Analysis
max time kernel: 93s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/01/2025, 09:21
Static task: static1
Behavioral task: behavioral1
Sample: 0d9377ef71c53fafda7c2f28d5cb60ce3ef08483dd920d99c95fced059598a52.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 0d9377ef71c53fafda7c2f28d5cb60ce3ef08483dd920d99c95fced059598a52.exe
Resource: win10v2004-20241007-en
General
Target: 0d9377ef71c53fafda7c2f28d5cb60ce3ef08483dd920d99c95fced059598a52.exe
Size: 96KB
MD5: a35d2638b1ac3d9a32cc78569d4f95e3
SHA1: a2f9ae99773683b11f7f5c5c8f24d8d75fd50d41
SHA256: 0d9377ef71c53fafda7c2f28d5cb60ce3ef08483dd920d99c95fced059598a52
SHA512: c0ef9de3bb27ec7fd6a938a2fa9491ec593276cee88bef3e9538e1e2ac7367e8f092aa76842ea952aa8a4456b94863529ab0f29d401c8e7b53d008b4d53ab80d
SSDEEP: 1536:wh0ZvIiSoJ5C0ko9AMZcuUTI2Ld7RZObZUUWaegPYAm:PZvC5o9AM+uodClUUWaeN
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lplmhj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pcnaonnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hbjdkepd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlgiea32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cpbpad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nkgmko32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ooeohjlh.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pmqebnej.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bealhmpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Didgqhdk.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eeanfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dgkljb32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gnciohah.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hapalb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hjjbkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pkhoijgo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epioiaak.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qjlcfgag.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgpeebpi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jdcpjjag.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Apndjm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cabcfm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbdphb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lbgfdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mehhmh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Becinm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dgfbochc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qcogjgha.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abimfcid.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmocag32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eekalg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oodimaaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kjdnhcbl.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fqffoeki.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mdaebfge.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mjdkhmcd.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abajahfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gqohedbo.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gqfofc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Acgdelfe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ilaeeijd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Edekip32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Egcgfk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Enbind32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjgikh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fqkoje32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndghdcdm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bfgoco32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dngqll32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajalaf32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adiqjlcb.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hccgcmoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mhdgdcif.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nlgiea32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpnjniid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mfiogn32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Obkhngcf.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmofpgik.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aiqimm32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Egbaka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gjapdh32.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hadkgapf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Inoaadih.exe
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kopjhb32.exe
Berbew family
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
Bruteratel family
Detect BruteRatel badger (1 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023e1e-1695.dat | family_bruteratel
Executes dropped EXE (64 IoCs)
pid | Process
3596 | Jehmjchq.exe
5044 | Jlbefm32.exe
2028 | Jopabhna.exe
2008 | Kifepang.exe
2856 | Kocnhhlo.exe
4016 | Kemfeb32.exe
1960 | Khkban32.exe
964 | Koeknh32.exe
1392 | Keocjbai.exe
3612 | Klikgl32.exe
2848 | Kcccdfqb.exe
2352 | Keappapf.exe
2596 | Klkhml32.exe
2044 | Kcepif32.exe
1932 | Kedlea32.exe
5012 | Klndbkep.exe
3420 | Lajmkbcg.exe
3952 | Liaelpdj.exe
2412 | Llpahkcm.exe
4436 | Lplmhj32.exe
2860 | Lcjide32.exe
4864 | Lpnjniid.exe
4620 | Lclfjehh.exe
4860 | Lcocpdfe.exe
2888 | Lhkkhk32.exe
1312 | Loeceeli.exe
4932 | Lhnhnk32.exe
880 | Mafmfqij.exe
4792 | Mhpeckqg.exe
2976 | Mpgmdhai.exe
4600 | Mjpamn32.exe
2392 | Momjed32.exe
220 | Mplfog32.exe
5056 | Mfiogn32.exe
1964 | Mjdkhmcd.exe
4328 | Mcmoab32.exe
4648 | Mfkkmn32.exe
3404 | Mlecjhae.exe
1820 | Nocpfc32.exe
3684 | Njidcl32.exe
4652 | Nqclpfgl.exe
4348 | Nbdiho32.exe
1884 | Nhnadidg.exe
3184 | Nmjmeg32.exe
2784 | Nbfemnkg.exe
1748 | Niqnjh32.exe
4012 | Nokfgbja.exe
4256 | Ncfbga32.exe
2568 | Nmofpgik.exe
740 | Nomclbho.exe
1500 | Nfgkilok.exe
4368 | Njbgik32.exe
4128 | Omacef32.exe
4604 | Ockkbqne.exe
388 | Ojecok32.exe
844 | Omcpkf32.exe
2480 | Oqolldmo.exe
4428 | Ocmhhplb.exe
2284 | Oijqpg32.exe
4968 | Oodimaaf.exe
2960 | Ocpemp32.exe
3760 | Ofnajk32.exe
4480 | Oqcegd32.exe
1052 | Obdbolog.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Oljcip32.dll | Aiaphc32.exe
File created | C:\Windows\SysWOW64\Eeanfh32.exe | Dgonklmm.exe
File created | C:\Windows\SysWOW64\Eojmemng.dll | Nbdiho32.exe
File opened for modification | C:\Windows\SysWOW64\Amaeca32.exe | Aificcbj.exe
File created | C:\Windows\SysWOW64\Mhdgdcif.exe | Mefkhhjb.exe
File created | C:\Windows\SysWOW64\Pbidoe32.exe | Pmllgn32.exe
File opened for modification | C:\Windows\SysWOW64\Pmcbgmcg.exe | Peljfpbe.exe
File created | C:\Windows\SysWOW64\Qmdomjai.dll | Ddqbnpni.exe
File created | C:\Windows\SysWOW64\Bbikji32.dll | Khkban32.exe
File created | C:\Windows\SysWOW64\Bdepfjie.exe | Bmkhip32.exe
File opened for modification | C:\Windows\SysWOW64\Hnmlegim.exe | Gjapdh32.exe
File opened for modification | C:\Windows\SysWOW64\Eeidggmp.exe | Egfdkk32.exe
File created | C:\Windows\SysWOW64\Ofnajk32.exe | Ocpemp32.exe
File created | C:\Windows\SysWOW64\Epopof32.exe | Egfkfa32.exe
File created | C:\Windows\SysWOW64\Fqcijfml.exe | Egkdapfk.exe
File created | C:\Windows\SysWOW64\Pggchhmd.dll | Inoaadih.exe
File created | C:\Windows\SysWOW64\Ihnhnadp.dll | Lhdnmf32.exe
File opened for modification | C:\Windows\SysWOW64\Ndmendmg.exe | Maohbimd.exe
File created | C:\Windows\SysWOW64\Kcfcoaod.dll | Edekip32.exe
File created | C:\Windows\SysWOW64\Loeceeli.exe | Lhkkhk32.exe
File created | C:\Windows\SysWOW64\Gnohji32.dll | Cpljbi32.exe
File opened for modification | C:\Windows\SysWOW64\Gjocoi32.exe | Gcekbokj.exe
File created | C:\Windows\SysWOW64\Gqiklcjd.exe | Gnjopgkp.exe
File opened for modification | C:\Windows\SysWOW64\Ooohgk32.exe | Olplkp32.exe
File created | C:\Windows\SysWOW64\Eccfqg32.dll | Cgmoidqn.exe
File created | C:\Windows\SysWOW64\Obdbolog.exe | Oqcegd32.exe
File opened for modification | C:\Windows\SysWOW64\Cadpkm32.exe | Ckkhocgd.exe
File created | C:\Windows\SysWOW64\Mmnpmb32.dll | Fnjfij32.exe
File created | C:\Windows\SysWOW64\Djligg32.dll | Kagikl32.exe
File created | C:\Windows\SysWOW64\Eclhil32.dll | Ecmepl32.exe
File created | C:\Windows\SysWOW64\Kffdnh32.dll | Jopabhna.exe
File created | C:\Windows\SysWOW64\Abajahfg.exe | Apbnemgd.exe
File created | C:\Windows\SysWOW64\Cennecfh.dll | Mecnbhle.exe
File created | C:\Windows\SysWOW64\Qbddkc32.exe | Qpfhoh32.exe
File created | C:\Windows\SysWOW64\Cdpigbll.exe | Cliafekj.exe
File created | C:\Windows\SysWOW64\Ljemccca.dll | Dmfjaf32.exe
File created | C:\Windows\SysWOW64\Pfljelhj.dll | Qpikonoo.exe
File opened for modification | C:\Windows\SysWOW64\Dngqll32.exe | Dkidpa32.exe
File opened for modification | C:\Windows\SysWOW64\Fbjldh32.exe | Fnopci32.exe
File created | C:\Windows\SysWOW64\Hcidmnge.exe | Hqkhabha.exe
File created | C:\Windows\SysWOW64\Djmcanog.dll | Lkpncb32.exe
File created | C:\Windows\SysWOW64\Idhfiejc.dll | Amaeca32.exe
File created | C:\Windows\SysWOW64\Bdbcqklh.exe | Badgdold.exe
File opened for modification | C:\Windows\SysWOW64\Gnhbjh32.exe | Gkifnl32.exe
File created | C:\Windows\SysWOW64\Koddcagp.exe | Kkihcc32.exe
File opened for modification | C:\Windows\SysWOW64\Lkdgoa32.exe | Llagcdmo.exe
File opened for modification | C:\Windows\SysWOW64\Pdedfa32.exe | Pbfhje32.exe
File created | C:\Windows\SysWOW64\Pjgikh32.exe | Pcnaonnp.exe
File created | C:\Windows\SysWOW64\Ockkbqne.exe | Omacef32.exe
File opened for modification | C:\Windows\SysWOW64\Pfgdpj32.exe | Ppmlcpil.exe
File created | C:\Windows\SysWOW64\Bpqjfk32.exe | Bifbjqcg.exe
File opened for modification | C:\Windows\SysWOW64\Hgjjilli.exe | Hcnnhm32.exe
File opened for modification | C:\Windows\SysWOW64\Ijmopggg.exe | Hccgcmoj.exe
File created | C:\Windows\SysWOW64\Aihonllk.exe | Aelcmn32.exe
File created | C:\Windows\SysWOW64\Achqckch.dll | Mjpamn32.exe
File opened for modification | C:\Windows\SysWOW64\Nomclbho.exe | Nmofpgik.exe
File created | C:\Windows\SysWOW64\Ocpemp32.exe | Oodimaaf.exe
File opened for modification | C:\Windows\SysWOW64\Ckkhocgd.exe | Cccpnefb.exe
File created | C:\Windows\SysWOW64\Macagfik.dll | Fnniic32.exe
File opened for modification | C:\Windows\SysWOW64\Llpahkcm.exe | Liaelpdj.exe
File created | C:\Windows\SysWOW64\Dnimal32.exe | Dkkaeq32.exe
File opened for modification | C:\Windows\SysWOW64\Hqkhabha.exe | Hnmlegim.exe
File opened for modification | C:\Windows\SysWOW64\Mehhmh32.exe | Mcjlalil.exe
File opened for modification | C:\Windows\SysWOW64\Ndghdcdm.exe | Nbhkhgei.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
11076 | 10932 | WerFault.exe | 543
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gcgghnig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nojollfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Apagkfch.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Edcenfob.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mkpgjpjl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdncliaj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Didgqhdk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lalcflni.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpeoeogm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilcbkihb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdclgh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hadkgapf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mogipofk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obkhngcf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmcbgmcg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pkhoijgo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aeemmojj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acgdelfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dablmkba.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkcidk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhhhhecc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhfdic32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohdpka32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fcfhfjdo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ibdgadgi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qbddkc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blmakgeg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Khkban32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nmofpgik.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epopof32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fnopci32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gjjjdigl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfonngah.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ocmhhplb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afjjlg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfakcfpe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oboaif32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Apndjm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbjmggnm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Icljjkgp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aiqimm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dpkchc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ockkbqne.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cccpnefb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Digkqn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dcopidle.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pifple32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bakmen32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fqffoeki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fddnedap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gqfofc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emifgf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kcccdfqb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llpahkcm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Piccfe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Diihfn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Egkdapfk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hcnnhm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Omcpkf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ggiqbn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhpnid32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abngab32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pamhmb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gnjopgkp.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ommkjhnk.dll" | Cdnlbcno.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mafmfqij.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nkgmko32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Olplkp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ocdnhofj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aflpgq32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Blmakgeg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eckbob32.dll" | Kemfeb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cijdjjlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpncid32.dll" | Jdempjoe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nojollfe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eckoebbg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fddnedap.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccgbdi32.dll" | Hjhfeg32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ndpaddje.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lhkkhk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mplfog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pjgikh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkfbhn32.dll" | Eckoebbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcagig32.dll" | Gcneapab.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hnmlegim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hjjbkg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aidefknb.dll" | Inmelekk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Keappapf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Apbnemgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhdlea32.dll" | Abcgghde.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dmbpfgjb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlhofd32.dll" | Flgfoaqg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Obkhngcf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilpmfp32.dll" | Bealhmpm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bilhil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppogmefm.dll" | Gnhbjh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hbjdkepd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hjhfeg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lhhhhecc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 0d9377ef71c53fafda7c2f28d5cb60ce3ef08483dd920d99c95fced059598a52.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lhkkhk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Edcenfob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmdiflch.dll" | Ecoafk32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ejbklm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gqfofc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bifkoj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfgbgb32.dll" | Ohdpka32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Acdpef32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jhcefhek.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpoco32.dll" | Molckn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nhpgpboi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cigcfn32.dll" | Kecekkjh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpfepm32.dll" | Qilobnfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjdme32.dll" | Kcccdfqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqinhobc.dll" | Mplfog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Memfne32.dll" | Egbaka32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Offdof32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pjgikh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qfqgfh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acdlmq32.dll" | Cagmamlo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpmpnej.dll" | Egihkqhn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fnopci32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiecpppf.dll" | Nocpfc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cpljbi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Didnkogg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jjholemj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cefojjne.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Klndbkep.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 4456 wrote to memory of 3596 4456 0d9377ef71c53fafda7c2f28d5cb60ce3ef08483dd920d99c95fced059598a52.exe 82
PID 4456 wrote to memory of 3596 4456 0d9377ef71c53fafda7c2f28d5cb60ce3ef08483dd920d99c95fced059598a52.exe 82
PID 4456 wrote to memory of 3596 4456 0d9377ef71c53fafda7c2f28d5cb60ce3ef08483dd920d99c95fced059598a52.exe 82
PID 3596 wrote to memory of 5044 3596 Jehmjchq.exe 83
PID 3596 wrote to memory of 5044 3596 Jehmjchq.exe 83
PID 3596 wrote to memory of 5044 3596 Jehmjchq.exe 83
PID 5044 wrote to memory of 2028 5044 Jlbefm32.exe 84
PID 5044 wrote to memory of 2028 5044 Jlbefm32.exe 84
PID 5044 wrote to memory of 2028 5044 Jlbefm32.exe 84
PID 2028 wrote to memory of 2008 2028 Jopabhna.exe 85
PID 2028 wrote to memory of 2008 2028 Jopabhna.exe 85
PID 2028 wrote to memory of 2008 2028 Jopabhna.exe 85
PID 2008 wrote to memory of 2856 2008 Kifepang.exe 86
PID 2008 wrote to memory of 2856 2008 Kifepang.exe 86
PID 2008 wrote to memory of 2856 2008 Kifepang.exe 86
PID 2856 wrote to memory of 4016 2856 Kocnhhlo.exe 87
PID 2856 wrote to memory of 4016 2856 Kocnhhlo.exe 87
PID 2856 wrote to memory of 4016 2856 Kocnhhlo.exe 87
PID 4016 wrote to memory of 1960 4016 Kemfeb32.exe 88
PID 4016 wrote to memory of 1960 4016 Kemfeb32.exe 88
PID 4016 wrote to memory of 1960 4016 Kemfeb32.exe 88
PID 1960 wrote to memory of 964 1960 Khkban32.exe 89
PID 1960 wrote to memory of 964 1960 Khkban32.exe 89
PID 1960 wrote to memory of 964 1960 Khkban32.exe 89
PID 964 wrote to memory of 1392 964 Koeknh32.exe 90
PID 964 wrote to memory of 1392 964 Koeknh32.exe 90
PID 964 wrote to memory of 1392 964 Koeknh32.exe 90
PID 1392 wrote to memory of 3612 1392 Keocjbai.exe 91
PID 1392 wrote to memory of 3612 1392 Keocjbai.exe 91
PID 1392 wrote to memory of 3612 1392 Keocjbai.exe 91
PID 3612 wrote to memory of 2848 3612 Klikgl32.exe 92
PID 3612 wrote to memory of 2848 3612 Klikgl32.exe 92
PID 3612 wrote to memory of 2848 3612 Klikgl32.exe 92
PID 2848 wrote to memory of 2352 2848 Kcccdfqb.exe 93
PID 2848 wrote to memory of 2352 2848 Kcccdfqb.exe 93
PID 2848 wrote to memory of 2352 2848 Kcccdfqb.exe 93
PID 2352 wrote to memory of 2596 2352 Keappapf.exe 94
PID 2352 wrote to memory of 2596 2352 Keappapf.exe 94
PID 2352 wrote to memory of 2596 2352 Keappapf.exe 94
PID 2596 wrote to memory of 2044 2596 Klkhml32.exe 95
PID 2596 wrote to memory of 2044 2596 Klkhml32.exe 95
PID 2596 wrote to memory of 2044 2596 Klkhml32.exe 95
PID 2044 wrote to memory of 1932 2044 Kcepif32.exe 96
PID 2044 wrote to memory of 1932 2044 Kcepif32.exe 96
PID 2044 wrote to memory of 1932 2044 Kcepif32.exe 96
PID 1932 wrote to memory of 5012 1932 Kedlea32.exe 97
PID 1932 wrote to memory of 5012 1932 Kedlea32.exe 97
PID 1932 wrote to memory of 5012 1932 Kedlea32.exe 97
PID 5012 wrote to memory of 3420 5012 Klndbkep.exe 98
PID 5012 wrote to memory of 3420 5012 Klndbkep.exe 98
PID 5012 wrote to memory of 3420 5012 Klndbkep.exe 98
PID 3420 wrote to memory of 3952 3420 Lajmkbcg.exe 99
PID 3420 wrote to memory of 3952 3420 Lajmkbcg.exe 99
PID 3420 wrote to memory of 3952 3420 Lajmkbcg.exe 99
PID 3952 wrote to memory of 2412 3952 Liaelpdj.exe 100
PID 3952 wrote to memory of 2412 3952 Liaelpdj.exe 100
PID 3952 wrote to memory of 2412 3952 Liaelpdj.exe 100
PID 2412 wrote to memory of 4436 2412 Llpahkcm.exe 101
PID 2412 wrote to memory of 4436 2412 Llpahkcm.exe 101
PID 2412 wrote to memory of 4436 2412 Llpahkcm.exe 101
PID 4436 wrote to memory of 2860 4436 Lplmhj32.exe 102
PID 4436 wrote to memory of 2860 4436 Lplmhj32.exe 102
PID 4436 wrote to memory of 2860 4436 Lplmhj32.exe 102
PID 2860 wrote to memory of 4864 2860 Lcjide32.exe 103
Processes
- C:\Users\Admin\AppData\Local\Temp\0d9377ef71c53fafda7c2f28d5cb60ce3ef08483dd920d99c95fced059598a52.exe  "C:\Users\Admin\AppData\Local\Temp\0d9377ef71c53fafda7c2f28d5cb60ce3ef08483dd920d99c95fced059598a52.exe"  (1)
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4456
- C:\Windows\SysWOW64\Jehmjchq.exe  C:\Windows\system32\Jehmjchq.exe  (2)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3596
- C:\Windows\SysWOW64\Jlbefm32.exe  C:\Windows\system32\Jlbefm32.exe  (3)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5044
- C:\Windows\SysWOW64\Jopabhna.exe  C:\Windows\system32\Jopabhna.exe  (4)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2028
- C:\Windows\SysWOW64\Kifepang.exe  C:\Windows\system32\Kifepang.exe  (5)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2008
- C:\Windows\SysWOW64\Kocnhhlo.exe  C:\Windows\system32\Kocnhhlo.exe  (6)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2856
- C:\Windows\SysWOW64\Kemfeb32.exe  C:\Windows\system32\Kemfeb32.exe  (7)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4016
- C:\Windows\SysWOW64\Khkban32.exe  C:\Windows\system32\Khkban32.exe  (8)
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1960
- C:\Windows\SysWOW64\Koeknh32.exe  C:\Windows\system32\Koeknh32.exe  (9)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:964
- C:\Windows\SysWOW64\Keocjbai.exe  C:\Windows\system32\Keocjbai.exe  (10)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1392
- C:\Windows\SysWOW64\Klikgl32.exe  C:\Windows\system32\Klikgl32.exe  (11)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3612
- C:\Windows\SysWOW64\Kcccdfqb.exe  C:\Windows\system32\Kcccdfqb.exe  (12)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2848
- C:\Windows\SysWOW64\Keappapf.exe  C:\Windows\system32\Keappapf.exe  (13)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2352
- C:\Windows\SysWOW64\Klkhml32.exe  C:\Windows\system32\Klkhml32.exe  (14)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2596
- C:\Windows\SysWOW64\Kcepif32.exe  C:\Windows\system32\Kcepif32.exe  (15)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2044
- C:\Windows\SysWOW64\Kedlea32.exe  C:\Windows\system32\Kedlea32.exe  (16)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1932
- C:\Windows\SysWOW64\Klndbkep.exe  C:\Windows\system32\Klndbkep.exe  (17)
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5012
- C:\Windows\SysWOW64\Lajmkbcg.exe  C:\Windows\system32\Lajmkbcg.exe  (18)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3420
- C:\Windows\SysWOW64\Liaelpdj.exe  C:\Windows\system32\Liaelpdj.exe  (19)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3952
- C:\Windows\SysWOW64\Llpahkcm.exe  C:\Windows\system32\Llpahkcm.exe  (20)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2412
- C:\Windows\SysWOW64\Lplmhj32.exe  C:\Windows\system32\Lplmhj32.exe  (21)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4436
- C:\Windows\SysWOW64\Lcjide32.exe  C:\Windows\system32\Lcjide32.exe  (22)
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2860
- C:\Windows\SysWOW64\Lpnjniid.exe  C:\Windows\system32\Lpnjniid.exe  (23)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:4864
- C:\Windows\SysWOW64\Lclfjehh.exe  C:\Windows\system32\Lclfjehh.exe  (24)
  - Executes dropped EXE
  PID:4620
- C:\Windows\SysWOW64\Lcocpdfe.exe  C:\Windows\system32\Lcocpdfe.exe  (25)
  - Executes dropped EXE
  PID:4860
- C:\Windows\SysWOW64\Lhkkhk32.exe  C:\Windows\system32\Lhkkhk32.exe  (26)
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:2888
- C:\Windows\SysWOW64\Loeceeli.exe  C:\Windows\system32\Loeceeli.exe  (27)
  - Executes dropped EXE
  PID:1312
- C:\Windows\SysWOW64\Lhnhnk32.exe  C:\Windows\system32\Lhnhnk32.exe  (28)
  - Executes dropped EXE
  PID:4932
- C:\Windows\SysWOW64\Mafmfqij.exe  C:\Windows\system32\Mafmfqij.exe  (29)
  - Executes dropped EXE
  - Modifies registry class
  PID:880
- C:\Windows\SysWOW64\Mhpeckqg.exe  C:\Windows\system32\Mhpeckqg.exe  (30)
  - Executes dropped EXE
  PID:4792
- C:\Windows\SysWOW64\Mpgmdhai.exe  C:\Windows\system32\Mpgmdhai.exe  (31)
  - Executes dropped EXE
  PID:2976
- C:\Windows\SysWOW64\Mjpamn32.exe  C:\Windows\system32\Mjpamn32.exe  (32)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4600
- C:\Windows\SysWOW64\Momjed32.exe  C:\Windows\system32\Momjed32.exe  (33)
  - Executes dropped EXE
  PID:2392
- C:\Windows\SysWOW64\Mplfog32.exe  C:\Windows\system32\Mplfog32.exe  (34)
  - Executes dropped EXE
  - Modifies registry class
  PID:220
- C:\Windows\SysWOW64\Mfiogn32.exe  C:\Windows\system32\Mfiogn32.exe  (35)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:5056
- C:\Windows\SysWOW64\Mjdkhmcd.exe  C:\Windows\system32\Mjdkhmcd.exe  (36)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  PID:1964
- C:\Windows\SysWOW64\Mcmoab32.exe  C:\Windows\system32\Mcmoab32.exe  (37)
  - Executes dropped EXE
  PID:4328
- C:\Windows\SysWOW64\Mfkkmn32.exe  C:\Windows\system32\Mfkkmn32.exe  (38)
  - Executes dropped EXE
  PID:4648
- C:\Windows\SysWOW64\Mlecjhae.exe  C:\Windows\system32\Mlecjhae.exe  (39)
  - Executes dropped EXE
  PID:3404
- C:\Windows\SysWOW64\Nocpfc32.exe  C:\Windows\system32\Nocpfc32.exe  (40)
  - Executes dropped EXE
  - Modifies registry class
  PID:1820
- C:\Windows\SysWOW64\Njidcl32.exe  C:\Windows\system32\Njidcl32.exe  (41)
  - Executes dropped EXE
  PID:3684
- C:\Windows\SysWOW64\Nqclpfgl.exe  C:\Windows\system32\Nqclpfgl.exe  (42)
  - Executes dropped EXE
  PID:4652
- C:\Windows\SysWOW64\Nbdiho32.exe  C:\Windows\system32\Nbdiho32.exe  (43)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4348
- C:\Windows\SysWOW64\Nhnadidg.exe  C:\Windows\system32\Nhnadidg.exe  (44)
  - Executes dropped EXE
  PID:1884
- C:\Windows\SysWOW64\Nmjmeg32.exe  C:\Windows\system32\Nmjmeg32.exe  (45)
  - Executes dropped EXE
  PID:3184
- C:\Windows\SysWOW64\Nbfemnkg.exe  C:\Windows\system32\Nbfemnkg.exe  (46)
  - Executes dropped EXE
  PID:2784
- C:\Windows\SysWOW64\Niqnjh32.exe  C:\Windows\system32\Niqnjh32.exe  (47)
  - Executes dropped EXE
  PID:1748
- C:\Windows\SysWOW64\Nokfgbja.exe  C:\Windows\system32\Nokfgbja.exe  (48)
  - Executes dropped EXE
  PID:4012
- C:\Windows\SysWOW64\Ncfbga32.exe  C:\Windows\system32\Ncfbga32.exe  (49)
  - Executes dropped EXE
  PID:4256
- C:\Windows\SysWOW64\Nmofpgik.exe  C:\Windows\system32\Nmofpgik.exe  (50)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:2568
- C:\Windows\SysWOW64\Nomclbho.exe  C:\Windows\system32\Nomclbho.exe  (51)
  - Executes dropped EXE
  PID:740
- C:\Windows\SysWOW64\Nfgkilok.exe  C:\Windows\system32\Nfgkilok.exe  (52)
  - Executes dropped EXE
  PID:1500
- C:\Windows\SysWOW64\Njbgik32.exe  C:\Windows\system32\Njbgik32.exe  (53)
  - Executes dropped EXE
  PID:4368
- C:\Windows\SysWOW64\Omacef32.exe  C:\Windows\system32\Omacef32.exe  (54)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4128
- C:\Windows\SysWOW64\Ockkbqne.exe  C:\Windows\system32\Ockkbqne.exe  (55)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4604
- C:\Windows\SysWOW64\Ojecok32.exe  C:\Windows\system32\Ojecok32.exe  (56)
  - Executes dropped EXE
  PID:388
- C:\Windows\SysWOW64\Omcpkf32.exe  C:\Windows\system32\Omcpkf32.exe  (57)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:844
- C:\Windows\SysWOW64\Oqolldmo.exe  C:\Windows\system32\Oqolldmo.exe  (58)
  - Executes dropped EXE
  PID:2480
- C:\Windows\SysWOW64\Ocmhhplb.exe  C:\Windows\system32\Ocmhhplb.exe  (59)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4428
- C:\Windows\SysWOW64\Oijqpg32.exe  C:\Windows\system32\Oijqpg32.exe  (60)
  - Executes dropped EXE
  PID:2284
- C:\Windows\SysWOW64\Oodimaaf.exe  C:\Windows\system32\Oodimaaf.exe  (61)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4968
- C:\Windows\SysWOW64\Ocpemp32.exe  C:\Windows\system32\Ocpemp32.exe  (62)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2960
- C:\Windows\SysWOW64\Ofnajk32.exe  C:\Windows\system32\Ofnajk32.exe  (63)
  - Executes dropped EXE
  PID:3760
- C:\Windows\SysWOW64\Oqcegd32.exe  C:\Windows\system32\Oqcegd32.exe  (64)
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4480
- C:\Windows\SysWOW64\Obdbolog.exe  C:\Windows\system32\Obdbolog.exe  (65)
  - Executes dropped EXE
  PID:1052
- C:\Windows\SysWOW64\Ojljpi32.exe  C:\Windows\system32\Ojljpi32.exe  (66)
  PID:5016
- C:\Windows\SysWOW64\Omjfle32.exe  C:\Windows\system32\Omjfle32.exe  (67)
  PID:3712
- C:\Windows\SysWOW64\Ocdnhofj.exe  C:\Windows\system32\Ocdnhofj.exe  (68)
  - Modifies registry class
  PID:3932
- C:\Windows\SysWOW64\Ojnfei32.exe  C:\Windows\system32\Ojnfei32.exe  (69)
  PID:1832
- C:\Windows\SysWOW64\Pqhobced.exe  C:\Windows\system32\Pqhobced.exe  (70)
  PID:4908
- C:\Windows\SysWOW64\Ppkonp32.exe  C:\Windows\system32\Ppkonp32.exe  (71)
  PID:5000
- C:\Windows\SysWOW64\Pjqckikd.exe  C:\Windows\system32\Pjqckikd.exe  (72)
  PID:1224
- C:\Windows\SysWOW64\Piccfe32.exe  C:\Windows\system32\Piccfe32.exe  (73)
  - System Location Discovery: System Language Discovery
  PID:4844
- C:\Windows\SysWOW64\Ppmlcpil.exe  C:\Windows\system32\Ppmlcpil.exe  (74)
  - Drops file in System32 directory
  PID:3704
- C:\Windows\SysWOW64\Pfgdpj32.exe  C:\Windows\system32\Pfgdpj32.exe  (75)
  PID:2400
- C:\Windows\SysWOW64\Pifple32.exe  C:\Windows\system32\Pifple32.exe  (76)
  - System Location Discovery: System Language Discovery
  PID:4352
- C:\Windows\SysWOW64\Pamhmb32.exe  C:\Windows\system32\Pamhmb32.exe  (77)
  - System Location Discovery: System Language Discovery
  PID:4112
- C:\Windows\SysWOW64\Ppphipgi.exe  C:\Windows\system32\Ppphipgi.exe  (78)
  PID:2728
- C:\Windows\SysWOW64\Pfjqei32.exe  C:\Windows\system32\Pfjqei32.exe  (79)
  PID:2300
- C:\Windows\SysWOW64\Pcnaonnp.exe  C:\Windows\system32\Pcnaonnp.exe  (80)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Drops file in System32 directory
  PID:456
- C:\Windows\SysWOW64\Pjgikh32.exe  C:\Windows\system32\Pjgikh32.exe  (81)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Modifies registry class
  PID:1232
- C:\Windows\SysWOW64\Paaahbmi.exe  C:\Windows\system32\Paaahbmi.exe  (82)
  PID:3892
- C:\Windows\SysWOW64\Qjjfag32.exe  C:\Windows\system32\Qjjfag32.exe  (83)
  PID:4088
- C:\Windows\SysWOW64\Qadnna32.exe  C:\Windows\system32\Qadnna32.exe  (84)
  PID:4460
- C:\Windows\SysWOW64\Qfqgfh32.exe  C:\Windows\system32\Qfqgfh32.exe  (85)
  - Modifies registry class
  PID:672
- C:\Windows\SysWOW64\Qjlcfgag.exe  C:\Windows\system32\Qjlcfgag.exe  (86)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:4180
- C:\Windows\SysWOW64\Qpikonoo.exe  C:\Windows\system32\Qpikonoo.exe  (87)
  - Drops file in System32 directory
  PID:1484
- C:\Windows\SysWOW64\Aiaphc32.exe  C:\Windows\system32\Aiaphc32.exe  (88)
  - Drops file in System32 directory
  PID:3904
- C:\Windows\SysWOW64\Ammlhbnh.exe  C:\Windows\system32\Ammlhbnh.exe  (89)
  PID:4308
- C:\Windows\SysWOW64\Acgdelfe.exe  C:\Windows\system32\Acgdelfe.exe  (90)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
  PID:2024
- C:\Windows\SysWOW64\Ajalaf32.exe  C:\Windows\system32\Ajalaf32.exe  (91)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:2384
- C:\Windows\SysWOW64\Amohnb32.exe  C:\Windows\system32\Amohnb32.exe  (92)
  PID:3012
- C:\Windows\SysWOW64\Apndjm32.exe  C:\Windows\system32\Apndjm32.exe  (93)
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
  PID:2744
- C:\Windows\SysWOW64\Adiqjlcb.exe  C:\Windows\system32\Adiqjlcb.exe  (94)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:4400
- C:\Windows\SysWOW64\Aificcbj.exe  C:\Windows\system32\Aificcbj.exe  (95)
  - Drops file in System32 directory
  PID:2948
- C:\Windows\SysWOW64\Amaeca32.exe  C:\Windows\system32\Amaeca32.exe  (96)
  - Drops file in System32 directory
  PID:2312
- C:\Windows\SysWOW64\Adlmpl32.exe  C:\Windows\system32\Adlmpl32.exe  (97)
  PID:3516
- C:\Windows\SysWOW64\Afjjlg32.exe  C:\Windows\system32\Afjjlg32.exe  (98)
  - System Location Discovery: System Language Discovery
  PID:2836
- C:\Windows\SysWOW64\Amdbiahp.exe  C:\Windows\system32\Amdbiahp.exe  (99)
  PID:4372
- C:\Windows\SysWOW64\Aapnip32.exe  C:\Windows\system32\Aapnip32.exe  (100)
  PID:2232
- C:\Windows\SysWOW64\Apbnemgd.exe  C:\Windows\system32\Apbnemgd.exe  (101)
  - Drops file in System32 directory
  - Modifies registry class
  PID:1248
- C:\Windows\SysWOW64\Abajahfg.exe  C:\Windows\system32\Abajahfg.exe  (102)
  - Adds autorun key to be loaded by Explorer.exe on startup
  PID:4880
- C:\Windows\SysWOW64\Ajhbbegj.exe  C:\Windows\system32\Ajhbbegj.exe  (103)
  PID:512
- C:\Windows\SysWOW64\Apekklea.exe  C:\Windows\system32\Apekklea.exe  (104)
  PID:2276
- C:\Windows\SysWOW64\Abcgghde.exe  C:\Windows\system32\Abcgghde.exe  (105)
  - Modifies registry class
  PID:4624
- C:\Windows\SysWOW64\Bimocbla.exe  C:\Windows\system32\Bimocbla.exe  (106)
  PID:552
- C:\Windows\SysWOW64\Badgdold.exe  C:\Windows\system32\Badgdold.exe  (107)
  - Drops file in System32 directory
  PID:884
- C:\Windows\SysWOW64\Bdbcqklh.exe  C:\Windows\system32\Bdbcqklh.exe  (108)
  PID:3164
- C:\Windows\SysWOW64\Bjmlme32.exe  C:\Windows\system32\Bjmlme32.exe  (109)
  PID:2084
- C:\Windows\SysWOW64\Bmkhip32.exe  C:\Windows\system32\Bmkhip32.exe  (110)
  - Drops file in System32 directory
  PID:2100
- C:\Windows\SysWOW64\Bdepfjie.exe  C:\Windows\system32\Bdepfjie.exe  (111)
  PID:4276
- C:\Windows\SysWOW64\Bbhqbg32.exe  C:\Windows\system32\Bbhqbg32.exe  (112)
  PID:2340
- C:\Windows\SysWOW64\Bjohcdab.exe  C:\Windows\system32\Bjohcdab.exe  (113)
  PID:4500
- C:\Windows\SysWOW64\Baiqpo32.exe  C:\Windows\system32\Baiqpo32.exe  (114)
  PID:688
- C:\Windows\SysWOW64\Bbjmggnm.exe  C:\Windows\system32\Bbjmggnm.exe  (115)
  - System Location Discovery: System Language Discovery
  PID:1080
- C:\Windows\SysWOW64\Bkaehdoo.exe  C:\Windows\system32\Bkaehdoo.exe  (116)
  PID:1244
- C:\Windows\SysWOW64\Bakmen32.exe  C:\Windows\system32\Bakmen32.exe  (117)
  - System Location Discovery: System Language Discovery
  PID:5100
- C:\Windows\SysWOW64\Bfhfne32.exe  C:\Windows\system32\Bfhfne32.exe  (118)
  PID:936
- C:\Windows\SysWOW64\Bifbjqcg.exe  C:\Windows\system32\Bifbjqcg.exe  (119)
  - Drops file in System32 directory
  PID:2488
- C:\Windows\SysWOW64\Bpqjfk32.exe  C:\Windows\system32\Bpqjfk32.exe  (120)
  PID:5020
- C:\Windows\SysWOW64\Cbofbf32.exe  C:\Windows\system32\Cbofbf32.exe  (121)
  PID:1060
- C:\Windows\SysWOW64\Ckfocc32.exe  C:\Windows\system32\Ckfocc32.exe  (122)
  PID:4992