Analysis
-
max time kernel
31s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
09/11/2024, 05:41
Static task
static1
Behavioral task
behavioral1
Sample
79af774e93a340d75e71a5bde448126e863bac428741bf47b8e80e6bd2e45c6cN.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
79af774e93a340d75e71a5bde448126e863bac428741bf47b8e80e6bd2e45c6cN.exe
Resource
win10v2004-20241007-en
General
-
Target
79af774e93a340d75e71a5bde448126e863bac428741bf47b8e80e6bd2e45c6cN.exe
-
Size
67KB
-
MD5
a10f773433ae364f24c56c35df8d4bd0
-
SHA1
65b84c380169e88dae558014b175c6dcbcb65d9e
-
SHA256
79af774e93a340d75e71a5bde448126e863bac428741bf47b8e80e6bd2e45c6c
-
SHA512
cfe17e0656055f3f5ff7c4532935577b16e36d2b9d23d2fa6af6fecead4d63b8df2f79aa80bb67979423184fde19708ded3856f0adfa1202ba53e2b62a272d84
-
SSDEEP
1536:CYzlQqvZ8lqPl4JZjKrpuM18+HNwX1cgCe8uC:7lQqLSWJ1ntGugCe8uC
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpafhpaj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mojmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pinchq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Andnff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghcmedmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lheilofe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jqonjmbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cefpmiji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbjmhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djddbkck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chahin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kemjieol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecabfpff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qiclcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjbpemb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pinchq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aejmha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 79af774e93a340d75e71a5bde448126e863bac428741bf47b8e80e6bd2e45c6cN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipgeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnllcoed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Micnbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oleinmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aofhcmig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdonpjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egmhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Genkhidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okkfoikl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bilkhbcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddjbbbna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjlenm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibehna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfbibfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpjboi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpdgolml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcbaop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmimpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chccfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlamfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlpdifda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakani32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkoikcaq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdadbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbfehn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fenedlec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clbdobpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcgppana.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llojpghe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Andnff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajmbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gimmbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpegka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajfcgoec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfnmhnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llojpghe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Medobp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Megkgpaq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akhopj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amjkgbhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbgjbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmfoon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhnlqjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igdqmeke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kecpipck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpafhpaj.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2172 Hemeod32.exe 2856 Hpbilmop.exe 2776 Hkljljko.exe 3036 Hfdkoc32.exe 2928 Iolohhpc.exe 2292 Ihedan32.exe 2680 Ikembicd.exe 1736 Iglngj32.exe 576 Iipgeb32.exe 2996 Jollgl32.exe 964 Jidppaio.exe 2096 Jbmdig32.exe 1908 Jkgfgl32.exe 584 Jkjbml32.exe 2400 Kebgea32.exe 2636 Kjalch32.exe 2064 Kbmahjbk.exe 1752 Kemjieol.exe 1104 Kofnbk32.exe 1816 Lohkhjcj.exe 932 Lllkaobc.exe 788 Lheilofe.exe 2428 Lkfbmj32.exe 1692 Mpegka32.exe 3064 Mojdlm32.exe 644 Mlqakaqi.exe 1724 Meiedg32.exe 2188 Ndnbeclb.exe 2824 Nnidchqp.exe 2792 Ngahmngp.exe 2972 Njbanida.exe 2712 Obpbhk32.exe 1552 Omeged32.exe 2708 Ofmknifp.exe 1040 Oeeeeehe.exe 2076 Pclolakk.exe 3012 Pfmgmm32.exe 3000 Pmimpf32.exe 1676 Pbfehn32.exe 2100 Qipmdhcj.exe 2204 Qpjeaa32.exe 824 Ajfcgoec.exe 2544 Aelgdhei.exe 604 Amglij32.exe 1672 Adadedjq.exe 856 Aofhcmig.exe 2020 Apjbpemb.exe 2628 Bmnbjill.exe 2448 Bffgbo32.exe 2616 Blcokf32.exe 2948 Bigpdjpm.exe 2504 Bodhlane.exe 2432 Blhifemo.exe 2896 Baeanl32.exe 3004 Boiagp32.exe 2152 Cdejpg32.exe 2992 Caijik32.exe 1560 Chccfe32.exe 1532 Cpogjh32.exe 1656 Ckdlgq32.exe 1708 Clehoiam.exe 588 Cfnmhnhm.exe 2320 Cofaad32.exe 1840 Cjlenm32.exe -
Loads dropped DLL 64 IoCs
pid Process 2396 79af774e93a340d75e71a5bde448126e863bac428741bf47b8e80e6bd2e45c6cN.exe 2396 79af774e93a340d75e71a5bde448126e863bac428741bf47b8e80e6bd2e45c6cN.exe 2172 Hemeod32.exe 2172 Hemeod32.exe 2856 Hpbilmop.exe 2856 Hpbilmop.exe 2776 Hkljljko.exe 2776 Hkljljko.exe 3036 Hfdkoc32.exe 3036 Hfdkoc32.exe 2928 Iolohhpc.exe 2928 Iolohhpc.exe 2292 Ihedan32.exe 2292 Ihedan32.exe 2680 Ikembicd.exe 2680 Ikembicd.exe 1736 Iglngj32.exe 1736 Iglngj32.exe 576 Iipgeb32.exe 576 Iipgeb32.exe 2996 Jollgl32.exe 2996 Jollgl32.exe 964 Jidppaio.exe 964 Jidppaio.exe 2096 Jbmdig32.exe 2096 Jbmdig32.exe 1908 Jkgfgl32.exe 1908 Jkgfgl32.exe 584 Jkjbml32.exe 584 Jkjbml32.exe 2400 Kebgea32.exe 2400 Kebgea32.exe 2636 Kjalch32.exe 2636 Kjalch32.exe 2064 Kbmahjbk.exe 2064 Kbmahjbk.exe 1752 Kemjieol.exe 1752 Kemjieol.exe 1104 Kofnbk32.exe 1104 Kofnbk32.exe 1816 Lohkhjcj.exe 1816 Lohkhjcj.exe 932 Lllkaobc.exe 932 Lllkaobc.exe 788 Lheilofe.exe 788 Lheilofe.exe 2428 Lkfbmj32.exe 2428 Lkfbmj32.exe 1692 Mpegka32.exe 1692 Mpegka32.exe 3064 Mojdlm32.exe 3064 Mojdlm32.exe 644 Mlqakaqi.exe 644 Mlqakaqi.exe 1724 Meiedg32.exe 1724 Meiedg32.exe 2188 Ndnbeclb.exe 2188 Ndnbeclb.exe 2824 Nnidchqp.exe 2824 Nnidchqp.exe 2792 Ngahmngp.exe 2792 Ngahmngp.exe 2972 Njbanida.exe 2972 Njbanida.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Iglngj32.exe Ikembicd.exe File opened for modification C:\Windows\SysWOW64\Chccfe32.exe Caijik32.exe File opened for modification C:\Windows\SysWOW64\Hejaon32.exe Hlamfh32.exe File created C:\Windows\SysWOW64\Cefpmiji.exe Clnkdc32.exe File created C:\Windows\SysWOW64\Bmdqgp32.dll Diqabd32.exe File created C:\Windows\SysWOW64\Hgfqkokb.dll Pbfehn32.exe File created C:\Windows\SysWOW64\Onpjbm32.dll Bigpdjpm.exe File opened for modification C:\Windows\SysWOW64\Clnkdc32.exe Blkoocfl.exe File created C:\Windows\SysWOW64\Pimlpcke.dll Dklkkoqf.exe File created C:\Windows\SysWOW64\Ofenhhgl.dll Ekkppkpf.exe File created C:\Windows\SysWOW64\Jajlck32.dll Fdadbd32.exe File created C:\Windows\SysWOW64\Jollgl32.exe Iipgeb32.exe File created C:\Windows\SysWOW64\Mclbkjcf.exe Micnbe32.exe File created C:\Windows\SysWOW64\Nmhhdpoh.dll Apgnpo32.exe File created C:\Windows\SysWOW64\Lidafjlk.dll Dcofqphi.exe File created C:\Windows\SysWOW64\Agnopk32.dll Enjcfm32.exe File created C:\Windows\SysWOW64\Hlgodgnk.exe Hdlkpd32.exe File created C:\Windows\SysWOW64\Pfmgmm32.exe Pclolakk.exe File created C:\Windows\SysWOW64\Fenedlec.exe Endmgb32.exe File created C:\Windows\SysWOW64\Ipjfcf32.dll Gfpkbbmo.exe File opened for modification C:\Windows\SysWOW64\Dobcekld.exe Ddmohbln.exe File created C:\Windows\SysWOW64\Ikembicd.exe Ihedan32.exe File created C:\Windows\SysWOW64\Fagcnmie.exe Fhonegbd.exe File created C:\Windows\SysWOW64\Ofhefe32.dll Lfbibfmi.exe File created C:\Windows\SysWOW64\Ncbilimn.exe Nliqoofa.exe File opened for modification C:\Windows\SysWOW64\Dhknigfq.exe Dcofqphi.exe File created C:\Windows\SysWOW64\Epaeea32.dll Fbbfmqdm.exe File opened for modification C:\Windows\SysWOW64\Mlidplcf.exe Mkihfi32.exe File created C:\Windows\SysWOW64\Akhopj32.exe Andnff32.exe File created C:\Windows\SysWOW64\Opoonh32.dll Bjbelf32.exe File created C:\Windows\SysWOW64\Jjcfbigh.dll Blfnin32.exe File created C:\Windows\SysWOW64\Edafjiqe.exe Dqcmdjjo.exe File created C:\Windows\SysWOW64\Ecfcle32.exe Eqhfoj32.exe File created C:\Windows\SysWOW64\Alpokdmi.dll Ecfcle32.exe File created C:\Windows\SysWOW64\Hdacfn32.dll Eqjceidf.exe File created C:\Windows\SysWOW64\Gmhfjm32.exe Gmejdm32.exe File created C:\Windows\SysWOW64\Eggajb32.exe Eqklhh32.exe File created C:\Windows\SysWOW64\Lfpebq32.exe Lepihndm.exe File created C:\Windows\SysWOW64\Gigjch32.exe Fhgnie32.exe File created C:\Windows\SysWOW64\Bioecdad.dll Naebmppm.exe File created C:\Windows\SysWOW64\Bpomdmqa.exe Bjbelf32.exe File opened for modification C:\Windows\SysWOW64\Cajmbd32.exe Chahin32.exe File created C:\Windows\SysWOW64\Afjgjj32.dll Dcdlpklh.exe File opened for modification C:\Windows\SysWOW64\Fkipiodd.exe Fobodn32.exe File opened for modification C:\Windows\SysWOW64\Aelgdhei.exe Ajfcgoec.exe File created C:\Windows\SysWOW64\Mlidplcf.exe Mkihfi32.exe File created C:\Windows\SysWOW64\Mabihm32.exe Mfmekd32.exe File opened for modification C:\Windows\SysWOW64\Agoodkgk.exe Amjkgbhe.exe File created C:\Windows\SysWOW64\Gfpkbbmo.exe Gmhfjm32.exe File opened for modification C:\Windows\SysWOW64\Hegdinpd.exe Geehcoaf.exe File created C:\Windows\SysWOW64\Legohm32.exe Llojpghe.exe File created C:\Windows\SysWOW64\Gminbold.dll Gmcogf32.exe File opened for modification C:\Windows\SysWOW64\Ikembicd.exe Ihedan32.exe File opened for modification C:\Windows\SysWOW64\Jidppaio.exe Jollgl32.exe File created C:\Windows\SysWOW64\Ikfffh32.exe Ihhjjm32.exe File opened for modification C:\Windows\SysWOW64\Lifoia32.exe Lpmjplag.exe File opened for modification C:\Windows\SysWOW64\Aifpcfjd.exe Qpnkjq32.exe File opened for modification C:\Windows\SysWOW64\Dgehfodh.exe Dlpdifda.exe File created C:\Windows\SysWOW64\Lplfkgmm.dll Hakani32.exe File created C:\Windows\SysWOW64\Lqakem32.dll Mpjboi32.exe File created C:\Windows\SysWOW64\Pbfehn32.exe Pmimpf32.exe File created C:\Windows\SysWOW64\Qpnkjq32.exe Qgbfen32.exe File created C:\Windows\SysWOW64\Iamnpbpo.dll Bpomdmqa.exe File created C:\Windows\SysWOW64\Hcghffen.exe Hnjonpgg.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecfednma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bffgbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boiagp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihefjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlpdifda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmahjbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obpbhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgbfen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqqqokla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbibfmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipgab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bilkhbcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kebgea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnbeclb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omeged32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjlenm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anbaqfep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkipiodd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnkjfcik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkljljko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lneghd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgnpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnllcoed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qahnid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqijck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqcmdjjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbjmhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piipibff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clbdobpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doqmjaac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpbilmop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkfbmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcffmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hafdbmjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diqabd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqonjmbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojjqbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejmha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcahgjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbmgapgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdadbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlamfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcghffen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlhbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggicdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnjonpgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlndj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anigaeoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdnmda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekndpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kceijg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkopjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdejpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnmhnhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqhfoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhknigfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecabfpff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgnie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigjch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chahin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfdkoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfmgmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aifpcfjd.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkdhfdnj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmomag32.dll" Ghagjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbjjjlll.dll" Kecpipck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnjdoh32.dll" Kqijck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpbhip32.dll" Ofmknifp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhknigfq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plmdeaaf.dll" Pjdlkeln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chahin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnnpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djlplj32.dll" Mojmbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gibmglep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jollgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhgnie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcgppana.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eggajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihedan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjalch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bffgbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boiagp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peandcih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccjpfmic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iedmhlqf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjlenm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcajpjoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kenamefo.dll" Aejmha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhfpbaoe.dll" Kjalch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipjlgf32.dll" Mmaghc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncbilimn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lidafjlk.dll" Dcofqphi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfadeaho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcdlpklh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odiogj32.dll" Ebkpma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfbibfmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apgnpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enjmlgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khookdof.dll" Hnjonpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eqhfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nceeaikk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjdlkeln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qiclcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bigpdjpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckanhf32.dll" Cfnmhnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mllqfhgm.dll" Jofhqiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laacmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngahmngp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jafnpd32.dll" Amglij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnpkd32.dll" Kbljmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngfepoaa.dll" Poplqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lchladlp.dll" Cemfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjamab32.dll" Kiihcmoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qiclcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkipiodd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpjeaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaipao32.dll" Ajfcgoec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onpjbm32.dll" Bigpdjpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Endmgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bajqcqli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkdjol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nabhaq32.dll" Apjdin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdman32.dll" Gbbdemnl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lohkhjcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnllcoed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihhjjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lneghd32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2396 wrote to memory of 2172 2396 79af774e93a340d75e71a5bde448126e863bac428741bf47b8e80e6bd2e45c6cN.exe 29 PID 2396 wrote to memory of 2172 2396 79af774e93a340d75e71a5bde448126e863bac428741bf47b8e80e6bd2e45c6cN.exe 29 PID 2396 wrote to memory of 2172 2396 79af774e93a340d75e71a5bde448126e863bac428741bf47b8e80e6bd2e45c6cN.exe 29 PID 2396 wrote to memory of 2172 2396 79af774e93a340d75e71a5bde448126e863bac428741bf47b8e80e6bd2e45c6cN.exe 29 PID 2172 wrote to memory of 2856 2172 Hemeod32.exe 30 PID 2172 wrote to memory of 2856 2172 Hemeod32.exe 30 PID 2172 wrote to memory of 2856 2172 Hemeod32.exe 30 PID 2172 wrote to memory of 2856 2172 Hemeod32.exe 30 PID 2856 wrote to memory of 2776 2856 Hpbilmop.exe 31 PID 2856 wrote to memory of 2776 2856 Hpbilmop.exe 31 PID 2856 wrote to memory of 2776 2856 Hpbilmop.exe 31 PID 2856 wrote to memory of 2776 2856 Hpbilmop.exe 31 PID 2776 wrote to memory of 3036 2776 Hkljljko.exe 32 PID 2776 wrote to memory of 3036 2776 Hkljljko.exe 32 PID 2776 wrote to memory of 3036 2776 Hkljljko.exe 32 PID 2776 wrote to memory of 3036 2776 Hkljljko.exe 32 PID 3036 wrote to memory of 2928 3036 Hfdkoc32.exe 33 PID 3036 wrote to memory of 2928 3036 Hfdkoc32.exe 33 PID 3036 wrote to memory of 2928 3036 Hfdkoc32.exe 33 PID 3036 wrote to memory of 2928 3036 Hfdkoc32.exe 33 PID 2928 wrote to memory of 2292 2928 Iolohhpc.exe 34 PID 2928 wrote to memory of 2292 2928 Iolohhpc.exe 34 PID 2928 wrote to memory of 2292 2928 Iolohhpc.exe 34 PID 2928 wrote to memory of 2292 2928 Iolohhpc.exe 34 PID 2292 wrote to memory of 2680 2292 Ihedan32.exe 35 PID 2292 wrote to memory of 2680 2292 Ihedan32.exe 35 PID 2292 wrote to memory of 2680 2292 Ihedan32.exe 35 PID 2292 wrote to memory of 2680 2292 Ihedan32.exe 35 PID 2680 wrote to memory of 1736 2680 Ikembicd.exe 36 PID 2680 wrote to memory of 1736 2680 Ikembicd.exe 36 PID 2680 wrote to memory of 1736 2680 Ikembicd.exe 36 PID 2680 wrote to memory of 1736 2680 Ikembicd.exe 36 PID 1736 wrote to memory of 576 1736 Iglngj32.exe 37 PID 1736 wrote to memory of 576 1736 Iglngj32.exe 37 PID 1736 wrote to memory of 576 1736 Iglngj32.exe 37 PID 1736 wrote to memory of 576 1736 Iglngj32.exe 37 PID 576 wrote to memory of 2996 576 Iipgeb32.exe 38 PID 576 wrote to memory of 2996 576 Iipgeb32.exe 38 PID 576 wrote to memory of 2996 576 Iipgeb32.exe 38 PID 576 wrote to memory of 2996 576 Iipgeb32.exe 38 PID 2996 wrote to memory of 964 2996 Jollgl32.exe 39 PID 2996 wrote to memory of 964 2996 Jollgl32.exe 39 PID 2996 wrote to memory of 964 2996 Jollgl32.exe 39 PID 2996 wrote to memory of 964 2996 Jollgl32.exe 39 PID 964 wrote to memory of 2096 964 Jidppaio.exe 40 PID 964 wrote to memory of 2096 964 Jidppaio.exe 40 PID 964 wrote to memory of 2096 964 Jidppaio.exe 40 PID 964 wrote to memory of 2096 964 Jidppaio.exe 40 PID 2096 wrote to memory of 1908 2096 Jbmdig32.exe 41 PID 2096 wrote to memory of 1908 2096 Jbmdig32.exe 41 PID 2096 wrote to memory of 1908 2096 Jbmdig32.exe 41 PID 2096 wrote to memory of 1908 2096 Jbmdig32.exe 41 PID 1908 wrote to memory of 584 1908 Jkgfgl32.exe 42 PID 1908 wrote to memory of 584 1908 Jkgfgl32.exe 42 PID 1908 wrote to memory of 584 1908 Jkgfgl32.exe 42 PID 1908 wrote to memory of 584 1908 Jkgfgl32.exe 42 PID 584 wrote to memory of 2400 584 Jkjbml32.exe 43 PID 584 wrote to memory of 2400 584 Jkjbml32.exe 43 PID 584 wrote to memory of 2400 584 Jkjbml32.exe 43 PID 584 wrote to memory of 2400 584 Jkjbml32.exe 43 PID 2400 wrote to memory of 2636 2400 Kebgea32.exe 44 PID 2400 wrote to memory of 2636 2400 Kebgea32.exe 44 PID 2400 wrote to memory of 2636 2400 Kebgea32.exe 44 PID 2400 wrote to memory of 2636 2400 Kebgea32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\79af774e93a340d75e71a5bde448126e863bac428741bf47b8e80e6bd2e45c6cN.exe"C:\Users\Admin\AppData\Local\Temp\79af774e93a340d75e71a5bde448126e863bac428741bf47b8e80e6bd2e45c6cN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Hemeod32.exeC:\Windows\system32\Hemeod32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Hpbilmop.exeC:\Windows\system32\Hpbilmop.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Hkljljko.exeC:\Windows\system32\Hkljljko.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Hfdkoc32.exeC:\Windows\system32\Hfdkoc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Iolohhpc.exeC:\Windows\system32\Iolohhpc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Ihedan32.exeC:\Windows\system32\Ihedan32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Ikembicd.exeC:\Windows\system32\Ikembicd.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Iglngj32.exeC:\Windows\system32\Iglngj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Iipgeb32.exeC:\Windows\system32\Iipgeb32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Jollgl32.exeC:\Windows\system32\Jollgl32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Jidppaio.exeC:\Windows\system32\Jidppaio.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Jbmdig32.exeC:\Windows\system32\Jbmdig32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Jkgfgl32.exeC:\Windows\system32\Jkgfgl32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Jkjbml32.exeC:\Windows\system32\Jkjbml32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Kebgea32.exeC:\Windows\system32\Kebgea32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Kjalch32.exeC:\Windows\system32\Kjalch32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Kbmahjbk.exeC:\Windows\system32\Kbmahjbk.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\Kemjieol.exeC:\Windows\system32\Kemjieol.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Kofnbk32.exeC:\Windows\system32\Kofnbk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1104 -
C:\Windows\SysWOW64\Lohkhjcj.exeC:\Windows\system32\Lohkhjcj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Lllkaobc.exeC:\Windows\system32\Lllkaobc.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:932 -
C:\Windows\SysWOW64\Lheilofe.exeC:\Windows\system32\Lheilofe.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:788 -
C:\Windows\SysWOW64\Lkfbmj32.exeC:\Windows\system32\Lkfbmj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Mpegka32.exeC:\Windows\system32\Mpegka32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Mojdlm32.exeC:\Windows\system32\Mojdlm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Mlqakaqi.exeC:\Windows\system32\Mlqakaqi.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:644 -
C:\Windows\SysWOW64\Meiedg32.exeC:\Windows\system32\Meiedg32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Ndnbeclb.exeC:\Windows\system32\Ndnbeclb.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2188 -
C:\Windows\SysWOW64\Nnidchqp.exeC:\Windows\system32\Nnidchqp.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Ngahmngp.exeC:\Windows\system32\Ngahmngp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Njbanida.exeC:\Windows\system32\Njbanida.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Obpbhk32.exeC:\Windows\system32\Obpbhk32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Omeged32.exeC:\Windows\system32\Omeged32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Windows\SysWOW64\Ofmknifp.exeC:\Windows\system32\Ofmknifp.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Oeeeeehe.exeC:\Windows\system32\Oeeeeehe.exe36⤵
- Executes dropped EXE
PID:1040 -
C:\Windows\SysWOW64\Pclolakk.exeC:\Windows\system32\Pclolakk.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Pfmgmm32.exeC:\Windows\system32\Pfmgmm32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Pmimpf32.exeC:\Windows\system32\Pmimpf32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Pbfehn32.exeC:\Windows\system32\Pbfehn32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Qipmdhcj.exeC:\Windows\system32\Qipmdhcj.exe41⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Qpjeaa32.exeC:\Windows\system32\Qpjeaa32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Ajfcgoec.exeC:\Windows\system32\Ajfcgoec.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:824 -
C:\Windows\SysWOW64\Aelgdhei.exeC:\Windows\system32\Aelgdhei.exe44⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Amglij32.exeC:\Windows\system32\Amglij32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:604 -
C:\Windows\SysWOW64\Adadedjq.exeC:\Windows\system32\Adadedjq.exe46⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Aofhcmig.exeC:\Windows\system32\Aofhcmig.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Apjbpemb.exeC:\Windows\system32\Apjbpemb.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Bmnbjill.exeC:\Windows\system32\Bmnbjill.exe49⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Bffgbo32.exeC:\Windows\system32\Bffgbo32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2448 -
C:\Windows\SysWOW64\Blcokf32.exeC:\Windows\system32\Blcokf32.exe51⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Bigpdjpm.exeC:\Windows\system32\Bigpdjpm.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Bodhlane.exeC:\Windows\system32\Bodhlane.exe53⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Blhifemo.exeC:\Windows\system32\Blhifemo.exe54⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Baeanl32.exeC:\Windows\system32\Baeanl32.exe55⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Boiagp32.exeC:\Windows\system32\Boiagp32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Cdejpg32.exeC:\Windows\system32\Cdejpg32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Caijik32.exeC:\Windows\system32\Caijik32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Chccfe32.exeC:\Windows\system32\Chccfe32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Cpogjh32.exeC:\Windows\system32\Cpogjh32.exe60⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Ckdlgq32.exeC:\Windows\system32\Ckdlgq32.exe61⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Clehoiam.exeC:\Windows\system32\Clehoiam.exe62⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Cfnmhnhm.exeC:\Windows\system32\Cfnmhnhm.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:588 -
C:\Windows\SysWOW64\Cofaad32.exeC:\Windows\system32\Cofaad32.exe64⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Cjlenm32.exeC:\Windows\system32\Cjlenm32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\Dbgjbo32.exeC:\Windows\system32\Dbgjbo32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2136 -
C:\Windows\SysWOW64\Dhaboi32.exeC:\Windows\system32\Dhaboi32.exe67⤵PID:2536
-
C:\Windows\SysWOW64\Dcffmb32.exeC:\Windows\system32\Dcffmb32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Dnpgmp32.exeC:\Windows\system32\Dnpgmp32.exe69⤵PID:1744
-
C:\Windows\SysWOW64\Ddjpjj32.exeC:\Windows\system32\Ddjpjj32.exe70⤵PID:804
-
C:\Windows\SysWOW64\Dkdhfdnj.exeC:\Windows\system32\Dkdhfdnj.exe71⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Dqqqokla.exeC:\Windows\system32\Dqqqokla.exe72⤵
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\Djiegp32.exeC:\Windows\system32\Djiegp32.exe73⤵PID:2520
-
C:\Windows\SysWOW64\Dqcmdjjo.exeC:\Windows\system32\Dqcmdjjo.exe74⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2960 -
C:\Windows\SysWOW64\Edafjiqe.exeC:\Windows\system32\Edafjiqe.exe75⤵PID:2836
-
C:\Windows\SysWOW64\Eqhfoj32.exeC:\Windows\system32\Eqhfoj32.exe76⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Ecfcle32.exeC:\Windows\system32\Ecfcle32.exe77⤵
- Drops file in System32 directory
PID:1372 -
C:\Windows\SysWOW64\Eqjceidf.exeC:\Windows\system32\Eqjceidf.exe78⤵
- Drops file in System32 directory
PID:2728 -
C:\Windows\SysWOW64\Ebkpma32.exeC:\Windows\system32\Ebkpma32.exe79⤵
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Epopff32.exeC:\Windows\system32\Epopff32.exe80⤵PID:236
-
C:\Windows\SysWOW64\Eelinm32.exeC:\Windows\system32\Eelinm32.exe81⤵PID:1704
-
C:\Windows\SysWOW64\Endmgb32.exeC:\Windows\system32\Endmgb32.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Fenedlec.exeC:\Windows\system32\Fenedlec.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1092 -
C:\Windows\SysWOW64\Fbbfmqdm.exeC:\Windows\system32\Fbbfmqdm.exe84⤵
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Fhonegbd.exeC:\Windows\system32\Fhonegbd.exe85⤵
- Drops file in System32 directory
PID:3040 -
C:\Windows\SysWOW64\Fagcnmie.exeC:\Windows\system32\Fagcnmie.exe86⤵PID:320
-
C:\Windows\SysWOW64\Fajpdmgb.exeC:\Windows\system32\Fajpdmgb.exe87⤵PID:1332
-
C:\Windows\SysWOW64\Fnnpma32.exeC:\Windows\system32\Fnnpma32.exe88⤵
- Modifies registry class
PID:2052 -
C:\Windows\SysWOW64\Fpoleilj.exeC:\Windows\system32\Fpoleilj.exe89⤵PID:2772
-
C:\Windows\SysWOW64\Fjdqbbkp.exeC:\Windows\system32\Fjdqbbkp.exe90⤵PID:2148
-
C:\Windows\SysWOW64\Gbpegdik.exeC:\Windows\system32\Gbpegdik.exe91⤵PID:2068
-
C:\Windows\SysWOW64\Gmejdm32.exeC:\Windows\system32\Gmejdm32.exe92⤵
- Drops file in System32 directory
PID:1324 -
C:\Windows\SysWOW64\Gmhfjm32.exeC:\Windows\system32\Gmhfjm32.exe93⤵
- Drops file in System32 directory
PID:912 -
C:\Windows\SysWOW64\Gfpkbbmo.exeC:\Windows\system32\Gfpkbbmo.exe94⤵
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Ghagjj32.exeC:\Windows\system32\Ghagjj32.exe95⤵
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Gokpgd32.exeC:\Windows\system32\Gokpgd32.exe96⤵PID:2452
-
C:\Windows\SysWOW64\Geehcoaf.exeC:\Windows\system32\Geehcoaf.exe97⤵
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Hegdinpd.exeC:\Windows\system32\Hegdinpd.exe98⤵PID:2388
-
C:\Windows\SysWOW64\Hlamfh32.exeC:\Windows\system32\Hlamfh32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2032 -
C:\Windows\SysWOW64\Hejaon32.exeC:\Windows\system32\Hejaon32.exe100⤵PID:1548
-
C:\Windows\SysWOW64\Hhhmki32.exeC:\Windows\system32\Hhhmki32.exe101⤵PID:904
-
C:\Windows\SysWOW64\Hdonpjbi.exeC:\Windows\system32\Hdonpjbi.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1624 -
C:\Windows\SysWOW64\Hnjonpgg.exeC:\Windows\system32\Hnjonpgg.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Hcghffen.exeC:\Windows\system32\Hcghffen.exe104⤵
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Hnllcoed.exeC:\Windows\system32\Hnllcoed.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Icidlf32.exeC:\Windows\system32\Icidlf32.exe106⤵PID:1508
-
C:\Windows\SysWOW64\Igdqmeke.exeC:\Windows\system32\Igdqmeke.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:540 -
C:\Windows\SysWOW64\Ihhjjm32.exeC:\Windows\system32\Ihhjjm32.exe108⤵
- Drops file in System32 directory
- Modifies registry class
PID:2552 -
C:\Windows\SysWOW64\Ikfffh32.exeC:\Windows\system32\Ikfffh32.exe109⤵PID:3048
-
C:\Windows\SysWOW64\Ihjfolmn.exeC:\Windows\system32\Ihjfolmn.exe110⤵PID:2568
-
C:\Windows\SysWOW64\Ifngiqlg.exeC:\Windows\system32\Ifngiqlg.exe111⤵PID:1440
-
C:\Windows\SysWOW64\Ibehna32.exeC:\Windows\system32\Ibehna32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:972 -
C:\Windows\SysWOW64\Jknlfg32.exeC:\Windows\system32\Jknlfg32.exe113⤵PID:1792
-
C:\Windows\SysWOW64\Jnlhbb32.exeC:\Windows\system32\Jnlhbb32.exe114⤵
- System Location Discovery: System Language Discovery
PID:1536 -
C:\Windows\SysWOW64\Jgdmkhnp.exeC:\Windows\system32\Jgdmkhnp.exe115⤵PID:2872
-
C:\Windows\SysWOW64\Jqmadn32.exeC:\Windows\system32\Jqmadn32.exe116⤵PID:2884
-
C:\Windows\SysWOW64\Jfijmdbh.exeC:\Windows\system32\Jfijmdbh.exe117⤵PID:2696
-
C:\Windows\SysWOW64\Jqonjmbn.exeC:\Windows\system32\Jqonjmbn.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\Jcmjfiab.exeC:\Windows\system32\Jcmjfiab.exe119⤵PID:1416
-
C:\Windows\SysWOW64\Jmfoon32.exeC:\Windows\system32\Jmfoon32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2232 -
C:\Windows\SysWOW64\Jcpglhpo.exeC:\Windows\system32\Jcpglhpo.exe121⤵PID:3052
-
C:\Windows\SysWOW64\Jfnchd32.exeC:\Windows\system32\Jfnchd32.exe122⤵PID:1412
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-