Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
07-11-2024 09:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bdde9862c8d76bd5dad526eb85e7a4f6dad320f951b09d9cb0c26eb71d6a2201N.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
bdde9862c8d76bd5dad526eb85e7a4f6dad320f951b09d9cb0c26eb71d6a2201N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
bdde9862c8d76bd5dad526eb85e7a4f6dad320f951b09d9cb0c26eb71d6a2201N.exe
-
Size
96KB
-
MD5
69a6d32a79bcb943ffe1bc430e1a7180
-
SHA1
14f5ee0a9a5d8ea7ad839443d85ea0469ecd7e78
-
SHA256
bdde9862c8d76bd5dad526eb85e7a4f6dad320f951b09d9cb0c26eb71d6a2201
-
SHA512
5dbe879aa73d177dbbe9d754e15d4a33e30bb3234cc3799042dc49b162abdaf97cb13c0bb748846236f64930fcb6f6c67c68540992785804c4944df9a5a6a6cb
-
SSDEEP
1536:PHIaNnqEh9CL80VZbCnIw52LcQ7RZObZUUWaegPYA:znqEHCL8UZbcyfClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdekgjno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjallg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gljpncgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohagbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ackkppma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hghillnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnheohcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bccmmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpdqdkie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhbnbpjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfglep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eegkpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oidiekdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpbdmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgnbnpkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkjmoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgmigeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhiomn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Famope32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdoajb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cicpch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbhmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlkngc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eibgpnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpgajgeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhiei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajcipc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjdkjpkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecpjfq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmobhmnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbphk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neiaeiii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fennoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meoell32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqonbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehmbng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjlgfaco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kohnoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjokokha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dahgni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecpjfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggkibhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 6 IoCs
resource yara_rule behavioral1/files/0x000500000001a5e0-590.dat family_bruteratel behavioral1/files/0x0003000000020c21-5938.dat family_bruteratel behavioral1/files/0x000300000002129c-9212.dat family_bruteratel behavioral1/files/0x0003000000021467-10453.dat family_bruteratel behavioral1/files/0x000300000002146b-10461.dat family_bruteratel behavioral1/files/0x0003000000021930-12635.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2872 Mhloponc.exe 2864 Mkklljmg.exe 2852 Mmihhelk.exe 2740 Mpjqiq32.exe 2568 Naimccpo.exe 1484 Nckjkl32.exe 2052 Ndjfeo32.exe 2772 Nekbmgcn.exe 2540 Nodgel32.exe 3000 Niikceid.exe 2556 Nadpgggp.exe 2996 Nhohda32.exe 1192 Oagmmgdm.exe 2240 Ollajp32.exe 1232 Ookmfk32.exe 1984 Olonpp32.exe 1924 Oalfhf32.exe 776 Ohendqhd.exe 1548 Oopfakpa.exe 900 Ogkkfmml.exe 2164 Oappcfmb.exe 1208 Odoloalf.exe 2112 Ogmhkmki.exe 1600 Pngphgbf.exe 880 Pmjqcc32.exe 2808 Pcdipnqn.exe 1588 Pmlmic32.exe 2816 Pcfefmnk.exe 2792 Pmojocel.exe 2528 Pomfkndo.exe 684 Pjbjhgde.exe 536 Pmagdbci.exe 1796 Pkfceo32.exe 2352 Pndpajgd.exe 3020 Qkhpkoen.exe 2968 Qngmgjeb.exe 2516 Qqeicede.exe 2508 Aniimjbo.exe 1576 Acfaeq32.exe 2060 Aganeoip.exe 2204 Afgkfl32.exe 1132 Annbhi32.exe 1272 Ackkppma.exe 1364 Ajecmj32.exe 2760 Afkdakjb.exe 2908 Aijpnfif.exe 2392 Acpdko32.exe 1368 Afnagk32.exe 1496 Bmhideol.exe 1568 Bpfeppop.exe 2260 Becnhgmg.exe 2676 Bhajdblk.exe 2800 Bphbeplm.exe 1044 Bbgnak32.exe 1788 Bajomhbl.exe 2608 Biafnecn.exe 3060 Blobjaba.exe 2304 Balkchpi.exe 1968 Bdkgocpm.exe 2264 Blaopqpo.exe 2140 Bhhpeafc.exe 2220 Bfkpqn32.exe 964 Bkglameg.exe 1336 Cdoajb32.exe -
Loads dropped DLL 64 IoCs
pid Process 2876 bdde9862c8d76bd5dad526eb85e7a4f6dad320f951b09d9cb0c26eb71d6a2201N.exe 2876 bdde9862c8d76bd5dad526eb85e7a4f6dad320f951b09d9cb0c26eb71d6a2201N.exe 2872 Mhloponc.exe 2872 Mhloponc.exe 2864 Mkklljmg.exe 2864 Mkklljmg.exe 2852 Mmihhelk.exe 2852 Mmihhelk.exe 2740 Mpjqiq32.exe 2740 Mpjqiq32.exe 2568 Naimccpo.exe 2568 Naimccpo.exe 1484 Nckjkl32.exe 1484 Nckjkl32.exe 2052 Ndjfeo32.exe 2052 Ndjfeo32.exe 2772 Nekbmgcn.exe 2772 Nekbmgcn.exe 2540 Nodgel32.exe 2540 Nodgel32.exe 3000 Niikceid.exe 3000 Niikceid.exe 2556 Nadpgggp.exe 2556 Nadpgggp.exe 2996 Nhohda32.exe 2996 Nhohda32.exe 1192 Oagmmgdm.exe 1192 Oagmmgdm.exe 2240 Ollajp32.exe 2240 Ollajp32.exe 1232 Ookmfk32.exe 1232 Ookmfk32.exe 1984 Olonpp32.exe 1984 Olonpp32.exe 1924 Oalfhf32.exe 1924 Oalfhf32.exe 776 Ohendqhd.exe 776 Ohendqhd.exe 1548 Oopfakpa.exe 1548 Oopfakpa.exe 900 Ogkkfmml.exe 900 Ogkkfmml.exe 2164 Oappcfmb.exe 2164 Oappcfmb.exe 1208 Odoloalf.exe 1208 Odoloalf.exe 2112 Ogmhkmki.exe 2112 Ogmhkmki.exe 1600 Pngphgbf.exe 1600 Pngphgbf.exe 880 Pmjqcc32.exe 880 Pmjqcc32.exe 2808 Pcdipnqn.exe 2808 Pcdipnqn.exe 1588 Pmlmic32.exe 1588 Pmlmic32.exe 2816 Pcfefmnk.exe 2816 Pcfefmnk.exe 2792 Pmojocel.exe 2792 Pmojocel.exe 2528 Pomfkndo.exe 2528 Pomfkndo.exe 684 Pjbjhgde.exe 684 Pjbjhgde.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bajqfq32.exe Bnldjekl.exe File created C:\Windows\SysWOW64\Mdceqkca.dll Process not Found File created C:\Windows\SysWOW64\Kbdmeoob.exe Kofaicon.exe File created C:\Windows\SysWOW64\Cbjfpgpa.dll Emgioakg.exe File opened for modification C:\Windows\SysWOW64\Gqaafn32.exe Gnbejb32.exe File created C:\Windows\SysWOW64\Jkbolo32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Djlfma32.exe Process not Found File created C:\Windows\SysWOW64\Bjallg32.exe Bcgdom32.exe File opened for modification C:\Windows\SysWOW64\Ciaefa32.exe Cbgmigeq.exe File created C:\Windows\SysWOW64\Oekjjl32.exe Obmnna32.exe File created C:\Windows\SysWOW64\Chnlno32.dll Gkoobhhg.exe File opened for modification C:\Windows\SysWOW64\Jfcqgpfi.exe Jcedkd32.exe File opened for modification C:\Windows\SysWOW64\Aficjnpm.exe Akcomepg.exe File created C:\Windows\SysWOW64\Hmomml32.exe Hhbdee32.exe File opened for modification C:\Windows\SysWOW64\Eldglp32.exe Eiekpd32.exe File created C:\Windows\SysWOW64\Ecnoijbd.exe Eldglp32.exe File opened for modification C:\Windows\SysWOW64\Piicpk32.exe Obokcqhk.exe File created C:\Windows\SysWOW64\Nflpljfn.dll Efqbglen.exe File created C:\Windows\SysWOW64\Cidddj32.exe Process not Found File created C:\Windows\SysWOW64\Gqaafn32.exe Gnbejb32.exe File created C:\Windows\SysWOW64\Dcoaml32.dll Process not Found File created C:\Windows\SysWOW64\Ciifbchf.exe Bbonei32.exe File created C:\Windows\SysWOW64\Gcheib32.exe Gbfiaj32.exe File created C:\Windows\SysWOW64\Ehpcehcj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jcedkd32.exe Jpfhoi32.exe File opened for modification C:\Windows\SysWOW64\Fggmldfp.exe Process not Found File created C:\Windows\SysWOW64\Odoloalf.exe Oappcfmb.exe File opened for modification C:\Windows\SysWOW64\Gcgnnlle.exe Gmmfaa32.exe File opened for modification C:\Windows\SysWOW64\Jliaac32.exe Jmfafgbd.exe File created C:\Windows\SysWOW64\Pkcbnanl.exe Pdjjag32.exe File opened for modification C:\Windows\SysWOW64\Ipcibkff.dll Enbnkigh.exe File opened for modification C:\Windows\SysWOW64\Bnfddp32.exe Bkhhhd32.exe File opened for modification C:\Windows\SysWOW64\Phcpgm32.exe Peedka32.exe File opened for modification C:\Windows\SysWOW64\Gkalhgfd.exe Gaihob32.exe File created C:\Windows\SysWOW64\Qkghgpfi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Flnlkgjq.exe Process not Found File created C:\Windows\SysWOW64\Keeeje32.exe Process not Found File created C:\Windows\SysWOW64\Ecpjfq32.exe Elfaifaq.exe File created C:\Windows\SysWOW64\Hkojbh32.dll Oehklddp.exe File opened for modification C:\Windows\SysWOW64\Mjaddn32.exe Lhpglecl.exe File created C:\Windows\SysWOW64\Annbhi32.exe Afgkfl32.exe File created C:\Windows\SysWOW64\Nomqhi32.dll Pkljdj32.exe File created C:\Windows\SysWOW64\Eimllb32.dll Debadpeg.exe File created C:\Windows\SysWOW64\Lclknm32.dll Process not Found File created C:\Windows\SysWOW64\Ifbgfk32.dll Ogmhkmki.exe File created C:\Windows\SysWOW64\Depbfhpe.exe Dbafjlaa.exe File opened for modification C:\Windows\SysWOW64\Ikldqile.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kindeddf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kjllab32.exe Kgnpeg32.exe File created C:\Windows\SysWOW64\Dogpdg32.exe Dklddhka.exe File created C:\Windows\SysWOW64\Jhbold32.exe Jedcpi32.exe File opened for modification C:\Windows\SysWOW64\Alnalh32.exe Ajpepm32.exe File created C:\Windows\SysWOW64\Qaqnkafa.exe Qobbofgn.exe File opened for modification C:\Windows\SysWOW64\Hbnmienj.exe Hnbaif32.exe File created C:\Windows\SysWOW64\Pocdjfob.dll Process not Found File created C:\Windows\SysWOW64\Pgejcl32.dll Process not Found File created C:\Windows\SysWOW64\Fchopn32.dll Process not Found File created C:\Windows\SysWOW64\Kablnadm.exe Process not Found File created C:\Windows\SysWOW64\Hbmmlqlp.dll Process not Found File opened for modification C:\Windows\SysWOW64\Mmakmp32.exe Mjcoqdoc.exe File created C:\Windows\SysWOW64\Bnfeag32.dll Bjallg32.exe File created C:\Windows\SysWOW64\Gbqahmoc.dll Phcpgm32.exe File created C:\Windows\SysWOW64\Ojojafnk.dll Iefcfe32.exe File created C:\Windows\SysWOW64\Bipalg32.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 3352 5496 Process not Found 1382 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imoilo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Depbfhpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imahkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhhhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elcpbigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhloponc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eccpoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkleabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcpgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbnhmjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Demofaol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbcbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calcpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ommfga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilabmedg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iigpli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfbpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcdopc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifaciae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnlnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heikgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgmahg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Offmipej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bchfhfeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejjbbkpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjdfjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbohehoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpfeppop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnhgim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmijmnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dphjcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkofjijm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpdeogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfdkoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifpke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acfmcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edaalk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcajhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfkpqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giiglhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ookmfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjmpbopd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lflplbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmbqhif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhbdee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okojkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agbpnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgmigeq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjbeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Heokmmgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnmcfeia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjmbqhif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikmnfdoq.dll" Mihdgkpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgifkl32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dahgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alihaioe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibigbjj.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkjdopeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaeafklf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekaggl32.dll" Kjleflod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcghof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khdecggq.dll" Ndqkleln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpebakpc.dll" Ckcepj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gghkdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihmpobck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hibeif32.dll" Oagmmgdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dacpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdmagqq.dll" Cmjbhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejjbbkpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcghof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcgjmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lainhkdi.dll" Odbeilbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dldkmlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkejjlpp.dll" Dmmmfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knnpkl32.dll" Ihbcmaje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nncojg32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gihniioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohkaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbfcnc32.dll" Pkcbnanl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cinfhigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgbfamff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlfga32.dll" Odoloalf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klcdfdcb.dll" Mfjann32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meffhnal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkjmoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aidphq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnbejb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkihdioa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egmojnlf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idcacc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khcomhbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lghlndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dklddhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjfpafmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjbafi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ampjoj32.dll" Mkaghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mleeaj32.dll" Bbbgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlbboiip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bncaekhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adcdbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gnaooi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2876 wrote to memory of 2872 2876 bdde9862c8d76bd5dad526eb85e7a4f6dad320f951b09d9cb0c26eb71d6a2201N.exe 30 PID 2876 wrote to memory of 2872 2876 bdde9862c8d76bd5dad526eb85e7a4f6dad320f951b09d9cb0c26eb71d6a2201N.exe 30 PID 2876 wrote to memory of 2872 2876 bdde9862c8d76bd5dad526eb85e7a4f6dad320f951b09d9cb0c26eb71d6a2201N.exe 30 PID 2876 wrote to memory of 2872 2876 bdde9862c8d76bd5dad526eb85e7a4f6dad320f951b09d9cb0c26eb71d6a2201N.exe 30 PID 2872 wrote to memory of 2864 2872 Mhloponc.exe 31 PID 2872 wrote to memory of 2864 2872 Mhloponc.exe 31 PID 2872 wrote to memory of 2864 2872 Mhloponc.exe 31 PID 2872 wrote to memory of 2864 2872 Mhloponc.exe 31 PID 2864 wrote to memory of 2852 2864 Mkklljmg.exe 32 PID 2864 wrote to memory of 2852 2864 Mkklljmg.exe 32 PID 2864 wrote to memory of 2852 2864 Mkklljmg.exe 32 PID 2864 wrote to memory of 2852 2864 Mkklljmg.exe 32 PID 2852 wrote to memory of 2740 2852 Mmihhelk.exe 33 PID 2852 wrote to memory of 2740 2852 Mmihhelk.exe 33 PID 2852 wrote to memory of 2740 2852 Mmihhelk.exe 33 PID 2852 wrote to memory of 2740 2852 Mmihhelk.exe 33 PID 2740 wrote to memory of 2568 2740 Mpjqiq32.exe 34 PID 2740 wrote to memory of 2568 2740 Mpjqiq32.exe 34 PID 2740 wrote to memory of 2568 2740 Mpjqiq32.exe 34 PID 2740 wrote to memory of 2568 2740 Mpjqiq32.exe 34 PID 2568 wrote to memory of 1484 2568 Naimccpo.exe 35 PID 2568 wrote to memory of 1484 2568 Naimccpo.exe 35 PID 2568 wrote to memory of 1484 2568 Naimccpo.exe 35 PID 2568 wrote to memory of 1484 2568 Naimccpo.exe 35 PID 1484 wrote to memory of 2052 1484 Nckjkl32.exe 36 PID 1484 wrote to memory of 2052 1484 Nckjkl32.exe 36 PID 1484 wrote to memory of 2052 1484 Nckjkl32.exe 36 PID 1484 wrote to memory of 2052 1484 Nckjkl32.exe 36 PID 2052 wrote to memory of 2772 2052 Ndjfeo32.exe 37 PID 2052 wrote to memory of 2772 2052 Ndjfeo32.exe 37 PID 2052 wrote to memory of 2772 2052 Ndjfeo32.exe 37 PID 2052 wrote to memory of 2772 2052 Ndjfeo32.exe 37 PID 2772 wrote to memory of 2540 2772 Nekbmgcn.exe 38 PID 2772 wrote to memory of 2540 2772 Nekbmgcn.exe 38 PID 2772 wrote to memory of 2540 2772 Nekbmgcn.exe 38 PID 2772 wrote to memory of 2540 2772 Nekbmgcn.exe 38 PID 2540 wrote to memory of 3000 2540 Nodgel32.exe 39 PID 2540 wrote to memory of 3000 2540 Nodgel32.exe 39 PID 2540 wrote to memory of 3000 2540 Nodgel32.exe 39 PID 2540 wrote to memory of 3000 2540 Nodgel32.exe 39 PID 3000 wrote to memory of 2556 3000 Niikceid.exe 40 PID 3000 wrote to memory of 2556 3000 Niikceid.exe 40 PID 3000 wrote to memory of 2556 3000 Niikceid.exe 40 PID 3000 wrote to memory of 2556 3000 Niikceid.exe 40 PID 2556 wrote to memory of 2996 2556 Nadpgggp.exe 41 PID 2556 wrote to memory of 2996 2556 Nadpgggp.exe 41 PID 2556 wrote to memory of 2996 2556 Nadpgggp.exe 41 PID 2556 wrote to memory of 2996 2556 Nadpgggp.exe 41 PID 2996 wrote to memory of 1192 2996 Nhohda32.exe 42 PID 2996 wrote to memory of 1192 2996 Nhohda32.exe 42 PID 2996 wrote to memory of 1192 2996 Nhohda32.exe 42 PID 2996 wrote to memory of 1192 2996 Nhohda32.exe 42 PID 1192 wrote to memory of 2240 1192 Oagmmgdm.exe 43 PID 1192 wrote to memory of 2240 1192 Oagmmgdm.exe 43 PID 1192 wrote to memory of 2240 1192 Oagmmgdm.exe 43 PID 1192 wrote to memory of 2240 1192 Oagmmgdm.exe 43 PID 2240 wrote to memory of 1232 2240 Ollajp32.exe 44 PID 2240 wrote to memory of 1232 2240 Ollajp32.exe 44 PID 2240 wrote to memory of 1232 2240 Ollajp32.exe 44 PID 2240 wrote to memory of 1232 2240 Ollajp32.exe 44 PID 1232 wrote to memory of 1984 1232 Ookmfk32.exe 45 PID 1232 wrote to memory of 1984 1232 Ookmfk32.exe 45 PID 1232 wrote to memory of 1984 1232 Ookmfk32.exe 45 PID 1232 wrote to memory of 1984 1232 Ookmfk32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bdde9862c8d76bd5dad526eb85e7a4f6dad320f951b09d9cb0c26eb71d6a2201N.exe"C:\Users\Admin\AppData\Local\Temp\bdde9862c8d76bd5dad526eb85e7a4f6dad320f951b09d9cb0c26eb71d6a2201N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Mhloponc.exeC:\Windows\system32\Mhloponc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Mkklljmg.exeC:\Windows\system32\Mkklljmg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Mmihhelk.exeC:\Windows\system32\Mmihhelk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Mpjqiq32.exeC:\Windows\system32\Mpjqiq32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Naimccpo.exeC:\Windows\system32\Naimccpo.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Nekbmgcn.exeC:\Windows\system32\Nekbmgcn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Nodgel32.exeC:\Windows\system32\Nodgel32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Niikceid.exeC:\Windows\system32\Niikceid.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Nadpgggp.exeC:\Windows\system32\Nadpgggp.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Nhohda32.exeC:\Windows\system32\Nhohda32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Oagmmgdm.exeC:\Windows\system32\Oagmmgdm.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Ollajp32.exeC:\Windows\system32\Ollajp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Ookmfk32.exeC:\Windows\system32\Ookmfk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Olonpp32.exeC:\Windows\system32\Olonpp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Oalfhf32.exeC:\Windows\system32\Oalfhf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Ohendqhd.exeC:\Windows\system32\Ohendqhd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Windows\SysWOW64\Oopfakpa.exeC:\Windows\system32\Oopfakpa.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Ogkkfmml.exeC:\Windows\system32\Ogkkfmml.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:900 -
C:\Windows\SysWOW64\Oappcfmb.exeC:\Windows\system32\Oappcfmb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Odoloalf.exeC:\Windows\system32\Odoloalf.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1208 -
C:\Windows\SysWOW64\Ogmhkmki.exeC:\Windows\system32\Ogmhkmki.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Pngphgbf.exeC:\Windows\system32\Pngphgbf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Pmjqcc32.exeC:\Windows\system32\Pmjqcc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880 -
C:\Windows\SysWOW64\Pcdipnqn.exeC:\Windows\system32\Pcdipnqn.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Pmlmic32.exeC:\Windows\system32\Pmlmic32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Pcfefmnk.exeC:\Windows\system32\Pcfefmnk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Pmojocel.exeC:\Windows\system32\Pmojocel.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2792 -
C:\Windows\SysWOW64\Pomfkndo.exeC:\Windows\system32\Pomfkndo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Pjbjhgde.exeC:\Windows\system32\Pjbjhgde.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:684 -
C:\Windows\SysWOW64\Pmagdbci.exeC:\Windows\system32\Pmagdbci.exe33⤵
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Pkfceo32.exeC:\Windows\system32\Pkfceo32.exe34⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Pndpajgd.exeC:\Windows\system32\Pndpajgd.exe35⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Qkhpkoen.exeC:\Windows\system32\Qkhpkoen.exe36⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Qngmgjeb.exeC:\Windows\system32\Qngmgjeb.exe37⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe38⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Aniimjbo.exeC:\Windows\system32\Aniimjbo.exe39⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Acfaeq32.exeC:\Windows\system32\Acfaeq32.exe40⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Aganeoip.exeC:\Windows\system32\Aganeoip.exe41⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Afgkfl32.exeC:\Windows\system32\Afgkfl32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Annbhi32.exeC:\Windows\system32\Annbhi32.exe43⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Ackkppma.exeC:\Windows\system32\Ackkppma.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Ajecmj32.exeC:\Windows\system32\Ajecmj32.exe45⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Afkdakjb.exeC:\Windows\system32\Afkdakjb.exe46⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Aijpnfif.exeC:\Windows\system32\Aijpnfif.exe47⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Acpdko32.exeC:\Windows\system32\Acpdko32.exe48⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe49⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Bmhideol.exeC:\Windows\system32\Bmhideol.exe50⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Bpfeppop.exeC:\Windows\system32\Bpfeppop.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Windows\SysWOW64\Becnhgmg.exeC:\Windows\system32\Becnhgmg.exe52⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Bhajdblk.exeC:\Windows\system32\Bhajdblk.exe53⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Bphbeplm.exeC:\Windows\system32\Bphbeplm.exe54⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Bbgnak32.exeC:\Windows\system32\Bbgnak32.exe55⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Bajomhbl.exeC:\Windows\system32\Bajomhbl.exe56⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Biafnecn.exeC:\Windows\system32\Biafnecn.exe57⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Blobjaba.exeC:\Windows\system32\Blobjaba.exe58⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Balkchpi.exeC:\Windows\system32\Balkchpi.exe59⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Bdkgocpm.exeC:\Windows\system32\Bdkgocpm.exe60⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Blaopqpo.exeC:\Windows\system32\Blaopqpo.exe61⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Bhhpeafc.exeC:\Windows\system32\Bhhpeafc.exe62⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Bfkpqn32.exeC:\Windows\system32\Bfkpqn32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2220 -
C:\Windows\SysWOW64\Bkglameg.exeC:\Windows\system32\Bkglameg.exe64⤵
- Executes dropped EXE
PID:964 -
C:\Windows\SysWOW64\Cdoajb32.exeC:\Windows\system32\Cdoajb32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Cfnmfn32.exeC:\Windows\system32\Cfnmfn32.exe66⤵PID:2572
-
C:\Windows\SysWOW64\Cilibi32.exeC:\Windows\system32\Cilibi32.exe67⤵PID:1780
-
C:\Windows\SysWOW64\Cpfaocal.exeC:\Windows\system32\Cpfaocal.exe68⤵PID:1276
-
C:\Windows\SysWOW64\Cbdnko32.exeC:\Windows\system32\Cbdnko32.exe69⤵PID:1040
-
C:\Windows\SysWOW64\Cinfhigl.exeC:\Windows\system32\Cinfhigl.exe70⤵
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Cmjbhh32.exeC:\Windows\system32\Cmjbhh32.exe71⤵
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Cddjebgb.exeC:\Windows\system32\Cddjebgb.exe72⤵PID:2664
-
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe73⤵
- Modifies registry class
PID:688 -
C:\Windows\SysWOW64\Cmlong32.exeC:\Windows\system32\Cmlong32.exe74⤵PID:1732
-
C:\Windows\SysWOW64\Clooiddm.exeC:\Windows\system32\Clooiddm.exe75⤵PID:2532
-
C:\Windows\SysWOW64\Cgdcgm32.exeC:\Windows\system32\Cgdcgm32.exe76⤵PID:3012
-
C:\Windows\SysWOW64\Cicpch32.exeC:\Windows\system32\Cicpch32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2076 -
C:\Windows\SysWOW64\Cpmhpbkc.exeC:\Windows\system32\Cpmhpbkc.exe78⤵PID:552
-
C:\Windows\SysWOW64\Cophko32.exeC:\Windows\system32\Cophko32.exe79⤵PID:2888
-
C:\Windows\SysWOW64\Cckdlnjg.exeC:\Windows\system32\Cckdlnjg.exe80⤵PID:840
-
C:\Windows\SysWOW64\Cielhh32.exeC:\Windows\system32\Cielhh32.exe81⤵PID:1344
-
C:\Windows\SysWOW64\Dkgippgb.exeC:\Windows\system32\Dkgippgb.exe82⤵PID:1760
-
C:\Windows\SysWOW64\Dcnqanhd.exeC:\Windows\system32\Dcnqanhd.exe83⤵PID:1048
-
C:\Windows\SysWOW64\Dhkiid32.exeC:\Windows\system32\Dhkiid32.exe84⤵PID:2324
-
C:\Windows\SysWOW64\Dlfejcoe.exeC:\Windows\system32\Dlfejcoe.exe85⤵PID:2824
-
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe86⤵PID:1704
-
C:\Windows\SysWOW64\Deojci32.exeC:\Windows\system32\Deojci32.exe87⤵PID:1584
-
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe88⤵PID:3044
-
C:\Windows\SysWOW64\Dognlnlf.exeC:\Windows\system32\Dognlnlf.exe89⤵PID:1980
-
C:\Windows\SysWOW64\Dphjcf32.exeC:\Windows\system32\Dphjcf32.exe90⤵
- System Location Discovery: System Language Discovery
PID:2564 -
C:\Windows\SysWOW64\Djqoll32.exeC:\Windows\system32\Djqoll32.exe91⤵PID:3024
-
C:\Windows\SysWOW64\Dahgni32.exeC:\Windows\system32\Dahgni32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Ddfcje32.exeC:\Windows\system32\Ddfcje32.exe93⤵PID:1032
-
C:\Windows\SysWOW64\Dkpkfooh.exeC:\Windows\system32\Dkpkfooh.exe94⤵PID:1084
-
C:\Windows\SysWOW64\Dnnhbjnk.exeC:\Windows\system32\Dnnhbjnk.exe95⤵PID:976
-
C:\Windows\SysWOW64\Dpmdofno.exeC:\Windows\system32\Dpmdofno.exe96⤵PID:2600
-
C:\Windows\SysWOW64\Egglkp32.exeC:\Windows\system32\Egglkp32.exe97⤵PID:2356
-
C:\Windows\SysWOW64\Enqdhj32.exeC:\Windows\system32\Enqdhj32.exe98⤵PID:888
-
C:\Windows\SysWOW64\Elcdcgcc.exeC:\Windows\system32\Elcdcgcc.exe99⤵PID:2924
-
C:\Windows\SysWOW64\Eobapbbg.exeC:\Windows\system32\Eobapbbg.exe100⤵PID:2844
-
C:\Windows\SysWOW64\Egiiapci.exeC:\Windows\system32\Egiiapci.exe101⤵PID:1388
-
C:\Windows\SysWOW64\Elfaifaq.exeC:\Windows\system32\Elfaifaq.exe102⤵
- Drops file in System32 directory
PID:708 -
C:\Windows\SysWOW64\Ecpjfq32.exeC:\Windows\system32\Ecpjfq32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2580 -
C:\Windows\SysWOW64\Ebcjamoh.exeC:\Windows\system32\Ebcjamoh.exe104⤵PID:1332
-
C:\Windows\SysWOW64\Ejjbbkpj.exeC:\Windows\system32\Ejjbbkpj.exe105⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Ehmbng32.exeC:\Windows\system32\Ehmbng32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2460 -
C:\Windows\SysWOW64\Ekknjcfh.exeC:\Windows\system32\Ekknjcfh.exe107⤵PID:692
-
C:\Windows\SysWOW64\Efqbglen.exeC:\Windows\system32\Efqbglen.exe108⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Ehoocgeb.exeC:\Windows\system32\Ehoocgeb.exe109⤵PID:300
-
C:\Windows\SysWOW64\Eoigpa32.exeC:\Windows\system32\Eoigpa32.exe110⤵PID:1512
-
C:\Windows\SysWOW64\Ebgclm32.exeC:\Windows\system32\Ebgclm32.exe111⤵PID:1036
-
C:\Windows\SysWOW64\Ehakigbo.exeC:\Windows\system32\Ehakigbo.exe112⤵PID:2812
-
C:\Windows\SysWOW64\Ekpheb32.exeC:\Windows\system32\Ekpheb32.exe113⤵PID:1644
-
C:\Windows\SysWOW64\Fokdfajl.exeC:\Windows\system32\Fokdfajl.exe114⤵PID:2180
-
C:\Windows\SysWOW64\Fqmpni32.exeC:\Windows\system32\Fqmpni32.exe115⤵PID:2764
-
C:\Windows\SysWOW64\Fkbdkb32.exeC:\Windows\system32\Fkbdkb32.exe116⤵PID:2644
-
C:\Windows\SysWOW64\Fnqqgm32.exeC:\Windows\system32\Fnqqgm32.exe117⤵PID:3032
-
C:\Windows\SysWOW64\Fdjidgfa.exeC:\Windows\system32\Fdjidgfa.exe118⤵PID:2380
-
C:\Windows\SysWOW64\Fcmiod32.exeC:\Windows\system32\Fcmiod32.exe119⤵PID:1828
-
C:\Windows\SysWOW64\Fjgalndh.exeC:\Windows\system32\Fjgalndh.exe120⤵PID:2396
-
C:\Windows\SysWOW64\Fmfnhj32.exeC:\Windows\system32\Fmfnhj32.exe121⤵PID:1816
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-