Analysis
-
max time kernel
101s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
20/11/2024, 04:59
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7447be4dbd0cae849c43c36cca68c23aeed913d46877149a835e145070fb732aN.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
7447be4dbd0cae849c43c36cca68c23aeed913d46877149a835e145070fb732aN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
7447be4dbd0cae849c43c36cca68c23aeed913d46877149a835e145070fb732aN.exe
-
Size
359KB
-
MD5
d536ddf6383ce157b1a6071744991520
-
SHA1
5dc183ab582dfa3b49db1fbea71c5b185e3c2ed3
-
SHA256
7447be4dbd0cae849c43c36cca68c23aeed913d46877149a835e145070fb732a
-
SHA512
fac5d0db4fee153532b49c67c3e37e80b7103247a7511ec768cc6f9fb315af1bdcd476163d2636e4c791c5db1d62338f5104d3868b1ecb0be4222fb75fdc2b1c
-
SSDEEP
3072:s083ZmGf0Gfon/ZN0kQI8Va3CkfUVuyelbvP5lkzmQ1o0Otw44KmfpKivFM6Wpq5:+my0Nprba4Yb31/doG
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bngllkbn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpiinfbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaobcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oooeeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Condfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkhagodb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpqfcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcaehhnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mppiod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgjdjghf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcflbpnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpmhhcjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mabihm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acldpojj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnedfljc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bojogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddjmaebi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaigmoiq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ankhjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pblkgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oooeeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apjbpemb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nifmqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkohnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knhnkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpjpmqjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncafemqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojkcfdgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbonnjpq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjbpemb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcfhggeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibglhhdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cllaca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbchijlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbhhlo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpiphmfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egnknj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqqeah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkfdlclg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofqhdnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acdemegf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmfnbohm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Janijh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bclnfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnmiegma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbpffhnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmipmlan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpdhiaoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojhehlag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeommfnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Echpaecj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdlmnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaaajo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpicjend.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbfllc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 7447be4dbd0cae849c43c36cca68c23aeed913d46877149a835e145070fb732aN.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibobhgno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjfmmnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okapcanj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnmglbgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nifmqm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dajkjphd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kodhbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpecddpi.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2396 Glgqlkdl.exe 828 Gepeep32.exe 2808 Gidgdcli.exe 2980 Hcaehhnd.exe 2864 Hdgkkppm.exe 2756 Iqpiepcn.exe 2660 Iccnmk32.exe 2616 Jcekbk32.exe 2668 Jchhhjjg.exe 1852 Jiiikq32.exe 2096 Kaihjbno.exe 2116 Kmbeecaq.exe 1380 Lpekln32.exe 548 Lakqoe32.exe 2176 Mcafbm32.exe 2088 Mcfpmlll.exe 2092 Mcjihk32.exe 1704 Nndjhi32.exe 2624 Nkjggmal.exe 1712 Ngahmngp.exe 1408 Ohgnoeii.exe 2120 Ocoobngl.exe 1572 Ofphdi32.exe 1364 Onkmhl32.exe 2308 Pqlfjfni.exe 2112 Pkajgonp.exe 2772 Paclje32.exe 3032 Qmlief32.exe 2688 Qegnii32.exe 2720 Alfpab32.exe 2728 Adadedjq.exe 2872 Apjbpemb.exe 2004 Blabef32.exe 564 Bpahad32.exe 2336 Benpik32.exe 2988 Bdcmjg32.exe 2472 Cdejpg32.exe 1436 Cplkehnk.exe 276 Cjdonndl.exe 940 Cpadpg32.exe 2216 Cjiiim32.exe 1236 Ccamabgg.exe 2268 Dohnfc32.exe 1536 Dhaboi32.exe 1464 Ddgcdjip.exe 1952 Dblcnngi.exe 1844 Dopdgb32.exe 3004 Dkfdlclg.exe 2760 Dqcmdjjo.exe 2288 Emjnikpc.exe 2496 Efbbba32.exe 1496 Egaoldnf.exe 2604 Echpaecj.exe 2692 Ekcdegqe.exe 1168 Eiheok32.exe 1780 Fenedlec.exe 1732 Fngjmb32.exe 1188 Fhonegbd.exe 2952 Fagcnmie.exe 1996 Fmnccn32.exe 3028 Fhdhqg32.exe 1432 Fhfdffll.exe 2260 Gpaikiig.exe 2276 Geckno32.exe -
Loads dropped DLL 64 IoCs
pid Process 2600 7447be4dbd0cae849c43c36cca68c23aeed913d46877149a835e145070fb732aN.exe 2600 7447be4dbd0cae849c43c36cca68c23aeed913d46877149a835e145070fb732aN.exe 2396 Glgqlkdl.exe 2396 Glgqlkdl.exe 828 Gepeep32.exe 828 Gepeep32.exe 2808 Gidgdcli.exe 2808 Gidgdcli.exe 2980 Hcaehhnd.exe 2980 Hcaehhnd.exe 2864 Hdgkkppm.exe 2864 Hdgkkppm.exe 2756 Iqpiepcn.exe 2756 Iqpiepcn.exe 2660 Iccnmk32.exe 2660 Iccnmk32.exe 2616 Jcekbk32.exe 2616 Jcekbk32.exe 2668 Jchhhjjg.exe 2668 Jchhhjjg.exe 1852 Jiiikq32.exe 1852 Jiiikq32.exe 2096 Kaihjbno.exe 2096 Kaihjbno.exe 2116 Kmbeecaq.exe 2116 Kmbeecaq.exe 1380 Lpekln32.exe 1380 Lpekln32.exe 548 Lakqoe32.exe 548 Lakqoe32.exe 2176 Mcafbm32.exe 2176 Mcafbm32.exe 2088 Mcfpmlll.exe 2088 Mcfpmlll.exe 2092 Mcjihk32.exe 2092 Mcjihk32.exe 1704 Nndjhi32.exe 1704 Nndjhi32.exe 2624 Nkjggmal.exe 2624 Nkjggmal.exe 1712 Ngahmngp.exe 1712 Ngahmngp.exe 1408 Ohgnoeii.exe 1408 Ohgnoeii.exe 2120 Ocoobngl.exe 2120 Ocoobngl.exe 1572 Ofphdi32.exe 1572 Ofphdi32.exe 1364 Onkmhl32.exe 1364 Onkmhl32.exe 2308 Pqlfjfni.exe 2308 Pqlfjfni.exe 1248 Pfkkhmjn.exe 1248 Pfkkhmjn.exe 2772 Paclje32.exe 2772 Paclje32.exe 3032 Qmlief32.exe 3032 Qmlief32.exe 2688 Qegnii32.exe 2688 Qegnii32.exe 2720 Alfpab32.exe 2720 Alfpab32.exe 2728 Adadedjq.exe 2728 Adadedjq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Egnknj32.exe Emifaa32.exe File created C:\Windows\SysWOW64\Bcjefj32.dll Iolacn32.exe File opened for modification C:\Windows\SysWOW64\Kgibeklf.exe Knqnmeff.exe File opened for modification C:\Windows\SysWOW64\Hfiloiik.exe Hmphfc32.exe File created C:\Windows\SysWOW64\Ikhndk32.dll Inmdjjok.exe File opened for modification C:\Windows\SysWOW64\Ambohapm.exe Abmkjiqg.exe File opened for modification C:\Windows\SysWOW64\Ipkhpk32.exe Hcghffen.exe File created C:\Windows\SysWOW64\Iiaiih32.dll Gmacmkje.exe File created C:\Windows\SysWOW64\Nadbabeo.dll Fljjhb32.exe File created C:\Windows\SysWOW64\Ncdecefm.exe Ngndodpi.exe File created C:\Windows\SysWOW64\Memagk32.exe Mppiod32.exe File created C:\Windows\SysWOW64\Njikba32.exe Njfnlahb.exe File opened for modification C:\Windows\SysWOW64\Njikba32.exe Njfnlahb.exe File opened for modification C:\Windows\SysWOW64\Hlcimd32.exe Hpmhhcjk.exe File created C:\Windows\SysWOW64\Dmfkcf32.exe Cqokoeig.exe File created C:\Windows\SysWOW64\Nekjkl32.dll Dqemmcqb.exe File created C:\Windows\SysWOW64\Glcmna32.exe Goplem32.exe File created C:\Windows\SysWOW64\Hpckee32.exe Hiichkog.exe File created C:\Windows\SysWOW64\Bpbfom32.dll Jpjndh32.exe File opened for modification C:\Windows\SysWOW64\Memagk32.exe Mppiod32.exe File opened for modification C:\Windows\SysWOW64\Ndnncf32.exe Nbnajcig.exe File created C:\Windows\SysWOW64\Habgqehi.exe Hglcclhb.exe File opened for modification C:\Windows\SysWOW64\Kmbeecaq.exe Kaihjbno.exe File created C:\Windows\SysWOW64\Piaiko32.exe Ogqpjd32.exe File created C:\Windows\SysWOW64\Dnipid32.dll Dpldkf32.exe File created C:\Windows\SysWOW64\Mhobnqlg.exe Mdmmemih.exe File opened for modification C:\Windows\SysWOW64\Boblbe32.exe Boppmf32.exe File created C:\Windows\SysWOW64\Jgjkhi32.exe Jifjod32.exe File opened for modification C:\Windows\SysWOW64\Jjfplfll.exe Jopogefh.exe File opened for modification C:\Windows\SysWOW64\Ffbkkkcb.exe Fmjfbe32.exe File opened for modification C:\Windows\SysWOW64\Npbpjn32.exe Nelkme32.exe File created C:\Windows\SysWOW64\Aedghf32.exe Apgnpo32.exe File created C:\Windows\SysWOW64\Fdmpmneg.dll Kqomai32.exe File opened for modification C:\Windows\SysWOW64\Jokccnci.exe Jfoookfn.exe File opened for modification C:\Windows\SysWOW64\Okocmapl.exe Ohqgafqi.exe File created C:\Windows\SysWOW64\Kgfmmbkf.dll Ongijbja.exe File created C:\Windows\SysWOW64\Egooijaa.dll Kbjmhd32.exe File opened for modification C:\Windows\SysWOW64\Fndhed32.exe Ejfpofkh.exe File opened for modification C:\Windows\SysWOW64\Inmdjjok.exe Iaicpepa.exe File created C:\Windows\SysWOW64\Gokcej32.dll Oejfelin.exe File created C:\Windows\SysWOW64\Lpgmffki.dll Efqian32.exe File created C:\Windows\SysWOW64\Ekoelpgo.dll Hlnfof32.exe File created C:\Windows\SysWOW64\Idhqheep.exe Ihapcdol.exe File created C:\Windows\SysWOW64\Fphqehda.exe Feblho32.exe File created C:\Windows\SysWOW64\Jaonlj32.exe Jgficdgo.exe File created C:\Windows\SysWOW64\Fdehbo32.exe Fjlciihn.exe File created C:\Windows\SysWOW64\Iolacn32.exe Iceqnm32.exe File created C:\Windows\SysWOW64\Hmalaioi.dll Glgqlkdl.exe File opened for modification C:\Windows\SysWOW64\Qokhjjbk.exe Pqekin32.exe File opened for modification C:\Windows\SysWOW64\Bpomdmqa.exe Bjbelf32.exe File opened for modification C:\Windows\SysWOW64\Dqemmcqb.exe Dqcqgc32.exe File opened for modification C:\Windows\SysWOW64\Omcmda32.exe Ofiegggd.exe File opened for modification C:\Windows\SysWOW64\Dgoejm32.exe Dqemmcqb.exe File created C:\Windows\SysWOW64\Agaomdno.exe Qkkohc32.exe File created C:\Windows\SysWOW64\Koidficq.exe Kbedmedg.exe File created C:\Windows\SysWOW64\Adkaib32.exe Alpmep32.exe File created C:\Windows\SysWOW64\Mdfljc32.dll Dmfkcf32.exe File created C:\Windows\SysWOW64\Gpncdfkl.exe Fahfcjfd.exe File created C:\Windows\SysWOW64\Eohhfn32.dll Dcgppana.exe File created C:\Windows\SysWOW64\Jjfplfll.exe Jopogefh.exe File created C:\Windows\SysWOW64\Aigeplpg.exe Aalqlibl.exe File opened for modification C:\Windows\SysWOW64\Jgjkhi32.exe Jifjod32.exe File opened for modification C:\Windows\SysWOW64\Ekaegbnd.exe Ebfqbp32.exe File opened for modification C:\Windows\SysWOW64\Cnlegj32.exe Cgbmkp32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihhch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jebjijqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmaofnkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahilhikb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnjkkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hllkhoaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gadlio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnlegj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfdflfjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldfimggd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mihkqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfobed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koidficq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bekobn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpicjend.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joedil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekcdegqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpjpmqjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmqkellk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bngllkbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajeloe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Genkhidc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khbmqpii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkblghdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibobhgno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qenjfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcaqdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjaqeebm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okocmapl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfnlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oefcef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgccjenb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjqfebnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcinia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojbii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boppmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhhlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnncf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apcfqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjmjln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efneahdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpaikiig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikibkhla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqonjmbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmjfbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lihoaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjefnckj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeahpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdbbedhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkkefi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofellh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbnpfnfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmlief32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjiiim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgdfbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mioaalkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqookn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqhegf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfamd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jifjod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmcllm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oejfelin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaiodh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bagafeai.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flnpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Panoee32.dll" Genkhidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nagobp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eccadhkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Papmnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dclibfjc.dll" Cgogbano.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efqian32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oohbhqjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghdfhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jedlph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgjnpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olapcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klgjfgdo.dll" Hobeipoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncdecefm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgmonc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qechbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bklbpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amepophm.dll" Cgbochop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgidlm32.dll" Jodkkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pblkgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgpjhmil.dll" Dghgdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnepnnnm.dll" Nbnmhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idkncp32.dll" Lpidii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bocadg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agaomdno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaeekboo.dll" Bhchag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhobnqlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfbfpnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lnkedemc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kamahn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpiphmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfdggbck.dll" Moimdckh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elafbcao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmfpjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nalbkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laeiaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bikemiik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nglcbafp.dll" Eogckqkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oooeeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehobkikl.dll" Apcfqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeommfnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omcmda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enecegpg.dll" Coejfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idqpjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpkkl32.dll" Gqgjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmamne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Echpaecj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egmhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgjdjghf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgdfbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpekln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhboidoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqgjlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edljfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdfjekmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eldkkali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ambohapm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mihkqm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afcfebii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfojn32.dll" Dceodhjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpekln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhaboi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikibkhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknijnjl.dll" Ojjanlod.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2600 wrote to memory of 2396 2600 7447be4dbd0cae849c43c36cca68c23aeed913d46877149a835e145070fb732aN.exe 29 PID 2600 wrote to memory of 2396 2600 7447be4dbd0cae849c43c36cca68c23aeed913d46877149a835e145070fb732aN.exe 29 PID 2600 wrote to memory of 2396 2600 7447be4dbd0cae849c43c36cca68c23aeed913d46877149a835e145070fb732aN.exe 29 PID 2600 wrote to memory of 2396 2600 7447be4dbd0cae849c43c36cca68c23aeed913d46877149a835e145070fb732aN.exe 29 PID 2396 wrote to memory of 828 2396 Glgqlkdl.exe 30 PID 2396 wrote to memory of 828 2396 Glgqlkdl.exe 30 PID 2396 wrote to memory of 828 2396 Glgqlkdl.exe 30 PID 2396 wrote to memory of 828 2396 Glgqlkdl.exe 30 PID 828 wrote to memory of 2808 828 Gepeep32.exe 31 PID 828 wrote to memory of 2808 828 Gepeep32.exe 31 PID 828 wrote to memory of 2808 828 Gepeep32.exe 31 PID 828 wrote to memory of 2808 828 Gepeep32.exe 31 PID 2808 wrote to memory of 2980 2808 Gidgdcli.exe 32 PID 2808 wrote to memory of 2980 2808 Gidgdcli.exe 32 PID 2808 wrote to memory of 2980 2808 Gidgdcli.exe 32 PID 2808 wrote to memory of 2980 2808 Gidgdcli.exe 32 PID 2980 wrote to memory of 2864 2980 Hcaehhnd.exe 33 PID 2980 wrote to memory of 2864 2980 Hcaehhnd.exe 33 PID 2980 wrote to memory of 2864 2980 Hcaehhnd.exe 33 PID 2980 wrote to memory of 2864 2980 Hcaehhnd.exe 33 PID 2864 wrote to memory of 2756 2864 Hdgkkppm.exe 34 PID 2864 wrote to memory of 2756 2864 Hdgkkppm.exe 34 PID 2864 wrote to memory of 2756 2864 Hdgkkppm.exe 34 PID 2864 wrote to memory of 2756 2864 Hdgkkppm.exe 34 PID 2756 wrote to memory of 2660 2756 Iqpiepcn.exe 35 PID 2756 wrote to memory of 2660 2756 Iqpiepcn.exe 35 PID 2756 wrote to memory of 2660 2756 Iqpiepcn.exe 35 PID 2756 wrote to memory of 2660 2756 Iqpiepcn.exe 35 PID 2660 wrote to memory of 2616 2660 Iccnmk32.exe 36 PID 2660 wrote to memory of 2616 2660 Iccnmk32.exe 36 PID 2660 wrote to memory of 2616 2660 Iccnmk32.exe 36 PID 2660 wrote to memory of 2616 2660 Iccnmk32.exe 36 PID 2616 wrote to memory of 2668 2616 Jcekbk32.exe 37 PID 2616 wrote to memory of 2668 2616 Jcekbk32.exe 37 PID 2616 wrote to memory of 2668 2616 Jcekbk32.exe 37 PID 2616 wrote to memory of 2668 2616 Jcekbk32.exe 37 PID 2668 wrote to memory of 1852 2668 Jchhhjjg.exe 38 PID 2668 wrote to memory of 1852 2668 Jchhhjjg.exe 38 PID 2668 wrote to memory of 1852 2668 Jchhhjjg.exe 38 PID 2668 wrote to memory of 1852 2668 Jchhhjjg.exe 38 PID 1852 wrote to memory of 2096 1852 Jiiikq32.exe 39 PID 1852 wrote to memory of 2096 1852 Jiiikq32.exe 39 PID 1852 wrote to memory of 2096 1852 Jiiikq32.exe 39 PID 1852 wrote to memory of 2096 1852 Jiiikq32.exe 39 PID 2096 wrote to memory of 2116 2096 Kaihjbno.exe 40 PID 2096 wrote to memory of 2116 2096 Kaihjbno.exe 40 PID 2096 wrote to memory of 2116 2096 Kaihjbno.exe 40 PID 2096 wrote to memory of 2116 2096 Kaihjbno.exe 40 PID 2116 wrote to memory of 1380 2116 Kmbeecaq.exe 41 PID 2116 wrote to memory of 1380 2116 Kmbeecaq.exe 41 PID 2116 wrote to memory of 1380 2116 Kmbeecaq.exe 41 PID 2116 wrote to memory of 1380 2116 Kmbeecaq.exe 41 PID 1380 wrote to memory of 548 1380 Lpekln32.exe 42 PID 1380 wrote to memory of 548 1380 Lpekln32.exe 42 PID 1380 wrote to memory of 548 1380 Lpekln32.exe 42 PID 1380 wrote to memory of 548 1380 Lpekln32.exe 42 PID 548 wrote to memory of 2176 548 Lakqoe32.exe 43 PID 548 wrote to memory of 2176 548 Lakqoe32.exe 43 PID 548 wrote to memory of 2176 548 Lakqoe32.exe 43 PID 548 wrote to memory of 2176 548 Lakqoe32.exe 43 PID 2176 wrote to memory of 2088 2176 Mcafbm32.exe 44 PID 2176 wrote to memory of 2088 2176 Mcafbm32.exe 44 PID 2176 wrote to memory of 2088 2176 Mcafbm32.exe 44 PID 2176 wrote to memory of 2088 2176 Mcafbm32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\7447be4dbd0cae849c43c36cca68c23aeed913d46877149a835e145070fb732aN.exe"C:\Users\Admin\AppData\Local\Temp\7447be4dbd0cae849c43c36cca68c23aeed913d46877149a835e145070fb732aN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Glgqlkdl.exeC:\Windows\system32\Glgqlkdl.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Gepeep32.exeC:\Windows\system32\Gepeep32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Gidgdcli.exeC:\Windows\system32\Gidgdcli.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Hcaehhnd.exeC:\Windows\system32\Hcaehhnd.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Hdgkkppm.exeC:\Windows\system32\Hdgkkppm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Iqpiepcn.exeC:\Windows\system32\Iqpiepcn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Iccnmk32.exeC:\Windows\system32\Iccnmk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Jcekbk32.exeC:\Windows\system32\Jcekbk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Jchhhjjg.exeC:\Windows\system32\Jchhhjjg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Jiiikq32.exeC:\Windows\system32\Jiiikq32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Kaihjbno.exeC:\Windows\system32\Kaihjbno.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Kmbeecaq.exeC:\Windows\system32\Kmbeecaq.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Lpekln32.exeC:\Windows\system32\Lpekln32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\SysWOW64\Lakqoe32.exeC:\Windows\system32\Lakqoe32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Mcafbm32.exeC:\Windows\system32\Mcafbm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Mcfpmlll.exeC:\Windows\system32\Mcfpmlll.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Mcjihk32.exeC:\Windows\system32\Mcjihk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Nndjhi32.exeC:\Windows\system32\Nndjhi32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1704 -
C:\Windows\SysWOW64\Nkjggmal.exeC:\Windows\system32\Nkjggmal.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2624 -
C:\Windows\SysWOW64\Ngahmngp.exeC:\Windows\system32\Ngahmngp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Ohgnoeii.exeC:\Windows\system32\Ohgnoeii.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1408 -
C:\Windows\SysWOW64\Ocoobngl.exeC:\Windows\system32\Ocoobngl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Ofphdi32.exeC:\Windows\system32\Ofphdi32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Onkmhl32.exeC:\Windows\system32\Onkmhl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1364 -
C:\Windows\SysWOW64\Pqlfjfni.exeC:\Windows\system32\Pqlfjfni.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2308 -
C:\Windows\SysWOW64\Pkajgonp.exeC:\Windows\system32\Pkajgonp.exe27⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Pfkkhmjn.exeC:\Windows\system32\Pfkkhmjn.exe28⤵
- Loads dropped DLL
PID:1248 -
C:\Windows\SysWOW64\Paclje32.exeC:\Windows\system32\Paclje32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Qmlief32.exeC:\Windows\system32\Qmlief32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Qegnii32.exeC:\Windows\system32\Qegnii32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Alfpab32.exeC:\Windows\system32\Alfpab32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Adadedjq.exeC:\Windows\system32\Adadedjq.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Apjbpemb.exeC:\Windows\system32\Apjbpemb.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Blabef32.exeC:\Windows\system32\Blabef32.exe35⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Bpahad32.exeC:\Windows\system32\Bpahad32.exe36⤵
- Executes dropped EXE
PID:564 -
C:\Windows\SysWOW64\Benpik32.exeC:\Windows\system32\Benpik32.exe37⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Bdcmjg32.exeC:\Windows\system32\Bdcmjg32.exe38⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Cdejpg32.exeC:\Windows\system32\Cdejpg32.exe39⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Cplkehnk.exeC:\Windows\system32\Cplkehnk.exe40⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Cjdonndl.exeC:\Windows\system32\Cjdonndl.exe41⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Cpadpg32.exeC:\Windows\system32\Cpadpg32.exe42⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Cjiiim32.exeC:\Windows\system32\Cjiiim32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Ccamabgg.exeC:\Windows\system32\Ccamabgg.exe44⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Dohnfc32.exeC:\Windows\system32\Dohnfc32.exe45⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Dhaboi32.exeC:\Windows\system32\Dhaboi32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Ddgcdjip.exeC:\Windows\system32\Ddgcdjip.exe47⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Dblcnngi.exeC:\Windows\system32\Dblcnngi.exe48⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Dopdgb32.exeC:\Windows\system32\Dopdgb32.exe49⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Dkfdlclg.exeC:\Windows\system32\Dkfdlclg.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Dqcmdjjo.exeC:\Windows\system32\Dqcmdjjo.exe51⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Emjnikpc.exeC:\Windows\system32\Emjnikpc.exe52⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Efbbba32.exeC:\Windows\system32\Efbbba32.exe53⤵
- Executes dropped EXE
PID:2496 -
C:\Windows\SysWOW64\Egaoldnf.exeC:\Windows\system32\Egaoldnf.exe54⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Echpaecj.exeC:\Windows\system32\Echpaecj.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Ekcdegqe.exeC:\Windows\system32\Ekcdegqe.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Eiheok32.exeC:\Windows\system32\Eiheok32.exe57⤵
- Executes dropped EXE
PID:1168 -
C:\Windows\SysWOW64\Fenedlec.exeC:\Windows\system32\Fenedlec.exe58⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Fngjmb32.exeC:\Windows\system32\Fngjmb32.exe59⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Fhonegbd.exeC:\Windows\system32\Fhonegbd.exe60⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Fagcnmie.exeC:\Windows\system32\Fagcnmie.exe61⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Fmnccn32.exeC:\Windows\system32\Fmnccn32.exe62⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Fhdhqg32.exeC:\Windows\system32\Fhdhqg32.exe63⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Fhfdffll.exeC:\Windows\system32\Fhfdffll.exe64⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Gpaikiig.exeC:\Windows\system32\Gpaikiig.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2260 -
C:\Windows\SysWOW64\Geckno32.exeC:\Windows\system32\Geckno32.exe66⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Ghcdpjqj.exeC:\Windows\system32\Ghcdpjqj.exe67⤵PID:1424
-
C:\Windows\SysWOW64\Hhhmki32.exeC:\Windows\system32\Hhhmki32.exe68⤵PID:1656
-
C:\Windows\SysWOW64\Hpcbol32.exeC:\Windows\system32\Hpcbol32.exe69⤵PID:1980
-
C:\Windows\SysWOW64\Hpfoekhm.exeC:\Windows\system32\Hpfoekhm.exe70⤵PID:1308
-
C:\Windows\SysWOW64\Hlmpjl32.exeC:\Windows\system32\Hlmpjl32.exe71⤵PID:2160
-
C:\Windows\SysWOW64\Hcghffen.exeC:\Windows\system32\Hcghffen.exe72⤵
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Ipkhpk32.exeC:\Windows\system32\Ipkhpk32.exe73⤵PID:2912
-
C:\Windows\SysWOW64\Ilaieljl.exeC:\Windows\system32\Ilaieljl.exe74⤵PID:2956
-
C:\Windows\SysWOW64\Ilcfjkgj.exeC:\Windows\system32\Ilcfjkgj.exe75⤵PID:2848
-
C:\Windows\SysWOW64\Ifljcanj.exeC:\Windows\system32\Ifljcanj.exe76⤵PID:1968
-
C:\Windows\SysWOW64\Ikibkhla.exeC:\Windows\system32\Ikibkhla.exe77⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1892 -
C:\Windows\SysWOW64\Ihmcelkk.exeC:\Windows\system32\Ihmcelkk.exe78⤵PID:2748
-
C:\Windows\SysWOW64\Iqhhin32.exeC:\Windows\system32\Iqhhin32.exe79⤵PID:2080
-
C:\Windows\SysWOW64\Jbgdcapi.exeC:\Windows\system32\Jbgdcapi.exe80⤵PID:1764
-
C:\Windows\SysWOW64\Jjcigcmd.exeC:\Windows\system32\Jjcigcmd.exe81⤵PID:1244
-
C:\Windows\SysWOW64\Jcknqicd.exeC:\Windows\system32\Jcknqicd.exe82⤵PID:3036
-
C:\Windows\SysWOW64\Jqonjmbn.exeC:\Windows\system32\Jqonjmbn.exe83⤵
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Jgiffg32.exeC:\Windows\system32\Jgiffg32.exe84⤵PID:2636
-
C:\Windows\SysWOW64\Jodkkj32.exeC:\Windows\system32\Jodkkj32.exe85⤵
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Jimodo32.exeC:\Windows\system32\Jimodo32.exe86⤵PID:2124
-
C:\Windows\SysWOW64\Kbedmedg.exeC:\Windows\system32\Kbedmedg.exe87⤵
- Drops file in System32 directory
PID:2960 -
C:\Windows\SysWOW64\Koidficq.exeC:\Windows\system32\Koidficq.exe88⤵
- System Location Discovery: System Language Discovery
PID:1040 -
C:\Windows\SysWOW64\Kbjmhd32.exeC:\Windows\system32\Kbjmhd32.exe89⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Knqnmeff.exeC:\Windows\system32\Knqnmeff.exe90⤵
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Kgibeklf.exeC:\Windows\system32\Kgibeklf.exe91⤵PID:2920
-
C:\Windows\SysWOW64\Kmeknakn.exeC:\Windows\system32\Kmeknakn.exe92⤵PID:2752
-
C:\Windows\SysWOW64\Lneghd32.exeC:\Windows\system32\Lneghd32.exe93⤵PID:2132
-
C:\Windows\SysWOW64\Lpfdpmho.exeC:\Windows\system32\Lpfdpmho.exe94⤵PID:2348
-
C:\Windows\SysWOW64\Liohhbno.exeC:\Windows\system32\Liohhbno.exe95⤵PID:1292
-
C:\Windows\SysWOW64\Liaenblm.exeC:\Windows\system32\Liaenblm.exe96⤵PID:3000
-
C:\Windows\SysWOW64\Ldgikklb.exeC:\Windows\system32\Ldgikklb.exe97⤵PID:1324
-
C:\Windows\SysWOW64\Lmondpbc.exeC:\Windows\system32\Lmondpbc.exe98⤵PID:2412
-
C:\Windows\SysWOW64\Lejbhbpn.exeC:\Windows\system32\Lejbhbpn.exe99⤵PID:2656
-
C:\Windows\SysWOW64\Lobgah32.exeC:\Windows\system32\Lobgah32.exe100⤵PID:1216
-
C:\Windows\SysWOW64\Mhkkjnmo.exeC:\Windows\system32\Mhkkjnmo.exe101⤵PID:776
-
C:\Windows\SysWOW64\Mbqpgf32.exeC:\Windows\system32\Mbqpgf32.exe102⤵PID:1676
-
C:\Windows\SysWOW64\Mdbloobc.exeC:\Windows\system32\Mdbloobc.exe103⤵PID:1648
-
C:\Windows\SysWOW64\Mogqlgbi.exeC:\Windows\system32\Mogqlgbi.exe104⤵PID:3060
-
C:\Windows\SysWOW64\Mhpeem32.exeC:\Windows\system32\Mhpeem32.exe105⤵PID:668
-
C:\Windows\SysWOW64\Mahinb32.exeC:\Windows\system32\Mahinb32.exe106⤵PID:2940
-
C:\Windows\SysWOW64\Micnbe32.exeC:\Windows\system32\Micnbe32.exe107⤵PID:2684
-
C:\Windows\SysWOW64\Mmaghc32.exeC:\Windows\system32\Mmaghc32.exe108⤵PID:672
-
C:\Windows\SysWOW64\Nelkme32.exeC:\Windows\system32\Nelkme32.exe109⤵
- Drops file in System32 directory
PID:1276 -
C:\Windows\SysWOW64\Npbpjn32.exeC:\Windows\system32\Npbpjn32.exe110⤵PID:316
-
C:\Windows\SysWOW64\Nliqoofa.exeC:\Windows\system32\Nliqoofa.exe111⤵PID:3044
-
C:\Windows\SysWOW64\Naeigf32.exeC:\Windows\system32\Naeigf32.exe112⤵PID:1992
-
C:\Windows\SysWOW64\Nknmplji.exeC:\Windows\system32\Nknmplji.exe113⤵PID:1056
-
C:\Windows\SysWOW64\Necandjo.exeC:\Windows\system32\Necandjo.exe114⤵PID:236
-
C:\Windows\SysWOW64\Nnofbg32.exeC:\Windows\system32\Nnofbg32.exe115⤵PID:1668
-
C:\Windows\SysWOW64\Okbgkk32.exeC:\Windows\system32\Okbgkk32.exe116⤵PID:3012
-
C:\Windows\SysWOW64\Okecak32.exeC:\Windows\system32\Okecak32.exe117⤵PID:2052
-
C:\Windows\SysWOW64\Odmhjp32.exeC:\Windows\system32\Odmhjp32.exe118⤵PID:3016
-
C:\Windows\SysWOW64\Odpeop32.exeC:\Windows\system32\Odpeop32.exe119⤵PID:336
-
C:\Windows\SysWOW64\Ojlmgg32.exeC:\Windows\system32\Ojlmgg32.exe120⤵PID:1884
-
C:\Windows\SysWOW64\Oceaql32.exeC:\Windows\system32\Oceaql32.exe121⤵PID:1116
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-