Analysis
max time kernel: 92s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 10/11/2024, 13:53

Static task: static1
Behavioral task: behavioral1
  Sample: d57f37a6eda3b39ff4050337dc2750cc2127635dc97c83188da631e752e2a5d4N.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: d57f37a6eda3b39ff4050337dc2750cc2127635dc97c83188da631e752e2a5d4N.exe
  Resource: win10v2004-20241007-en
General
Target: d57f37a6eda3b39ff4050337dc2750cc2127635dc97c83188da631e752e2a5d4N.exe
Size: 64KB
MD5: a1a888b9ffbdbe85fd6f1bef58e98620
SHA1: d619f9a1212c9dc057cc1487513eb9518109345c
SHA256: d57f37a6eda3b39ff4050337dc2750cc2127635dc97c83188da631e752e2a5d4
SHA512: 2288ff40ca6680d446836854575fb620a38b19afcfc75f2bee4de0b943245b2e1227d747098d5b80c020a6159941c359bb1dad076a7e9f64ca5cb58e90c49397
SSDEEP: 1536:UOhQokxpOfYAurW5/WAKCZ2sQ6OX8UwwPnBm:UBOYa5eAT9BOXXwwfBm
Malware Config
Extracted: berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid 10324, pid_target 9896, Process WerFault.exe, procid_target 500
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5044 wrote to memory of 4484 5044 d57f37a6eda3b39ff4050337dc2750cc2127635dc97c83188da631e752e2a5d4N.exe 83 PID 5044 wrote to memory of 4484 5044 d57f37a6eda3b39ff4050337dc2750cc2127635dc97c83188da631e752e2a5d4N.exe 83 PID 5044 wrote to memory of 4484 5044 d57f37a6eda3b39ff4050337dc2750cc2127635dc97c83188da631e752e2a5d4N.exe 83 PID 4484 wrote to memory of 4068 4484 Kejipb32.exe 84 PID 4484 wrote to memory of 4068 4484 Kejipb32.exe 84 PID 4484 wrote to memory of 4068 4484 Kejipb32.exe 84 PID 4068 wrote to memory of 2716 4068 Kldblmmk.exe 85 PID 4068 wrote to memory of 2716 4068 Kldblmmk.exe 85 PID 4068 wrote to memory of 2716 4068 Kldblmmk.exe 85 PID 2716 wrote to memory of 1372 2716 Kbnjig32.exe 86 PID 2716 wrote to memory of 1372 2716 Kbnjig32.exe 86 PID 2716 wrote to memory of 1372 2716 Kbnjig32.exe 86 PID 1372 wrote to memory of 964 1372 Kemfeb32.exe 87 PID 1372 wrote to memory of 964 1372 Kemfeb32.exe 87 PID 1372 wrote to memory of 964 1372 Kemfeb32.exe 87 PID 964 wrote to memory of 1392 964 Klgoalkh.exe 88 PID 964 wrote to memory of 1392 964 Klgoalkh.exe 88 PID 964 wrote to memory of 1392 964 Klgoalkh.exe 88 PID 1392 wrote to memory of 3996 1392 Kcqgnfbe.exe 89 PID 1392 wrote to memory of 3996 1392 Kcqgnfbe.exe 89 PID 1392 wrote to memory of 3996 1392 Kcqgnfbe.exe 89 PID 3996 wrote to memory of 4900 3996 Keocjbai.exe 90 PID 3996 wrote to memory of 4900 3996 Keocjbai.exe 90 PID 3996 wrote to memory of 4900 3996 Keocjbai.exe 90 PID 4900 wrote to memory of 980 4900 Khmogmal.exe 91 PID 4900 wrote to memory of 980 4900 Khmogmal.exe 91 PID 4900 wrote to memory of 980 4900 Khmogmal.exe 91 PID 980 wrote to memory of 2544 980 Koggcg32.exe 93 PID 980 wrote to memory of 2544 980 Koggcg32.exe 93 PID 980 wrote to memory of 2544 980 Koggcg32.exe 93 PID 2544 wrote to memory of 2880 2544 Kafcpc32.exe 94 PID 2544 wrote to memory of 2880 2544 Kafcpc32.exe 94 PID 2544 wrote to memory of 2880 2544 Kafcpc32.exe 94 PID 2880 wrote to memory 
of 1932 2880 Khpllmoj.exe 95 PID 2880 wrote to memory of 1932 2880 Khpllmoj.exe 95 PID 2880 wrote to memory of 1932 2880 Khpllmoj.exe 95 PID 1932 wrote to memory of 844 1932 Kojdig32.exe 96 PID 1932 wrote to memory of 844 1932 Kojdig32.exe 96 PID 1932 wrote to memory of 844 1932 Kojdig32.exe 96 PID 844 wrote to memory of 2272 844 Kedlea32.exe 97 PID 844 wrote to memory of 2272 844 Kedlea32.exe 97 PID 844 wrote to memory of 2272 844 Kedlea32.exe 97 PID 2272 wrote to memory of 1812 2272 Khbibm32.exe 99 PID 2272 wrote to memory of 1812 2272 Khbibm32.exe 99 PID 2272 wrote to memory of 1812 2272 Khbibm32.exe 99 PID 1812 wrote to memory of 3636 1812 Lchmoe32.exe 100 PID 1812 wrote to memory of 3636 1812 Lchmoe32.exe 100 PID 1812 wrote to memory of 3636 1812 Lchmoe32.exe 100 PID 3636 wrote to memory of 1484 3636 Liaelpdj.exe 101 PID 3636 wrote to memory of 1484 3636 Liaelpdj.exe 101 PID 3636 wrote to memory of 1484 3636 Liaelpdj.exe 101 PID 1484 wrote to memory of 1148 1484 Lplmhj32.exe 102 PID 1484 wrote to memory of 1148 1484 Lplmhj32.exe 102 PID 1484 wrote to memory of 1148 1484 Lplmhj32.exe 102 PID 1148 wrote to memory of 2396 1148 Lehfqqjn.exe 104 PID 1148 wrote to memory of 2396 1148 Lehfqqjn.exe 104 PID 1148 wrote to memory of 2396 1148 Lehfqqjn.exe 104 PID 2396 wrote to memory of 2004 2396 Llbnmk32.exe 105 PID 2396 wrote to memory of 2004 2396 Llbnmk32.exe 105 PID 2396 wrote to memory of 2004 2396 Llbnmk32.exe 105 PID 2004 wrote to memory of 4296 2004 Lclfjehh.exe 106 PID 2004 wrote to memory of 4296 2004 Lclfjehh.exe 106 PID 2004 wrote to memory of 4296 2004 Lclfjehh.exe 106 PID 4296 wrote to memory of 2468 4296 Ljfogo32.exe 107
Processes
-
C:\Users\Admin\AppData\Local\Temp\d57f37a6eda3b39ff4050337dc2750cc2127635dc97c83188da631e752e2a5d4N.exe"C:\Users\Admin\AppData\Local\Temp\d57f37a6eda3b39ff4050337dc2750cc2127635dc97c83188da631e752e2a5d4N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:5044 -
C:\Windows\SysWOW64\Kejipb32.exeC:\Windows\system32\Kejipb32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\Kldblmmk.exeC:\Windows\system32\Kldblmmk.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4068 -
C:\Windows\SysWOW64\Kbnjig32.exeC:\Windows\system32\Kbnjig32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Kemfeb32.exeC:\Windows\system32\Kemfeb32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Klgoalkh.exeC:\Windows\system32\Klgoalkh.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Kcqgnfbe.exeC:\Windows\system32\Kcqgnfbe.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Keocjbai.exeC:\Windows\system32\Keocjbai.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996 -
C:\Windows\SysWOW64\Khmogmal.exeC:\Windows\system32\Khmogmal.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4900 -
C:\Windows\SysWOW64\Koggcg32.exeC:\Windows\system32\Koggcg32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:980 -
C:\Windows\SysWOW64\Kafcpc32.exeC:\Windows\system32\Kafcpc32.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Khpllmoj.exeC:\Windows\system32\Khpllmoj.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Kojdig32.exeC:\Windows\system32\Kojdig32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Kedlea32.exeC:\Windows\system32\Kedlea32.exe14⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Khbibm32.exeC:\Windows\system32\Khbibm32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Lchmoe32.exeC:\Windows\system32\Lchmoe32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Liaelpdj.exeC:\Windows\system32\Liaelpdj.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\SysWOW64\Lplmhj32.exeC:\Windows\system32\Lplmhj32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Lehfqqjn.exeC:\Windows\system32\Lehfqqjn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Llbnmk32.exeC:\Windows\system32\Llbnmk32.exe20⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Lclfjehh.exeC:\Windows\system32\Lclfjehh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Ljfogo32.exeC:\Windows\system32\Ljfogo32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4296 -
C:\Windows\SysWOW64\Lppgciga.exeC:\Windows\system32\Lppgciga.exe23⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Lcocpdfe.exeC:\Windows\system32\Lcocpdfe.exe24⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Lemolpei.exeC:\Windows\system32\Lemolpei.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2024 -
C:\Windows\SysWOW64\Lhkkhk32.exeC:\Windows\system32\Lhkkhk32.exe26⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Lpbcii32.exeC:\Windows\system32\Lpbcii32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\Lfplap32.exeC:\Windows\system32\Lfplap32.exe28⤵
- Executes dropped EXE
PID:4396 -
C:\Windows\SysWOW64\Lhnhnk32.exeC:\Windows\system32\Lhnhnk32.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3140 -
C:\Windows\SysWOW64\Lpepoh32.exeC:\Windows\system32\Lpepoh32.exe30⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Mfbigo32.exeC:\Windows\system32\Mfbigo32.exe31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3448 -
C:\Windows\SysWOW64\Mllaci32.exeC:\Windows\system32\Mllaci32.exe32⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Mojmpe32.exeC:\Windows\system32\Mojmpe32.exe33⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Mbhilp32.exeC:\Windows\system32\Mbhilp32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4960 -
C:\Windows\SysWOW64\Mjpamn32.exeC:\Windows\system32\Mjpamn32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:884 -
C:\Windows\SysWOW64\Mlnnii32.exeC:\Windows\system32\Mlnnii32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Momjed32.exeC:\Windows\system32\Momjed32.exe37⤵
- Executes dropped EXE
PID:4348 -
C:\Windows\SysWOW64\Mbkfap32.exeC:\Windows\system32\Mbkfap32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4552 -
C:\Windows\SysWOW64\Mhennjma.exeC:\Windows\system32\Mhennjma.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Mplfog32.exeC:\Windows\system32\Mplfog32.exe40⤵
- Executes dropped EXE
PID:3756 -
C:\Windows\SysWOW64\Mcjbkc32.exeC:\Windows\system32\Mcjbkc32.exe41⤵
- Executes dropped EXE
PID:4704 -
C:\Windows\SysWOW64\Mbmcgpcb.exeC:\Windows\system32\Mbmcgpcb.exe42⤵
- Executes dropped EXE
PID:3080 -
C:\Windows\SysWOW64\Mjdkhmcd.exeC:\Windows\system32\Mjdkhmcd.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Mqnceg32.exeC:\Windows\system32\Mqnceg32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:4556 -
C:\Windows\SysWOW64\Mcmoab32.exeC:\Windows\system32\Mcmoab32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3084 -
C:\Windows\SysWOW64\Mfkkmn32.exeC:\Windows\system32\Mfkkmn32.exe46⤵
- Executes dropped EXE
PID:4168 -
C:\Windows\SysWOW64\Mhihii32.exeC:\Windows\system32\Mhihii32.exe47⤵
- Executes dropped EXE
PID:4456 -
C:\Windows\SysWOW64\Nocpfc32.exeC:\Windows\system32\Nocpfc32.exe48⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Nbblbo32.exeC:\Windows\system32\Nbblbo32.exe49⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Nhldoifj.exeC:\Windows\system32\Nhldoifj.exe50⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Nqclpfgl.exeC:\Windows\system32\Nqclpfgl.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Ncailbfp.exeC:\Windows\system32\Ncailbfp.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Nfpehmec.exeC:\Windows\system32\Nfpehmec.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4408 -
C:\Windows\SysWOW64\Nhnadidg.exeC:\Windows\system32\Nhnadidg.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:3508 -
C:\Windows\SysWOW64\Nqeiefei.exeC:\Windows\system32\Nqeiefei.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4308 -
C:\Windows\SysWOW64\Ncdeaa32.exeC:\Windows\system32\Ncdeaa32.exe56⤵
- Executes dropped EXE
PID:512 -
C:\Windows\SysWOW64\Njnnnllj.exeC:\Windows\system32\Njnnnllj.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1064 -
C:\Windows\SysWOW64\Nmljjgkm.exeC:\Windows\system32\Nmljjgkm.exe58⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Nokfgbja.exeC:\Windows\system32\Nokfgbja.exe59⤵
- Executes dropped EXE
PID:3220 -
C:\Windows\SysWOW64\Njpjdkig.exeC:\Windows\system32\Njpjdkig.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3304 -
C:\Windows\SysWOW64\Nmofpgik.exeC:\Windows\system32\Nmofpgik.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:808 -
C:\Windows\SysWOW64\Nomclbho.exeC:\Windows\system32\Nomclbho.exe62⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Nfgkilok.exeC:\Windows\system32\Nfgkilok.exe63⤵
- Executes dropped EXE
PID:3404 -
C:\Windows\SysWOW64\Niegehno.exeC:\Windows\system32\Niegehno.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:4816 -
C:\Windows\SysWOW64\Oqlofeoa.exeC:\Windows\system32\Oqlofeoa.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:4500 -
C:\Windows\SysWOW64\Ockkbqne.exeC:\Windows\system32\Ockkbqne.exe66⤵
- Drops file in System32 directory
PID:1780 -
C:\Windows\SysWOW64\Ojecok32.exeC:\Windows\system32\Ojecok32.exe67⤵PID:228
-
C:\Windows\SysWOW64\Omcpkf32.exeC:\Windows\system32\Omcpkf32.exe68⤵PID:1440
-
C:\Windows\SysWOW64\Ocmhhplb.exeC:\Windows\system32\Ocmhhplb.exe69⤵
- System Location Discovery: System Language Discovery
PID:4776 -
C:\Windows\SysWOW64\Ojgpdjco.exeC:\Windows\system32\Ojgpdjco.exe70⤵PID:4528
-
C:\Windows\SysWOW64\Oodimaaf.exeC:\Windows\system32\Oodimaaf.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Obbeimaj.exeC:\Windows\system32\Obbeimaj.exe72⤵PID:1028
-
C:\Windows\SysWOW64\Ojimjjal.exeC:\Windows\system32\Ojimjjal.exe73⤵PID:1592
-
C:\Windows\SysWOW64\Omhifeqp.exeC:\Windows\system32\Omhifeqp.exe74⤵
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Opfebqpd.exeC:\Windows\system32\Opfebqpd.exe75⤵PID:4880
-
C:\Windows\SysWOW64\Obdbolog.exeC:\Windows\system32\Obdbolog.exe76⤵PID:2012
-
C:\Windows\SysWOW64\Ojljpi32.exeC:\Windows\system32\Ojljpi32.exe77⤵
- Drops file in System32 directory
PID:3932 -
C:\Windows\SysWOW64\Oiojkffd.exeC:\Windows\system32\Oiojkffd.exe78⤵PID:2200
-
C:\Windows\SysWOW64\Ocdnhofj.exeC:\Windows\system32\Ocdnhofj.exe79⤵PID:2680
-
C:\Windows\SysWOW64\Ojnfei32.exeC:\Windows\system32\Ojnfei32.exe80⤵PID:2220
-
C:\Windows\SysWOW64\Pqhobced.exeC:\Windows\system32\Pqhobced.exe81⤵PID:2636
-
C:\Windows\SysWOW64\Pbikjl32.exeC:\Windows\system32\Pbikjl32.exe82⤵PID:868
-
C:\Windows\SysWOW64\Pjqckikd.exeC:\Windows\system32\Pjqckikd.exe83⤵PID:2568
-
C:\Windows\SysWOW64\Pmopgdjh.exeC:\Windows\system32\Pmopgdjh.exe84⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\Ppmlcpil.exeC:\Windows\system32\Ppmlcpil.exe85⤵PID:1324
-
C:\Windows\SysWOW64\Pblhokip.exeC:\Windows\system32\Pblhokip.exe86⤵
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\Pmalldhe.exeC:\Windows\system32\Pmalldhe.exe87⤵
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Pckdin32.exeC:\Windows\system32\Pckdin32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1956 -
C:\Windows\SysWOW64\Pfjqei32.exeC:\Windows\system32\Pfjqei32.exe89⤵PID:4324
-
C:\Windows\SysWOW64\Pihmae32.exeC:\Windows\system32\Pihmae32.exe90⤵PID:2664
-
C:\Windows\SysWOW64\Paoebbol.exeC:\Windows\system32\Paoebbol.exe91⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4564 -
C:\Windows\SysWOW64\Pcnaonnp.exeC:\Windows\system32\Pcnaonnp.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Pflmkimc.exeC:\Windows\system32\Pflmkimc.exe93⤵PID:4592
-
C:\Windows\SysWOW64\Paaahbmi.exeC:\Windows\system32\Paaahbmi.exe94⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4180 -
C:\Windows\SysWOW64\Pfnjqikq.exeC:\Windows\system32\Pfnjqikq.exe95⤵PID:3964
-
C:\Windows\SysWOW64\Qimfmdjd.exeC:\Windows\system32\Qimfmdjd.exe96⤵PID:1808
-
C:\Windows\SysWOW64\Qcbjjm32.exeC:\Windows\system32\Qcbjjm32.exe97⤵PID:4100
-
C:\Windows\SysWOW64\Qfqgfh32.exeC:\Windows\system32\Qfqgfh32.exe98⤵PID:5036
-
C:\Windows\SysWOW64\Qjlcfgag.exeC:\Windows\system32\Qjlcfgag.exe99⤵PID:2384
-
C:\Windows\SysWOW64\Qmkobbpk.exeC:\Windows\system32\Qmkobbpk.exe100⤵PID:3708
-
C:\Windows\SysWOW64\Qafkca32.exeC:\Windows\system32\Qafkca32.exe101⤵
- System Location Discovery: System Language Discovery
PID:5012 -
C:\Windows\SysWOW64\Qbggkiob.exeC:\Windows\system32\Qbggkiob.exe102⤵
- Drops file in System32 directory
PID:3704 -
C:\Windows\SysWOW64\Ajoplgod.exeC:\Windows\system32\Ajoplgod.exe103⤵
- Modifies registry class
PID:3280 -
C:\Windows\SysWOW64\Ammlhbnh.exeC:\Windows\system32\Ammlhbnh.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3156 -
C:\Windows\SysWOW64\Aahhia32.exeC:\Windows\system32\Aahhia32.exe105⤵PID:5156
-
C:\Windows\SysWOW64\Acgdelfe.exeC:\Windows\system32\Acgdelfe.exe106⤵
- System Location Discovery: System Language Discovery
PID:5220 -
C:\Windows\SysWOW64\Abjdqi32.exeC:\Windows\system32\Abjdqi32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:5288 -
C:\Windows\SysWOW64\Ajalaf32.exeC:\Windows\system32\Ajalaf32.exe108⤵PID:5328
-
C:\Windows\SysWOW64\Aidlmcdl.exeC:\Windows\system32\Aidlmcdl.exe109⤵PID:5380
-
C:\Windows\SysWOW64\Aakdnqdo.exeC:\Windows\system32\Aakdnqdo.exe110⤵PID:5432
-
C:\Windows\SysWOW64\Apndjm32.exeC:\Windows\system32\Apndjm32.exe111⤵PID:5504
-
C:\Windows\SysWOW64\Ablafi32.exeC:\Windows\system32\Ablafi32.exe112⤵
- Drops file in System32 directory
PID:5588 -
C:\Windows\SysWOW64\Ajcigf32.exeC:\Windows\system32\Ajcigf32.exe113⤵PID:5640
-
C:\Windows\SysWOW64\Aamadpbl.exeC:\Windows\system32\Aamadpbl.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:5684 -
C:\Windows\SysWOW64\Adlmpl32.exeC:\Windows\system32\Adlmpl32.exe115⤵PID:5736
-
C:\Windows\SysWOW64\Afjjlg32.exeC:\Windows\system32\Afjjlg32.exe116⤵PID:5780
-
C:\Windows\SysWOW64\Aihfhb32.exeC:\Windows\system32\Aihfhb32.exe117⤵PID:5840
-
C:\Windows\SysWOW64\Amdbiahp.exeC:\Windows\system32\Amdbiahp.exe118⤵
- Drops file in System32 directory
PID:5884 -
C:\Windows\SysWOW64\Apbnemgd.exeC:\Windows\system32\Apbnemgd.exe119⤵PID:5928
-
C:\Windows\SysWOW64\Adnjek32.exeC:\Windows\system32\Adnjek32.exe120⤵PID:5972
-
C:\Windows\SysWOW64\Abajahfg.exeC:\Windows\system32\Abajahfg.exe121⤵
- Drops file in System32 directory
PID:6016 -
C:\Windows\SysWOW64\Ajhbbegj.exeC:\Windows\system32\Ajhbbegj.exe122⤵PID:6060
-