Analysis
-
max time kernel
118s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22-01-2025 18:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
11e3cdbac1b988d3e2e3868f15aaac83ca8f6427ab95cd038ec1d1c9c7f5398b.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
11e3cdbac1b988d3e2e3868f15aaac83ca8f6427ab95cd038ec1d1c9c7f5398b.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
11e3cdbac1b988d3e2e3868f15aaac83ca8f6427ab95cd038ec1d1c9c7f5398b.exe
-
Size
96KB
-
MD5
1e48b608045e2aee510e0be4e199dc67
-
SHA1
7660a84109657d267ba53ef7adcf19bb092d96fe
-
SHA256
11e3cdbac1b988d3e2e3868f15aaac83ca8f6427ab95cd038ec1d1c9c7f5398b
-
SHA512
946a16d92132d46dc4216b58da8ba6b9e92d876cc8543bd3751b5ef24c7d4c6e65b31bf0bb130af9406c5bdca611bb49c78762681322c5568ec1efa3c16d5e86
-
SSDEEP
1536:foZ2IeulXBHK6gPkh7QzcTOp/m3+sGmTMu2Ly7RZObZUUWaegPYAC:yPi8FQzcKkYmoyClUUWaen
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpcnbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgeabi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jaamhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nadoiccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjmolp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipameehe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbinad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kehgkgha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gadidabc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcacochk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nokqidll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbginomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmiljb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcmjpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eamgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjboeenh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodahk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmfklepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgacaaij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdokceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biakbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfcfob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmgblphf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpagbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhaobd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eheblj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfando32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmbjjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khglkqfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pppnia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkfnaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hghhngjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnfbcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npiiafpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecjibgdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdehpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgeenb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbmgkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efdmohmm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebemnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiimfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjeholco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Podpoffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmelpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikjlmjmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iplnpq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eagiho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hccfoehi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdoeipjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iapfmg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebmjihqn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpegka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gllnnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Palbgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajdego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daplmimi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcegdnna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lddagi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpoaheja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbijcgbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jidppaio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acadchoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhleaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekipgb32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
resource yara_rule behavioral1/files/0x0003000000020c48-7138.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 3064 Dbdagg32.exe 2900 Dgqion32.exe 2716 Eddjhb32.exe 2076 Empomd32.exe 2976 Ebappk32.exe 2004 Elieipej.exe 2212 Fpgnoo32.exe 1644 Fipbhd32.exe 2420 Fcichb32.exe 2396 Fdlpnamm.exe 2084 Fdnlcakk.exe 264 Fmfalg32.exe 2156 Gllnnc32.exe 2608 Gipngg32.exe 2340 Ghekhd32.exe 828 Gampaipe.exe 788 Gekhgh32.exe 804 Gkhaooec.exe 568 Hkjnenbp.exe 1356 Hganjo32.exe 1816 Hdeoccgn.exe 1352 Hkogpn32.exe 2588 Hehhqk32.exe 2624 Hoalia32.exe 864 Hekefkig.exe 2332 Ioefdpne.exe 2828 Iadbqlmh.exe 2800 Igcgnbim.exe 2672 Inplqlng.exe 2724 Jjfmem32.exe 2172 Jqpebg32.exe 1996 Jcandb32.exe 2000 Jmibmhoj.exe 1652 Jmlobg32.exe 1372 Jfddkmch.exe 3008 Kolhdbjh.exe 1948 Keiqlihp.exe 868 Kbmafngi.exe 2160 Lpoaheja.exe 2168 Liibgkoo.exe 2236 Lbagpp32.exe 2460 Mebpakbq.exe 2128 Maiqfl32.exe 816 Mpnngi32.exe 2552 Mkdbea32.exe 1812 Mcofid32.exe 2208 Miiofn32.exe 2432 Mcacochk.exe 284 Nikkkn32.exe 1056 Ncdpdcfh.exe 1768 Ninhamne.exe 2892 Nokqidll.exe 1560 Nipefmkb.exe 3028 Nommodjj.exe 2688 Ndjfgkha.exe 2216 Noojdc32.exe 2476 Nanfqo32.exe 2952 Noagjc32.exe 2512 Oapcfo32.exe 2372 Ogmkne32.exe 700 Oabplobe.exe 2204 Occlcg32.exe 1060 Onipqp32.exe 952 Ocfiif32.exe -
Loads dropped DLL 64 IoCs
pid Process 2824 11e3cdbac1b988d3e2e3868f15aaac83ca8f6427ab95cd038ec1d1c9c7f5398b.exe 2824 11e3cdbac1b988d3e2e3868f15aaac83ca8f6427ab95cd038ec1d1c9c7f5398b.exe 3064 Dbdagg32.exe 3064 Dbdagg32.exe 2900 Dgqion32.exe 2900 Dgqion32.exe 2716 Eddjhb32.exe 2716 Eddjhb32.exe 2076 Empomd32.exe 2076 Empomd32.exe 2976 Ebappk32.exe 2976 Ebappk32.exe 2004 Elieipej.exe 2004 Elieipej.exe 2212 Fpgnoo32.exe 2212 Fpgnoo32.exe 1644 Fipbhd32.exe 1644 Fipbhd32.exe 2420 Fcichb32.exe 2420 Fcichb32.exe 2396 Fdlpnamm.exe 2396 Fdlpnamm.exe 2084 Fdnlcakk.exe 2084 Fdnlcakk.exe 264 Fmfalg32.exe 264 Fmfalg32.exe 2156 Gllnnc32.exe 2156 Gllnnc32.exe 2608 Gipngg32.exe 2608 Gipngg32.exe 2340 Ghekhd32.exe 2340 Ghekhd32.exe 828 Gampaipe.exe 828 Gampaipe.exe 788 Gekhgh32.exe 788 Gekhgh32.exe 804 Gkhaooec.exe 804 Gkhaooec.exe 568 Hkjnenbp.exe 568 Hkjnenbp.exe 1356 Hganjo32.exe 1356 Hganjo32.exe 1816 Hdeoccgn.exe 1816 Hdeoccgn.exe 1352 Hkogpn32.exe 1352 Hkogpn32.exe 2588 Hehhqk32.exe 2588 Hehhqk32.exe 2624 Hoalia32.exe 2624 Hoalia32.exe 864 Hekefkig.exe 864 Hekefkig.exe 2332 Ioefdpne.exe 2332 Ioefdpne.exe 2828 Iadbqlmh.exe 2828 Iadbqlmh.exe 2800 Igcgnbim.exe 2800 Igcgnbim.exe 2672 Inplqlng.exe 2672 Inplqlng.exe 2724 Jjfmem32.exe 2724 Jjfmem32.exe 2172 Jqpebg32.exe 2172 Jqpebg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pfando32.exe Pnfipm32.exe File created C:\Windows\SysWOW64\Mflgkd32.exe Mnpbgbdd.exe File created C:\Windows\SysWOW64\Gbmiha32.dll Empomd32.exe File created C:\Windows\SysWOW64\Mlnbgj32.dll Fdnlcakk.exe File created C:\Windows\SysWOW64\Bcdpdn32.dll Nommodjj.exe File created C:\Windows\SysWOW64\Blodefdg.exe Bbgplq32.exe File created C:\Windows\SysWOW64\Kafopn32.dll Ebmjihqn.exe File created C:\Windows\SysWOW64\Moanhnka.dll Nobpmb32.exe File opened for modification C:\Windows\SysWOW64\Coiqmp32.exe Cddlpg32.exe File created C:\Windows\SysWOW64\Pficpanm.dll Dpofpg32.exe File opened for modification C:\Windows\SysWOW64\Jalmcl32.exe Ieelnkpd.exe File opened for modification C:\Windows\SysWOW64\Qakppa32.exe Qlnghj32.exe File created C:\Windows\SysWOW64\Obbbpp32.dll Qlnghj32.exe File created C:\Windows\SysWOW64\Opkpme32.exe Ojnhdn32.exe File created C:\Windows\SysWOW64\Emhqjkjh.dll Linoeccp.exe File created C:\Windows\SysWOW64\Himocb32.dll Ndjfgkha.exe File opened for modification C:\Windows\SysWOW64\Pkmmigjo.exe Pbdipa32.exe File created C:\Windows\SysWOW64\Opbjmj32.dll Kfgjdlme.exe File opened for modification C:\Windows\SysWOW64\Ncloha32.exe Nlbgkgcc.exe File created C:\Windows\SysWOW64\Iekgod32.exe Hpoofm32.exe File opened for modification C:\Windows\SysWOW64\Dihkimag.exe Dpofpg32.exe File opened for modification C:\Windows\SysWOW64\Oaeacppk.exe Omhhma32.exe File opened for modification C:\Windows\SysWOW64\Jnfbcg32.exe Jboanfmm.exe File opened for modification C:\Windows\SysWOW64\Fnmmidhm.exe Fdehpn32.exe File created C:\Windows\SysWOW64\Bbgmbfej.dll Gllpflng.exe File created C:\Windows\SysWOW64\Hmnhnk32.exe Hcfceeff.exe File opened for modification C:\Windows\SysWOW64\Pdffcn32.exe Pgbejj32.exe File created C:\Windows\SysWOW64\Bfmkge32.dll Dahobdpe.exe File created C:\Windows\SysWOW64\Ncdciq32.exe Nkmkgc32.exe File created C:\Windows\SysWOW64\Qjikefbe.dll Enlncdio.exe File created C:\Windows\SysWOW64\Logkbl32.dll Gohjnf32.exe File created C:\Windows\SysWOW64\Adhglggg.dll Cgbfcjag.exe File created C:\Windows\SysWOW64\Jmddhe32.dll Ddjphm32.exe File created C:\Windows\SysWOW64\Pmpiei32.dll Lnqkjl32.exe File created C:\Windows\SysWOW64\Dmecokhm.exe Dcpoab32.exe File created C:\Windows\SysWOW64\Ggbjag32.exe Gbeaip32.exe File created C:\Windows\SysWOW64\Jlddpkgh.exe Joqdfghn.exe File created C:\Windows\SysWOW64\Chmpbiao.dll Plildb32.exe File opened for modification C:\Windows\SysWOW64\Bkhjcing.exe Bapejd32.exe File created C:\Windows\SysWOW64\Dclgbgbh.exe Dcijmhdj.exe File created C:\Windows\SysWOW64\Cddlpg32.exe Cogdhpkp.exe File created C:\Windows\SysWOW64\Pgfnqkbe.dll Ekipgb32.exe File opened for modification C:\Windows\SysWOW64\Oiifcdhn.exe Oppbjn32.exe File opened for modification C:\Windows\SysWOW64\Amcfpl32.exe Appfggjm.exe File opened for modification C:\Windows\SysWOW64\Clbbfj32.exe Conbmfif.exe File created C:\Windows\SysWOW64\Epkglngn.dll Dgoobg32.exe File created C:\Windows\SysWOW64\Lggdfk32.exe Lbjlnd32.exe File created C:\Windows\SysWOW64\Fjecidcb.dll Dabfjp32.exe File created C:\Windows\SysWOW64\Idopmjih.dll Epdljjjm.exe File opened for modification C:\Windows\SysWOW64\Jaamhb32.exe Jlddpkgh.exe File opened for modification C:\Windows\SysWOW64\Lhpkoo32.exe Khmnio32.exe File created C:\Windows\SysWOW64\Pkegca32.dll Bdehgnqc.exe File created C:\Windows\SysWOW64\Jmnpoagb.dll Lbagpp32.exe File created C:\Windows\SysWOW64\Njljfe32.dll Mhkhgd32.exe File created C:\Windows\SysWOW64\Kopnjkfp.dll Qnalcqpm.exe File created C:\Windows\SysWOW64\Eoadpbdp.dll Pkjqcg32.exe File created C:\Windows\SysWOW64\Oeoeplfn.exe Oihdjk32.exe File opened for modification C:\Windows\SysWOW64\Ajcldpkd.exe Aakhkj32.exe File opened for modification C:\Windows\SysWOW64\Jbijcgbc.exe Jllakpdk.exe File opened for modification C:\Windows\SysWOW64\Eagiho32.exe Dgnhhq32.exe File created C:\Windows\SysWOW64\Phnkdd32.dll Fkapkq32.exe File opened for modification C:\Windows\SysWOW64\Dapnfb32.exe Dlcfnk32.exe File opened for modification C:\Windows\SysWOW64\Igngim32.exe Hbekojlp.exe File opened for modification C:\Windows\SysWOW64\Lggdfk32.exe Lbjlnd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4476 4604 WerFault.exe 859 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdaephpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbpmbndm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjkbfpah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgcdcjpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckilmfke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpmljan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcandb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqanke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pembpkfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffeoid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjkmijh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pinnfonh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plfjme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 11e3cdbac1b988d3e2e3868f15aaac83ca8f6427ab95cd038ec1d1c9c7f5398b.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maiqfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghjqlmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggmjkapi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akbgdkgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfmbfkhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabplobe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcpoab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpgqlc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miaaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdhnnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djfooa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnlcakk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Codeih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eamdlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iadbqlmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgdpgqgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqbifhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcocgkbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffjghppi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehonebqq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipameehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njipabhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicfgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgppmpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adcobk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfmccfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppejmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhleaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peapmhnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndhddaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjnanhhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldangbhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmada32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfmqigba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgeabi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkhdml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oophlpag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khmnio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmkilbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddagi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhcehngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ochenfdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikoehj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofqonp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffcbce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgdbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Limhpihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pffgonbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ankckagj.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlhbgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfkgdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chabmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kokppd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amcfpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpdkq32.dll" Elieipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiimci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miglkjli.dll" Jdobjgqg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iomgfhen.dll" Fcichb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jifkmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Echoepmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kphgke32.dll" Fqnhcgma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daonbn32.dll" Pgbejj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kobhillo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnekcblk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phhmeehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imfeip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkncac32.dll" Dpphipbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aljcblpk.dll" Jekaeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioefdpne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knijji32.dll" Mcpmonea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhalag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Limhpihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oecnkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjhlcioh.dll" Deonff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nnndin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnmhejjl.dll" Pbqbioeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ninhamne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baealp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehjbaooe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njkdom32.dll" Dbfaopqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gohjnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifajif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgqion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keiqlihp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imfeip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjgonf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpfgke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnkpcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dajiok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmjfae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofehiocd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghekhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cagjqbam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joekimld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 11e3cdbac1b988d3e2e3868f15aaac83ca8f6427ab95cd038ec1d1c9c7f5398b.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adnegldo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgcpnon.dll" Epmahmcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iqgofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kopnjkfp.dll" Qnalcqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emkfmioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcfceeff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiefqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkjigh32.dll" Ebemnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjikefbe.dll" Enlncdio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadged32.dll" Hocmbjhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coiqmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilceog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emqfen32.dll" Qlqdmj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjgonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kimfdido.dll" Incgfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ankckagj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jalmcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgbcgg32.dll" Eoecbheg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2824 wrote to memory of 3064 2824 11e3cdbac1b988d3e2e3868f15aaac83ca8f6427ab95cd038ec1d1c9c7f5398b.exe 30 PID 2824 wrote to memory of 3064 2824 11e3cdbac1b988d3e2e3868f15aaac83ca8f6427ab95cd038ec1d1c9c7f5398b.exe 30 PID 2824 wrote to memory of 3064 2824 11e3cdbac1b988d3e2e3868f15aaac83ca8f6427ab95cd038ec1d1c9c7f5398b.exe 30 PID 2824 wrote to memory of 3064 2824 11e3cdbac1b988d3e2e3868f15aaac83ca8f6427ab95cd038ec1d1c9c7f5398b.exe 30 PID 3064 wrote to memory of 2900 3064 Dbdagg32.exe 31 PID 3064 wrote to memory of 2900 3064 Dbdagg32.exe 31 PID 3064 wrote to memory of 2900 3064 Dbdagg32.exe 31 PID 3064 wrote to memory of 2900 3064 Dbdagg32.exe 31 PID 2900 wrote to memory of 2716 2900 Dgqion32.exe 32 PID 2900 wrote to memory of 2716 2900 Dgqion32.exe 32 PID 2900 wrote to memory of 2716 2900 Dgqion32.exe 32 PID 2900 wrote to memory of 2716 2900 Dgqion32.exe 32 PID 2716 wrote to memory of 2076 2716 Eddjhb32.exe 33 PID 2716 wrote to memory of 2076 2716 Eddjhb32.exe 33 PID 2716 wrote to memory of 2076 2716 Eddjhb32.exe 33 PID 2716 wrote to memory of 2076 2716 Eddjhb32.exe 33 PID 2076 wrote to memory of 2976 2076 Empomd32.exe 34 PID 2076 wrote to memory of 2976 2076 Empomd32.exe 34 PID 2076 wrote to memory of 2976 2076 Empomd32.exe 34 PID 2076 wrote to memory of 2976 2076 Empomd32.exe 34 PID 2976 wrote to memory of 2004 2976 Ebappk32.exe 35 PID 2976 wrote to memory of 2004 2976 Ebappk32.exe 35 PID 2976 wrote to memory of 2004 2976 Ebappk32.exe 35 PID 2976 wrote to memory of 2004 2976 Ebappk32.exe 35 PID 2004 wrote to memory of 2212 2004 Elieipej.exe 36 PID 2004 wrote to memory of 2212 2004 Elieipej.exe 36 PID 2004 wrote to memory of 2212 2004 Elieipej.exe 36 PID 2004 wrote to memory of 2212 2004 Elieipej.exe 36 PID 2212 wrote to memory of 1644 2212 Fpgnoo32.exe 37 PID 2212 wrote to memory of 1644 2212 Fpgnoo32.exe 37 PID 2212 wrote to memory of 1644 2212 Fpgnoo32.exe 37 PID 2212 wrote to memory of 1644 2212 Fpgnoo32.exe 37 PID 1644 wrote to memory of 2420 1644 Fipbhd32.exe 38 PID 1644 wrote to memory of 2420 1644 Fipbhd32.exe 38 PID 1644 wrote to memory of 2420 1644 Fipbhd32.exe 38 PID 1644 wrote to memory of 2420 1644 Fipbhd32.exe 38 PID 2420 wrote to memory of 2396 2420 Fcichb32.exe 39 PID 2420 wrote to memory of 2396 2420 Fcichb32.exe 39 PID 2420 wrote to memory of 2396 2420 Fcichb32.exe 39 PID 2420 wrote to memory of 2396 2420 Fcichb32.exe 39 PID 2396 wrote to memory of 2084 2396 Fdlpnamm.exe 40 PID 2396 wrote to memory of 2084 2396 Fdlpnamm.exe 40 PID 2396 wrote to memory of 2084 2396 Fdlpnamm.exe 40 PID 2396 wrote to memory of 2084 2396 Fdlpnamm.exe 40 PID 2084 wrote to memory of 264 2084 Fdnlcakk.exe 41 PID 2084 wrote to memory of 264 2084 Fdnlcakk.exe 41 PID 2084 wrote to memory of 264 2084 Fdnlcakk.exe 41 PID 2084 wrote to memory of 264 2084 Fdnlcakk.exe 41 PID 264 wrote to memory of 2156 264 Fmfalg32.exe 42 PID 264 wrote to memory of 2156 264 Fmfalg32.exe 42 PID 264 wrote to memory of 2156 264 Fmfalg32.exe 42 PID 264 wrote to memory of 2156 264 Fmfalg32.exe 42 PID 2156 wrote to memory of 2608 2156 Gllnnc32.exe 43 PID 2156 wrote to memory of 2608 2156 Gllnnc32.exe 43 PID 2156 wrote to memory of 2608 2156 Gllnnc32.exe 43 PID 2156 wrote to memory of 2608 2156 Gllnnc32.exe 43 PID 2608 wrote to memory of 2340 2608 Gipngg32.exe 44 PID 2608 wrote to memory of 2340 2608 Gipngg32.exe 44 PID 2608 wrote to memory of 2340 2608 Gipngg32.exe 44 PID 2608 wrote to memory of 2340 2608 Gipngg32.exe 44 PID 2340 wrote to memory of 828 2340 Ghekhd32.exe 45 PID 2340 wrote to memory of 828 2340 Ghekhd32.exe 45 PID 2340 wrote to memory of 828 2340 Ghekhd32.exe 45 PID 2340 wrote to memory of 828 2340 Ghekhd32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\11e3cdbac1b988d3e2e3868f15aaac83ca8f6427ab95cd038ec1d1c9c7f5398b.exe"C:\Users\Admin\AppData\Local\Temp\11e3cdbac1b988d3e2e3868f15aaac83ca8f6427ab95cd038ec1d1c9c7f5398b.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Dbdagg32.exeC:\Windows\system32\Dbdagg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Dgqion32.exeC:\Windows\system32\Dgqion32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Eddjhb32.exeC:\Windows\system32\Eddjhb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Empomd32.exeC:\Windows\system32\Empomd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Ebappk32.exeC:\Windows\system32\Ebappk32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Elieipej.exeC:\Windows\system32\Elieipej.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Fpgnoo32.exeC:\Windows\system32\Fpgnoo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Fipbhd32.exeC:\Windows\system32\Fipbhd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1644 -
C:\Windows\SysWOW64\Fcichb32.exeC:\Windows\system32\Fcichb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Fdlpnamm.exeC:\Windows\system32\Fdlpnamm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Fdnlcakk.exeC:\Windows\system32\Fdnlcakk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Fmfalg32.exeC:\Windows\system32\Fmfalg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Gllnnc32.exeC:\Windows\system32\Gllnnc32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Gipngg32.exeC:\Windows\system32\Gipngg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Ghekhd32.exeC:\Windows\system32\Ghekhd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Gampaipe.exeC:\Windows\system32\Gampaipe.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:828 -
C:\Windows\SysWOW64\Gekhgh32.exeC:\Windows\system32\Gekhgh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:788 -
C:\Windows\SysWOW64\Gkhaooec.exeC:\Windows\system32\Gkhaooec.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:804 -
C:\Windows\SysWOW64\Hkjnenbp.exeC:\Windows\system32\Hkjnenbp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:568 -
C:\Windows\SysWOW64\Hganjo32.exeC:\Windows\system32\Hganjo32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Hdeoccgn.exeC:\Windows\system32\Hdeoccgn.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1816 -
C:\Windows\SysWOW64\Hkogpn32.exeC:\Windows\system32\Hkogpn32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1352 -
C:\Windows\SysWOW64\Hehhqk32.exeC:\Windows\system32\Hehhqk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Hoalia32.exeC:\Windows\system32\Hoalia32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Hekefkig.exeC:\Windows\system32\Hekefkig.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:864 -
C:\Windows\SysWOW64\Ioefdpne.exeC:\Windows\system32\Ioefdpne.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Iadbqlmh.exeC:\Windows\system32\Iadbqlmh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Igcgnbim.exeC:\Windows\system32\Igcgnbim.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Inplqlng.exeC:\Windows\system32\Inplqlng.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Jjfmem32.exeC:\Windows\system32\Jjfmem32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Jqpebg32.exeC:\Windows\system32\Jqpebg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Jcandb32.exeC:\Windows\system32\Jcandb32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1996 -
C:\Windows\SysWOW64\Jmibmhoj.exeC:\Windows\system32\Jmibmhoj.exe34⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Jmlobg32.exeC:\Windows\system32\Jmlobg32.exe35⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Jfddkmch.exeC:\Windows\system32\Jfddkmch.exe36⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Kolhdbjh.exeC:\Windows\system32\Kolhdbjh.exe37⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Keiqlihp.exeC:\Windows\system32\Keiqlihp.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Kbmafngi.exeC:\Windows\system32\Kbmafngi.exe39⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Lpoaheja.exeC:\Windows\system32\Lpoaheja.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Liibgkoo.exeC:\Windows\system32\Liibgkoo.exe41⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Lbagpp32.exeC:\Windows\system32\Lbagpp32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Mebpakbq.exeC:\Windows\system32\Mebpakbq.exe43⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Maiqfl32.exeC:\Windows\system32\Maiqfl32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Mpnngi32.exeC:\Windows\system32\Mpnngi32.exe45⤵
- Executes dropped EXE
PID:816 -
C:\Windows\SysWOW64\Mkdbea32.exeC:\Windows\system32\Mkdbea32.exe46⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Mcofid32.exeC:\Windows\system32\Mcofid32.exe47⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Miiofn32.exeC:\Windows\system32\Miiofn32.exe48⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Mcacochk.exeC:\Windows\system32\Mcacochk.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Nikkkn32.exeC:\Windows\system32\Nikkkn32.exe50⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Ncdpdcfh.exeC:\Windows\system32\Ncdpdcfh.exe51⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Ninhamne.exeC:\Windows\system32\Ninhamne.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Nokqidll.exeC:\Windows\system32\Nokqidll.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Nipefmkb.exeC:\Windows\system32\Nipefmkb.exe54⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Nommodjj.exeC:\Windows\system32\Nommodjj.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Ndjfgkha.exeC:\Windows\system32\Ndjfgkha.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Noojdc32.exeC:\Windows\system32\Noojdc32.exe57⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Nanfqo32.exeC:\Windows\system32\Nanfqo32.exe58⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Noagjc32.exeC:\Windows\system32\Noagjc32.exe59⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Oapcfo32.exeC:\Windows\system32\Oapcfo32.exe60⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Ogmkne32.exeC:\Windows\system32\Ogmkne32.exe61⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Oabplobe.exeC:\Windows\system32\Oabplobe.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:700 -
C:\Windows\SysWOW64\Occlcg32.exeC:\Windows\system32\Occlcg32.exe63⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Onipqp32.exeC:\Windows\system32\Onipqp32.exe64⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Ocfiif32.exeC:\Windows\system32\Ocfiif32.exe65⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Onkmfofg.exeC:\Windows\system32\Onkmfofg.exe66⤵PID:1712
-
C:\Windows\SysWOW64\Ochenfdn.exeC:\Windows\system32\Ochenfdn.exe67⤵
- System Location Discovery: System Language Discovery
PID:736 -
C:\Windows\SysWOW64\Omqjgl32.exeC:\Windows\system32\Omqjgl32.exe68⤵PID:1956
-
C:\Windows\SysWOW64\Ojdjqp32.exeC:\Windows\system32\Ojdjqp32.exe69⤵PID:2336
-
C:\Windows\SysWOW64\Pkfghh32.exeC:\Windows\system32\Pkfghh32.exe70⤵PID:1064
-
C:\Windows\SysWOW64\Pmecbkgj.exeC:\Windows\system32\Pmecbkgj.exe71⤵PID:1968
-
C:\Windows\SysWOW64\Podpoffm.exeC:\Windows\system32\Podpoffm.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1564 -
C:\Windows\SysWOW64\Peqhgmdd.exeC:\Windows\system32\Peqhgmdd.exe73⤵PID:2804
-
C:\Windows\SysWOW64\Pkjqcg32.exeC:\Windows\system32\Pkjqcg32.exe74⤵
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Pbdipa32.exeC:\Windows\system32\Pbdipa32.exe75⤵
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Pkmmigjo.exeC:\Windows\system32\Pkmmigjo.exe76⤵PID:1172
-
C:\Windows\SysWOW64\Peeabm32.exeC:\Windows\system32\Peeabm32.exe77⤵PID:1076
-
C:\Windows\SysWOW64\Pjbjjc32.exeC:\Windows\system32\Pjbjjc32.exe78⤵PID:1924
-
C:\Windows\SysWOW64\Palbgn32.exeC:\Windows\system32\Palbgn32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3000 -
C:\Windows\SysWOW64\Qfikod32.exeC:\Windows\system32\Qfikod32.exe80⤵PID:2988
-
C:\Windows\SysWOW64\Qnpcpa32.exeC:\Windows\system32\Qnpcpa32.exe81⤵PID:2064
-
C:\Windows\SysWOW64\Qcmkhi32.exeC:\Windows\system32\Qcmkhi32.exe82⤵PID:2532
-
C:\Windows\SysWOW64\Qfkgdd32.exeC:\Windows\system32\Qfkgdd32.exe83⤵
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Qaqlbmbn.exeC:\Windows\system32\Qaqlbmbn.exe84⤵PID:2244
-
C:\Windows\SysWOW64\Ajipkb32.exeC:\Windows\system32\Ajipkb32.exe85⤵PID:2344
-
C:\Windows\SysWOW64\Acadchoo.exeC:\Windows\system32\Acadchoo.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1204 -
C:\Windows\SysWOW64\Ainmlomf.exeC:\Windows\system32\Ainmlomf.exe87⤵PID:340
-
C:\Windows\SysWOW64\Ankedf32.exeC:\Windows\system32\Ankedf32.exe88⤵PID:2596
-
C:\Windows\SysWOW64\Ahcjmkbo.exeC:\Windows\system32\Ahcjmkbo.exe89⤵PID:2944
-
C:\Windows\SysWOW64\Anmbje32.exeC:\Windows\system32\Anmbje32.exe90⤵PID:2704
-
C:\Windows\SysWOW64\Aicfgn32.exeC:\Windows\system32\Aicfgn32.exe91⤵
- System Location Discovery: System Language Discovery
PID:1420 -
C:\Windows\SysWOW64\Ajdcofop.exeC:\Windows\system32\Ajdcofop.exe92⤵PID:1804
-
C:\Windows\SysWOW64\Aejglo32.exeC:\Windows\system32\Aejglo32.exe93⤵PID:1384
-
C:\Windows\SysWOW64\Bmelpa32.exeC:\Windows\system32\Bmelpa32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2252 -
C:\Windows\SysWOW64\Bfmqigba.exeC:\Windows\system32\Bfmqigba.exe95⤵
- System Location Discovery: System Language Discovery
PID:908 -
C:\Windows\SysWOW64\Bpfebmia.exeC:\Windows\system32\Bpfebmia.exe96⤵PID:516
-
C:\Windows\SysWOW64\Bkkioeig.exeC:\Windows\system32\Bkkioeig.exe97⤵PID:2248
-
C:\Windows\SysWOW64\Baealp32.exeC:\Windows\system32\Baealp32.exe98⤵
- Modifies registry class
PID:956 -
C:\Windows\SysWOW64\Bknfeege.exeC:\Windows\system32\Bknfeege.exe99⤵PID:1576
-
C:\Windows\SysWOW64\Blobmm32.exeC:\Windows\system32\Blobmm32.exe100⤵PID:1392
-
C:\Windows\SysWOW64\Beggec32.exeC:\Windows\system32\Beggec32.exe101⤵PID:1588
-
C:\Windows\SysWOW64\Bopknhjd.exeC:\Windows\system32\Bopknhjd.exe102⤵PID:1580
-
C:\Windows\SysWOW64\Ciepkajj.exeC:\Windows\system32\Ciepkajj.exe103⤵PID:924
-
C:\Windows\SysWOW64\Cobhdhha.exeC:\Windows\system32\Cobhdhha.exe104⤵PID:3048
-
C:\Windows\SysWOW64\Ciglaa32.exeC:\Windows\system32\Ciglaa32.exe105⤵PID:2948
-
C:\Windows\SysWOW64\Codeih32.exeC:\Windows\system32\Codeih32.exe106⤵
- System Location Discovery: System Language Discovery
PID:920 -
C:\Windows\SysWOW64\Clhecl32.exeC:\Windows\system32\Clhecl32.exe107⤵PID:1276
-
C:\Windows\SysWOW64\Cdcjgnbc.exeC:\Windows\system32\Cdcjgnbc.exe108⤵PID:1156
-
C:\Windows\SysWOW64\Cgbfcjag.exeC:\Windows\system32\Cgbfcjag.exe109⤵
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Cagjqbam.exeC:\Windows\system32\Cagjqbam.exe110⤵
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Chabmm32.exeC:\Windows\system32\Chabmm32.exe111⤵
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Cjboeenh.exeC:\Windows\system32\Cjboeenh.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1292 -
C:\Windows\SysWOW64\Ddhcbnnn.exeC:\Windows\system32\Ddhcbnnn.exe113⤵PID:2272
-
C:\Windows\SysWOW64\Djeljd32.exeC:\Windows\system32\Djeljd32.exe114⤵PID:3032
-
C:\Windows\SysWOW64\Ddjphm32.exeC:\Windows\system32\Ddjphm32.exe115⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Dflmpebj.exeC:\Windows\system32\Dflmpebj.exe116⤵PID:2832
-
C:\Windows\SysWOW64\Dodahk32.exeC:\Windows\system32\Dodahk32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2680 -
C:\Windows\SysWOW64\Dhleaq32.exeC:\Windows\system32\Dhleaq32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:916 -
C:\Windows\SysWOW64\Dpcnbn32.exeC:\Windows\system32\Dpcnbn32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2872 -
C:\Windows\SysWOW64\Dfpfke32.exeC:\Windows\system32\Dfpfke32.exe120⤵PID:524
-
C:\Windows\SysWOW64\Dhobgp32.exeC:\Windows\system32\Dhobgp32.exe121⤵PID:2488
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-