32.exe 952 Ibgglfdl.exe 2544 Ipkgejcf.exe 2684 Jgeobdkc.exe 1728 Jpndkj32.exe 2984 Jifhdphd.exe 2892 Jcnmme32.exe 2864 Jdpidm32.exe 2856 Jkjaaglp.exe 2756 Jeofnpke.exe 2504 Jklnggjm.exe 1624 Jpigonhd.exe 3060 Kjakhcne.exe 3036 Kgelahmn.exe 2484 Kcllfi32.exe 788 Knaqcabh.exe 2512 Kcnilhap.exe 2192 Kjhahb32.exe -
Loads dropped DLL 64 IoCs
pid Process 1820 a177599d46d8ef7525ce30cf46790e54edaa796a88e58fdab9d0b71d0d35b5fd.exe 1820 a177599d46d8ef7525ce30cf46790e54edaa796a88e58fdab9d0b71d0d35b5fd.exe 2932 Pchdfb32.exe 2932 Pchdfb32.exe 2888 Qnnhcknd.exe 2888 Qnnhcknd.exe 2952 Qckalamk.exe 2952 Qckalamk.exe 3028 Qjeihl32.exe 3028 Qjeihl32.exe 2908 Amhopfof.exe 2908 Amhopfof.exe 2784 Afbpnlcd.exe 2784 Afbpnlcd.exe 2180 Aokdga32.exe 2180 Aokdga32.exe 1636 Anpahn32.exe 1636 Anpahn32.exe 2840 Bghfacem.exe 2840 Bghfacem.exe 3004 Bfncbp32.exe 3004 Bfncbp32.exe 2152 Bpfgke32.exe 2152 Bpfgke32.exe 2092 Bphdpe32.exe 2092 Bphdpe32.exe 1752 Bfeibo32.exe 1752 Bfeibo32.exe 1160 Cpmmkdkn.exe 1160 Cpmmkdkn.exe 2072 Clfkfeno.exe 2072 Clfkfeno.exe 1148 Cogdhpkp.exe 1148 Cogdhpkp.exe 2116 Ckndmaad.exe 2116 Ckndmaad.exe 1040 Dmomnlne.exe 1040 Dmomnlne.exe 1196 Dbkffc32.exe 1196 Dbkffc32.exe 2360 Dkbnhq32.exe 2360 Dkbnhq32.exe 1436 Dihkimag.exe 1436 Dihkimag.exe 936 Dmecokhm.exe 936 Dmecokhm.exe 1716 Dgnhhq32.exe 1716 Dgnhhq32.exe 1144 Ehaaei32.exe 1144 Ehaaei32.exe 1536 Eokiabjf.exe 1536 Eokiabjf.exe 2988 Edkopifk.exe 2988 Edkopifk.exe 2220 Encchoml.exe 2220 Encchoml.exe 1172 Edohki32.exe 1172 Edohki32.exe 2160 Fnhlcn32.exe 2160 Fnhlcn32.exe 2944 Ffcahq32.exe 2944 Ffcahq32.exe 2904 Ffenmp32.exe 2904 Ffenmp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kfbjjjci.exe Jfpndkel.exe File opened for modification C:\Windows\SysWOW64\Imhanp32.exe Ihkifi32.exe File created C:\Windows\SysWOW64\Dcolqccn.dll Lncjhd32.exe File created C:\Windows\SysWOW64\Fmncmobl.dll Ojjnioae.exe File opened for modification C:\Windows\SysWOW64\Bkjpncii.exe Bdpgai32.exe File opened for modification C:\Windows\SysWOW64\Dgnhhq32.exe Dmecokhm.exe File created C:\Windows\SysWOW64\Gqemkl32.dll Nnnbqeib.exe File created C:\Windows\SysWOW64\Lecjaf32.dll Cjljpjjk.exe File opened for modification C:\Windows\SysWOW64\Njobpa32.exe Nnhakp32.exe File created C:\Windows\SysWOW64\Bahhpf32.dll Kpqaanqd.exe File created C:\Windows\SysWOW64\Pkihpi32.exe Pobgjhgh.exe File opened for modification C:\Windows\SysWOW64\Fdmjmenh.exe Faonqiod.exe File opened for modification C:\Windows\SysWOW64\Mfdjpo32.exe Mhpigk32.exe File opened for modification C:\Windows\SysWOW64\Cdmgkl32.exe Copobe32.exe File opened for modification C:\Windows\SysWOW64\Hcohbh32.exe Hekhid32.exe File opened for modification C:\Windows\SysWOW64\Okdahbmm.exe Odjikh32.exe File opened for modification C:\Windows\SysWOW64\Odgqoa32.exe Oojhfj32.exe File created C:\Windows\SysWOW64\Amhigkdj.dll Opcaiggo.exe File opened for modification C:\Windows\SysWOW64\Njipabhe.exe Nijcgp32.exe File created C:\Windows\SysWOW64\Eaegaaah.exe Dcaghm32.exe File opened for modification C:\Windows\SysWOW64\Jeenfd32.exe Ijpjik32.exe File created C:\Windows\SysWOW64\Fnnebjpf.dll Jlkigbef.exe File created C:\Windows\SysWOW64\Jjngil32.dll Lpfagd32.exe File created C:\Windows\SysWOW64\Eghkhikg.dll Hekhid32.exe File opened for modification C:\Windows\SysWOW64\Fqkbkicd.exe Ffenmp32.exe File opened for modification C:\Windows\SysWOW64\Hcajjf32.exe Hjieapck.exe File created C:\Windows\SysWOW64\Blhphg32.dll Lppkgi32.exe File opened for modification C:\Windows\SysWOW64\Npngng32.exe Nffcebdd.exe File created C:\Windows\SysWOW64\Epinhg32.exe Ebemnc32.exe File created C:\Windows\SysWOW64\Cmgpnn32.dll Kofnbk32.exe File created C:\Windows\SysWOW64\Kbcfme32.exe Kjhahb32.exe File created C:\Windows\SysWOW64\Hdilalko.exe Gcjogidl.exe File created C:\Windows\SysWOW64\Pobgjhgh.exe Phhonn32.exe File created C:\Windows\SysWOW64\Ekjqfj32.dll Jocceo32.exe File created C:\Windows\SysWOW64\Cjaieoko.exe Colegflh.exe File created C:\Windows\SysWOW64\Lljolodf.exe Kofnbk32.exe File created C:\Windows\SysWOW64\Qkdhdd32.dll Bphdpe32.exe File created C:\Windows\SysWOW64\Ilmool32.exe Imhanp32.exe File created C:\Windows\SysWOW64\Mibdcakk.exe Mpipkl32.exe File opened for modification C:\Windows\SysWOW64\Fjfllm32.exe Fdjddf32.exe File created C:\Windows\SysWOW64\Bdmhcp32.exe Bgihjl32.exe File opened for modification C:\Windows\SysWOW64\Iapfmg32.exe Inajql32.exe File created C:\Windows\SysWOW64\Hnbgdh32.exe Gegbpe32.exe File created C:\Windows\SysWOW64\Ahlejlon.dll Gkojcgga.exe File created C:\Windows\SysWOW64\Agboqe32.dll Infjfblm.exe File created C:\Windows\SysWOW64\Mqhhbn32.exe Mkkpjg32.exe File opened for modification C:\Windows\SysWOW64\Hjkdoh32.exe Hhjhgpcn.exe File created C:\Windows\SysWOW64\Dmmadecm.dll Qhbdmeoe.exe File opened for modification C:\Windows\SysWOW64\Aqljdclg.exe Afffgjma.exe File created C:\Windows\SysWOW64\Eigaib32.dll Mdahnmck.exe File created C:\Windows\SysWOW64\Fphoal32.dll Mkkpjg32.exe File created C:\Windows\SysWOW64\Fkbadifn.exe Fdemap32.exe File opened for modification C:\Windows\SysWOW64\Dcfknooi.exe Cjngej32.exe File created C:\Windows\SysWOW64\Hdcebagp.exe Hnimeg32.exe File opened for modification C:\Windows\SysWOW64\Ingmoj32.exe Iijdfc32.exe File opened for modification C:\Windows\SysWOW64\Gkojcgga.exe Fidkep32.exe File created C:\Windows\SysWOW64\Hecjco32.exe Hmfhjmho.exe File opened for modification C:\Windows\SysWOW64\Acdfki32.exe Ahoamplo.exe File opened for modification C:\Windows\SysWOW64\Ieiegf32.exe Hibebeqb.exe File created C:\Windows\SysWOW64\Iijdfc32.exe Ibplji32.exe File created C:\Windows\SysWOW64\Ifiilp32.exe Imqdcjkd.exe File created C:\Windows\SysWOW64\Kgelahmn.exe Kjakhcne.exe File opened for modification C:\Windows\SysWOW64\Oojhfj32.exe Oafhmf32.exe File opened for modification C:\Windows\SysWOW64\Kofnbk32.exe Kiifjd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2128 1520 WerFault.exe 587 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkmmpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apllml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmgblphf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfagd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inaliedk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eokiabjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eefdgeig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jadlgjjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcnmme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfcbdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgeopqfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keehmobp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojgnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibplji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqgofo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnmcge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcaaloed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmjmenh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcpmonea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fplgljbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hecjco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emfbgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhikl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbnkha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpkaai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fidkep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npngng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfknjfbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmecokhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjngej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbdoec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqhhbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmbiap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fljhmmci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agebam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifiilp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjlgaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiniaboi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjaieoko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipkgejcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnimeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkefcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcppmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfggbcdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biikne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnhakp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbdje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfigdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pglclk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmffhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkepdbkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpnibl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcaghm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljdlq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajedn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpndlobg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhdgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emceag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhnfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Picdejbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkcllmhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pchdfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afbpnlcd.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbdoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eiajmgka.dll" Elaego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pchdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blonkf32.dll" Egljjmkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moahdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffecai32.dll" Lgdafeln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnodjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jeenfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bonenbgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebemnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmklad32.dll" Bhfjgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijhmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jidppaio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmffhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfkindn.dll" Nfhpjaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqgofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfeiad32.dll" Cgjjdijo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaegaaah.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Encchoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gednek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pglclk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkaihkih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibjnpail.dll" Aamekk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kneflplf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkmmpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcmnkl32.dll" Gjnbmlmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmgklpjm.dll" Lpjiik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciknhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egljjmkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhnjdfcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elhhkb32.dll" Icqagkqp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eibbqmhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfakne32.dll" Ffoihepa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iggdmkmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbgjmcba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjhahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iecaad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khhpmbeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjaieoko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgnhhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biebdbhl.dll" Ceioieei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nojinbej.dll" Pddinn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aglhph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhjhgpcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmgpnn32.dll" Kofnbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afffgjma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpfkhbon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aihjpman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glbhic32.dll" Iolohhpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpmmkdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnepjk32.dll" Bhjngnod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jchhhjjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akfaof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjelpcob.dll" Ldfgbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odjikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdmjfi32.dll" Bnhljnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbkmhded.dll" Colegflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhphkjnb.dll" Hmfhjmho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfalaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cklpml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqlhlo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnbgdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmgmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlnhkclm.dll" Ghkbccdn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1820 wrote to memory of 2932 1820 a177599d46d8ef7525ce30cf46790e54edaa796a88e58fdab9d0b71d0d35b5fd.exe 30 PID 1820 wrote to memory of 2932 1820 a177599d46d8ef7525ce30cf46790e54edaa796a88e58fdab9d0b71d0d35b5fd.exe 30 PID 1820 wrote to memory of 2932 1820 a177599d46d8ef7525ce30cf46790e54edaa796a88e58fdab9d0b71d0d35b5fd.exe 30 PID 1820 wrote to memory of 2932 1820 a177599d46d8ef7525ce30cf46790e54edaa796a88e58fdab9d0b71d0d35b5fd.exe 30 PID 2932 wrote to memory of 2888 2932 Pchdfb32.exe 31 PID 2932 wrote to memory of 2888 2932 Pchdfb32.exe 31 PID 2932 wrote to memory of 2888 2932 Pchdfb32.exe 31 PID 2932 wrote to memory of 2888 2932 Pchdfb32.exe 31 PID 2888 wrote to memory of 2952 2888 Qnnhcknd.exe 32 PID 2888 wrote to memory of 2952 2888 Qnnhcknd.exe 32 PID 2888 wrote to memory of 2952 2888 Qnnhcknd.exe 32 PID 2888 wrote to memory of 2952 2888 Qnnhcknd.exe 32 PID 2952 wrote to memory of 3028 2952 Qckalamk.exe 33 PID 2952 wrote to memory of 3028 2952 Qckalamk.exe 33 PID 2952 wrote to memory of 3028 2952 Qckalamk.exe 33 PID 2952 wrote to memory of 3028 2952 Qckalamk.exe 33 PID 3028 wrote to memory of 2908 3028 Qjeihl32.exe 34 PID 3028 wrote to memory of 2908 3028 Qjeihl32.exe 34 PID 3028 wrote to memory of 2908 3028 Qjeihl32.exe 34 PID 3028 wrote to memory of 2908 3028 Qjeihl32.exe 34 PID 2908 wrote to memory of 2784 2908 Amhopfof.exe 35 PID 2908 wrote to memory of 2784 2908 Amhopfof.exe 35 PID 2908 wrote to memory of 2784 2908 Amhopfof.exe 35 PID 2908 wrote to memory of 2784 2908 Amhopfof.exe 35 PID 2784 wrote to memory of 2180 2784 Afbpnlcd.exe 36 PID 2784 wrote to memory of 2180 2784 Afbpnlcd.exe 36 PID 2784 wrote to memory of 2180 2784 Afbpnlcd.exe 36 PID 2784 wrote to memory of 2180 2784 Afbpnlcd.exe 36 PID 2180 wrote to memory of 1636 2180 Aokdga32.exe 37 PID 2180 wrote to memory of 1636 2180 Aokdga32.exe 37 PID 2180 wrote to memory of 1636 2180 Aokdga32.exe 37 PID 2180 wrote to memory of 1636 2180 Aokdga32.exe 37 PID 1636 wrote to memory of 2840 1636 Anpahn32.exe 38 PID 1636 wrote to memory of 2840 1636 Anpahn32.exe 38 PID 1636 wrote to memory of 2840 1636 Anpahn32.exe 38 PID 1636 wrote to memory of 2840 1636 Anpahn32.exe 38 PID 2840 wrote to memory of 3004 2840 Bghfacem.exe 39 PID 2840 wrote to memory of 3004 2840 Bghfacem.exe 39 PID 2840 wrote to memory of 3004 2840 Bghfacem.exe 39 PID 2840 wrote to memory of 3004 2840 Bghfacem.exe 39 PID 3004 wrote to memory of 2152 3004 Bfncbp32.exe 40 PID 3004 wrote to memory of 2152 3004 Bfncbp32.exe 40 PID 3004 wrote to memory of 2152 3004 Bfncbp32.exe 40 PID 3004 wrote to memory of 2152 3004 Bfncbp32.exe 40 PID 2152 wrote to memory of 2092 2152 Bpfgke32.exe 41 PID 2152 wrote to memory of 2092 2152 Bpfgke32.exe 41 PID 2152 wrote to memory of 2092 2152 Bpfgke32.exe 41 PID 2152 wrote to memory of 2092 2152 Bpfgke32.exe 41 PID 2092 wrote to memory of 1752 2092 Bphdpe32.exe 42 PID 2092 wrote to memory of 1752 2092 Bphdpe32.exe 42 PID 2092 wrote to memory of 1752 2092 Bphdpe32.exe 42 PID 2092 wrote to memory of 1752 2092 Bphdpe32.exe 42 PID 1752 wrote to memory of 1160 1752 Bfeibo32.exe 43 PID 1752 wrote to memory of 1160 1752 Bfeibo32.exe 43 PID 1752 wrote to memory of 1160 1752 Bfeibo32.exe 43 PID 1752 wrote to memory of 1160 1752 Bfeibo32.exe 43 PID 1160 wrote to memory of 2072 1160 Cpmmkdkn.exe 44 PID 1160 wrote to memory of 2072 1160 Cpmmkdkn.exe 44 PID 1160 wrote to memory of 2072 1160 Cpmmkdkn.exe 44 PID 1160 wrote to memory of 2072 1160 Cpmmkdkn.exe 44 PID 2072 wrote to memory of 1148 2072 Clfkfeno.exe 45 PID 2072 wrote to memory of 1148 2072 Clfkfeno.exe 45 PID 2072 wrote to memory of 1148 2072 Clfkfeno.exe 45 PID 2072 wrote to memory of 1148 2072 Clfkfeno.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a177599d46d8ef7525ce30cf46790e54edaa796a88e58fdab9d0b71d0d35b5fd.exe"C:\Users\Admin\AppData\Local\Temp\a177599d46d8ef7525ce30cf46790e54edaa796a88e58fdab9d0b71d0d35b5fd.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1820 -
C:\Windows\SysWOW64\Pchdfb32.exeC:\Windows\system32\Pchdfb32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Qnnhcknd.exeC:\Windows\system32\Qnnhcknd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Qckalamk.exeC:\Windows\system32\Qckalamk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Qjeihl32.exeC:\Windows\system32\Qjeihl32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Amhopfof.exeC:\Windows\system32\Amhopfof.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Afbpnlcd.exeC:\Windows\system32\Afbpnlcd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Aokdga32.exeC:\Windows\system32\Aokdga32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Anpahn32.exeC:\Windows\system32\Anpahn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Bghfacem.exeC:\Windows\system32\Bghfacem.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Bfncbp32.exeC:\Windows\system32\Bfncbp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Bpfgke32.exeC:\Windows\system32\Bpfgke32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Bphdpe32.exeC:\Windows\system32\Bphdpe32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Bfeibo32.exeC:\Windows\system32\Bfeibo32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Cpmmkdkn.exeC:\Windows\system32\Cpmmkdkn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Clfkfeno.exeC:\Windows\system32\Clfkfeno.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Cogdhpkp.exeC:\Windows\system32\Cogdhpkp.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1148 -
C:\Windows\SysWOW64\Ckndmaad.exeC:\Windows\system32\Ckndmaad.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Dmomnlne.exeC:\Windows\system32\Dmomnlne.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Dbkffc32.exeC:\Windows\system32\Dbkffc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1196 -
C:\Windows\SysWOW64\Dkbnhq32.exeC:\Windows\system32\Dkbnhq32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Dihkimag.exeC:\Windows\system32\Dihkimag.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1436 -
C:\Windows\SysWOW64\Dmecokhm.exeC:\Windows\system32\Dmecokhm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:936 -
C:\Windows\SysWOW64\Dgnhhq32.exeC:\Windows\system32\Dgnhhq32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Ehaaei32.exeC:\Windows\system32\Ehaaei32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144 -
C:\Windows\SysWOW64\Eokiabjf.exeC:\Windows\system32\Eokiabjf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Edkopifk.exeC:\Windows\system32\Edkopifk.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Encchoml.exeC:\Windows\system32\Encchoml.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Edohki32.exeC:\Windows\system32\Edohki32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1172 -
C:\Windows\SysWOW64\Fnhlcn32.exeC:\Windows\system32\Fnhlcn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Ffcahq32.exeC:\Windows\system32\Ffcahq32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Ffenmp32.exeC:\Windows\system32\Ffenmp32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Fqkbkicd.exeC:\Windows\system32\Fqkbkicd.exe33⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Fbnkha32.exeC:\Windows\system32\Fbnkha32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3040 -
C:\Windows\SysWOW64\Gdodjlda.exeC:\Windows\system32\Gdodjlda.exe35⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Godhgedg.exeC:\Windows\system32\Godhgedg.exe36⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Gimmpj32.exeC:\Windows\system32\Gimmpj32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Gednek32.exeC:\Windows\system32\Gednek32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Gfggbcdg.exeC:\Windows\system32\Gfggbcdg.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Gjephakn.exeC:\Windows\system32\Gjephakn.exe40⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Hmfhjmho.exeC:\Windows\system32\Hmfhjmho.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1708 -
C:\Windows\SysWOW64\Hecjco32.exeC:\Windows\system32\Hecjco32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Hbgjmcba.exeC:\Windows\system32\Hbgjmcba.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Hbjgbbpn.exeC:\Windows\system32\Hbjgbbpn.exe44⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Imfeip32.exeC:\Windows\system32\Imfeip32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Ihkifi32.exeC:\Windows\system32\Ihkifi32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Imhanp32.exeC:\Windows\system32\Imhanp32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Ilmool32.exeC:\Windows\system32\Ilmool32.exe48⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Ibgglfdl.exeC:\Windows\system32\Ibgglfdl.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Ipkgejcf.exeC:\Windows\system32\Ipkgejcf.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2544 -
C:\Windows\SysWOW64\Jgeobdkc.exeC:\Windows\system32\Jgeobdkc.exe51⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Jpndkj32.exeC:\Windows\system32\Jpndkj32.exe52⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Jifhdphd.exeC:\Windows\system32\Jifhdphd.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Jcnmme32.exeC:\Windows\system32\Jcnmme32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Jdpidm32.exeC:\Windows\system32\Jdpidm32.exe55⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Jkjaaglp.exeC:\Windows\system32\Jkjaaglp.exe56⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Jeofnpke.exeC:\Windows\system32\Jeofnpke.exe57⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Jklnggjm.exeC:\Windows\system32\Jklnggjm.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Jpigonhd.exeC:\Windows\system32\Jpigonhd.exe59⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Kjakhcne.exeC:\Windows\system32\Kjakhcne.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Kgelahmn.exeC:\Windows\system32\Kgelahmn.exe61⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Kcllfi32.exeC:\Windows\system32\Kcllfi32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Knaqcabh.exeC:\Windows\system32\Knaqcabh.exe63⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Kcnilhap.exeC:\Windows\system32\Kcnilhap.exe64⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Kjhahb32.exeC:\Windows\system32\Kjhahb32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Kbcfme32.exeC:\Windows\system32\Kbcfme32.exe66⤵PID:2640
-
C:\Windows\SysWOW64\Klijjnen.exeC:\Windows\system32\Klijjnen.exe67⤵PID:620
-
C:\Windows\SysWOW64\Lbfcbdce.exeC:\Windows\system32\Lbfcbdce.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Lhpkoo32.exeC:\Windows\system32\Lhpkoo32.exe69⤵PID:2672
-
C:\Windows\SysWOW64\Lnmcge32.exeC:\Windows\system32\Lnmcge32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\Ldfldpqf.exeC:\Windows\system32\Ldfldpqf.exe71⤵PID:2424
-
C:\Windows\SysWOW64\Lolpah32.exeC:\Windows\system32\Lolpah32.exe72⤵PID:2976
-
C:\Windows\SysWOW64\Ldihjo32.exeC:\Windows\system32\Ldihjo32.exe73⤵PID:1692
-
C:\Windows\SysWOW64\Lbmicc32.exeC:\Windows\system32\Lbmicc32.exe74⤵PID:1648
-
C:\Windows\SysWOW64\Lcneklck.exeC:\Windows\system32\Lcneklck.exe75⤵PID:2740
-
C:\Windows\SysWOW64\Lncjhd32.exeC:\Windows\system32\Lncjhd32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Ldnbeokn.exeC:\Windows\system32\Ldnbeokn.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268 -
C:\Windows\SysWOW64\Mmifiahi.exeC:\Windows\system32\Mmifiahi.exe78⤵PID:2112
-
C:\Windows\SysWOW64\Mgnkfjho.exeC:\Windows\system32\Mgnkfjho.exe79⤵PID:1892
-
C:\Windows\SysWOW64\Mpipkl32.exeC:\Windows\system32\Mpipkl32.exe80⤵
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Mibdcakk.exeC:\Windows\system32\Mibdcakk.exe81⤵PID:1828
-
C:\Windows\SysWOW64\Mbjhlg32.exeC:\Windows\system32\Mbjhlg32.exe82⤵PID:2080
-
C:\Windows\SysWOW64\Mmpmjpba.exeC:\Windows\system32\Mmpmjpba.exe83⤵PID:1644
-
C:\Windows\SysWOW64\Mfhabe32.exeC:\Windows\system32\Mfhabe32.exe84⤵PID:2216
-
C:\Windows\SysWOW64\Mlejkl32.exeC:\Windows\system32\Mlejkl32.exe85⤵PID:1912
-
C:\Windows\SysWOW64\Mbobgfnf.exeC:\Windows\system32\Mbobgfnf.exe86⤵PID:1084
-
C:\Windows\SysWOW64\Nlgfqldf.exeC:\Windows\system32\Nlgfqldf.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188 -
C:\Windows\SysWOW64\Nadoiccn.exeC:\Windows\system32\Nadoiccn.exe88⤵PID:2540
-
C:\Windows\SysWOW64\Nmkpnd32.exeC:\Windows\system32\Nmkpnd32.exe89⤵PID:2624
-
C:\Windows\SysWOW64\Njopgh32.exeC:\Windows\system32\Njopgh32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1592 -
C:\Windows\SysWOW64\Naihdb32.exeC:\Windows\system32\Naihdb32.exe91⤵PID:2868
-
C:\Windows\SysWOW64\Njammhei.exeC:\Windows\system32\Njammhei.exe92⤵PID:2912
-
C:\Windows\SysWOW64\Npneeocq.exeC:\Windows\system32\Npneeocq.exe93⤵PID:876
-
C:\Windows\SysWOW64\Nifjnd32.exeC:\Windows\system32\Nifjnd32.exe94⤵PID:2724
-
C:\Windows\SysWOW64\Oppbjn32.exeC:\Windows\system32\Oppbjn32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3056 -
C:\Windows\SysWOW64\Oemjbe32.exeC:\Windows\system32\Oemjbe32.exe96⤵PID:1704
-
C:\Windows\SysWOW64\Ooeolkff.exeC:\Windows\system32\Ooeolkff.exe97⤵PID:2656
-
C:\Windows\SysWOW64\Ohncdp32.exeC:\Windows\system32\Ohncdp32.exe98⤵PID:2088
-
C:\Windows\SysWOW64\Oafhmf32.exeC:\Windows\system32\Oafhmf32.exe99⤵
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Oojhfj32.exeC:\Windows\system32\Oojhfj32.exe100⤵
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Odgqoa32.exeC:\Windows\system32\Odgqoa32.exe101⤵PID:1520
-
C:\Windows\SysWOW64\Oakaheoa.exeC:\Windows\system32\Oakaheoa.exe102⤵PID:580
-
C:\Windows\SysWOW64\Odimdqne.exeC:\Windows\system32\Odimdqne.exe103⤵PID:2680
-
C:\Windows\SysWOW64\Pamnnemo.exeC:\Windows\system32\Pamnnemo.exe104⤵PID:2408
-
C:\Windows\SysWOW64\Phgfko32.exeC:\Windows\system32\Phgfko32.exe105⤵PID:2872
-
C:\Windows\SysWOW64\Papkcd32.exeC:\Windows\system32\Papkcd32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2804 -
C:\Windows\SysWOW64\Pglclk32.exeC:\Windows\system32\Pglclk32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Ppegdapd.exeC:\Windows\system32\Ppegdapd.exe108⤵PID:3016
-
C:\Windows\SysWOW64\Pimlmf32.exeC:\Windows\system32\Pimlmf32.exe109⤵PID:1872
-
C:\Windows\SysWOW64\Pceqfl32.exeC:\Windows\system32\Pceqfl32.exe110⤵PID:2280
-
C:\Windows\SysWOW64\Pjpicfdb.exeC:\Windows\system32\Pjpicfdb.exe111⤵PID:2476
-
C:\Windows\SysWOW64\Adncoc32.exeC:\Windows\system32\Adncoc32.exe112⤵PID:2012
-
C:\Windows\SysWOW64\Adppdckh.exeC:\Windows\system32\Adppdckh.exe113⤵PID:968
-
C:\Windows\SysWOW64\Acemeo32.exeC:\Windows\system32\Acemeo32.exe114⤵PID:2660
-
C:\Windows\SysWOW64\Ankabh32.exeC:\Windows\system32\Ankabh32.exe115⤵PID:1288
-
C:\Windows\SysWOW64\Afffgjma.exeC:\Windows\system32\Afffgjma.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Aqljdclg.exeC:\Windows\system32\Aqljdclg.exe117⤵PID:2260
-
C:\Windows\SysWOW64\Agebam32.exeC:\Windows\system32\Agebam32.exe118⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Bigohejb.exeC:\Windows\system32\Bigohejb.exe119⤵PID:2760
-
C:\Windows\SysWOW64\Bclcfnih.exeC:\Windows\system32\Bclcfnih.exe120⤵PID:2508
-
C:\Windows\SysWOW64\Biikne32.exeC:\Windows\system32\Biikne32.exe121⤵
- System Location Discovery: System Language Discovery
PID:2020
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-