Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16-01-2025 01:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe
-
Size
96KB
-
MD5
bbf1c00ea7e970054b22763958338843
-
SHA1
502210ca82e144f3139995abc65ad41781fc5ff2
-
SHA256
77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5
-
SHA512
0d269af73ae8bf920183e41e66c75f67b254b9f67ef00cc44e1eed1866eefd357293dd17fb3c476f41cbfc30f0022f9055a7db980d05bdefa9f7b83ffcbc71e5
-
SSDEEP
3072:7CaiT6OoC4RAuPiX+lsDufBnEnDQEnKClUUWaef:7VQU2OlsDufBoXKCWUM
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaeegh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amcbankf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epmfgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcecbq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eckpkamb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neklbppb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diibag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlaeonld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liklhmom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcgdom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcjbna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcldhnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpgobc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldhdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnndan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epbfmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgmfchei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdkgkcpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbnflo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pafbadcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkofjijm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeidgbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajjfkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkomjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkleabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbdmeoob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajgbkbjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdlkiepd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lahmbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjdjklek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifoqjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnkakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agdmdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihpfgalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdnild32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgahoel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhobddbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oekhacbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idiaii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opkccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plaimk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjjnan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbdgqimc.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 8 IoCs
resource yara_rule behavioral1/files/0x000400000001e128-3513.dat family_bruteratel behavioral1/files/0x0003000000020e13-6681.dat family_bruteratel behavioral1/files/0x0003000000020f10-7081.dat family_bruteratel behavioral1/files/0x0003000000021664-10992.dat family_bruteratel behavioral1/files/0x0003000000021919-12406.dat family_bruteratel behavioral1/files/0x000300000002192a-12425.dat family_bruteratel behavioral1/files/0x0003000000021a48-12915.dat family_bruteratel behavioral1/files/0x0003000000021f6b-14927.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2908 Libicbma.exe 1260 Mlaeonld.exe 2560 Mbkmlh32.exe 1700 Mffimglk.exe 2440 Mbmjah32.exe 2864 Mhjbjopf.exe 2380 Mlfojn32.exe 1192 Mencccop.exe 1544 Mhloponc.exe 1872 Maedhd32.exe 2760 Mdcpdp32.exe 2428 Moidahcn.exe 1780 Magqncba.exe 2156 Nhaikn32.exe 2244 Nibebfpl.exe 1080 Nckjkl32.exe 3052 Nkbalifo.exe 1624 Ndjfeo32.exe 952 Ngibaj32.exe 1696 Nmbknddp.exe 1956 Npagjpcd.exe 1092 Ngkogj32.exe 1688 Niikceid.exe 3020 Nhllob32.exe 3036 Ncbplk32.exe 1632 Nhohda32.exe 2548 Oohqqlei.exe 2984 Ollajp32.exe 580 Okoafmkm.exe 2892 Oeeecekc.exe 2180 Odhfob32.exe 2004 Okdkal32.exe 2300 Onbgmg32.exe 1996 Ogkkfmml.exe 824 Ojigbhlp.exe 1832 Odoloalf.exe 1680 Ogmhkmki.exe 1360 Pkidlk32.exe 2268 Pmjqcc32.exe 236 Pqemdbaj.exe 656 Pgpeal32.exe 540 Pqhijbog.exe 956 Pgbafl32.exe 2976 Pfdabino.exe 1436 Pqjfoa32.exe 2352 Piekcd32.exe 2952 Pmagdbci.exe 2552 Pkdgpo32.exe 796 Poocpnbm.exe 2604 Pfikmh32.exe 2968 Pdlkiepd.exe 3004 Pmccjbaf.exe 2424 Poapfn32.exe 1552 Pndpajgd.exe 1256 Qflhbhgg.exe 2416 Qeohnd32.exe 1708 Qgmdjp32.exe 2164 Qngmgjeb.exe 1764 Qqeicede.exe 1404 Qeaedd32.exe 2920 Qgoapp32.exe 2368 Qkkmqnck.exe 884 Aniimjbo.exe 1912 Aaheie32.exe -
Loads dropped DLL 64 IoCs
pid Process 2716 77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe 2716 77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe 2908 Libicbma.exe 2908 Libicbma.exe 1260 Mlaeonld.exe 1260 Mlaeonld.exe 2560 Mbkmlh32.exe 2560 Mbkmlh32.exe 1700 Mffimglk.exe 1700 Mffimglk.exe 2440 Mbmjah32.exe 2440 Mbmjah32.exe 2864 Mhjbjopf.exe 2864 Mhjbjopf.exe 2380 Mlfojn32.exe 2380 Mlfojn32.exe 1192 Mencccop.exe 1192 Mencccop.exe 1544 Mhloponc.exe 1544 Mhloponc.exe 1872 Maedhd32.exe 1872 Maedhd32.exe 2760 Mdcpdp32.exe 2760 Mdcpdp32.exe 2428 Moidahcn.exe 2428 Moidahcn.exe 1780 Magqncba.exe 1780 Magqncba.exe 2156 Nhaikn32.exe 2156 Nhaikn32.exe 2244 Nibebfpl.exe 2244 Nibebfpl.exe 1080 Nckjkl32.exe 1080 Nckjkl32.exe 3052 Nkbalifo.exe 3052 Nkbalifo.exe 1624 Ndjfeo32.exe 1624 Ndjfeo32.exe 952 Ngibaj32.exe 952 Ngibaj32.exe 1696 Nmbknddp.exe 1696 Nmbknddp.exe 1956 Npagjpcd.exe 1956 Npagjpcd.exe 1092 Ngkogj32.exe 1092 Ngkogj32.exe 1688 Niikceid.exe 1688 Niikceid.exe 3020 Nhllob32.exe 3020 Nhllob32.exe 3036 Ncbplk32.exe 3036 Ncbplk32.exe 1632 Nhohda32.exe 1632 Nhohda32.exe 2548 Oohqqlei.exe 2548 Oohqqlei.exe 2984 Ollajp32.exe 2984 Ollajp32.exe 580 Okoafmkm.exe 580 Okoafmkm.exe 2892 Oeeecekc.exe 2892 Oeeecekc.exe 2180 Odhfob32.exe 2180 Odhfob32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oemegc32.exe Oaaifdhb.exe File created C:\Windows\SysWOW64\Qmgibqjc.exe Qjhmfekp.exe File created C:\Windows\SysWOW64\Kghpoa32.exe Jnpkflne.exe File created C:\Windows\SysWOW64\Mngjeamd.exe Mlhnifmq.exe File created C:\Windows\SysWOW64\Ingkfk32.dll Aopahjll.exe File created C:\Windows\SysWOW64\Pmpbdm32.exe Process not Found File created C:\Windows\SysWOW64\Ogdjhp32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Chkmkacq.exe Cdoajb32.exe File opened for modification C:\Windows\SysWOW64\Jepmgj32.exe Jniefm32.exe File created C:\Windows\SysWOW64\Cgnadk32.dll Ljieppcb.exe File created C:\Windows\SysWOW64\Pkmlmbcd.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fhdmph32.exe Process not Found File created C:\Windows\SysWOW64\Iaeegh32.exe Iinmfk32.exe File created C:\Windows\SysWOW64\Fphoebme.dll Cmmagpef.exe File opened for modification C:\Windows\SysWOW64\Eobchk32.exe Eldglp32.exe File created C:\Windows\SysWOW64\Bgefgpha.dll Process not Found File created C:\Windows\SysWOW64\Onbgmg32.exe Okdkal32.exe File created C:\Windows\SysWOW64\Mclcijfd.exe Mamgmofp.exe File opened for modification C:\Windows\SysWOW64\Fbdlkj32.exe Fofpoo32.exe File created C:\Windows\SysWOW64\Clnoge32.dll Meabakda.exe File created C:\Windows\SysWOW64\Lilfnc32.dll Ogiaif32.exe File created C:\Windows\SysWOW64\Fkiolmdc.dll Fgnadkic.exe File opened for modification C:\Windows\SysWOW64\Hfhcoj32.exe Hcigco32.exe File created C:\Windows\SysWOW64\Dgknkf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Abphal32.exe Acmhepko.exe File created C:\Windows\SysWOW64\Nkegeg32.exe Nlbgikia.exe File created C:\Windows\SysWOW64\Bleoal32.dll Hjofdi32.exe File opened for modification C:\Windows\SysWOW64\Klhgfq32.exe Process not Found File created C:\Windows\SysWOW64\Pmjaohol.exe Process not Found File created C:\Windows\SysWOW64\Ehfenf32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Clalod32.exe Chfpoeja.exe File created C:\Windows\SysWOW64\Dqkhngff.dll Gnmifk32.exe File opened for modification C:\Windows\SysWOW64\Kljabgnh.exe Kjleflod.exe File opened for modification C:\Windows\SysWOW64\Dphmloih.exe Dogpdg32.exe File created C:\Windows\SysWOW64\Emagacdm.exe Eggndi32.exe File opened for modification C:\Windows\SysWOW64\Eibgpnjk.exe Process not Found File opened for modification C:\Windows\SysWOW64\Emdeok32.exe Process not Found File created C:\Windows\SysWOW64\Kiglka32.dll Mcnpojca.exe File created C:\Windows\SysWOW64\Pdldnomh.exe Pmdmmalf.exe File created C:\Windows\SysWOW64\Gplaplgi.dll Mhonngce.exe File opened for modification C:\Windows\SysWOW64\Ndmecgba.exe Npaich32.exe File created C:\Windows\SysWOW64\Bigkel32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dchmkkkj.exe Dkadjn32.exe File created C:\Windows\SysWOW64\Mlhnifmq.exe Meoell32.exe File created C:\Windows\SysWOW64\Ppcbgkka.exe Omefkplm.exe File created C:\Windows\SysWOW64\Fijbkbjk.dll Hmmbqegc.exe File opened for modification C:\Windows\SysWOW64\Lpflkb32.exe Process not Found File created C:\Windows\SysWOW64\Dfhdnn32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ndjfeo32.exe Nkbalifo.exe File opened for modification C:\Windows\SysWOW64\Obmnna32.exe Process not Found File created C:\Windows\SysWOW64\Aglfmjon.dll Process not Found File created C:\Windows\SysWOW64\Jmgfca32.dll Process not Found File created C:\Windows\SysWOW64\Pdioqoen.dll Process not Found File created C:\Windows\SysWOW64\Dokggo32.dll Process not Found File created C:\Windows\SysWOW64\Gmbfggdo.exe Gjdjklek.exe File created C:\Windows\SysWOW64\Fmnopp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mobomnoq.exe Process not Found File created C:\Windows\SysWOW64\Gfbliabl.dll Process not Found File created C:\Windows\SysWOW64\Faphfl32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Akcldl32.exe Aggpdnpj.exe File opened for modification C:\Windows\SysWOW64\Aigmnqgm.exe Aapemc32.exe File created C:\Windows\SysWOW64\Loqhnifk.dll Ipokcdjn.exe File opened for modification C:\Windows\SysWOW64\Kdbbgdjj.exe Knhjjj32.exe File created C:\Windows\SysWOW64\Iakino32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 4416 6416 Process not Found 1656 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apoooa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdpcikdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmecmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbiiog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eggndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlioj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnqqgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjnan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocgbji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hphidanj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjglkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbnpkmfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Libicbma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljcllqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcdkif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcghof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aboaff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhejnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gceailog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ionefb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egokonjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnolfon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkpbdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daacecfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmhideol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngneph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beejng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cemjae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ednbncmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpoolael.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Candgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcfbdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbdea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijclol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqlicclo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmgclfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baojapfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ippdgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbnljqic.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjckino.dll" Jpbalb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amcpie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fiokbjgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgckfd32.dll" Bibpad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbdmeoob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkjaa32.dll" Amcbankf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjlheehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjfigdn.dll" Fjjpjgjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfjgooni.dll" Endjaief.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnkakl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdfkqifa.dll" Mnbpjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbbfep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbeded32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppcbgkka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldikdp32.dll" Dhiomn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhpemm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmkkio32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgdcgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blgdjk32.dll" Egokonjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcgapdeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkhdkgnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpfeppop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcamkjba.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdpkmjnb.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dchhemih.dll" Jgqpkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knhhaaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qblodoke.dll" Oiakgcnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcbabpcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diijaiep.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opjqff32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afiglkle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlpklbcl.dll" Kdpcikdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgiepced.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmhamoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fejhndnn.dll" Bofgii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpgjgboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqnlhpfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhjcic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npfdjdfc.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocajj32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooclji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdoomf32.dll" Fqlicclo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flhmfbim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnmpdlac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgfhjcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Modcdaml.dll" Findhdcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhpglecl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acblbcob.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Konndhmb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2716 wrote to memory of 2908 2716 77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe 30 PID 2716 wrote to memory of 2908 2716 77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe 30 PID 2716 wrote to memory of 2908 2716 77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe 30 PID 2716 wrote to memory of 2908 2716 77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe 30 PID 2908 wrote to memory of 1260 2908 Libicbma.exe 31 PID 2908 wrote to memory of 1260 2908 Libicbma.exe 31 PID 2908 wrote to memory of 1260 2908 Libicbma.exe 31 PID 2908 wrote to memory of 1260 2908 Libicbma.exe 31 PID 1260 wrote to memory of 2560 1260 Mlaeonld.exe 32 PID 1260 wrote to memory of 2560 1260 Mlaeonld.exe 32 PID 1260 wrote to memory of 2560 1260 Mlaeonld.exe 32 PID 1260 wrote to memory of 2560 1260 Mlaeonld.exe 32 PID 2560 wrote to memory of 1700 2560 Mbkmlh32.exe 33 PID 2560 wrote to memory of 1700 2560 Mbkmlh32.exe 33 PID 2560 wrote to memory of 1700 2560 Mbkmlh32.exe 33 PID 2560 wrote to memory of 1700 2560 Mbkmlh32.exe 33 PID 1700 wrote to memory of 2440 1700 Mffimglk.exe 34 PID 1700 wrote to memory of 2440 1700 Mffimglk.exe 34 PID 1700 wrote to memory of 2440 1700 Mffimglk.exe 34 PID 1700 wrote to memory of 2440 1700 Mffimglk.exe 34 PID 2440 wrote to memory of 2864 2440 Mbmjah32.exe 35 PID 2440 wrote to memory of 2864 2440 Mbmjah32.exe 35 PID 2440 wrote to memory of 2864 2440 Mbmjah32.exe 35 PID 2440 wrote to memory of 2864 2440 Mbmjah32.exe 35 PID 2864 wrote to memory of 2380 2864 Mhjbjopf.exe 36 PID 2864 wrote to memory of 2380 2864 Mhjbjopf.exe 36 PID 2864 wrote to memory of 2380 2864 Mhjbjopf.exe 36 PID 2864 wrote to memory of 2380 2864 Mhjbjopf.exe 36 PID 2380 wrote to memory of 1192 2380 Mlfojn32.exe 37 PID 2380 wrote to memory of 1192 2380 Mlfojn32.exe 37 PID 2380 wrote to memory of 1192 2380 Mlfojn32.exe 37 PID 2380 wrote to memory of 1192 2380 Mlfojn32.exe 37 PID 1192 wrote to memory of 1544 1192 Mencccop.exe 38 PID 1192 wrote to memory of 1544 1192 Mencccop.exe 38 PID 1192 wrote to memory of 1544 1192 Mencccop.exe 38 PID 1192 wrote to memory of 1544 1192 Mencccop.exe 38 PID 1544 wrote to memory of 1872 1544 Mhloponc.exe 39 PID 1544 wrote to memory of 1872 1544 Mhloponc.exe 39 PID 1544 wrote to memory of 1872 1544 Mhloponc.exe 39 PID 1544 wrote to memory of 1872 1544 Mhloponc.exe 39 PID 1872 wrote to memory of 2760 1872 Maedhd32.exe 40 PID 1872 wrote to memory of 2760 1872 Maedhd32.exe 40 PID 1872 wrote to memory of 2760 1872 Maedhd32.exe 40 PID 1872 wrote to memory of 2760 1872 Maedhd32.exe 40 PID 2760 wrote to memory of 2428 2760 Mdcpdp32.exe 41 PID 2760 wrote to memory of 2428 2760 Mdcpdp32.exe 41 PID 2760 wrote to memory of 2428 2760 Mdcpdp32.exe 41 PID 2760 wrote to memory of 2428 2760 Mdcpdp32.exe 41 PID 2428 wrote to memory of 1780 2428 Moidahcn.exe 42 PID 2428 wrote to memory of 1780 2428 Moidahcn.exe 42 PID 2428 wrote to memory of 1780 2428 Moidahcn.exe 42 PID 2428 wrote to memory of 1780 2428 Moidahcn.exe 42 PID 1780 wrote to memory of 2156 1780 Magqncba.exe 43 PID 1780 wrote to memory of 2156 1780 Magqncba.exe 43 PID 1780 wrote to memory of 2156 1780 Magqncba.exe 43 PID 1780 wrote to memory of 2156 1780 Magqncba.exe 43 PID 2156 wrote to memory of 2244 2156 Nhaikn32.exe 44 PID 2156 wrote to memory of 2244 2156 Nhaikn32.exe 44 PID 2156 wrote to memory of 2244 2156 Nhaikn32.exe 44 PID 2156 wrote to memory of 2244 2156 Nhaikn32.exe 44 PID 2244 wrote to memory of 1080 2244 Nibebfpl.exe 45 PID 2244 wrote to memory of 1080 2244 Nibebfpl.exe 45 PID 2244 wrote to memory of 1080 2244 Nibebfpl.exe 45 PID 2244 wrote to memory of 1080 2244 Nibebfpl.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe"C:\Users\Admin\AppData\Local\Temp\77160605228e1423548c1356aa9941adfaa3d6f95af149035c5e02d4e3b37db5.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Libicbma.exeC:\Windows\system32\Libicbma.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Mlaeonld.exeC:\Windows\system32\Mlaeonld.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Mbkmlh32.exeC:\Windows\system32\Mbkmlh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Mffimglk.exeC:\Windows\system32\Mffimglk.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Mbmjah32.exeC:\Windows\system32\Mbmjah32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Mhjbjopf.exeC:\Windows\system32\Mhjbjopf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Mlfojn32.exeC:\Windows\system32\Mlfojn32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Mencccop.exeC:\Windows\system32\Mencccop.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Mhloponc.exeC:\Windows\system32\Mhloponc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Maedhd32.exeC:\Windows\system32\Maedhd32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Mdcpdp32.exeC:\Windows\system32\Mdcpdp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Moidahcn.exeC:\Windows\system32\Moidahcn.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Magqncba.exeC:\Windows\system32\Magqncba.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Nhaikn32.exeC:\Windows\system32\Nhaikn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Nibebfpl.exeC:\Windows\system32\Nibebfpl.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1080 -
C:\Windows\SysWOW64\Nkbalifo.exeC:\Windows\system32\Nkbalifo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1624 -
C:\Windows\SysWOW64\Ngibaj32.exeC:\Windows\system32\Ngibaj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\Nmbknddp.exeC:\Windows\system32\Nmbknddp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1696 -
C:\Windows\SysWOW64\Npagjpcd.exeC:\Windows\system32\Npagjpcd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Ngkogj32.exeC:\Windows\system32\Ngkogj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1092 -
C:\Windows\SysWOW64\Niikceid.exeC:\Windows\system32\Niikceid.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Ncbplk32.exeC:\Windows\system32\Ncbplk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3036 -
C:\Windows\SysWOW64\Nhohda32.exeC:\Windows\system32\Nhohda32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Oohqqlei.exeC:\Windows\system32\Oohqqlei.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Ollajp32.exeC:\Windows\system32\Ollajp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Okoafmkm.exeC:\Windows\system32\Okoafmkm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:580 -
C:\Windows\SysWOW64\Oeeecekc.exeC:\Windows\system32\Oeeecekc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Odhfob32.exeC:\Windows\system32\Odhfob32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Onbgmg32.exeC:\Windows\system32\Onbgmg32.exe34⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Ogkkfmml.exeC:\Windows\system32\Ogkkfmml.exe35⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Ojigbhlp.exeC:\Windows\system32\Ojigbhlp.exe36⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Odoloalf.exeC:\Windows\system32\Odoloalf.exe37⤵
- Executes dropped EXE
PID:1832 -
C:\Windows\SysWOW64\Ogmhkmki.exeC:\Windows\system32\Ogmhkmki.exe38⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Pkidlk32.exeC:\Windows\system32\Pkidlk32.exe39⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Pmjqcc32.exeC:\Windows\system32\Pmjqcc32.exe40⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Pqemdbaj.exeC:\Windows\system32\Pqemdbaj.exe41⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Pgpeal32.exeC:\Windows\system32\Pgpeal32.exe42⤵
- Executes dropped EXE
PID:656 -
C:\Windows\SysWOW64\Pqhijbog.exeC:\Windows\system32\Pqhijbog.exe43⤵
- Executes dropped EXE
PID:540 -
C:\Windows\SysWOW64\Pgbafl32.exeC:\Windows\system32\Pgbafl32.exe44⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Pfdabino.exeC:\Windows\system32\Pfdabino.exe45⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Pqjfoa32.exeC:\Windows\system32\Pqjfoa32.exe46⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Piekcd32.exeC:\Windows\system32\Piekcd32.exe47⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Pmagdbci.exeC:\Windows\system32\Pmagdbci.exe48⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Pkdgpo32.exeC:\Windows\system32\Pkdgpo32.exe49⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Poocpnbm.exeC:\Windows\system32\Poocpnbm.exe50⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Pfikmh32.exeC:\Windows\system32\Pfikmh32.exe51⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Pdlkiepd.exeC:\Windows\system32\Pdlkiepd.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Pmccjbaf.exeC:\Windows\system32\Pmccjbaf.exe53⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Poapfn32.exeC:\Windows\system32\Poapfn32.exe54⤵
- Executes dropped EXE
PID:2424 -
C:\Windows\SysWOW64\Pndpajgd.exeC:\Windows\system32\Pndpajgd.exe55⤵
- Executes dropped EXE
PID:1552 -
C:\Windows\SysWOW64\Qflhbhgg.exeC:\Windows\system32\Qflhbhgg.exe56⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Qeohnd32.exeC:\Windows\system32\Qeohnd32.exe57⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Qgmdjp32.exeC:\Windows\system32\Qgmdjp32.exe58⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Qngmgjeb.exeC:\Windows\system32\Qngmgjeb.exe59⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe60⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Qeaedd32.exeC:\Windows\system32\Qeaedd32.exe61⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Qgoapp32.exeC:\Windows\system32\Qgoapp32.exe62⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Qkkmqnck.exeC:\Windows\system32\Qkkmqnck.exe63⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Aniimjbo.exeC:\Windows\system32\Aniimjbo.exe64⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Aaheie32.exeC:\Windows\system32\Aaheie32.exe65⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Aecaidjl.exeC:\Windows\system32\Aecaidjl.exe66⤵PID:1952
-
C:\Windows\SysWOW64\Acfaeq32.exeC:\Windows\system32\Acfaeq32.exe67⤵PID:2700
-
C:\Windows\SysWOW64\Akmjfn32.exeC:\Windows\system32\Akmjfn32.exe68⤵PID:480
-
C:\Windows\SysWOW64\Amnfnfgg.exeC:\Windows\system32\Amnfnfgg.exe69⤵PID:1984
-
C:\Windows\SysWOW64\Aajbne32.exeC:\Windows\system32\Aajbne32.exe70⤵PID:2276
-
C:\Windows\SysWOW64\Agdjkogm.exeC:\Windows\system32\Agdjkogm.exe71⤵PID:2588
-
C:\Windows\SysWOW64\Ajbggjfq.exeC:\Windows\system32\Ajbggjfq.exe72⤵PID:2420
-
C:\Windows\SysWOW64\Amqccfed.exeC:\Windows\system32\Amqccfed.exe73⤵PID:1724
-
C:\Windows\SysWOW64\Apoooa32.exeC:\Windows\system32\Apoooa32.exe74⤵
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Agfgqo32.exeC:\Windows\system32\Agfgqo32.exe75⤵PID:2060
-
C:\Windows\SysWOW64\Afiglkle.exeC:\Windows\system32\Afiglkle.exe76⤵
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Aigchgkh.exeC:\Windows\system32\Aigchgkh.exe77⤵PID:2448
-
C:\Windows\SysWOW64\Amcpie32.exeC:\Windows\system32\Amcpie32.exe78⤵
- Modifies registry class
PID:344 -
C:\Windows\SysWOW64\Aaolidlk.exeC:\Windows\system32\Aaolidlk.exe79⤵PID:1216
-
C:\Windows\SysWOW64\Acmhepko.exeC:\Windows\system32\Acmhepko.exe80⤵
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Abphal32.exeC:\Windows\system32\Abphal32.exe81⤵PID:2744
-
C:\Windows\SysWOW64\Ajgpbj32.exeC:\Windows\system32\Ajgpbj32.exe82⤵PID:988
-
C:\Windows\SysWOW64\Aijpnfif.exeC:\Windows\system32\Aijpnfif.exe83⤵PID:2712
-
C:\Windows\SysWOW64\Alhmjbhj.exeC:\Windows\system32\Alhmjbhj.exe84⤵PID:1860
-
C:\Windows\SysWOW64\Apdhjq32.exeC:\Windows\system32\Apdhjq32.exe85⤵PID:1716
-
C:\Windows\SysWOW64\Abbeflpf.exeC:\Windows\system32\Abbeflpf.exe86⤵PID:2392
-
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe87⤵PID:1196
-
C:\Windows\SysWOW64\Aeqabgoj.exeC:\Windows\system32\Aeqabgoj.exe88⤵PID:2800
-
C:\Windows\SysWOW64\Bmhideol.exeC:\Windows\system32\Bmhideol.exe89⤵
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Bpfeppop.exeC:\Windows\system32\Bpfeppop.exe90⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe91⤵PID:3012
-
C:\Windows\SysWOW64\Becnhgmg.exeC:\Windows\system32\Becnhgmg.exe92⤵PID:1776
-
C:\Windows\SysWOW64\Biojif32.exeC:\Windows\system32\Biojif32.exe93⤵PID:904
-
C:\Windows\SysWOW64\Blmfea32.exeC:\Windows\system32\Blmfea32.exe94⤵PID:1856
-
C:\Windows\SysWOW64\Bbgnak32.exeC:\Windows\system32\Bbgnak32.exe95⤵PID:2600
-
C:\Windows\SysWOW64\Beejng32.exeC:\Windows\system32\Beejng32.exe96⤵
- System Location Discovery: System Language Discovery
PID:1416 -
C:\Windows\SysWOW64\Biafnecn.exeC:\Windows\system32\Biafnecn.exe97⤵PID:1568
-
C:\Windows\SysWOW64\Blobjaba.exeC:\Windows\system32\Blobjaba.exe98⤵PID:1876
-
C:\Windows\SysWOW64\Bonoflae.exeC:\Windows\system32\Bonoflae.exe99⤵PID:2728
-
C:\Windows\SysWOW64\Bbikgk32.exeC:\Windows\system32\Bbikgk32.exe100⤵PID:2024
-
C:\Windows\SysWOW64\Bhfcpb32.exeC:\Windows\system32\Bhfcpb32.exe101⤵PID:2936
-
C:\Windows\SysWOW64\Bjdplm32.exeC:\Windows\system32\Bjdplm32.exe102⤵PID:1692
-
C:\Windows\SysWOW64\Boplllob.exeC:\Windows\system32\Boplllob.exe103⤵PID:444
-
C:\Windows\SysWOW64\Baohhgnf.exeC:\Windows\system32\Baohhgnf.exe104⤵PID:1472
-
C:\Windows\SysWOW64\Bdmddc32.exeC:\Windows\system32\Bdmddc32.exe105⤵PID:2328
-
C:\Windows\SysWOW64\Bhhpeafc.exeC:\Windows\system32\Bhhpeafc.exe106⤵PID:1920
-
C:\Windows\SysWOW64\Bobhal32.exeC:\Windows\system32\Bobhal32.exe107⤵PID:1896
-
C:\Windows\SysWOW64\Bmeimhdj.exeC:\Windows\system32\Bmeimhdj.exe108⤵PID:1048
-
C:\Windows\SysWOW64\Cpceidcn.exeC:\Windows\system32\Cpceidcn.exe109⤵PID:1364
-
C:\Windows\SysWOW64\Cdoajb32.exeC:\Windows\system32\Cdoajb32.exe110⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Chkmkacq.exeC:\Windows\system32\Chkmkacq.exe111⤵PID:2928
-
C:\Windows\SysWOW64\Ckiigmcd.exeC:\Windows\system32\Ckiigmcd.exe112⤵PID:2056
-
C:\Windows\SysWOW64\Cmgechbh.exeC:\Windows\system32\Cmgechbh.exe113⤵PID:1512
-
C:\Windows\SysWOW64\Cpfaocal.exeC:\Windows\system32\Cpfaocal.exe114⤵PID:876
-
C:\Windows\SysWOW64\Cbdnko32.exeC:\Windows\system32\Cbdnko32.exe115⤵PID:2236
-
C:\Windows\SysWOW64\Cklfll32.exeC:\Windows\system32\Cklfll32.exe116⤵PID:2580
-
C:\Windows\SysWOW64\Cinfhigl.exeC:\Windows\system32\Cinfhigl.exe117⤵PID:2148
-
C:\Windows\SysWOW64\Cmjbhh32.exeC:\Windows\system32\Cmjbhh32.exe118⤵PID:1836
-
C:\Windows\SysWOW64\Clmbddgp.exeC:\Windows\system32\Clmbddgp.exe119⤵PID:2032
-
C:\Windows\SysWOW64\Cddjebgb.exeC:\Windows\system32\Cddjebgb.exe120⤵PID:2508
-
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe121⤵PID:836
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-