Analysis
max time kernel: 92s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19-09-2024 10:47
Behavioral task: behavioral1
Sample: 640087b8f62f6db453e51987d468ec03d4f75218f80a306bec8d5d8a17fdc6e6N.exe
Resource: win7-20240903-en
General
Target: 640087b8f62f6db453e51987d468ec03d4f75218f80a306bec8d5d8a17fdc6e6N.exe
Size: 320KB
MD5: cae546f5401b9cdda740082950184f20
SHA1: 632df2a57cba24c98ccb2071add5596643228d7a
SHA256: 640087b8f62f6db453e51987d468ec03d4f75218f80a306bec8d5d8a17fdc6e6
SHA512: 41ad8703b68fc2a5331f772eeb958935cc382430b8e6f17378fa703095640e378ee6466b77521cbf23a2a44b48798bca13cf9d65735298c0a38929a9b8e786c3
SSDEEP: 3072:69HCY6qcVbUdAmlfpgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4YfK:69i/dmp1+fIyG5jZkCwi8s
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hnegod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkkfdmpq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kbedmedg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Iegjnkod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nabegpbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Phklcn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jephgi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qcdgei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Meafpibb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jcpglhpo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mnlkdk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Giogonlb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iegjnkod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Llnepb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnmpcmpi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfedlb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jnojjp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbhcankf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ggfgoo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dckdio32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmjkbfnh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cgogbano.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fallil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ejfnfn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gqcaoghl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Odjikh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mgdpnqfn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdldmokn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdiaqj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Elnagijk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ffmnloih.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpbmhf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Peooek32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qgeckn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jbandfkj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecibjn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oappof32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ekgfkl32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kppohf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpppbf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qafboi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fomndhng.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ljjnpo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmkbfmpf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Efoobkej.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kbpbokop.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Deanooeb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Blklfk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jookedhp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gfadeaho.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocbnqfln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ndfppije.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fhgnie32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqeqhlii.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Boggkicf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gaokhdja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Blplkp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hoflpbmo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmaaha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ifloeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Obopobhe.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Napibq32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Coidpiac.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aagadh32.exe
Executes dropped EXE (64 IoCs)
pid | Process
2144 | Bclcfnih.exe
2876 | Bmegodpi.exe
2164 | Bikhce32.exe
2804 | Bbdmljln.exe
2712 | Cmgpcg32.exe
2680 | Cipnng32.exe
2476 | Dhggdcgh.exe
2940 | Dendcg32.exe
2020 | Dadehh32.exe
832 | Elcpdeam.exe
2464 | Eleliepj.exe
1992 | Fgcgebhd.exe
2256 | Fkapkq32.exe
2440 | Gqcaoghl.exe
2432 | Gccjpb32.exe
1620 | Gdjpcj32.exe
1668 | Henjnica.exe
2096 | Hgobpd32.exe
1932 | Hpjgdf32.exe
1568 | Imqdcjkd.exe
548 | Ieligmho.exe
956 | Iagchmjn.exe
3064 | Jalmcl32.exe
2492 | Jdmfdgbj.exe
1244 | Jpcfih32.exe
2332 | Jpfcohfk.exe
1588 | Kphpdhdh.exe
2920 | Khcdijac.exe
2664 | Kopikdgn.exe
2828 | Kobfqc32.exe
2220 | Kngcbpjc.exe
2616 | Lgphke32.exe
1608 | Lfedlb32.exe
1268 | Lfgaaa32.exe
2932 | Ljejgp32.exe
2528 | Lflklaoc.exe
908 | Mfngbq32.exe
1100 | Mqhhbn32.exe
2312 | Mqjehngm.exe
2456 | Mdhnnl32.exe
236 | Mmcbbo32.exe
864 | Mjgclcjh.exe
1812 | Nfncad32.exe
2372 | Npfhjifm.exe
1528 | Niombolm.exe
1616 | Neemgp32.exe
1096 | Npkaei32.exe
1204 | Nehjmppo.exe
3024 | Nbljfdoh.exe
3040 | Odmgnl32.exe
2844 | Oaaghp32.exe
2916 | Omhhma32.exe
2632 | Ojlife32.exe
3056 | Oddmokoo.exe
2532 | Oiqegb32.exe
688 | Olobcm32.exe
2544 | Obijpgcf.exe
2732 | Pbkgegad.exe
1640 | Pbnckg32.exe
1744 | Phklcn32.exe
2072 | Pdamhocm.exe
2232 | Plheil32.exe
2168 | Pddinn32.exe
1456 | Pmlngdhk.exe
Loads dropped DLL (64 IoCs)
pid | Process
2720 | 640087b8f62f6db453e51987d468ec03d4f75218f80a306bec8d5d8a17fdc6e6N.exe
2720 | 640087b8f62f6db453e51987d468ec03d4f75218f80a306bec8d5d8a17fdc6e6N.exe
2144 | Bclcfnih.exe
2144 | Bclcfnih.exe
2876 | Bmegodpi.exe
2876 | Bmegodpi.exe
2164 | Bikhce32.exe
2164 | Bikhce32.exe
2804 | Bbdmljln.exe
2804 | Bbdmljln.exe
2712 | Cmgpcg32.exe
2712 | Cmgpcg32.exe
2680 | Cipnng32.exe
2680 | Cipnng32.exe
2476 | Dhggdcgh.exe
2476 | Dhggdcgh.exe
2940 | Dendcg32.exe
2940 | Dendcg32.exe
2020 | Dadehh32.exe
2020 | Dadehh32.exe
832 | Elcpdeam.exe
832 | Elcpdeam.exe
2464 | Eleliepj.exe
2464 | Eleliepj.exe
1992 | Fgcgebhd.exe
1992 | Fgcgebhd.exe
2256 | Fkapkq32.exe
2256 | Fkapkq32.exe
2440 | Gqcaoghl.exe
2440 | Gqcaoghl.exe
2432 | Gccjpb32.exe
2432 | Gccjpb32.exe
1620 | Gdjpcj32.exe
1620 | Gdjpcj32.exe
1668 | Henjnica.exe
1668 | Henjnica.exe
2096 | Hgobpd32.exe
2096 | Hgobpd32.exe
1932 | Hpjgdf32.exe
1932 | Hpjgdf32.exe
1568 | Imqdcjkd.exe
1568 | Imqdcjkd.exe
548 | Ieligmho.exe
548 | Ieligmho.exe
956 | Iagchmjn.exe
956 | Iagchmjn.exe
3064 | Jalmcl32.exe
3064 | Jalmcl32.exe
2492 | Jdmfdgbj.exe
2492 | Jdmfdgbj.exe
1244 | Jpcfih32.exe
1244 | Jpcfih32.exe
2332 | Jpfcohfk.exe
2332 | Jpfcohfk.exe
1588 | Kphpdhdh.exe
1588 | Kphpdhdh.exe
2920 | Khcdijac.exe
2920 | Khcdijac.exe
2664 | Kopikdgn.exe
2664 | Kopikdgn.exe
2828 | Kobfqc32.exe
2828 | Kobfqc32.exe
2220 | Kngcbpjc.exe
2220 | Kngcbpjc.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Fdbgia32.exe | Flkohc32.exe
File created | C:\Windows\SysWOW64\Jjlacoca.dll | Fdbgia32.exe
File created | C:\Windows\SysWOW64\Kmlbeoba.dll | Ieiegf32.exe
File opened for modification | C:\Windows\SysWOW64\Ikkmho32.exe | Iijdfc32.exe
File created | C:\Windows\SysWOW64\Apglgfde.exe | Amfcfk32.exe
File created | C:\Windows\SysWOW64\Amiioj32.exe | Aendjh32.exe
File created | C:\Windows\SysWOW64\Ekeingln.dll | Abkqle32.exe
File opened for modification | C:\Windows\SysWOW64\Cgpjin32.exe | Cngfqi32.exe
File created | C:\Windows\SysWOW64\Ajlikd32.dll | Oaonfncb.exe
File opened for modification | C:\Windows\SysWOW64\Bkqnchgo.exe | Bakjfp32.exe
File opened for modification | C:\Windows\SysWOW64\Hekfpo32.exe | Hnanceem.exe
File created | C:\Windows\SysWOW64\Lgkbjb32.dll | Fknido32.exe
File created | C:\Windows\SysWOW64\Lkpoqm32.dll | Mbcofobg.exe
File created | C:\Windows\SysWOW64\Bgcbjeaq.dll | Nifmqm32.exe
File created | C:\Windows\SysWOW64\Ldngqqjh.exe | Kgjgglko.exe
File opened for modification | C:\Windows\SysWOW64\Lfgaaa32.exe | Lfedlb32.exe
File opened for modification | C:\Windows\SysWOW64\Qfganb32.exe | Qjqqianh.exe
File created | C:\Windows\SysWOW64\Eecipl32.dll | Eibbqmhd.exe
File opened for modification | C:\Windows\SysWOW64\Oecpeqdo.exe | Opghmjfg.exe
File created | C:\Windows\SysWOW64\Gmdimeom.dll | Onmkhlph.exe
File opened for modification | C:\Windows\SysWOW64\Onmgeb32.exe | Oedclm32.exe
File opened for modification | C:\Windows\SysWOW64\Piiekp32.exe | Pfjiod32.exe
File created | C:\Windows\SysWOW64\Ifoncgpc.exe | Indiodbh.exe
File created | C:\Windows\SysWOW64\Chmgna32.dll | Ojlmgg32.exe
File opened for modification | C:\Windows\SysWOW64\Dgehfodh.exe | Dnmdmj32.exe
File opened for modification | C:\Windows\SysWOW64\Dljoac32.exe | Djkcgpaa.exe
File opened for modification | C:\Windows\SysWOW64\Nfncad32.exe | Mjgclcjh.exe
File opened for modification | C:\Windows\SysWOW64\Dfdqpdja.exe | Dkolblkk.exe
File opened for modification | C:\Windows\SysWOW64\Memonbnl.exe | Lejbhbpn.exe
File created | C:\Windows\SysWOW64\Qgeckn32.exe | Qnlobhne.exe
File opened for modification | C:\Windows\SysWOW64\Daoeeo32.exe | Ddkdkk32.exe
File created | C:\Windows\SysWOW64\Iceiibef.exe | Iiodliep.exe
File opened for modification | C:\Windows\SysWOW64\Jboanfmm.exe | Jfhqiegh.exe
File opened for modification | C:\Windows\SysWOW64\Pnpfckmc.exe | Pbienj32.exe
File created | C:\Windows\SysWOW64\Cgmiba32.exe | Cgklma32.exe
File created | C:\Windows\SysWOW64\Iobbfggm.exe | Iejnna32.exe
File created | C:\Windows\SysWOW64\Hcqldm32.dll | Jqeqhlii.exe
File created | C:\Windows\SysWOW64\Fdlhbc32.dll | Jephgi32.exe
File opened for modification | C:\Windows\SysWOW64\Iefeaj32.exe | Iceiibef.exe
File created | C:\Windows\SysWOW64\Gfbjnb32.dll | Iijdfc32.exe
File created | C:\Windows\SysWOW64\Pfneilmi.dll | Jlckoh32.exe
File created | C:\Windows\SysWOW64\Fimebgei.dll | Mjknab32.exe
File created | C:\Windows\SysWOW64\Ehpeibla.dll | Nlcpjj32.exe
File opened for modification | C:\Windows\SysWOW64\Gninpg32.exe | Gkjbcl32.exe
File created | C:\Windows\SysWOW64\Llfkmdlc.dll | Ddkdkk32.exe
File opened for modification | C:\Windows\SysWOW64\Hgbhibio.exe | Hbepplkh.exe
File created | C:\Windows\SysWOW64\Bjpgin32.dll | Hojeka32.exe
File created | C:\Windows\SysWOW64\Ipdaao32.dll | Pkjkdfjk.exe
File created | C:\Windows\SysWOW64\Acgkjoea.dll | Mfpdim32.exe
File opened for modification | C:\Windows\SysWOW64\Ndfbia32.exe | Nknmplji.exe
File opened for modification | C:\Windows\SysWOW64\Oofpgolq.exe | Omgckcmm.exe
File created | C:\Windows\SysWOW64\Jnpioe32.dll | Fmkpchmp.exe
File created | C:\Windows\SysWOW64\Pamdpnhj.dll | Iljjabfh.exe
File created | C:\Windows\SysWOW64\Mmgoqg32.exe | Mqqolfik.exe
File created | C:\Windows\SysWOW64\Hekfpo32.exe | Hnanceem.exe
File created | C:\Windows\SysWOW64\Degdgl32.dll | Pbcfie32.exe
File created | C:\Windows\SysWOW64\Hdapggln.exe | Hoegoqng.exe
File created | C:\Windows\SysWOW64\Jceahq32.dll | Nmkbfmpf.exe
File created | C:\Windows\SysWOW64\Onmgeb32.exe | Oedclm32.exe
File opened for modification | C:\Windows\SysWOW64\Ggekhhle.exe | Gddbfm32.exe
File created | C:\Windows\SysWOW64\Hemeod32.exe | Hifdjcif.exe
File created | C:\Windows\SysWOW64\Odcqbapk.dll | Mamjchoa.exe
File opened for modification | C:\Windows\SysWOW64\Iklajp32.exe | Idaimfjf.exe
File opened for modification | C:\Windows\SysWOW64\Emceag32.exe | Ekeiel32.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jhboidoj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Foencfda.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kcflbpnn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ldngqqjh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnmpcmpi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Alqplmlb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aieihpgi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pcmcmcjc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mmdlqa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qafboi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Moahdd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lmjdia32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dnmdmj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gqenfc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blplkp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nlmjjo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aoqjhiie.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhhfbd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ajladp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iiaddb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fholmo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hgbdge32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Emceag32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dilggefh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idncdgai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qdbpml32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dhnahl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnicddki.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klocba32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmkpchmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dbcnpk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lljolodf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Giiibqdp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 640087b8f62f6db453e51987d468ec03d4f75218f80a306bec8d5d8a17fdc6e6N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijnbpm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Afcbgd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aendjh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddjbbbna.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bclcfnih.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Giikkehc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bknani32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbnckg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Clbbfj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jdoblckh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Anppiikk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lebemmbk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ngajeg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oebffm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iipgeb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idaimfjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Occgce32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Neemgp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilneef32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cohlnkeg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jkjbml32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbckeb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pockoeeg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cefbfa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcmnbbja.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cipnng32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Flbehbqm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdebladb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qganapgc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aekenl32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Moahdd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nlmjjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjgol32.dll" | Bdbfpafn.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmkla32.dll" | Edgkap32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Cckhlhcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikbmocbm.dll" | Deanooeb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cipcii32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hbepplkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dncilhik.dll" | Bdehgnqc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifeam32.dll" | Bfliqmjg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hdapggln.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gegbpe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bncboo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caccbb32.dll" | Qbiamm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fmkpchmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Omqnfiip.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmfcmcce.dll" | Oeqmek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinldeif.dll" | Pdhflg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kobfqc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Obdjjb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpjacd32.dll" | Gddbfm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kmbgnl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ehkgnpbe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Oaonfncb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fjqlid32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ibjing32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ncbfcq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Knhoig32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ndfbia32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Albgko32.dll" | Kmbgnl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poohno32.dll" | Momckfid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qpfmageg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Flkohc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egebiche.dll" | Piiekp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Obniel32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Fknido32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djhjhdem.dll" | Pokndp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jcodcp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jfpndkel.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgihphj.dll" | Kkbbqjgb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Omeged32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pbfehn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qagfmnle.dll" | Pgklcaqi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gdfmccfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mjkmfn32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ccakij32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgnidjl.dll" | Aebllocg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iehnnddk.dll" | Mcmnbbja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ombkhdcj.dll" | Pjkpckob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mpcmojia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfqgld32.dll" | Pnphlc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Biiljjnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkapdb32.dll" | Eilfoapg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nclcgoia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Omhhma32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdkejjnc.dll" | Oedclm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jkjbml32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dfdqpdja.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elhhkb32.dll" | Ifoncgpc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naconeen.dll" | Aipbidbj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjknab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pbnckg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndhfppje.dll" | Emceag32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jhgnbehe.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (numbered by depth in the process tree; each process spawns the next)

1. C:\Users\Admin\AppData\Local\Temp\640087b8f62f6db453e51987d468ec03d4f75218f80a306bec8d5d8a17fdc6e6N.exe (command line: "C:\Users\Admin\AppData\Local\Temp\640087b8f62f6db453e51987d468ec03d4f75218f80a306bec8d5d8a17fdc6e6N.exe", PID 2720)
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Bclcfnih.exe (command line: C:\Windows\system32\Bclcfnih.exe, PID 2144)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Bmegodpi.exe (command line: C:\Windows\system32\Bmegodpi.exe, PID 2876)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Bikhce32.exe (command line: C:\Windows\system32\Bikhce32.exe, PID 2164)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Bbdmljln.exe (command line: C:\Windows\system32\Bbdmljln.exe, PID 2804)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Cmgpcg32.exe (command line: C:\Windows\system32\Cmgpcg32.exe, PID 2712)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Cipnng32.exe (command line: C:\Windows\system32\Cipnng32.exe, PID 2680)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Dhggdcgh.exe (command line: C:\Windows\system32\Dhggdcgh.exe, PID 2476)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Dendcg32.exe (command line: C:\Windows\system32\Dendcg32.exe, PID 2940)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Dadehh32.exe (command line: C:\Windows\system32\Dadehh32.exe, PID 2020)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Elcpdeam.exe (command line: C:\Windows\system32\Elcpdeam.exe, PID 832)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Eleliepj.exe (command line: C:\Windows\system32\Eleliepj.exe, PID 2464)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Fgcgebhd.exe (command line: C:\Windows\system32\Fgcgebhd.exe, PID 1992)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Fkapkq32.exe (command line: C:\Windows\system32\Fkapkq32.exe, PID 2256)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Gqcaoghl.exe (command line: C:\Windows\system32\Gqcaoghl.exe, PID 2440)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Gccjpb32.exe (command line: C:\Windows\system32\Gccjpb32.exe, PID 2432)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Gdjpcj32.exe (command line: C:\Windows\system32\Gdjpcj32.exe, PID 1620)
- Executes dropped EXE
- Loads dropped DLL
18. C:\Windows\SysWOW64\Henjnica.exe (command line: C:\Windows\system32\Henjnica.exe, PID 1668)
- Executes dropped EXE
- Loads dropped DLL
19. C:\Windows\SysWOW64\Hgobpd32.exe (command line: C:\Windows\system32\Hgobpd32.exe, PID 2096)
- Executes dropped EXE
- Loads dropped DLL
20. C:\Windows\SysWOW64\Hpjgdf32.exe (command line: C:\Windows\system32\Hpjgdf32.exe, PID 1932)
- Executes dropped EXE
- Loads dropped DLL
21. C:\Windows\SysWOW64\Imqdcjkd.exe (command line: C:\Windows\system32\Imqdcjkd.exe, PID 1568)
- Executes dropped EXE
- Loads dropped DLL
22. C:\Windows\SysWOW64\Ieligmho.exe (command line: C:\Windows\system32\Ieligmho.exe, PID 548)
- Executes dropped EXE
- Loads dropped DLL
23. C:\Windows\SysWOW64\Iagchmjn.exe (command line: C:\Windows\system32\Iagchmjn.exe, PID 956)
- Executes dropped EXE
- Loads dropped DLL
24. C:\Windows\SysWOW64\Jalmcl32.exe (command line: C:\Windows\system32\Jalmcl32.exe, PID 3064)
- Executes dropped EXE
- Loads dropped DLL
25. C:\Windows\SysWOW64\Jdmfdgbj.exe (command line: C:\Windows\system32\Jdmfdgbj.exe, PID 2492)
- Executes dropped EXE
- Loads dropped DLL
26. C:\Windows\SysWOW64\Jpcfih32.exe (command line: C:\Windows\system32\Jpcfih32.exe, PID 1244)
- Executes dropped EXE
- Loads dropped DLL
27. C:\Windows\SysWOW64\Jpfcohfk.exe (command line: C:\Windows\system32\Jpfcohfk.exe, PID 2332)
- Executes dropped EXE
- Loads dropped DLL
28. C:\Windows\SysWOW64\Kphpdhdh.exe (command line: C:\Windows\system32\Kphpdhdh.exe, PID 1588)
- Executes dropped EXE
- Loads dropped DLL
29. C:\Windows\SysWOW64\Khcdijac.exe (command line: C:\Windows\system32\Khcdijac.exe, PID 2920)
- Executes dropped EXE
- Loads dropped DLL
30. C:\Windows\SysWOW64\Kopikdgn.exe (command line: C:\Windows\system32\Kopikdgn.exe, PID 2664)
- Executes dropped EXE
- Loads dropped DLL
31. C:\Windows\SysWOW64\Kobfqc32.exe (command line: C:\Windows\system32\Kobfqc32.exe, PID 2828)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
32. C:\Windows\SysWOW64\Kngcbpjc.exe (command line: C:\Windows\system32\Kngcbpjc.exe, PID 2220)
- Executes dropped EXE
- Loads dropped DLL
33. C:\Windows\SysWOW64\Lgphke32.exe (command line: C:\Windows\system32\Lgphke32.exe, PID 2616)
- Executes dropped EXE
34. C:\Windows\SysWOW64\Lfedlb32.exe (command line: C:\Windows\system32\Lfedlb32.exe, PID 1608)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
35. C:\Windows\SysWOW64\Lfgaaa32.exe (command line: C:\Windows\system32\Lfgaaa32.exe, PID 1268)
- Executes dropped EXE
36. C:\Windows\SysWOW64\Ljejgp32.exe (command line: C:\Windows\system32\Ljejgp32.exe, PID 2932)
- Executes dropped EXE
37. C:\Windows\SysWOW64\Lflklaoc.exe (command line: C:\Windows\system32\Lflklaoc.exe, PID 2528)
- Executes dropped EXE
38. C:\Windows\SysWOW64\Mfngbq32.exe (command line: C:\Windows\system32\Mfngbq32.exe, PID 908)
- Executes dropped EXE
39. C:\Windows\SysWOW64\Mqhhbn32.exe (command line: C:\Windows\system32\Mqhhbn32.exe, PID 1100)
- Executes dropped EXE
40. C:\Windows\SysWOW64\Mqjehngm.exe (command line: C:\Windows\system32\Mqjehngm.exe, PID 2312)
- Executes dropped EXE
41. C:\Windows\SysWOW64\Mdhnnl32.exe (command line: C:\Windows\system32\Mdhnnl32.exe, PID 2456)
- Executes dropped EXE
42. C:\Windows\SysWOW64\Mmcbbo32.exe (command line: C:\Windows\system32\Mmcbbo32.exe, PID 236)
- Executes dropped EXE
43. C:\Windows\SysWOW64\Mjgclcjh.exe (command line: C:\Windows\system32\Mjgclcjh.exe, PID 864)
- Executes dropped EXE
- Drops file in System32 directory
44. C:\Windows\SysWOW64\Nfncad32.exe (command line: C:\Windows\system32\Nfncad32.exe, PID 1812)
- Executes dropped EXE
45. C:\Windows\SysWOW64\Npfhjifm.exe (command line: C:\Windows\system32\Npfhjifm.exe, PID 2372)
- Executes dropped EXE
46. C:\Windows\SysWOW64\Niombolm.exe (command line: C:\Windows\system32\Niombolm.exe, PID 1528)
- Executes dropped EXE
47. C:\Windows\SysWOW64\Neemgp32.exe (command line: C:\Windows\system32\Neemgp32.exe, PID 1616)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
48. C:\Windows\SysWOW64\Npkaei32.exe (command line: C:\Windows\system32\Npkaei32.exe, PID 1096)
- Executes dropped EXE
49. C:\Windows\SysWOW64\Nehjmppo.exe (command line: C:\Windows\system32\Nehjmppo.exe, PID 1204)
- Executes dropped EXE
50. C:\Windows\SysWOW64\Nbljfdoh.exe (command line: C:\Windows\system32\Nbljfdoh.exe, PID 3024)
- Executes dropped EXE
51. C:\Windows\SysWOW64\Odmgnl32.exe (command line: C:\Windows\system32\Odmgnl32.exe, PID 3040)
- Executes dropped EXE
52. C:\Windows\SysWOW64\Oaaghp32.exe (command line: C:\Windows\system32\Oaaghp32.exe, PID 2844)
- Executes dropped EXE
53. C:\Windows\SysWOW64\Omhhma32.exe (command line: C:\Windows\system32\Omhhma32.exe, PID 2916)
- Executes dropped EXE
- Modifies registry class
54. C:\Windows\SysWOW64\Ojlife32.exe (command line: C:\Windows\system32\Ojlife32.exe, PID 2632)
- Executes dropped EXE
55. C:\Windows\SysWOW64\Oddmokoo.exe (command line: C:\Windows\system32\Oddmokoo.exe, PID 3056)
- Executes dropped EXE
56. C:\Windows\SysWOW64\Oiqegb32.exe (command line: C:\Windows\system32\Oiqegb32.exe, PID 2532)
- Executes dropped EXE
57. C:\Windows\SysWOW64\Olobcm32.exe (command line: C:\Windows\system32\Olobcm32.exe, PID 688)
- Executes dropped EXE
58. C:\Windows\SysWOW64\Obijpgcf.exe (command line: C:\Windows\system32\Obijpgcf.exe, PID 2544)
- Executes dropped EXE
59. C:\Windows\SysWOW64\Pbkgegad.exe (command line: C:\Windows\system32\Pbkgegad.exe, PID 2732)
- Executes dropped EXE
60. C:\Windows\SysWOW64\Pbnckg32.exe (command line: C:\Windows\system32\Pbnckg32.exe, PID 1640)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
61. C:\Windows\SysWOW64\Phklcn32.exe (command line: C:\Windows\system32\Phklcn32.exe, PID 1744)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
62. C:\Windows\SysWOW64\Pdamhocm.exe (command line: C:\Windows\system32\Pdamhocm.exe, PID 2072)
- Executes dropped EXE
63. C:\Windows\SysWOW64\Plheil32.exe (command line: C:\Windows\system32\Plheil32.exe, PID 2232)
- Executes dropped EXE
64. C:\Windows\SysWOW64\Pddinn32.exe (command line: C:\Windows\system32\Pddinn32.exe, PID 2168)
- Executes dropped EXE
65. C:\Windows\SysWOW64\Pmlngdhk.exe (command line: C:\Windows\system32\Pmlngdhk.exe, PID 1456)
- Executes dropped EXE
66. C:\Windows\SysWOW64\Qgdbpi32.exe (command line: C:\Windows\system32\Qgdbpi32.exe, PID 600)
67. C:\Windows\SysWOW64\Qdhcinme.exe (command line: C:\Windows\system32\Qdhcinme.exe, PID 944)
68. C:\Windows\SysWOW64\Qlcgmpkp.exe (command line: C:\Windows\system32\Qlcgmpkp.exe, PID 2980)
69. C:\Windows\SysWOW64\Agilkijf.exe (command line: C:\Windows\system32\Agilkijf.exe, PID 2180)
70. C:\Windows\SysWOW64\Alfdcp32.exe (command line: C:\Windows\system32\Alfdcp32.exe, PID 2928)
71. C:\Windows\SysWOW64\Aogmdk32.exe (command line: C:\Windows\system32\Aogmdk32.exe, PID 2840)
72. C:\Windows\SysWOW64\Alknnodh.exe (command line: C:\Windows\system32\Alknnodh.exe, PID 2780)
73. C:\Windows\SysWOW64\Afcbgd32.exe (command line: C:\Windows\system32\Afcbgd32.exe, PID 2764)
- System Location Discovery: System Language Discovery
74. C:\Windows\SysWOW64\Abjcleqm.exe (command line: C:\Windows\system32\Abjcleqm.exe, PID 2648)
75. C:\Windows\SysWOW64\Boncej32.exe (command line: C:\Windows\system32\Boncej32.exe, PID 1756)
76. C:\Windows\SysWOW64\Bqopmbed.exe (command line: C:\Windows\system32\Bqopmbed.exe, PID 2856)
77. C:\Windows\SysWOW64\Bkddjkej.exe (command line: C:\Windows\system32\Bkddjkej.exe, PID 2736)
78. C:\Windows\SysWOW64\Bokcom32.exe (command line: C:\Windows\system32\Bokcom32.exe, PID 896)
79. C:\Windows\SysWOW64\Ckbccnji.exe (command line: C:\Windows\system32\Ckbccnji.exe, PID 1752)
80. C:\Windows\SysWOW64\Ciknhb32.exe (command line: C:\Windows\system32\Ciknhb32.exe, PID 1708)
81. C:\Windows\SysWOW64\Cngfqi32.exe (command line: C:\Windows\system32\Cngfqi32.exe, PID 580)
- Drops file in System32 directory
82. C:\Windows\SysWOW64\Cgpjin32.exe (command line: C:\Windows\system32\Cgpjin32.exe, PID 524)
83. C:\Windows\SysWOW64\Dedkbb32.exe (command line: C:\Windows\system32\Dedkbb32.exe, PID 2100)
84. C:\Windows\SysWOW64\Dpmlcpdm.exe (command line: C:\Windows\system32\Dpmlcpdm.exe, PID 2412)
85. C:\Windows\SysWOW64\Dmalmdcg.exe (command line: C:\Windows\system32\Dmalmdcg.exe, PID 1168)
86. C:\Windows\SysWOW64\Dckdio32.exe (command line: C:\Windows\system32\Dckdio32.exe, PID 2056)
- Adds autorun key to be loaded by Explorer.exe on startup
87. C:\Windows\SysWOW64\Dmcibdad.exe (command line: C:\Windows\system32\Dmcibdad.exe, PID 2960)
88. C:\Windows\SysWOW64\Dflnkjhe.exe (command line: C:\Windows\system32\Dflnkjhe.exe, PID 2776)
89. C:\Windows\SysWOW64\Dbcnpk32.exe (command line: C:\Windows\system32\Dbcnpk32.exe, PID 2692)
- System Location Discovery: System Language Discovery
90. C:\Windows\SysWOW64\Ehpgha32.exe (command line: C:\Windows\system32\Ehpgha32.exe, PID 1988)
91. C:\Windows\SysWOW64\Ehbcnajn.exe (command line: C:\Windows\system32\Ehbcnajn.exe, PID 2112)
92. C:\Windows\SysWOW64\Edidcb32.exe (command line: C:\Windows\system32\Edidcb32.exe, PID 3028)
93. C:\Windows\SysWOW64\Emailhfb.exe (command line: C:\Windows\system32\Emailhfb.exe, PID 2320)
94. C:\Windows\SysWOW64\Ekeiel32.exe (command line: C:\Windows\system32\Ekeiel32.exe, PID 1016)
- Drops file in System32 directory
95. C:\Windows\SysWOW64\Emceag32.exe (command line: C:\Windows\system32\Emceag32.exe, PID 1800)
- System Location Discovery: System Language Discovery
- Modifies registry class
96. C:\Windows\SysWOW64\Ekgfkl32.exe (command line: C:\Windows\system32\Ekgfkl32.exe, PID 2324)
- Adds autorun key to be loaded by Explorer.exe on startup
97. C:\Windows\SysWOW64\Epdncb32.exe (command line: C:\Windows\system32\Epdncb32.exe, PID 952)
98. C:\Windows\SysWOW64\Flkohc32.exe (command line: C:\Windows\system32\Flkohc32.exe, PID 1544)
- Drops file in System32 directory
- Modifies registry class
99. C:\Windows\SysWOW64\Fdbgia32.exe (command line: C:\Windows\system32\Fdbgia32.exe, PID 916)
- Drops file in System32 directory
100. C:\Windows\SysWOW64\Fmjkbfnh.exe (command line: C:\Windows\system32\Fmjkbfnh.exe, PID 1460)
- Adds autorun key to be loaded by Explorer.exe on startup
101. C:\Windows\SysWOW64\Fialggcl.exe (command line: C:\Windows\system32\Fialggcl.exe, PID 1516)
102. C:\Windows\SysWOW64\Fcjqpm32.exe (command line: C:\Windows\system32\Fcjqpm32.exe, PID 2824)
103. C:\Windows\SysWOW64\Flbehbqm.exe (command line: C:\Windows\system32\Flbehbqm.exe, PID 2936)
- System Location Discovery: System Language Discovery
104. C:\Windows\SysWOW64\Gocnjn32.exe (command line: C:\Windows\system32\Gocnjn32.exe, PID 2832)
105. C:\Windows\SysWOW64\Gdpfbd32.exe (command line: C:\Windows\system32\Gdpfbd32.exe, PID 2064)
106. C:\Windows\SysWOW64\Gdbchd32.exe (command line: C:\Windows\system32\Gdbchd32.exe, PID 1092)
107. C:\Windows\SysWOW64\Gklkdn32.exe (command line: C:\Windows\system32\Gklkdn32.exe, PID 1476)
108. C:\Windows\SysWOW64\Gcgpiq32.exe (command line: C:\Windows\system32\Gcgpiq32.exe, PID 2136)
109. C:\Windows\SysWOW64\Gdfmccfm.exe (command line: C:\Windows\system32\Gdfmccfm.exe, PID 1636)
- Modifies registry class
110. C:\Windows\SysWOW64\Gjcekj32.exe (command line: C:\Windows\system32\Gjcekj32.exe, PID 2508)
111. C:\Windows\SysWOW64\Hfjfpkji.exe (command line: C:\Windows\system32\Hfjfpkji.exe, PID 1000)
112. C:\Windows\SysWOW64\Hcnfjpib.exe (command line: C:\Windows\system32\Hcnfjpib.exe, PID 1332)
113. C:\Windows\SysWOW64\Hoegoqng.exe (command line: C:\Windows\system32\Hoegoqng.exe, PID 2388)
- Drops file in System32 directory
114. C:\Windows\SysWOW64\Hdapggln.exe (command line: C:\Windows\system32\Hdapggln.exe, PID 2572)
- Modifies registry class
115. C:\Windows\SysWOW64\Hbepplkh.exe (command line: C:\Windows\system32\Hbepplkh.exe, PID 2576)
- Drops file in System32 directory
- Modifies registry class
116. C:\Windows\SysWOW64\Hgbhibio.exe (command line: C:\Windows\system32\Hgbhibio.exe, PID 2672)
117. C:\Windows\SysWOW64\Hefibg32.exe (command line: C:\Windows\system32\Hefibg32.exe, PID 2688)
118. C:\Windows\SysWOW64\Ieiegf32.exe (command line: C:\Windows\system32\Ieiegf32.exe, PID 2192)
- Drops file in System32 directory
119. C:\Windows\SysWOW64\Imdjlida.exe (command line: C:\Windows\system32\Imdjlida.exe, PID 2564)
120. C:\Windows\SysWOW64\Ifloeo32.exe (command line: C:\Windows\system32\Ifloeo32.exe, PID 2260)
- Adds autorun key to be loaded by Explorer.exe on startup
121. C:\Windows\SysWOW64\Iglkoaad.exe (command line: C:\Windows\system32\Iglkoaad.exe, PID 2148)
122. C:\Windows\SysWOW64\Ipgpcc32.exe (command line: C:\Windows\system32\Ipgpcc32.exe, PID 2536)