Analysis
max time kernel: 112s
max time network: 17s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 02-11-2024 11:55
Static task
static1
Behavioral task
behavioral1
Sample
edfe9810f16c9dc8f05b8dccf5ce3efa467d9a9516077e80b3735d64bd51a9baN.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
edfe9810f16c9dc8f05b8dccf5ce3efa467d9a9516077e80b3735d64bd51a9baN.exe
Resource
win10v2004-20241007-en
General
Target: edfe9810f16c9dc8f05b8dccf5ce3efa467d9a9516077e80b3735d64bd51a9baN.exe
Size: 96KB
MD5: dc1a0c01d6f7810e578bc2ff1fe13f90
SHA1: 2811b9bd4e4569e0c2a0694c3c401247c8bc1fd0
SHA256: edfe9810f16c9dc8f05b8dccf5ce3efa467d9a9516077e80b3735d64bd51a9ba
SHA512: 12035103eb3772f4b2c267004eedaddc5d1cb7b4f1c0255b350aa29f26b08be46045ff4402cb17efa98daa366a77dadc10fb40d54489adf5685c23453e247fc3
SSDEEP: 1536:uMhlp+QiuBxoe2CWyfp9xL+n2L17RZObZUUWaegPYA:uTQiujoeVTp+M1ClUUWae
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbojjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnqjkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clilmbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfaqfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iafofkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kapaaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhapocoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljplkonl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhalngad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalofa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhgccbhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqinhcoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icoepohq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfojpn32.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anpooe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qldjdlgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfaqfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfkclf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eepmlf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egpena32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hplphd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfnhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pimkbbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejabqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjfhkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljbipolj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcacochk.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhqhmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naimepkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahelebm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkhaooec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icoepohq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkopndcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkmmigjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihnjmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqnhmgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhalngad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcmoie32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdcjgnbc.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adblnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gimaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iafofkkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihpgce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbipolj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bahelebm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgnpjkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnhhge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chbihc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqlfhjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poacighp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Palbgn32.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjgei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apilcoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnmjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbffjmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghidcceo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hplphd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbgefa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alofnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdinnqon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dboglhna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epnkip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdeoccgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ongckp32.exe -
Berbew family
Executes dropped EXE 64 IoCs
pid Process
2636 Ockinl32.exe
2676 Ojeakfnd.exe
2820 Oqojhp32.exe
2584 Pjhnqfla.exe
2648 Ppdfimji.exe
1908 Pglojj32.exe
1084 Pimkbbpi.exe
2740 Ppgcol32.exe
2940 Pbepkh32.exe
2708 Pcdldknm.exe
2936 Pbglpg32.exe
2132 Plpqim32.exe
604 Pfeeff32.exe
2344 Pidaba32.exe
1772 Qnqjkh32.exe
2144 Qifnhaho.exe
1532 Qldjdlgb.exe
688 Qbobaf32.exe
2504 Qaablcej.exe
3004 Qhkkim32.exe
3012 Ajjgei32.exe
1732 Aadobccg.exe
2996 Adblnnbk.exe
992 Afqhjj32.exe
2088 Amjpgdik.exe
2656 Apilcoho.exe
2488 Ammmlcgi.exe
2780 Adgein32.exe
2748 Afeaei32.exe
2532 Adiaommc.exe
3044 Afgnkilf.exe
2460 Aldfcpjn.exe
1600 Abnopj32.exe
1920 Bpboinpd.exe
2896 Bbqkeioh.exe
2908 Bikcbc32.exe
2932 Blipno32.exe
2244 Bogljj32.exe
1680 Beadgdli.exe
1568 Bojipjcj.exe
1408 Bahelebm.exe
272 Blniinac.exe
1760 Boleejag.exe
1576 Bakaaepk.exe
872 Bdinnqon.exe
1040 Bhdjno32.exe
2948 Camnge32.exe
1840 Cppobaeb.exe
2388 Chggdoee.exe
2792 Cgjgol32.exe
2680 Cjhckg32.exe
2796 Cncolfcl.exe
1736 Cdngip32.exe
2560 Cglcek32.exe
2712 Cjjpag32.exe
556 Cnflae32.exe
1924 Clilmbhd.exe
2616 Cdpdnpif.exe
3052 Cgnpjkhj.exe
1848 Cfaqfh32.exe
1448 Cnhhge32.exe
2072 Clkicbfa.exe
2356 Cceapl32.exe
1436 Cfcmlg32.exe
Loads dropped DLL 64 IoCs
pid Process 2196 edfe9810f16c9dc8f05b8dccf5ce3efa467d9a9516077e80b3735d64bd51a9baN.exe 2196 edfe9810f16c9dc8f05b8dccf5ce3efa467d9a9516077e80b3735d64bd51a9baN.exe 2636 Ockinl32.exe 2636 Ockinl32.exe 2676 Ojeakfnd.exe 2676 Ojeakfnd.exe 2820 Oqojhp32.exe 2820 Oqojhp32.exe 2584 Pjhnqfla.exe 2584 Pjhnqfla.exe 2648 Ppdfimji.exe 2648 Ppdfimji.exe 1908 Pglojj32.exe 1908 Pglojj32.exe 1084 Pimkbbpi.exe 1084 Pimkbbpi.exe 2740 Ppgcol32.exe 2740 Ppgcol32.exe 2940 Pbepkh32.exe 2940 Pbepkh32.exe 2708 Pcdldknm.exe 2708 Pcdldknm.exe 2936 Pbglpg32.exe 2936 Pbglpg32.exe 2132 Plpqim32.exe 2132 Plpqim32.exe 604 Pfeeff32.exe 604 Pfeeff32.exe 2344 Pidaba32.exe 2344 Pidaba32.exe 1772 Qnqjkh32.exe 1772 Qnqjkh32.exe 2144 Qifnhaho.exe 2144 Qifnhaho.exe 1532 Qldjdlgb.exe 1532 Qldjdlgb.exe 688 Qbobaf32.exe 688 Qbobaf32.exe 2504 Qaablcej.exe 2504 Qaablcej.exe 3004 Qhkkim32.exe 3004 Qhkkim32.exe 3012 Ajjgei32.exe 3012 Ajjgei32.exe 1732 Aadobccg.exe 1732 Aadobccg.exe 2996 Adblnnbk.exe 2996 Adblnnbk.exe 992 Afqhjj32.exe 992 Afqhjj32.exe 2088 Amjpgdik.exe 2088 Amjpgdik.exe 2656 Apilcoho.exe 2656 Apilcoho.exe 2488 Ammmlcgi.exe 2488 Ammmlcgi.exe 2780 Adgein32.exe 2780 Adgein32.exe 2748 Afeaei32.exe 2748 Afeaei32.exe 2532 Adiaommc.exe 2532 Adiaommc.exe 3044 Afgnkilf.exe 3044 Afgnkilf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Oabplobe.exe Ongckp32.exe File created C:\Windows\SysWOW64\Abinjdad.exe Apkbnibq.exe File created C:\Windows\SysWOW64\Pnfpjc32.exe Podpoffm.exe File created C:\Windows\SysWOW64\Qcjoci32.exe Palbgn32.exe File created C:\Windows\SysWOW64\Cnfnahkp.dll Chhpgn32.exe File created C:\Windows\SysWOW64\Coindgbi.exe Cgbfcjag.exe File created C:\Windows\SysWOW64\Icaipj32.dll Bpboinpd.exe File created C:\Windows\SysWOW64\Camnge32.exe Bhdjno32.exe File created C:\Windows\SysWOW64\Nljhhi32.exe Nikkkn32.exe File created C:\Windows\SysWOW64\Bhdjno32.exe Bdinnqon.exe File opened for modification C:\Windows\SysWOW64\Epnkip32.exe Ejabqi32.exe File opened for modification C:\Windows\SysWOW64\Habili32.exe Hocmpm32.exe File opened for modification C:\Windows\SysWOW64\Pildgl32.exe Pfnhkq32.exe File created C:\Windows\SysWOW64\Aicfgn32.exe Aalofa32.exe File opened for modification C:\Windows\SysWOW64\Cnflae32.exe Cjjpag32.exe File created C:\Windows\SysWOW64\Emdhhdqb.exe Ejfllhao.exe File opened for modification C:\Windows\SysWOW64\Ikocoa32.exe Ihpgce32.exe File created C:\Windows\SysWOW64\Goapjnoo.exe Glbdnbpk.exe File created C:\Windows\SysWOW64\Mebpakbq.exe Mbdcepcm.exe File created C:\Windows\SysWOW64\Nkfkidmk.exe Nhhominh.exe File created C:\Windows\SysWOW64\Eccjnnqk.dll Pbglpg32.exe File created C:\Windows\SysWOW64\Ecnpdnho.exe Ekghcq32.exe File opened for modification C:\Windows\SysWOW64\Gfabkl32.exe Gbffjmmp.exe File created C:\Windows\SysWOW64\Pigklmqc.exe Ojdjqp32.exe File created C:\Windows\SysWOW64\Gaklhb32.dll Qjgcecja.exe File created C:\Windows\SysWOW64\Kgocef32.dll Hgoadp32.exe File created C:\Windows\SysWOW64\Pdjlfgfl.dll Iemalkgd.exe File created C:\Windows\SysWOW64\Pajeanhf.exe Pbgefa32.exe File opened for modification C:\Windows\SysWOW64\Acohnhab.exe Qaqlbmbn.exe File created C:\Windows\SysWOW64\Clilmbhd.exe Cnflae32.exe File created C:\Windows\SysWOW64\Fcphaglh.dll Doqkpl32.exe File created 
C:\Windows\SysWOW64\Edhnbelc.dll Hocmpm32.exe File created C:\Windows\SysWOW64\Klndom32.dll Hgckoofa.exe File opened for modification C:\Windows\SysWOW64\Baqhapdj.exe Bobleeef.exe File created C:\Windows\SysWOW64\Fjckelfm.exe Fheoiqgi.exe File created C:\Windows\SysWOW64\Qojagi32.dll Gidhbgag.exe File created C:\Windows\SysWOW64\Hocmpm32.exe Gkhaooec.exe File created C:\Windows\SysWOW64\Adblnnbk.exe Aadobccg.exe File created C:\Windows\SysWOW64\Efoied32.dll Aldfcpjn.exe File created C:\Windows\SysWOW64\Ongckp32.exe Okhgod32.exe File created C:\Windows\SysWOW64\Qijdqp32.exe Qjgcecja.exe File created C:\Windows\SysWOW64\Lldpji32.dll Pimkbbpi.exe File created C:\Windows\SysWOW64\Dboglhna.exe Doqkpl32.exe File created C:\Windows\SysWOW64\Jqeomfgc.exe Jinfli32.exe File created C:\Windows\SysWOW64\Aooglmid.dll Kfacdqhf.exe File opened for modification C:\Windows\SysWOW64\Ogaeieoj.exe Odcimipf.exe File created C:\Windows\SysWOW64\Aceakpbh.dll Chmibmlo.exe File opened for modification C:\Windows\SysWOW64\Chggdoee.exe Cppobaeb.exe File opened for modification C:\Windows\SysWOW64\Coladm32.exe Chbihc32.exe File opened for modification C:\Windows\SysWOW64\Ecgjdong.exe Dqinhcoc.exe File created C:\Windows\SysWOW64\Feipbefb.exe Fnogfk32.exe File created C:\Windows\SysWOW64\Hbbilmqm.dll Jndflk32.exe File created C:\Windows\SysWOW64\Anfdhfiq.dll Bobleeef.exe File created C:\Windows\SysWOW64\Jpdihq32.dll Goapjnoo.exe File opened for modification C:\Windows\SysWOW64\Kkalcdao.exe Jibpghbk.exe File opened for modification C:\Windows\SysWOW64\Kmklak32.exe Kjmoeo32.exe File created C:\Windows\SysWOW64\Bogljj32.exe Blipno32.exe File created C:\Windows\SysWOW64\Bojipjcj.exe Beadgdli.exe File opened for modification C:\Windows\SysWOW64\Ebappk32.exe Ecnpdnho.exe File created C:\Windows\SysWOW64\Dafikqcd.dll Aicfgn32.exe File opened for modification C:\Windows\SysWOW64\Jcleiclo.exe Jqnhmgmk.exe File opened for modification C:\Windows\SysWOW64\Naimepkp.exe Nokqidll.exe File opened for 
modification C:\Windows\SysWOW64\Alofnj32.exe Aeenapck.exe File opened for modification C:\Windows\SysWOW64\Iadbqlmh.exe Ioefdpne.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdhhdqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maiqfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nloachkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pijgbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceickb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckkenikc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blniinac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fappgflg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iohbjpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcajceke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhapocoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momapqgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqojhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjafkpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhnnnbaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcjoci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qghgigkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amglgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfbjdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklepmal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdlpnamm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aljmbknm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebappk32.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibillk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmgfgham.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmndfnpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nokqidll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pildgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anpooe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpchfdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhklna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcichb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Golgon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpehd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcjldp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llhocfnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndgeplo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbobaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oomjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biccfalm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollqllod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkkim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiphb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgqion32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eebibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jndflk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 
Kepgmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nikkkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plpqim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjgcecja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afndjdpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgcol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adiaommc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnflae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gidhbgag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpnkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhlbbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbdcepcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pimkbbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkojoghl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpnngi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinfli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfagemej.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qojagi32.dll" Gidhbgag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecjgio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ammmlcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbepkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoied32.dll" Aldfcpjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bikcbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clilmbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmmlbi32.dll" Jcleiclo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cccdlddl.dll" Llhocfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojoligof.dll" Pbepkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iohbjpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bidjckae.dll" Qldjdlgb.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejfllhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnmcojmg.dll" Enhaeldn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llmhgcfd.dll" Fdnlcakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nckopjfk.dll" Pajeanhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnhhge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Donojm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepcmgbf.dll" Gekhgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjdjbd32.dll" Habili32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igeddb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbiphidl.dll" Bmnofp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppgcol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbkdpnil.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjdgpcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhalbm32.dll" Dhiphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igkdaemk.dll" Cglcek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecnpdnho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbmiha32.dll" Ecnpdnho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbnjdf32.dll" Ikocoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbpnkm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjiljf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhnkcm32.dll" Blipno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hplphd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbhhkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbpnkm32.exe Set value (str) 
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
One line per process, each one nesting level deeper than the one before it: depth⤵ image path | command line | PID | signatures
1⤵ C:\Users\Admin\AppData\Local\Temp\edfe9810f16c9dc8f05b8dccf5ce3efa467d9a9516077e80b3735d64bd51a9baN.exe | "C:\Users\Admin\AppData\Local\Temp\edfe9810f16c9dc8f05b8dccf5ce3efa467d9a9516077e80b3735d64bd51a9baN.exe" | PID 2196 | Loads dropped DLL; Suspicious use of WriteProcessMemory
2⤵ C:\Windows\SysWOW64\Ockinl32.exe | C:\Windows\system32\Ockinl32.exe | PID 2636 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3⤵ C:\Windows\SysWOW64\Ojeakfnd.exe | C:\Windows\system32\Ojeakfnd.exe | PID 2676 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4⤵ C:\Windows\SysWOW64\Oqojhp32.exe | C:\Windows\system32\Oqojhp32.exe | PID 2820 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
5⤵ C:\Windows\SysWOW64\Pjhnqfla.exe | C:\Windows\system32\Pjhnqfla.exe | PID 2584 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6⤵ C:\Windows\SysWOW64\Ppdfimji.exe | C:\Windows\system32\Ppdfimji.exe | PID 2648 | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
7⤵ C:\Windows\SysWOW64\Pglojj32.exe | C:\Windows\system32\Pglojj32.exe | PID 1908 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8⤵ C:\Windows\SysWOW64\Pimkbbpi.exe | C:\Windows\system32\Pimkbbpi.exe | PID 1084 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
9⤵ C:\Windows\SysWOW64\Ppgcol32.exe | C:\Windows\system32\Ppgcol32.exe | PID 2740 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Modifies registry class; Suspicious use of WriteProcessMemory
10⤵ C:\Windows\SysWOW64\Pbepkh32.exe | C:\Windows\system32\Pbepkh32.exe | PID 2940 | Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
11⤵ C:\Windows\SysWOW64\Pcdldknm.exe | C:\Windows\system32\Pcdldknm.exe | PID 2708 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12⤵ C:\Windows\SysWOW64\Pbglpg32.exe | C:\Windows\system32\Pbglpg32.exe | PID 2936 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
13⤵ C:\Windows\SysWOW64\Plpqim32.exe | C:\Windows\system32\Plpqim32.exe | PID 2132 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
14⤵ C:\Windows\SysWOW64\Pfeeff32.exe | C:\Windows\system32\Pfeeff32.exe | PID 604 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15⤵ C:\Windows\SysWOW64\Pidaba32.exe | C:\Windows\system32\Pidaba32.exe | PID 2344 | Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16⤵ C:\Windows\SysWOW64\Qnqjkh32.exe | C:\Windows\system32\Qnqjkh32.exe | PID 1772 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17⤵ C:\Windows\SysWOW64\Qifnhaho.exe | C:\Windows\system32\Qifnhaho.exe | PID 2144 | Executes dropped EXE; Loads dropped DLL
18⤵ C:\Windows\SysWOW64\Qldjdlgb.exe | C:\Windows\system32\Qldjdlgb.exe | PID 1532 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
19⤵ C:\Windows\SysWOW64\Qbobaf32.exe | C:\Windows\system32\Qbobaf32.exe | PID 688 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
20⤵ C:\Windows\SysWOW64\Qaablcej.exe | C:\Windows\system32\Qaablcej.exe | PID 2504 | Executes dropped EXE; Loads dropped DLL
21⤵ C:\Windows\SysWOW64\Qhkkim32.exe | C:\Windows\system32\Qhkkim32.exe | PID 3004 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
22⤵ C:\Windows\SysWOW64\Ajjgei32.exe | C:\Windows\system32\Ajjgei32.exe | PID 3012 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
23⤵ C:\Windows\SysWOW64\Aadobccg.exe | C:\Windows\system32\Aadobccg.exe | PID 1732 | Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
24⤵ C:\Windows\SysWOW64\Adblnnbk.exe | C:\Windows\system32\Adblnnbk.exe | PID 2996 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
25⤵ C:\Windows\SysWOW64\Afqhjj32.exe | C:\Windows\system32\Afqhjj32.exe | PID 992 | Executes dropped EXE; Loads dropped DLL
26⤵ C:\Windows\SysWOW64\Amjpgdik.exe | C:\Windows\system32\Amjpgdik.exe | PID 2088 | Executes dropped EXE; Loads dropped DLL
27⤵ C:\Windows\SysWOW64\Apilcoho.exe | C:\Windows\system32\Apilcoho.exe | PID 2656 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class
28⤵ C:\Windows\SysWOW64\Ammmlcgi.exe | C:\Windows\system32\Ammmlcgi.exe | PID 2488 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
29⤵ C:\Windows\SysWOW64\Adgein32.exe | C:\Windows\system32\Adgein32.exe | PID 2780 | Executes dropped EXE; Loads dropped DLL
30⤵ C:\Windows\SysWOW64\Afeaei32.exe | C:\Windows\system32\Afeaei32.exe | PID 2748 | Executes dropped EXE; Loads dropped DLL
31⤵ C:\Windows\SysWOW64\Adiaommc.exe | C:\Windows\system32\Adiaommc.exe | PID 2532 | Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
32⤵ C:\Windows\SysWOW64\Afgnkilf.exe | C:\Windows\system32\Afgnkilf.exe | PID 3044 | Executes dropped EXE; Loads dropped DLL; Modifies registry class
33⤵ C:\Windows\SysWOW64\Aldfcpjn.exe | C:\Windows\system32\Aldfcpjn.exe | PID 2460 | Executes dropped EXE; Drops file in System32 directory; Modifies registry class
34⤵ C:\Windows\SysWOW64\Abnopj32.exe | C:\Windows\system32\Abnopj32.exe | PID 1600 | Executes dropped EXE
35⤵ C:\Windows\SysWOW64\Bpboinpd.exe | C:\Windows\system32\Bpboinpd.exe | PID 1920 | Executes dropped EXE; Drops file in System32 directory
36⤵ C:\Windows\SysWOW64\Bbqkeioh.exe | C:\Windows\system32\Bbqkeioh.exe | PID 2896 | Executes dropped EXE
37⤵ C:\Windows\SysWOW64\Bikcbc32.exe | C:\Windows\system32\Bikcbc32.exe | PID 2908 | Executes dropped EXE; Modifies registry class
38⤵ C:\Windows\SysWOW64\Blipno32.exe | C:\Windows\system32\Blipno32.exe | PID 2932 | Executes dropped EXE; Drops file in System32 directory; Modifies registry class
39⤵ C:\Windows\SysWOW64\Bogljj32.exe | C:\Windows\system32\Bogljj32.exe | PID 2244 | Executes dropped EXE
40⤵ C:\Windows\SysWOW64\Beadgdli.exe | C:\Windows\system32\Beadgdli.exe | PID 1680 | Executes dropped EXE; Drops file in System32 directory
41⤵ C:\Windows\SysWOW64\Bojipjcj.exe | C:\Windows\system32\Bojipjcj.exe | PID 1568 | Executes dropped EXE
42⤵ C:\Windows\SysWOW64\Bahelebm.exe | C:\Windows\system32\Bahelebm.exe | PID 1408 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
43⤵ C:\Windows\SysWOW64\Blniinac.exe | C:\Windows\system32\Blniinac.exe | PID 272 | Executes dropped EXE; System Location Discovery: System Language Discovery
44⤵ C:\Windows\SysWOW64\Boleejag.exe | C:\Windows\system32\Boleejag.exe | PID 1760 | Executes dropped EXE
45⤵ C:\Windows\SysWOW64\Bakaaepk.exe | C:\Windows\system32\Bakaaepk.exe | PID 1576 | Executes dropped EXE
46⤵ C:\Windows\SysWOW64\Bdinnqon.exe | C:\Windows\system32\Bdinnqon.exe | PID 872 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; Modifies registry class
47⤵ C:\Windows\SysWOW64\Bhdjno32.exe | C:\Windows\system32\Bhdjno32.exe | PID 1040 | Executes dropped EXE; Drops file in System32 directory
48⤵ C:\Windows\SysWOW64\Camnge32.exe | C:\Windows\system32\Camnge32.exe | PID 2948 | Executes dropped EXE; Modifies registry class
49⤵ C:\Windows\SysWOW64\Cppobaeb.exe | C:\Windows\system32\Cppobaeb.exe | PID 1840 | Executes dropped EXE; Drops file in System32 directory
50⤵ C:\Windows\SysWOW64\Chggdoee.exe | C:\Windows\system32\Chggdoee.exe | PID 2388 | Executes dropped EXE; Modifies registry class
51⤵ C:\Windows\SysWOW64\Cgjgol32.exe | C:\Windows\system32\Cgjgol32.exe | PID 2792 | Executes dropped EXE
52⤵ C:\Windows\SysWOW64\Cjhckg32.exe | C:\Windows\system32\Cjhckg32.exe | PID 2680 | Executes dropped EXE
53⤵ C:\Windows\SysWOW64\Cncolfcl.exe | C:\Windows\system32\Cncolfcl.exe | PID 2796 | Executes dropped EXE
54⤵ C:\Windows\SysWOW64\Cdngip32.exe | C:\Windows\system32\Cdngip32.exe | PID 1736 | Executes dropped EXE
55⤵ C:\Windows\SysWOW64\Cglcek32.exe | C:\Windows\system32\Cglcek32.exe | PID 2560 | Executes dropped EXE; Modifies registry class
56⤵ C:\Windows\SysWOW64\Cjjpag32.exe | C:\Windows\system32\Cjjpag32.exe | PID 2712 | Executes dropped EXE; Drops file in System32 directory
57⤵ C:\Windows\SysWOW64\Cnflae32.exe | C:\Windows\system32\Cnflae32.exe | PID 556 | Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
58⤵ C:\Windows\SysWOW64\Clilmbhd.exe | C:\Windows\system32\Clilmbhd.exe | PID 1924 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
59⤵ C:\Windows\SysWOW64\Cdpdnpif.exe | C:\Windows\system32\Cdpdnpif.exe | PID 2616 | Executes dropped EXE
60⤵ C:\Windows\SysWOW64\Cgnpjkhj.exe | C:\Windows\system32\Cgnpjkhj.exe | PID 3052 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
61⤵ C:\Windows\SysWOW64\Cfaqfh32.exe | C:\Windows\system32\Cfaqfh32.exe | PID 1848 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
62⤵ C:\Windows\SysWOW64\Cnhhge32.exe | C:\Windows\system32\Cnhhge32.exe | PID 1448 | Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Modifies registry class
63⤵ C:\Windows\SysWOW64\Clkicbfa.exe | C:\Windows\system32\Clkicbfa.exe | PID 2072 | Executes dropped EXE
64⤵ C:\Windows\SysWOW64\Cceapl32.exe | C:\Windows\system32\Cceapl32.exe | PID 2356 | Executes dropped EXE
65⤵ C:\Windows\SysWOW64\Cfcmlg32.exe | C:\Windows\system32\Cfcmlg32.exe | PID 1436 | Executes dropped EXE
66⤵ C:\Windows\SysWOW64\Chbihc32.exe | C:\Windows\system32\Chbihc32.exe | PID 1648 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
67⤵ C:\Windows\SysWOW64\Coladm32.exe | C:\Windows\system32\Coladm32.exe | PID 2384 | (no signatures)
68⤵ C:\Windows\SysWOW64\Cbjnqh32.exe | C:\Windows\system32\Cbjnqh32.exe | PID 2768 | (no signatures)
69⤵ C:\Windows\SysWOW64\Cffjagko.exe | C:\Windows\system32\Cffjagko.exe | PID 2404 | (no signatures)
70⤵ C:\Windows\SysWOW64\Dkbbinig.exe | C:\Windows\system32\Dkbbinig.exe | PID 1516 | (no signatures)
71⤵ C:\Windows\SysWOW64\Donojm32.exe | C:\Windows\system32\Donojm32.exe | PID 2644 | Modifies registry class
72⤵ C:\Windows\SysWOW64\Dfhgggim.exe | C:\Windows\system32\Dfhgggim.exe | PID 2552 | (no signatures)
73⤵ C:\Windows\SysWOW64\Dhgccbhp.exe | C:\Windows\system32\Dhgccbhp.exe | PID 3048 | Adds autorun key to be loaded by Explorer.exe on startup
74⤵ C:\Windows\SysWOW64\Dkeoongd.exe | C:\Windows\system32\Dkeoongd.exe | PID 2760 | (no signatures)
75⤵ C:\Windows\SysWOW64\Doqkpl32.exe | C:\Windows\system32\Doqkpl32.exe | PID 1820 | Drops file in System32 directory
76⤵ C:\Windows\SysWOW64\Dboglhna.exe | C:\Windows\system32\Dboglhna.exe | PID 1076 | Adds autorun key to be loaded by Explorer.exe on startup
77⤵ C:\Windows\SysWOW64\Dfkclf32.exe | C:\Windows\system32\Dfkclf32.exe | PID 2892 | Adds autorun key to be loaded by Explorer.exe on startup
78⤵ C:\Windows\SysWOW64\Dhiphb32.exe | C:\Windows\system32\Dhiphb32.exe | PID 2064 | System Location Discovery: System Language Discovery; Modifies registry class
79⤵ C:\Windows\SysWOW64\Dglpdomh.exe | C:\Windows\system32\Dglpdomh.exe | PID 2628 | (no signatures)
80⤵ C:\Windows\SysWOW64\Dnfhqi32.exe | C:\Windows\system32\Dnfhqi32.exe | PID 2232 | (no signatures)
81⤵ C:\Windows\SysWOW64\Dqddmd32.exe | C:\Windows\system32\Dqddmd32.exe | PID 2364 | (no signatures)
82⤵ C:\Windows\SysWOW64\Dhklna32.exe | C:\Windows\system32\Dhklna32.exe | PID 1612 | System Location Discovery: System Language Discovery
83⤵ C:\Windows\SysWOW64\Dkjhjm32.exe | C:\Windows\system32\Dkjhjm32.exe | PID 1860 | (no signatures)
84⤵ C:\Windows\SysWOW64\Dnhefh32.exe | C:\Windows\system32\Dnhefh32.exe | PID 1728 | (no signatures)
85⤵ C:\Windows\SysWOW64\Dbdagg32.exe | C:\Windows\system32\Dbdagg32.exe | PID 1672 | (no signatures)
86⤵ C:\Windows\SysWOW64\Ddbmcb32.exe | C:\Windows\system32\Ddbmcb32.exe | PID 2316 | (no signatures)
87⤵ C:\Windows\SysWOW64\Dgqion32.exe | C:\Windows\system32\Dgqion32.exe | PID 2960 | System Location Discovery: System Language Discovery
88⤵ C:\Windows\SysWOW64\Dklepmal.exe | C:\Windows\system32\Dklepmal.exe | PID 2696 | System Location Discovery: System Language Discovery
89⤵ C:\Windows\SysWOW64\Dnjalhpp.exe | C:\Windows\system32\Dnjalhpp.exe | PID 752 | Modifies registry class
90⤵ C:\Windows\SysWOW64\Dqinhcoc.exe | C:\Windows\system32\Dqinhcoc.exe | PID 1916 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
91⤵ C:\Windows\SysWOW64\Ecgjdong.exe | C:\Windows\system32\Ecgjdong.exe | PID 2256 | Modifies registry class
92⤵ C:\Windows\SysWOW64\Efffpjmk.exe | C:\Windows\system32\Efffpjmk.exe | PID 2596 | (no signatures)
93⤵ C:\Windows\SysWOW64\Ejabqi32.exe | C:\Windows\system32\Ejabqi32.exe | PID 2492 | Adds autorun key to be loaded by Explorer.exe on startup; Drops file in System32 directory
94⤵ C:\Windows\SysWOW64\Epnkip32.exe | C:\Windows\system32\Epnkip32.exe | PID 2348 | Adds autorun key to be loaded by Explorer.exe on startup
95⤵ C:\Windows\SysWOW64\Ecjgio32.exe | C:\Windows\system32\Ecjgio32.exe | PID 2060 | Modifies registry class
96⤵ C:\Windows\SysWOW64\Efhcej32.exe | C:\Windows\system32\Efhcej32.exe | PID 2040 | (no signatures)
97⤵ C:\Windows\SysWOW64\Eifobe32.exe | C:\Windows\system32\Eifobe32.exe | PID 1464 | (no signatures)
98⤵ C:\Windows\SysWOW64\Embkbdce.exe | C:\Windows\system32\Embkbdce.exe | PID 3068 | (no signatures)
99⤵ C:\Windows\SysWOW64\Epqgopbi.exe | C:\Windows\system32\Epqgopbi.exe | PID 996 | (no signatures)
100⤵ C:\Windows\SysWOW64\Ebockkal.exe | C:\Windows\system32\Ebockkal.exe | PID 1632 | (no signatures)
101⤵ C:\Windows\SysWOW64\Ejfllhao.exe | C:\Windows\system32\Ejfllhao.exe | PID 2556 | Drops file in System32 directory; Modifies registry class
102⤵ C:\Windows\SysWOW64\Emdhhdqb.exe | C:\Windows\system32\Emdhhdqb.exe | PID 2308 | System Location Discovery: System Language Discovery
103⤵ C:\Windows\SysWOW64\Ekghcq32.exe | C:\Windows\system32\Ekghcq32.exe | PID 1168 | Drops file in System32 directory
104⤵ C:\Windows\SysWOW64\Ecnpdnho.exe | C:\Windows\system32\Ecnpdnho.exe | PID 2984 | Drops file in System32 directory; Modifies registry class
105⤵ C:\Windows\SysWOW64\Ebappk32.exe | C:\Windows\system32\Ebappk32.exe | PID 956 | System Location Discovery: System Language Discovery
106⤵ C:\Windows\SysWOW64\Eepmlf32.exe | C:\Windows\system32\Eepmlf32.exe | PID 480 | Adds autorun key to be loaded by Explorer.exe on startup
107⤵ C:\Windows\SysWOW64\Emgdmc32.exe | C:\Windows\system32\Emgdmc32.exe | PID 1996 | (no signatures)
108⤵ C:\Windows\SysWOW64\Epeajo32.exe | C:\Windows\system32\Epeajo32.exe | PID 2052 | (no signatures)
109⤵ C:\Windows\SysWOW64\Enhaeldn.exe | C:\Windows\system32\Enhaeldn.exe | PID 1688 | Modifies registry class
110⤵ C:\Windows\SysWOW64\Eebibf32.exe | C:\Windows\system32\Eebibf32.exe | PID 572 | System Location Discovery: System Language Discovery
111⤵ C:\Windows\SysWOW64\Egpena32.exe | C:\Windows\system32\Egpena32.exe | PID 2296 | Adds autorun key to be loaded by Explorer.exe on startup
112⤵ C:\Windows\SysWOW64\Fpgnoo32.exe | C:\Windows\system32\Fpgnoo32.exe | PID 2700 | (no signatures)
113⤵ C:\Windows\SysWOW64\Faijggao.exe | C:\Windows\system32\Faijggao.exe | PID 2540 | Modifies registry class
114⤵ C:\Windows\SysWOW64\Fipbhd32.exe | C:\Windows\system32\Fipbhd32.exe | PID 2580 | Modifies registry class
115⤵ C:\Windows\SysWOW64\Fjaoplho.exe | C:\Windows\system32\Fjaoplho.exe | PID 2988 | (no signatures)
116⤵ C:\Windows\SysWOW64\Fnmjpk32.exe | C:\Windows\system32\Fnmjpk32.exe | PID 2928 | Adds autorun key to be loaded by Explorer.exe on startup
117⤵ C:\Windows\SysWOW64\Fcichb32.exe | C:\Windows\system32\Fcichb32.exe | PID 588 | System Location Discovery: System Language Discovery
118⤵ C:\Windows\SysWOW64\Fheoiqgi.exe | C:\Windows\system32\Fheoiqgi.exe | PID 2216 | Drops file in System32 directory
119⤵ C:\Windows\SysWOW64\Fjckelfm.exe | C:\Windows\system32\Fjckelfm.exe | PID 896 | (no signatures)
120⤵ C:\Windows\SysWOW64\Fnogfk32.exe | C:\Windows\system32\Fnogfk32.exe | PID 1644 | Drops file in System32 directory
121⤵ C:\Windows\SysWOW64\Feipbefb.exe | C:\Windows\system32\Feipbefb.exe | PID 2400 | (no signatures)
122⤵ C:\Windows\SysWOW64\Fdlpnamm.exe | C:\Windows\system32\Fdlpnamm.exe | PID 2832 | System Location Discovery: System Language Discovery