Analysis
  max time kernel:   133s
  max time network:  19s
  platform:          windows7_x64
  resource:          win7-20241010-en
  resource tags:     arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  submitted:         27/10/2024, 19:53

Static task:      static1
Behavioral task:  behavioral1
  Sample:    0e9e287638e66bd1bd6acbde4a1c1a859dfd3c6c8993eb53e4af3865e1fbbbbe.exe
  Resource:  win7-20241010-en
Behavioral task:  behavioral2
  Sample:    0e9e287638e66bd1bd6acbde4a1c1a859dfd3c6c8993eb53e4af3865e1fbbbbe.exe
  Resource:  win10v2004-20241007-en

General
  Target:  0e9e287638e66bd1bd6acbde4a1c1a859dfd3c6c8993eb53e4af3865e1fbbbbe.exe
  Size:    96KB
  MD5:     afb3c2a3e6e471b21973ee649dde840d
  SHA1:    d824f5e8ea40006682a2d414ed1d1ed56812ea4f
  SHA256:  0e9e287638e66bd1bd6acbde4a1c1a859dfd3c6c8993eb53e4af3865e1fbbbbe
  SHA512:  5e5f93b8fcd3059ce4c1a2b8229c7d01828096130d22198e928575d3bc05e8c341587f40a1980c5e1fc5bb836685177a3ab2ec737e51ab87258098dd413bbeb3
  SSDEEP:  1536:zALLAc5cnO7gN/yeEMwogVOytw2LU7RZObZUUWaegPYA:zAXAcWnfNqeEdogzDUClUUWae
Malware Config
Extracted configuration (family: berbew). The sample's embedded URL list, as recovered by the sandbox:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
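The list above is the raw set of URLs the sandbox pulled out of the sample's configuration; several hosts appear twice (once with index.php, once with index.htm), and the www.redline.ru, devx.nm.ru, ldark.nm.ru and lovingod.host.sk entries are subdomains that should not be widened to their parent zones. The following PowerShell is an added example, not part of the report or of any sandbox tooling: it reduces the URL list to unique hosts and checks the local DNS client cache for any of them. The URLs are copied from the report; the function names, the matching logic and the output shape are this example's own assumptions, and Get-DnsClientCache is only available on Windows 8 / Server 2012 and later.

```powershell
# Added example (not part of the sandbox report). The URL list below is copied
# from the report's "Malware Config" section; the host extraction and the DNS
# cache check are illustrative triage logic, not vendor code.

$BerbewUrls = @(
    'http://crutop.nu/index.php',        'http://crutop.ru/index.php',
    'http://mazafaka.ru/index.php',      'http://color-bank.ru/index.php',
    'http://asechka.ru/index.php',       'http://trojan.ru/index.php',
    'http://fuck.ru/index.php',          'http://goldensand.ru/index.php',
    'http://filesearch.ru/index.php',    'http://devx.nm.ru/index.php',
    'http://ros-neftbank.ru/index.php',  'http://lovingod.host.sk/index.php',
    'http://www.redline.ru/index.php',   'http://cvv.ru/index.php',
    'http://hackers.lv/index.php',       'http://fethard.biz/index.php',
    'http://ldark.nm.ru/index.htm',      'http://gaz-prom.ru/index.htm',
    'http://promo.ru/index.htm',         'http://potleaf.chat.ru/index.htm',
    'http://kadet.ru/index.htm',         'http://cvv.ru/index.htm',
    'http://crutop.nu/index.htm',        'http://crutop.ru/index.htm',
    'http://mazafaka.ru/index.htm',      'http://xware.cjb.net/index.htm',
    'http://konfiskat.org/index.htm',    'http://parex-bank.ru/index.htm',
    'http://kidos-bank.ru/index.htm',    'http://kavkaz.ru/index.htm',
    'http://fethard.biz/index.htm'
)

function Get-IocHosts {
    # Reduce a URL list to lower-cased, de-duplicated host names. The
    # duplicates (index.php vs index.htm on the same host) collapse here.
    param([string[]]$Urls)
    $Urls |
        ForEach-Object { ([uri]$_).Host.ToLowerInvariant() } |
        Sort-Object -Unique
}

function Find-IocInDnsCache {
    # Report any DNS client cache entry that equals one of the IOC hosts or
    # is a subdomain of it. A hit means something on this machine resolved the
    # name recently; it is a lead, not proof of infection.
    param([string[]]$Hosts)
    $cache = Get-DnsClientCache -ErrorAction SilentlyContinue
    foreach ($entry in $cache) {
        $name = $entry.Entry.ToLowerInvariant().TrimEnd('.')
        foreach ($h in $Hosts) {
            if ($name -eq $h -or $name.EndsWith(".$h")) {
                [pscustomobject]@{
                    CachedName = $entry.Entry
                    IocHost    = $h
                    RecordType = $entry.RecordType
                    Data       = $entry.Data
                }
            }
        }
    }
}

$iocHosts = Get-IocHosts -Urls $BerbewUrls
"{0} URLs -> {1} unique hosts" -f $BerbewUrls.Count, $iocHosts.Count
$iocHosts                       # review before feeding a blocklist
Find-IocInDnsCache -Hosts $iocHosts | Format-Table -AutoSize
```

The 31 URLs collapse to 26 hosts. Keep the subdomain entries (nm.ru, host.sk, cjb.net, chat.ru) as full host names when turning this into a blocklist; blocking the parent free-hosting zones would be far broader than what the sample actually contacts.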
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Entries under ShellServiceObjectDelayLoad are CLSIDs that Explorer.exe instantiates when the shell starts, so the DLL registered as that CLSID's InProcServer32 (see "Modifies registry class" below) is loaded into Explorer without any separate process or service. The sample writes the same entry from many of its dropped executables; where the sandbox lists "Process not Found" it could not attribute the write to a still-running process.

Key:    \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
Value:  Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"

Operation        Process
Set value (str)  Process not Found
Set value (str)  Dnjeoa32.exe
Key created      Cfnmhnhm.exe
Key created      Bmhncg32.exe
Key created      Gndedhdj.exe
Key created      Process not Found
Set value (str)  Process not Found
Key created      Gnhkkjbf.exe
Key created      Acfpilmp.exe
Key created      Fehjcc32.exe
Set value (str)  Process not Found
Set value (str)  Process not Found
Key created      Jlaqba32.exe
Set value (str)  Ldqkqf32.exe
Key created      Process not Found
Key created      Ngcebnen.exe
Key created      Ilcfjkgj.exe
Set value (str)  Amalcd32.exe
Key created      Dhcanahm.exe
Set value (str)  Phdiglap.exe
Set value (str)  Process not Found
Key created      Process not Found
Set value (str)  Process not Found
Key created      Process not Found
Set value (str)  Process not Found
Set value (str)  Process not Found
Set value (str)  Hefibg32.exe
Key created      Kmbclj32.exe
Set value (str)  Kjpafanf.exe
Key created      Dejnme32.exe
Set value (str)  Process not Found
Key created      Process not Found
Set value (str)  Process not Found
Key created      Joaebkni.exe
Set value (str)  Lcdmekne.exe
Key created      Knmjmodm.exe
Set value (str)  Jpjpmqjl.exe
Set value (str)  Eiapjq32.exe
Key created      Nkpckeek.exe
Key created      Process not Found
Key created      Qnagbc32.exe
Set value (str)  Ghihfl32.exe
Set value (str)  Blhifemo.exe
Set value (str)  Jodkkj32.exe
Set value (str)  Nihgndip.exe
Key created      Niednn32.exe
Set value (str)  Kpgpfdoj.exe
Key created      Gcnjmi32.exe
Set value (str)  Process not Found
Set value (str)  Process not Found
Set value (str)  Giljinne.exe
Set value (str)  Hpnbjfjj.exe
Key created      Bpgmhkfi.exe
Set value (str)  Mlgjce32.exe
Set value (str)  Gbmdpg32.exe
Key created      Process not Found
Key created      Process not Found
Key created      Process not Found
Key created      Process not Found
Key created      Process not Found
Set value (str)  Kpblne32.exe
Key created      Bpfhfjgq.exe
Key created      Eibbqmhd.exe
Set value (str)  Clehoiam.exe
Berbew family

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.

Bruteratel family

Detect BruteRatel badger (6 IoCs)
YARA rule family_bruteratel matched on the following dropped files:
  behavioral1/files/0x000400000001eac7-3556.dat
  behavioral1/files/0x0005000000020142-3936.dat
  behavioral1/files/0x00030000000210ee-9477.dat
  behavioral1/files/0x00030000000218a5-14002.dat
  behavioral1/files/0x000300000002193c-14233.dat
  behavioral1/files/0x0003000000021d64-16060.dat

Note that this is a rule hit on six dropped .dat files, reported alongside a Berbew family verdict for which the sandbox also extracted Berbew's own URL configuration. A YARA match on dropped artefacts is weaker evidence than an extracted configuration, so confirm the Brute Ratel attribution against the files themselves before acting on it.
Executes dropped EXE (64 IoCs)
The listing runs alphabetically by first letter (A to O), which is consistent with each dropped executable launching the next in a chain rather than the original sample spawning them all.

PID   Process
2828  Pgamgken.exe
2268  Qkeofnfk.exe
2984  Akhkkmdh.exe
2928  Anhdmh32.exe
2856  Ajoebigm.exe
2864  Ampncd32.exe
2720  Bmbkid32.exe
2168  Biikne32.exe
2924  Bkjdpp32.exe
592   Bedene32.exe
2312  Bbhfgj32.exe
2040  Cfkkam32.exe
1280  Cjhdgk32.exe
2256  Cinahhff.exe
2484  Cedbmi32.exe
1468  Dhekodik.exe
2160  Didgig32.exe
2544  Dbmlal32.exe
2716  Dmgmbj32.exe
772   Ehonebqq.exe
3060  Eipjmk32.exe
1172  Elqcnfdp.exe
976   Egfglocf.exe
2488  Eigpmjqg.exe
2072  Eenabkfk.exe
2652  Fofekp32.exe
2604  Fagnmkjm.exe
3028  Fhccoe32.exe
2476  Fqnhcgma.exe
2852  Fgjmfa32.exe
2904  Gjkfglom.exe
2580  Gkoodd32.exe
2384  Gomhkb32.exe
2588  Idepdhia.exe
620   Janihlcf.exe
3064  Jinghn32.exe
2448  Kkfjpemb.exe
2596  Kabobo32.exe
564   Lnipgp32.exe
2672  Ljpqlqmd.exe
2456  Lpmeojbo.exe
2136  Lobbpg32.exe
1968  Lhjghlng.exe
700   Mfngbq32.exe
1532  Moflkfca.exe
2512  Mdcdcmai.exe
2304  Mjpmkdpp.exe
948   Mqjehngm.exe
2660  Mkpieggc.exe
2668  Mmafmo32.exe
1916  Mjeffc32.exe
1588  Mpaoojjb.exe
1148  Mjgclcjh.exe
2900  Nqakim32.exe
2224  Nilpmo32.exe
2576  Ncbdjhnf.exe
1036  Nnkekfkd.exe
1496  Neemgp32.exe
2552  Nalnmahf.exe
2840  Nicfnn32.exe
1760  Nbljfdoh.exe
1324  Oldooi32.exe
2404  Ododdlcd.exe
1784  Oacdmpan.exe
Loads dropped DLL (64 IoCs)
Each of the 32 processes below appears twice in the report (two dropped-DLL loads per process); the list is the original sample followed by the first 31 entries of the "Executes dropped EXE" chain.

PID   Process
2348  0e9e287638e66bd1bd6acbde4a1c1a859dfd3c6c8993eb53e4af3865e1fbbbbe.exe
2828  Pgamgken.exe
2268  Qkeofnfk.exe
2984  Akhkkmdh.exe
2928  Anhdmh32.exe
2856  Ajoebigm.exe
2864  Ampncd32.exe
2720  Bmbkid32.exe
2168  Biikne32.exe
2924  Bkjdpp32.exe
592   Bedene32.exe
2312  Bbhfgj32.exe
2040  Cfkkam32.exe
1280  Cjhdgk32.exe
2256  Cinahhff.exe
2484  Cedbmi32.exe
1468  Dhekodik.exe
2160  Didgig32.exe
2544  Dbmlal32.exe
2716  Dmgmbj32.exe
772   Ehonebqq.exe
3060  Eipjmk32.exe
1172  Elqcnfdp.exe
976   Egfglocf.exe
2488  Eigpmjqg.exe
2072  Eenabkfk.exe
2652  Fofekp32.exe
2604  Fagnmkjm.exe
3028  Fhccoe32.exe
2476  Fqnhcgma.exe
2852  Fgjmfa32.exe
2904  Gjkfglom.exe
Drops file in System32 directory (64 IoCs)
All paths are under C:\Windows\SysWOW64\. Dropped names follow one shape: eight characters, capitalised first letter, often ending in "32", with both .exe and .dll payloads.

Operation                   File                               Process
File created                C:\Windows\SysWOW64\Gaiehjfb.exe   Ghqqpd32.exe
File created                C:\Windows\SysWOW64\Qnqmeo32.dll   Pfpflenm.exe
File opened for modification C:\Windows\SysWOW64\Ggjmhn32.exe  Gbmdpg32.exe
File created                C:\Windows\SysWOW64\Nldbbbno.exe   Nannejni.exe
File opened for modification C:\Windows\SysWOW64\Glaejokn.exe  Fkphcg32.exe
File created                C:\Windows\SysWOW64\Pjemgibi.exe   Process not Found
File created                C:\Windows\SysWOW64\Mdpbnlbe.exe   Process not Found
File created                C:\Windows\SysWOW64\Dpmlcpdm.exe   Cncmei32.exe
File created                C:\Windows\SysWOW64\Bonenbgj.exe   Bdiaqj32.exe
File created                C:\Windows\SysWOW64\Gkcifn32.dll   Process not Found
File created                C:\Windows\SysWOW64\Bhkjbbln.dll   Efllcf32.exe
File created                C:\Windows\SysWOW64\Pgnpcg32.exe   Pldobjec.exe
File created                C:\Windows\SysWOW64\Mdhdigjp.dll   Eljihn32.exe
File opened for modification C:\Windows\SysWOW64\Nfmoabnf.exe  Process not Found
File created                C:\Windows\SysWOW64\Nmiccl32.exe   Process not Found
File created                C:\Windows\SysWOW64\Ckboba32.exe   Cplkehnk.exe
File created                C:\Windows\SysWOW64\Bboqgikn.dll   Fjdqbbkp.exe
File created                C:\Windows\SysWOW64\Caajmilh.exe   Ckgapo32.exe
File created                C:\Windows\SysWOW64\Oakgdgok.exe   Process not Found
File created                C:\Windows\SysWOW64\Lnfnomon.dll   Process not Found
File created                C:\Windows\SysWOW64\Fgjmfa32.exe   Fqnhcgma.exe
File created                C:\Windows\SysWOW64\Imccco32.exe   Process not Found
File created                C:\Windows\SysWOW64\Onefel32.dll   Process not Found
File opened for modification C:\Windows\SysWOW64\Hkccpb32.exe  Process not Found
File created                C:\Windows\SysWOW64\Cojnol32.exe   Process not Found
File opened for modification C:\Windows\SysWOW64\Ahdkhp32.exe  Anngkg32.exe
File created                C:\Windows\SysWOW64\Cejhld32.exe   Ccileljk.exe
File created                C:\Windows\SysWOW64\Pafklb32.dll   Fdpmljan.exe
File created                C:\Windows\SysWOW64\Oigmbagp.exe   Olclimif.exe
File created                C:\Windows\SysWOW64\Mdcadn32.dll   Biakbc32.exe
File created                C:\Windows\SysWOW64\Clpeajjb.exe   Cfemdp32.exe
File created                C:\Windows\SysWOW64\Gaoihhbo.dll   Angklf32.exe
File created                C:\Windows\SysWOW64\Hllkhoaj.exe   Hinolcbf.exe
File opened for modification C:\Windows\SysWOW64\Cojnol32.exe  Process not Found
File created                C:\Windows\SysWOW64\Oqdioaqf.exe   Odmhjp32.exe
File created                C:\Windows\SysWOW64\Kgddin32.exe   Knlpphnd.exe
File created                C:\Windows\SysWOW64\Neemgp32.exe   Nnkekfkd.exe
File opened for modification C:\Windows\SysWOW64\Amaiklki.exe  Qfganb32.exe
File created                C:\Windows\SysWOW64\Pfeqph32.dll   Igjabj32.exe
File created                C:\Windows\SysWOW64\Pmokcpjc.dll   Lbjlppja.exe
File created                C:\Windows\SysWOW64\Jngdfa32.dll   Eipekmjg.exe
File created                C:\Windows\SysWOW64\Oggkklnk.exe   Nkpjfkhf.exe
File opened for modification C:\Windows\SysWOW64\Ghlgdecf.exe  Gncblo32.exe
File opened for modification C:\Windows\SysWOW64\Ejjjef32.exe  Process not Found
File opened for modification C:\Windows\SysWOW64\Ocpfmd32.exe  Oncndnlq.exe
File created                C:\Windows\SysWOW64\Nqkkea32.dll   Qfedhb32.exe
File created                C:\Windows\SysWOW64\Mbpolb32.dll   Dfecim32.exe
File created                C:\Windows\SysWOW64\Qbhpddbf.exe   Pipklo32.exe
File opened for modification C:\Windows\SysWOW64\Clehoiam.exe  Ckdlgq32.exe
File created                C:\Windows\SysWOW64\Cbhdaaae.dll   Process not Found
File created                C:\Windows\SysWOW64\Bmjnlp32.exe   Process not Found
File opened for modification C:\Windows\SysWOW64\Gomhkb32.exe  Gkoodd32.exe
File opened for modification C:\Windows\SysWOW64\Ajpgkb32.exe  Adcobk32.exe
File opened for modification C:\Windows\SysWOW64\Mddidnqa.exe  Mogqlgbi.exe
File created                C:\Windows\SysWOW64\Epoemc32.dll   Edgkap32.exe
File created                C:\Windows\SysWOW64\Ebiomefn.dll   Ppjjcogn.exe
File opened for modification C:\Windows\SysWOW64\Fkdoii32.exe  Fmpnpe32.exe
File created                C:\Windows\SysWOW64\Mnheniaa.exe   Process not Found
File created                C:\Windows\SysWOW64\Mofnek32.exe   Process not Found
File opened for modification C:\Windows\SysWOW64\Fadoqc32.exe  Process not Found
File created                C:\Windows\SysWOW64\Iaqnbb32.exe   Ilcfjkgj.exe
File created                C:\Windows\SysWOW64\Fgdjipfc.exe   Fnleqj32.exe
File opened for modification C:\Windows\SysWOW64\Ekofijic.exe  Edenlp32.exe
File created                C:\Windows\SysWOW64\Edfncj32.dll   Process not Found
Program crash (1 IoCs)

PID   PID target  Process            Process ID target
4700  5424        Process not Found  1576
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
An attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Operation: Key opened
Key:       \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language

Opened by the following 42 dropped executables, plus 22 further openings the sandbox could attribute only to "Process not Found":
Ageedflj.exe, Lpkkbcle.exe, Jmplqp32.exe, Obpbhk32.exe, Bfliqmjg.exe, Kcjcefbd.exe, Niednn32.exe, Donijk32.exe, Jinghn32.exe, Amaiklki.exe, Jcknqicd.exe, Kchfpf32.exe, Kpliac32.exe, Bcdbjl32.exe, Kiihcmoi.exe, Iihhmhng.exe, Fdpmljan.exe, Oooeeb32.exe, Mmgoqg32.exe, Ikhqbo32.exe, Ohikeegf.exe, Jgaikb32.exe, Jlnadiko.exe, Ifhinl32.exe, Lcolpe32.exe, Npngng32.exe, Dfdqpdja.exe, Jgidnobg.exe, Cdejpg32.exe, Kfcoll32.exe, Jlleni32.exe, Mlifie32.exe, Cjhdgk32.exe, Aaeiqf32.exe, Hefibg32.exe, Mnfhfmhc.exe, Lpodmb32.exe, Eljihn32.exe, Bmhmgbif.exe, Bpbokj32.exe, Hddgkj32.exe, Aniffaim.exe
Modifies registry class (64 IoCs)
These writes register the CLSID referenced by the ShellServiceObjectDelayLoad entry above as an in-process COM server. The (default) value of InProcServer32 names the DLL Explorer will load, and every DLL written here is an eight-character name in SysWow64 matching the dropped-file naming pattern.

Key: \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32

Operation        Value                                          Process
Key created      -                                              Joaebkni.exe
Key created      -                                              Process not Found
Key created      -                                              Process not Found
Set value (str)  (default) = C:\Windows\SysWow64\Eodepf32.dll   Process not Found
Set value (str)  (default) = C:\Windows\SysWow64\Iaakko32.dll   Process not Found
Key created      -                                              Nbegonmd.exe
Key created      -                                              Naqkki32.exe
Key created      -                                              Qjnajl32.exe
Set value (str)  ThreadingModel = Apartment                     Process not Found
Key created      -                                              Process not Found
Set value (str)  ThreadingModel = Apartment                     Gjkfglom.exe
Set value (str)  ThreadingModel = Apartment                     Hnbgdh32.exe
Set value (str)  ThreadingModel = Apartment                     Odmhjp32.exe
Key created      -                                              Hchcmnlj.exe
Set value (str)  ThreadingModel = Apartment                     Process not Found
Key created      -                                              Process not Found
Set value (str)  ThreadingModel = Apartment                     Boncej32.exe
Key created      -                                              Caajmilh.exe
Set value (str)  ThreadingModel = Apartment                     Lnipilbb.exe
Set value (str)  ThreadingModel = Apartment                     Process not Found
Key created      -                                              Process not Found
Set value (str)  ThreadingModel = Apartment                     Process not Found
Key created      -                                              Iolohhpc.exe
Key created      -                                              Process not Found
Key created      -                                              Process not Found
Set value (str)  ThreadingModel = Apartment                     Ljdgqc32.exe
Key created      -                                              Process not Found
Key created      -                                              Process not Found
Key created      -                                              Mmafmo32.exe
Key created      -                                              Bcobdgoj.exe
Set value (str)  (default) = C:\Windows\SysWow64\Jpojog32.dll   Jcknqicd.exe
Key created      -                                              Process not Found
Set value (str)  ThreadingModel = Apartment                     Hpplfm32.exe
Set value (str)  ThreadingModel = Apartment                     Nkfpefme.exe
Set value (str)  ThreadingModel = Apartment                     Process not Found
Set value (str)  ThreadingModel = Apartment                     Nolhoc32.exe
Set value (str)  ThreadingModel = Apartment                     Cmnjgo32.exe
Key created      -                                              Nannejni.exe
Set value (str)  (default) = C:\Windows\SysWow64\Ejnjlm32.dll   Dhagaj32.exe
Key created      -                                              Fdfpfm32.exe
Set value (str)  ThreadingModel = Apartment                     Lpbhmiji.exe
Set value (str)  (default) = C:\Windows\SysWow64\Akekgimh.dll   Kfnpgg32.exe
Set value (str)  (default) = C:\Windows\SysWow64\Jplcaknb.dll   Cffejk32.exe
Set value (str)  ThreadingModel = Apartment                     Process not Found
Set value (str)  ThreadingModel = Apartment                     Nfgadbcc.exe
Set value (str)  (default) = C:\Windows\SysWow64\Bhgibh32.dll   Angmdoho.exe
Set value (str)  (default) = C:\Windows\SysWow64\Gbnlhcog.dll   Dkbpbe32.exe
Set value (str)  (default) = C:\Windows\SysWow64\Dqlaidjj.dll   Process not Found
Set value (str)  (default) = C:\Windows\SysWow64\Fadeofij.dll   Process not Found
Key created      -                                              Peolmb32.exe
Key created      -                                              Boakgapg.exe
Set value (str)  ThreadingModel = Apartment                     Eggajb32.exe
Key created      -                                              Bdnmda32.exe
Key created      -                                              Process not Found
Set value (str)  ThreadingModel = Apartment                     Process not Found
Set value (str)  (default) = C:\Windows\SysWow64\Joohocpp.dll   Bgmagh32.exe
Key created      -                                              Process not Found
Set value (str)  ThreadingModel = Apartment                     Process not Found
Key created      -                                              Process not Found
Set value (str)  (default) = C:\Windows\SysWow64\Epinic32.dll   Lklmoccl.exe
Key created      -                                              Jlleni32.exe
Set value (str)  ThreadingModel = Apartment                     Kfflal32.exe
Set value (str)  ThreadingModel = Apartment                     Cnekcblk.exe
Set value (str)  ThreadingModel = Apartment                     (process name missing; the report is cut off here)
Process not Found -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 2348 wrote to memory of 2828 2348 0e9e287638e66bd1bd6acbde4a1c1a859dfd3c6c8993eb53e4af3865e1fbbbbe.exe 29
PID 2348 wrote to memory of 2828 2348 0e9e287638e66bd1bd6acbde4a1c1a859dfd3c6c8993eb53e4af3865e1fbbbbe.exe 29
PID 2348 wrote to memory of 2828 2348 0e9e287638e66bd1bd6acbde4a1c1a859dfd3c6c8993eb53e4af3865e1fbbbbe.exe 29
PID 2348 wrote to memory of 2828 2348 0e9e287638e66bd1bd6acbde4a1c1a859dfd3c6c8993eb53e4af3865e1fbbbbe.exe 29
PID 2828 wrote to memory of 2268 2828 Pgamgken.exe 30
PID 2828 wrote to memory of 2268 2828 Pgamgken.exe 30
PID 2828 wrote to memory of 2268 2828 Pgamgken.exe 30
PID 2828 wrote to memory of 2268 2828 Pgamgken.exe 30
PID 2268 wrote to memory of 2984 2268 Qkeofnfk.exe 31
PID 2268 wrote to memory of 2984 2268 Qkeofnfk.exe 31
PID 2268 wrote to memory of 2984 2268 Qkeofnfk.exe 31
PID 2268 wrote to memory of 2984 2268 Qkeofnfk.exe 31
PID 2984 wrote to memory of 2928 2984 Akhkkmdh.exe 32
PID 2984 wrote to memory of 2928 2984 Akhkkmdh.exe 32
PID 2984 wrote to memory of 2928 2984 Akhkkmdh.exe 32
PID 2984 wrote to memory of 2928 2984 Akhkkmdh.exe 32
PID 2928 wrote to memory of 2856 2928 Anhdmh32.exe 33
PID 2928 wrote to memory of 2856 2928 Anhdmh32.exe 33
PID 2928 wrote to memory of 2856 2928 Anhdmh32.exe 33
PID 2928 wrote to memory of 2856 2928 Anhdmh32.exe 33
PID 2856 wrote to memory of 2864 2856 Ajoebigm.exe 34
PID 2856 wrote to memory of 2864 2856 Ajoebigm.exe 34
PID 2856 wrote to memory of 2864 2856 Ajoebigm.exe 34
PID 2856 wrote to memory of 2864 2856 Ajoebigm.exe 34
PID 2864 wrote to memory of 2720 2864 Ampncd32.exe 35
PID 2864 wrote to memory of 2720 2864 Ampncd32.exe 35
PID 2864 wrote to memory of 2720 2864 Ampncd32.exe 35
PID 2864 wrote to memory of 2720 2864 Ampncd32.exe 35
PID 2720 wrote to memory of 2168 2720 Bmbkid32.exe 36
PID 2720 wrote to memory of 2168 2720 Bmbkid32.exe 36
PID 2720 wrote to memory of 2168 2720 Bmbkid32.exe 36
PID 2720 wrote to memory of 2168 2720 Bmbkid32.exe 36
PID 2168 wrote to memory of 2924 2168 Biikne32.exe 37
PID 2168 wrote to memory of 2924 2168 Biikne32.exe 37
PID 2168 wrote to memory of 2924 2168 Biikne32.exe 37
PID 2168 wrote to memory of 2924 2168 Biikne32.exe 37
PID 2924 wrote to memory of 592 2924 Bkjdpp32.exe 38
PID 2924 wrote to memory of 592 2924 Bkjdpp32.exe 38
PID 2924 wrote to memory of 592 2924 Bkjdpp32.exe 38
PID 2924 wrote to memory of 592 2924 Bkjdpp32.exe 38
PID 592 wrote to memory of 2312 592 Bedene32.exe 39
PID 592 wrote to memory of 2312 592 Bedene32.exe 39
PID 592 wrote to memory of 2312 592 Bedene32.exe 39
PID 592 wrote to memory of 2312 592 Bedene32.exe 39
PID 2312 wrote to memory of 2040 2312 Bbhfgj32.exe 40
PID 2312 wrote to memory of 2040 2312 Bbhfgj32.exe 40
PID 2312 wrote to memory of 2040 2312 Bbhfgj32.exe 40
PID 2312 wrote to memory of 2040 2312 Bbhfgj32.exe 40
PID 2040 wrote to memory of 1280 2040 Cfkkam32.exe 41
PID 2040 wrote to memory of 1280 2040 Cfkkam32.exe 41
PID 2040 wrote to memory of 1280 2040 Cfkkam32.exe 41
PID 2040 wrote to memory of 1280 2040 Cfkkam32.exe 41
PID 1280 wrote to memory of 2256 1280 Cjhdgk32.exe 42
PID 1280 wrote to memory of 2256 1280 Cjhdgk32.exe 42
PID 1280 wrote to memory of 2256 1280 Cjhdgk32.exe 42
PID 1280 wrote to memory of 2256 1280 Cjhdgk32.exe 42
PID 2256 wrote to memory of 2484 2256 Cinahhff.exe 43
PID 2256 wrote to memory of 2484 2256 Cinahhff.exe 43
PID 2256 wrote to memory of 2484 2256 Cinahhff.exe 43
PID 2256 wrote to memory of 2484 2256 Cinahhff.exe 43
PID 2484 wrote to memory of 1468 2484 Cedbmi32.exe 44
PID 2484 wrote to memory of 1468 2484 Cedbmi32.exe 44
PID 2484 wrote to memory of 1468 2484 Cedbmi32.exe 44
PID 2484 wrote to memory of 1468 2484 Cedbmi32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\0e9e287638e66bd1bd6acbde4a1c1a859dfd3c6c8993eb53e4af3865e1fbbbbe.exe"C:\Users\Admin\AppData\Local\Temp\0e9e287638e66bd1bd6acbde4a1c1a859dfd3c6c8993eb53e4af3865e1fbbbbe.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Pgamgken.exeC:\Windows\system32\Pgamgken.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Qkeofnfk.exeC:\Windows\system32\Qkeofnfk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Akhkkmdh.exeC:\Windows\system32\Akhkkmdh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Anhdmh32.exeC:\Windows\system32\Anhdmh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Ajoebigm.exeC:\Windows\system32\Ajoebigm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Ampncd32.exeC:\Windows\system32\Ampncd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Bmbkid32.exeC:\Windows\system32\Bmbkid32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Biikne32.exeC:\Windows\system32\Biikne32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Bkjdpp32.exeC:\Windows\system32\Bkjdpp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Bedene32.exeC:\Windows\system32\Bedene32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:592 -
C:\Windows\SysWOW64\Bbhfgj32.exeC:\Windows\system32\Bbhfgj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Cfkkam32.exeC:\Windows\system32\Cfkkam32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Cjhdgk32.exeC:\Windows\system32\Cjhdgk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1280 -
C:\Windows\SysWOW64\Cinahhff.exeC:\Windows\system32\Cinahhff.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Cedbmi32.exeC:\Windows\system32\Cedbmi32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Windows\SysWOW64\Dhekodik.exeC:\Windows\system32\Dhekodik.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1468 -
C:\Windows\SysWOW64\Didgig32.exeC:\Windows\system32\Didgig32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Dbmlal32.exeC:\Windows\system32\Dbmlal32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Dmgmbj32.exeC:\Windows\system32\Dmgmbj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Ehonebqq.exeC:\Windows\system32\Ehonebqq.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Eipjmk32.exeC:\Windows\system32\Eipjmk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Elqcnfdp.exeC:\Windows\system32\Elqcnfdp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1172 -
C:\Windows\SysWOW64\Egfglocf.exeC:\Windows\system32\Egfglocf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\Eigpmjqg.exeC:\Windows\system32\Eigpmjqg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2488 -
C:\Windows\SysWOW64\Eenabkfk.exeC:\Windows\system32\Eenabkfk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Fofekp32.exeC:\Windows\system32\Fofekp32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Fagnmkjm.exeC:\Windows\system32\Fagnmkjm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Fhccoe32.exeC:\Windows\system32\Fhccoe32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3028 -
C:\Windows\SysWOW64\Fqnhcgma.exeC:\Windows\system32\Fqnhcgma.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Fgjmfa32.exeC:\Windows\system32\Fgjmfa32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Gjkfglom.exeC:\Windows\system32\Gjkfglom.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Gkoodd32.exeC:\Windows\system32\Gkoodd32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Gomhkb32.exeC:\Windows\system32\Gomhkb32.exe34⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Idepdhia.exeC:\Windows\system32\Idepdhia.exe35⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Janihlcf.exeC:\Windows\system32\Janihlcf.exe36⤵
- Executes dropped EXE
PID:620 -
C:\Windows\SysWOW64\Jinghn32.exeC:\Windows\system32\Jinghn32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Kkfjpemb.exeC:\Windows\system32\Kkfjpemb.exe38⤵
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Kabobo32.exeC:\Windows\system32\Kabobo32.exe39⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Lnipgp32.exeC:\Windows\system32\Lnipgp32.exe40⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Ljpqlqmd.exeC:\Windows\system32\Ljpqlqmd.exe41⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Lpmeojbo.exeC:\Windows\system32\Lpmeojbo.exe42⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Lobbpg32.exeC:\Windows\system32\Lobbpg32.exe43⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Lhjghlng.exeC:\Windows\system32\Lhjghlng.exe44⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Mfngbq32.exeC:\Windows\system32\Mfngbq32.exe45⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Moflkfca.exeC:\Windows\system32\Moflkfca.exe46⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Mdcdcmai.exeC:\Windows\system32\Mdcdcmai.exe47⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Mjpmkdpp.exeC:\Windows\system32\Mjpmkdpp.exe48⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Mqjehngm.exeC:\Windows\system32\Mqjehngm.exe49⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Mkpieggc.exeC:\Windows\system32\Mkpieggc.exe50⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Mmafmo32.exeC:\Windows\system32\Mmafmo32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2668 -
C:\Windows\SysWOW64\Mjeffc32.exeC:\Windows\system32\Mjeffc32.exe52⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Mpaoojjb.exeC:\Windows\system32\Mpaoojjb.exe53⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Mjgclcjh.exeC:\Windows\system32\Mjgclcjh.exe54⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Nqakim32.exeC:\Windows\system32\Nqakim32.exe55⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Nilpmo32.exeC:\Windows\system32\Nilpmo32.exe56⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Ncbdjhnf.exeC:\Windows\system32\Ncbdjhnf.exe57⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Nnkekfkd.exeC:\Windows\system32\Nnkekfkd.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1036 -
C:\Windows\SysWOW64\Neemgp32.exeC:\Windows\system32\Neemgp32.exe59⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Nalnmahf.exeC:\Windows\system32\Nalnmahf.exe60⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Nicfnn32.exeC:\Windows\system32\Nicfnn32.exe61⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Nbljfdoh.exeC:\Windows\system32\Nbljfdoh.exe62⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Oldooi32.exeC:\Windows\system32\Oldooi32.exe63⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Ododdlcd.exeC:\Windows\system32\Ododdlcd.exe64⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Oacdmpan.exeC:\Windows\system32\Oacdmpan.exe65⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Ojlife32.exeC:\Windows\system32\Ojlife32.exe66⤵PID:236
-
C:\Windows\SysWOW64\Oaeacppk.exeC:\Windows\system32\Oaeacppk.exe67⤵PID:2524
-
C:\Windows\SysWOW64\Oiqegb32.exeC:\Windows\system32\Oiqegb32.exe68⤵PID:1240
-
C:\Windows\SysWOW64\Obijpgcf.exeC:\Windows\system32\Obijpgcf.exe69⤵PID:304
-
C:\Windows\SysWOW64\Ppmkilbp.exeC:\Windows\system32\Ppmkilbp.exe70⤵PID:928
-
C:\Windows\SysWOW64\Pbkgegad.exeC:\Windows\system32\Pbkgegad.exe71⤵PID:816
-
C:\Windows\SysWOW64\Ppogok32.exeC:\Windows\system32\Ppogok32.exe72⤵PID:364
-
C:\Windows\SysWOW64\Paqdgcfl.exeC:\Windows\system32\Paqdgcfl.exe73⤵PID:2320
-
C:\Windows\SysWOW64\Plfhdlfb.exeC:\Windows\system32\Plfhdlfb.exe74⤵PID:2236
-
C:\Windows\SysWOW64\Peolmb32.exeC:\Windows\system32\Peolmb32.exe75⤵
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Plheil32.exeC:\Windows\system32\Plheil32.exe76⤵PID:2972
-
C:\Windows\SysWOW64\Peaibajp.exeC:\Windows\system32\Peaibajp.exe77⤵PID:2756
-
C:\Windows\SysWOW64\Ppjjcogn.exeC:\Windows\system32\Ppjjcogn.exe78⤵
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Qkpnph32.exeC:\Windows\system32\Qkpnph32.exe79⤵PID:2364
-
C:\Windows\SysWOW64\Qajfmbna.exeC:\Windows\system32\Qajfmbna.exe80⤵PID:3048
-
C:\Windows\SysWOW64\Qckcdj32.exeC:\Windows\system32\Qckcdj32.exe81⤵PID:3056
-
C:\Windows\SysWOW64\Qnagbc32.exeC:\Windows\system32\Qnagbc32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1656 -
C:\Windows\SysWOW64\Qpocno32.exeC:\Windows\system32\Qpocno32.exe83⤵PID:1184
-
C:\Windows\SysWOW64\Agilkijf.exeC:\Windows\system32\Agilkijf.exe84⤵PID:2700
-
C:\Windows\SysWOW64\Apapcnaf.exeC:\Windows\system32\Apapcnaf.exe85⤵PID:1544
-
C:\Windows\SysWOW64\Aenileon.exeC:\Windows\system32\Aenileon.exe86⤵PID:2612
-
C:\Windows\SysWOW64\Alhaho32.exeC:\Windows\system32\Alhaho32.exe87⤵PID:1428
-
C:\Windows\SysWOW64\Aaeiqf32.exeC:\Windows\system32\Aaeiqf32.exe88⤵
- System Location Discovery: System Language Discovery
PID:1156 -
C:\Windows\SysWOW64\Alknnodh.exeC:\Windows\system32\Alknnodh.exe89⤵PID:2276
-
C:\Windows\SysWOW64\Aagfffbo.exeC:\Windows\system32\Aagfffbo.exe90⤵PID:1612
-
C:\Windows\SysWOW64\Ahancp32.exeC:\Windows\system32\Ahancp32.exe91⤵PID:3032
-
C:\Windows\SysWOW64\Anngkg32.exeC:\Windows\system32\Anngkg32.exe92⤵
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Ahdkhp32.exeC:\Windows\system32\Ahdkhp32.exe93⤵PID:2804
-
C:\Windows\SysWOW64\Boncej32.exeC:\Windows\system32\Boncej32.exe94⤵
- Modifies registry class
PID:2356 -
C:\Windows\SysWOW64\Bqopmbed.exeC:\Windows\system32\Bqopmbed.exe95⤵PID:2820
-
C:\Windows\SysWOW64\Bkddjkej.exeC:\Windows\system32\Bkddjkej.exe96⤵PID:1120
-
C:\Windows\SysWOW64\Bdmhcp32.exeC:\Windows\system32\Bdmhcp32.exe97⤵PID:2000
-
C:\Windows\SysWOW64\Bjjakg32.exeC:\Windows\system32\Bjjakg32.exe98⤵PID:2344
-
C:\Windows\SysWOW64\Bmhmgbif.exeC:\Windows\system32\Bmhmgbif.exe99⤵
- System Location Discovery: System Language Discovery
PID:964 -
C:\Windows\SysWOW64\Bjlnaghp.exeC:\Windows\system32\Bjlnaghp.exe100⤵PID:612
-
C:\Windows\SysWOW64\Bmjjmbgc.exeC:\Windows\system32\Bmjjmbgc.exe101⤵PID:2196
-
C:\Windows\SysWOW64\Bcdbjl32.exeC:\Windows\system32\Bcdbjl32.exe102⤵
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\Biakbc32.exeC:\Windows\system32\Biakbc32.exe103⤵
- Drops file in System32 directory
PID:2144 -
C:\Windows\SysWOW64\Bbjoki32.exeC:\Windows\system32\Bbjoki32.exe104⤵PID:2572
-
C:\Windows\SysWOW64\Cmocha32.exeC:\Windows\system32\Cmocha32.exe105⤵PID:2884
-
C:\Windows\SysWOW64\Ccileljk.exeC:\Windows\system32\Ccileljk.exe106⤵
- Drops file in System32 directory
PID:2444 -
C:\Windows\SysWOW64\Cejhld32.exeC:\Windows\system32\Cejhld32.exe107⤵PID:2736
-
C:\Windows\SysWOW64\Cncmei32.exeC:\Windows\system32\Cncmei32.exe108⤵
- Drops file in System32 directory
PID:2284 -
C:\Windows\SysWOW64\Dpmlcpdm.exeC:\Windows\system32\Dpmlcpdm.exe109⤵PID:1500
-
C:\Windows\SysWOW64\Dlfina32.exeC:\Windows\system32\Dlfina32.exe110⤵PID:2396
-
C:\Windows\SysWOW64\Eecgafkj.exeC:\Windows\system32\Eecgafkj.exe111⤵PID:892
-
C:\Windows\SysWOW64\Eolljk32.exeC:\Windows\system32\Eolljk32.exe112⤵PID:1756
-
C:\Windows\SysWOW64\Elpldp32.exeC:\Windows\system32\Elpldp32.exe113⤵PID:1560
-
C:\Windows\SysWOW64\Eehqme32.exeC:\Windows\system32\Eehqme32.exe114⤵PID:2152
-
C:\Windows\SysWOW64\Ekeiel32.exeC:\Windows\system32\Ekeiel32.exe115⤵PID:2460
-
C:\Windows\SysWOW64\Edmnnakm.exeC:\Windows\system32\Edmnnakm.exe116⤵PID:2292
-
C:\Windows\SysWOW64\Eijffhjd.exeC:\Windows\system32\Eijffhjd.exe117⤵PID:2608
-
C:\Windows\SysWOW64\Fdpjcaij.exeC:\Windows\system32\Fdpjcaij.exe118⤵PID:2952
-
C:\Windows\SysWOW64\Flkohc32.exeC:\Windows\system32\Flkohc32.exe119⤵PID:2860
-
C:\Windows\SysWOW64\Fgqcel32.exeC:\Windows\system32\Fgqcel32.exe120⤵PID:1232
-
C:\Windows\SysWOW64\Folhio32.exeC:\Windows\system32\Folhio32.exe121⤵PID:3036
-
C:\Windows\SysWOW64\Fhdlbd32.exeC:\Windows\system32\Fhdlbd32.exe122⤵PID:2132