Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
21/11/2024, 10:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e7e04102f28edf5c1fa6c689d0fb8a9072cd88dfe8e78c7bf555c192c3dd6391.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
e7e04102f28edf5c1fa6c689d0fb8a9072cd88dfe8e78c7bf555c192c3dd6391.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
e7e04102f28edf5c1fa6c689d0fb8a9072cd88dfe8e78c7bf555c192c3dd6391.exe
-
Size
64KB
-
MD5
e497bdcf831f13fb706b5ea0691fe4cb
-
SHA1
bb3f4dc922235db52cc37af8729ae012357e2436
-
SHA256
e7e04102f28edf5c1fa6c689d0fb8a9072cd88dfe8e78c7bf555c192c3dd6391
-
SHA512
25531ec3976c81ba6ca95d90633899a25494ce28e866be3df3e6e60cc079046f28d0ff599fdcce3cd78181df088e591771e5b7bdb76f54843e8cbb56e962fe56
-
SSDEEP
768:yXTHTC0fv/uYrYDbggk+Xz50btWcldXiiuIAxtel/1H5GXdnhgOPuM1DPf:4HTCm/uYrQ0t+XuBrPuRve/WZuYDPf
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdodmlcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpmkbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npkdnnfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfnoegaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkcmjpma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Migbpocm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onkmfofg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeenapck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keango32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaholp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moenkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hchoop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Podpoffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nldahn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbjnqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecnpdnho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmbgageq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpgfmeag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kepgmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdgkicek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhdcojaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmfalg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjhfjpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdlfngcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjmmffgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmpeljkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baealp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlggjlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbjpem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcikog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paafmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bojipjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpgjnbnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glnkcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqllghon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjkfqlpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clclhmin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgfooe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifengpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nepokogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igkhjdde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkdcdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jegdgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Floeof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcmkhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aejglo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckiiiine.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laaabo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onjgkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhcicf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gminbfoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeoeclek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhglop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiahnnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eddjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmiolk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmecbkgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlbgq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lijiaabk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qaablcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfpmog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmaog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbjjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajjgei32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2776 Dgcmod32.exe 2564 Dgcmod32.exe 2800 Ealahi32.exe 2604 Egfjdchi.exe 2632 Eejjnhgc.exe 3048 Enbogmnc.exe 1076 Eaqkcimg.exe 1036 Ejioln32.exe 2256 Eacghhkd.exe 2828 Ecadddjh.exe 672 Einlmkhp.exe 1152 Ffbmfo32.exe 480 Floeof32.exe 1372 Fbimkpmm.exe 2352 Ficehj32.exe 1492 Ffgfancd.exe 2392 Fhhbif32.exe 660 Fbngfo32.exe 1636 Figocipe.exe 1436 Flfkoeoh.exe 2016 Fbpclofe.exe 2976 Fhmldfdm.exe 2532 Fkkhpadq.exe 2200 Ghoijebj.exe 984 Gkmefaan.exe 2252 Gmlablaa.exe 2664 Ghaeoe32.exe 2940 Gkpakq32.exe 2748 Ggfbpaeo.exe 2888 Gcmcebkc.exe 2580 Gigkbm32.exe 1932 Glfgnh32.exe 1984 Hijhhl32.exe 1676 Heqimm32.exe 2936 Hkmaed32.exe 2864 Hhaanh32.exe 2892 Hokjkbkp.exe 2996 Hgfooe32.exe 1244 Honfqb32.exe 2192 Hqochjnk.exe 744 Hbnpbm32.exe 2400 Icplje32.exe 1908 Igkhjdde.exe 2968 Iqcmcj32.exe 1664 Idohdhbo.exe 860 Ijnnao32.exe 2060 Iianmlfn.exe 1684 Immjnj32.exe 1760 Icfbkded.exe 2288 Ifengpdh.exe 340 Iickckcl.exe 2692 Imogcj32.exe 2688 Ikagogco.exe 2552 Iifghk32.exe 2572 Jkdcdf32.exe 2588 Joppeeif.exe 2172 Jelhmlgm.exe 2540 Jihdnk32.exe 2796 Jnemfa32.exe 2660 Jbphgpfg.exe 2088 Jeoeclek.exe 1960 Jgmaog32.exe 1968 Jngilalk.exe 1880 Jaeehmko.exe -
Loads dropped DLL 64 IoCs
pid Process 2096 e7e04102f28edf5c1fa6c689d0fb8a9072cd88dfe8e78c7bf555c192c3dd6391.exe 2096 e7e04102f28edf5c1fa6c689d0fb8a9072cd88dfe8e78c7bf555c192c3dd6391.exe 2776 Dgcmod32.exe 2776 Dgcmod32.exe 2564 Dgcmod32.exe 2564 Dgcmod32.exe 2800 Ealahi32.exe 2800 Ealahi32.exe 2604 Egfjdchi.exe 2604 Egfjdchi.exe 2632 Eejjnhgc.exe 2632 Eejjnhgc.exe 3048 Enbogmnc.exe 3048 Enbogmnc.exe 1076 Eaqkcimg.exe 1076 Eaqkcimg.exe 1036 Ejioln32.exe 1036 Ejioln32.exe 2256 Eacghhkd.exe 2256 Eacghhkd.exe 2828 Ecadddjh.exe 2828 Ecadddjh.exe 672 Einlmkhp.exe 672 Einlmkhp.exe 1152 Ffbmfo32.exe 1152 Ffbmfo32.exe 480 Floeof32.exe 480 Floeof32.exe 1372 Fbimkpmm.exe 1372 Fbimkpmm.exe 2352 Ficehj32.exe 2352 Ficehj32.exe 1492 Ffgfancd.exe 1492 Ffgfancd.exe 2392 Fhhbif32.exe 2392 Fhhbif32.exe 660 Fbngfo32.exe 660 Fbngfo32.exe 1636 Figocipe.exe 1636 Figocipe.exe 1436 Flfkoeoh.exe 1436 Flfkoeoh.exe 2016 Fbpclofe.exe 2016 Fbpclofe.exe 2976 Fhmldfdm.exe 2976 Fhmldfdm.exe 2532 Fkkhpadq.exe 2532 Fkkhpadq.exe 2200 Ghoijebj.exe 2200 Ghoijebj.exe 984 Gkmefaan.exe 984 Gkmefaan.exe 2252 Gmlablaa.exe 2252 Gmlablaa.exe 2664 Ghaeoe32.exe 2664 Ghaeoe32.exe 2940 Gkpakq32.exe 2940 Gkpakq32.exe 2748 Ggfbpaeo.exe 2748 Ggfbpaeo.exe 2888 Gcmcebkc.exe 2888 Gcmcebkc.exe 2580 Gigkbm32.exe 2580 Gigkbm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cpohhk32.exe Clclhmin.exe File created C:\Windows\SysWOW64\Fhgmfb32.dll Feipbefb.exe File created C:\Windows\SysWOW64\Hchoop32.exe Hafbghhj.exe File created C:\Windows\SysWOW64\Nqmice32.dll Ikjjda32.exe File created C:\Windows\SysWOW64\Jqnocncd.dll Kcajceke.exe File created C:\Windows\SysWOW64\Mhcqcl32.dll Pfnhkq32.exe File created C:\Windows\SysWOW64\Khfhio32.dll Aejglo32.exe File created C:\Windows\SysWOW64\Bacefpbg.exe Bfmqigba.exe File created C:\Windows\SysWOW64\Fkbhkj32.dll Bojipjcj.exe File created C:\Windows\SysWOW64\Cgkqcb32.dll Cppobaeb.exe File created C:\Windows\SysWOW64\Dnqnoqah.dll Flqkjo32.exe File created C:\Windows\SysWOW64\Jhllnk32.dll Hnkffi32.exe File created C:\Windows\SysWOW64\Joildhiq.dll Ilemce32.exe File created C:\Windows\SysWOW64\Ikapdqoc.exe Iqllghon.exe File opened for modification C:\Windows\SysWOW64\Bdcnhk32.exe Baealp32.exe File created C:\Windows\SysWOW64\Jnemfa32.exe Jihdnk32.exe File created C:\Windows\SysWOW64\Ldbjdj32.exe Lmhbgpia.exe File created C:\Windows\SysWOW64\Ooidei32.exe Oiokholk.exe File created C:\Windows\SysWOW64\Aobffp32.dll Onamle32.exe File created C:\Windows\SysWOW64\Jllaig32.dll Ijfqfj32.exe File created C:\Windows\SysWOW64\Knohpo32.exe Kmnlhg32.exe File created C:\Windows\SysWOW64\Fbmmbaal.dll Pildgl32.exe File opened for modification C:\Windows\SysWOW64\Clfhml32.exe Celpqbon.exe File created C:\Windows\SysWOW64\Cbjnqh32.exe Ccgnelll.exe File created C:\Windows\SysWOW64\Bafmhm32.dll Cbjnqh32.exe File created C:\Windows\SysWOW64\Cinefnpo.dll Ghidcceo.exe File opened for modification C:\Windows\SysWOW64\Npechhgd.exe Nmggllha.exe File created C:\Windows\SysWOW64\Nphpng32.exe Nhqhmj32.exe File created C:\Windows\SysWOW64\Pcpgblfk.dll Oomjng32.exe File created C:\Windows\SysWOW64\Kfidqb32.exe Kppldhla.exe File created C:\Windows\SysWOW64\Doqkpl32.exe Dfhgggim.exe File created C:\Windows\SysWOW64\Enjqlaec.dll Mhcicf32.exe File created C:\Windows\SysWOW64\Hjlkkhne.dll Celpqbon.exe File created C:\Windows\SysWOW64\Obhpad32.exe Ooidei32.exe File created C:\Windows\SysWOW64\Dkjhjm32.exe Dqddmd32.exe File created C:\Windows\SysWOW64\Enmnahnm.exe Eddjhb32.exe File created C:\Windows\SysWOW64\Jjejnabb.dll Hhnnnbaj.exe File created C:\Windows\SysWOW64\Mkohjbah.exe Mdepmh32.exe File created C:\Windows\SysWOW64\Hkmaed32.exe Heqimm32.exe File created C:\Windows\SysWOW64\Jeoeclek.exe Jbphgpfg.exe File created C:\Windows\SysWOW64\Ajcdki32.dll Ooidei32.exe File opened for modification C:\Windows\SysWOW64\Bbchkime.exe Beogaenl.exe File created C:\Windows\SysWOW64\Cjoilfek.exe Cceapl32.exe File opened for modification C:\Windows\SysWOW64\Kmnlhg32.exe Jegdgj32.exe File created C:\Windows\SysWOW64\Cnkbeloa.dll Mmdkfmjc.exe File created C:\Windows\SysWOW64\Cidffnka.dll Noagjc32.exe File opened for modification C:\Windows\SysWOW64\Pecelm32.exe Pkjqcg32.exe File opened for modification C:\Windows\SysWOW64\Hbnpbm32.exe Hqochjnk.exe File opened for modification C:\Windows\SysWOW64\Oqmmbqgd.exe Onoqfehp.exe File opened for modification C:\Windows\SysWOW64\Bihgmdih.exe Aocbokia.exe File created C:\Windows\SysWOW64\Oiaapj32.dll Figocipe.exe File created C:\Windows\SysWOW64\Mmndfnpl.exe Mkohjbah.exe File opened for modification C:\Windows\SysWOW64\Lepclldc.exe Ladgkmlj.exe File opened for modification C:\Windows\SysWOW64\Blobmm32.exe Biqfpb32.exe File opened for modification C:\Windows\SysWOW64\Hijhhl32.exe Glfgnh32.exe File created C:\Windows\SysWOW64\Befaceaa.dll Jkdcdf32.exe File created C:\Windows\SysWOW64\Okkkoj32.exe Ofobgc32.exe File created C:\Windows\SysWOW64\Cceapl32.exe Cojeomee.exe File created C:\Windows\SysWOW64\Fipbhd32.exe Faijggao.exe File opened for modification C:\Windows\SysWOW64\Kpoejbhe.exe Kghmhegc.exe File created C:\Windows\SysWOW64\Cbkgog32.exe Bpmkbl32.exe File created C:\Windows\SysWOW64\Nnbjpqoa.exe Nkdndeon.exe File created C:\Windows\SysWOW64\Egfjdchi.exe Ealahi32.exe File opened for modification C:\Windows\SysWOW64\Ecadddjh.exe Eacghhkd.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nldahn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqeomfgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpgjnbnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inmpklpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcmkhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpeljkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbchkime.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Negeln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnemfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mopdpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaholp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndafcmci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Empomd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapaaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpqjmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfbjdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlbgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okinik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbjifgcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpgibbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kghmhegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofiopaap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfbpaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgfooe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jihdnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jahbmlil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfmnkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mneaacno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emgdmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noagjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hokjkbkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpiaipmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnjnkkbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofdeeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdcjgnbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejioln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idohdhbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leegbnan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baealp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hghdjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naimepkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ankedf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfjnkne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfmqigba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ficehj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpdeoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piohgbng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gipngg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njchfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjlep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqllghon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baqhapdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nklopg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cojeomee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbjpem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjkfqlpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpldcfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmepanje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhioioc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ockinl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goapjnoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhhbif32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhhbif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgppdkib.dll" Ikagogco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmfalg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pngjcj32.dll" Nndgeplo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omqjgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfnhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djenbd32.dll" Cofaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjbejog.dll" Ejioln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Calonebc.dll" Igkhjdde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neajod32.dll" Lgpfpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlmoilni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbqebj32.dll" Blniinac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enhaeldn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aegibbeb.dll" Ofdeeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdodmlcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldbjdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moenkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbqkeioh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebappk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfabkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqmice32.dll" Ikjjda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcqkjfel.dll" Jbfkeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgpndg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbpoebgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Celpqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgfooe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhonm32.dll" Ojkhjabc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ockbdebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgcmod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofaolcmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phahme32.dll" Ockinl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgnpjkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjoilfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjijkmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iagiph32.dll" Odnobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enihha32.dll" Ofiopaap.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onjgkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnkffi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjkfqlpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niienepq.dll" Cenmfbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgkqcb32.dll" Cppobaeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kapaaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahhchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkpakq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgmmkof.dll" Njalacon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqojhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjfhkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfmnkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iinalc32.dll" Nloachkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dofohkkf.dll" Kihpmnbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lolofd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllpgcjb.dll" Mpnngi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nepokogo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhmldfdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlpchfdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihnjmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anmbje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnmcojmg.dll" Efoifiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djiiddfd.dll" Acohnhab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghoijebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcgqbmgm.dll" Kmficl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqddmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjjcdeh.dll" Iemalkgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbnjdf32.dll" Ikocoa32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2096 wrote to memory of 2776 2096 e7e04102f28edf5c1fa6c689d0fb8a9072cd88dfe8e78c7bf555c192c3dd6391.exe 30 PID 2096 wrote to memory of 2776 2096 e7e04102f28edf5c1fa6c689d0fb8a9072cd88dfe8e78c7bf555c192c3dd6391.exe 30 PID 2096 wrote to memory of 2776 2096 e7e04102f28edf5c1fa6c689d0fb8a9072cd88dfe8e78c7bf555c192c3dd6391.exe 30 PID 2096 wrote to memory of 2776 2096 e7e04102f28edf5c1fa6c689d0fb8a9072cd88dfe8e78c7bf555c192c3dd6391.exe 30 PID 2776 wrote to memory of 2564 2776 Dgcmod32.exe 31 PID 2776 wrote to memory of 2564 2776 Dgcmod32.exe 31 PID 2776 wrote to memory of 2564 2776 Dgcmod32.exe 31 PID 2776 wrote to memory of 2564 2776 Dgcmod32.exe 31 PID 2564 wrote to memory of 2800 2564 Dgcmod32.exe 32 PID 2564 wrote to memory of 2800 2564 Dgcmod32.exe 32 PID 2564 wrote to memory of 2800 2564 Dgcmod32.exe 32 PID 2564 wrote to memory of 2800 2564 Dgcmod32.exe 32 PID 2800 wrote to memory of 2604 2800 Ealahi32.exe 33 PID 2800 wrote to memory of 2604 2800 Ealahi32.exe 33 PID 2800 wrote to memory of 2604 2800 Ealahi32.exe 33 PID 2800 wrote to memory of 2604 2800 Ealahi32.exe 33 PID 2604 wrote to memory of 2632 2604 Egfjdchi.exe 34 PID 2604 wrote to memory of 2632 2604 Egfjdchi.exe 34 PID 2604 wrote to memory of 2632 2604 Egfjdchi.exe 34 PID 2604 wrote to memory of 2632 2604 Egfjdchi.exe 34 PID 2632 wrote to memory of 3048 2632 Eejjnhgc.exe 35 PID 2632 wrote to memory of 3048 2632 Eejjnhgc.exe 35 PID 2632 wrote to memory of 3048 2632 Eejjnhgc.exe 35 PID 2632 wrote to memory of 3048 2632 Eejjnhgc.exe 35 PID 3048 wrote to memory of 1076 3048 Enbogmnc.exe 36 PID 3048 wrote to memory of 1076 3048 Enbogmnc.exe 36 PID 3048 wrote to memory of 1076 3048 Enbogmnc.exe 36 PID 3048 wrote to memory of 1076 3048 Enbogmnc.exe 36 PID 1076 wrote to memory of 1036 1076 Eaqkcimg.exe 37 PID 1076 wrote to memory of 1036 1076 Eaqkcimg.exe 37 PID 1076 wrote to memory of 1036 1076 Eaqkcimg.exe 37 PID 1076 wrote to memory of 1036 1076 Eaqkcimg.exe 37 PID 1036 wrote to memory of 2256 1036 Ejioln32.exe 38 PID 1036 wrote to memory of 2256 1036 Ejioln32.exe 38 PID 1036 wrote to memory of 2256 1036 Ejioln32.exe 38 PID 1036 wrote to memory of 2256 1036 Ejioln32.exe 38 PID 2256 wrote to memory of 2828 2256 Eacghhkd.exe 39 PID 2256 wrote to memory of 2828 2256 Eacghhkd.exe 39 PID 2256 wrote to memory of 2828 2256 Eacghhkd.exe 39 PID 2256 wrote to memory of 2828 2256 Eacghhkd.exe 39 PID 2828 wrote to memory of 672 2828 Ecadddjh.exe 40 PID 2828 wrote to memory of 672 2828 Ecadddjh.exe 40 PID 2828 wrote to memory of 672 2828 Ecadddjh.exe 40 PID 2828 wrote to memory of 672 2828 Ecadddjh.exe 40 PID 672 wrote to memory of 1152 672 Einlmkhp.exe 41 PID 672 wrote to memory of 1152 672 Einlmkhp.exe 41 PID 672 wrote to memory of 1152 672 Einlmkhp.exe 41 PID 672 wrote to memory of 1152 672 Einlmkhp.exe 41 PID 1152 wrote to memory of 480 1152 Ffbmfo32.exe 42 PID 1152 wrote to memory of 480 1152 Ffbmfo32.exe 42 PID 1152 wrote to memory of 480 1152 Ffbmfo32.exe 42 PID 1152 wrote to memory of 480 1152 Ffbmfo32.exe 42 PID 480 wrote to memory of 1372 480 Floeof32.exe 43 PID 480 wrote to memory of 1372 480 Floeof32.exe 43 PID 480 wrote to memory of 1372 480 Floeof32.exe 43 PID 480 wrote to memory of 1372 480 Floeof32.exe 43 PID 1372 wrote to memory of 2352 1372 Fbimkpmm.exe 44 PID 1372 wrote to memory of 2352 1372 Fbimkpmm.exe 44 PID 1372 wrote to memory of 2352 1372 Fbimkpmm.exe 44 PID 1372 wrote to memory of 2352 1372 Fbimkpmm.exe 44 PID 2352 wrote to memory of 1492 2352 Ficehj32.exe 45 PID 2352 wrote to memory of 1492 2352 Ficehj32.exe 45 PID 2352 wrote to memory of 1492 2352 Ficehj32.exe 45 PID 2352 wrote to memory of 1492 2352 Ficehj32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7e04102f28edf5c1fa6c689d0fb8a9072cd88dfe8e78c7bf555c192c3dd6391.exe"C:\Users\Admin\AppData\Local\Temp\e7e04102f28edf5c1fa6c689d0fb8a9072cd88dfe8e78c7bf555c192c3dd6391.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2096 -
C:\Windows\SysWOW64\Dgcmod32.exeC:\Windows\system32\Dgcmod32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Dgcmod32.exeC:\Windows\system32\Dgcmod32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Ealahi32.exeC:\Windows\system32\Ealahi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Egfjdchi.exeC:\Windows\system32\Egfjdchi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Eejjnhgc.exeC:\Windows\system32\Eejjnhgc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Enbogmnc.exeC:\Windows\system32\Enbogmnc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Eaqkcimg.exeC:\Windows\system32\Eaqkcimg.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Ejioln32.exeC:\Windows\system32\Ejioln32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Eacghhkd.exeC:\Windows\system32\Eacghhkd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Ecadddjh.exeC:\Windows\system32\Ecadddjh.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Einlmkhp.exeC:\Windows\system32\Einlmkhp.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:672 -
C:\Windows\SysWOW64\Ffbmfo32.exeC:\Windows\system32\Ffbmfo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Floeof32.exeC:\Windows\system32\Floeof32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:480 -
C:\Windows\SysWOW64\Fbimkpmm.exeC:\Windows\system32\Fbimkpmm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Ficehj32.exeC:\Windows\system32\Ficehj32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Ffgfancd.exeC:\Windows\system32\Ffgfancd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Fhhbif32.exeC:\Windows\system32\Fhhbif32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Fbngfo32.exeC:\Windows\system32\Fbngfo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:660 -
C:\Windows\SysWOW64\Figocipe.exeC:\Windows\system32\Figocipe.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1636 -
C:\Windows\SysWOW64\Flfkoeoh.exeC:\Windows\system32\Flfkoeoh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1436 -
C:\Windows\SysWOW64\Fbpclofe.exeC:\Windows\system32\Fbpclofe.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2016 -
C:\Windows\SysWOW64\Fhmldfdm.exeC:\Windows\system32\Fhmldfdm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Fkkhpadq.exeC:\Windows\system32\Fkkhpadq.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2532 -
C:\Windows\SysWOW64\Ghoijebj.exeC:\Windows\system32\Ghoijebj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Gkmefaan.exeC:\Windows\system32\Gkmefaan.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Gmlablaa.exeC:\Windows\system32\Gmlablaa.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Ghaeoe32.exeC:\Windows\system32\Ghaeoe32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2664 -
C:\Windows\SysWOW64\Gkpakq32.exeC:\Windows\system32\Gkpakq32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Ggfbpaeo.exeC:\Windows\system32\Ggfbpaeo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Gcmcebkc.exeC:\Windows\system32\Gcmcebkc.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Gigkbm32.exeC:\Windows\system32\Gigkbm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Glfgnh32.exeC:\Windows\system32\Glfgnh32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Hijhhl32.exeC:\Windows\system32\Hijhhl32.exe34⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Heqimm32.exeC:\Windows\system32\Heqimm32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Hkmaed32.exeC:\Windows\system32\Hkmaed32.exe36⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Hhaanh32.exeC:\Windows\system32\Hhaanh32.exe37⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Hokjkbkp.exeC:\Windows\system32\Hokjkbkp.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Hgfooe32.exeC:\Windows\system32\Hgfooe32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Honfqb32.exeC:\Windows\system32\Honfqb32.exe40⤵
- Executes dropped EXE
PID:1244 -
C:\Windows\SysWOW64\Hqochjnk.exeC:\Windows\system32\Hqochjnk.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Hbnpbm32.exeC:\Windows\system32\Hbnpbm32.exe42⤵
- Executes dropped EXE
PID:744 -
C:\Windows\SysWOW64\Icplje32.exeC:\Windows\system32\Icplje32.exe43⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Igkhjdde.exeC:\Windows\system32\Igkhjdde.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Iqcmcj32.exeC:\Windows\system32\Iqcmcj32.exe45⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Idohdhbo.exeC:\Windows\system32\Idohdhbo.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1664 -
C:\Windows\SysWOW64\Ijnnao32.exeC:\Windows\system32\Ijnnao32.exe47⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Iianmlfn.exeC:\Windows\system32\Iianmlfn.exe48⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Immjnj32.exeC:\Windows\system32\Immjnj32.exe49⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Icfbkded.exeC:\Windows\system32\Icfbkded.exe50⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Ifengpdh.exeC:\Windows\system32\Ifengpdh.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Iickckcl.exeC:\Windows\system32\Iickckcl.exe52⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Imogcj32.exeC:\Windows\system32\Imogcj32.exe53⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Ikagogco.exeC:\Windows\system32\Ikagogco.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Iifghk32.exeC:\Windows\system32\Iifghk32.exe55⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Jkdcdf32.exeC:\Windows\system32\Jkdcdf32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2572 -
C:\Windows\SysWOW64\Joppeeif.exeC:\Windows\system32\Joppeeif.exe57⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Jelhmlgm.exeC:\Windows\system32\Jelhmlgm.exe58⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Jihdnk32.exeC:\Windows\system32\Jihdnk32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2540 -
C:\Windows\SysWOW64\Jnemfa32.exeC:\Windows\system32\Jnemfa32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Jbphgpfg.exeC:\Windows\system32\Jbphgpfg.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2660 -
C:\Windows\SysWOW64\Jeoeclek.exeC:\Windows\system32\Jeoeclek.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Jgmaog32.exeC:\Windows\system32\Jgmaog32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Jngilalk.exeC:\Windows\system32\Jngilalk.exe64⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Jaeehmko.exeC:\Windows\system32\Jaeehmko.exe65⤵
- Executes dropped EXE
PID:1880 -
C:\Windows\SysWOW64\Jgpndg32.exeC:\Windows\system32\Jgpndg32.exe66⤵
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Jjnjqb32.exeC:\Windows\system32\Jjnjqb32.exe67⤵PID:2324
-
C:\Windows\SysWOW64\Jahbmlil.exeC:\Windows\system32\Jahbmlil.exe68⤵
- System Location Discovery: System Language Discovery
PID:2488 -
C:\Windows\SysWOW64\Jecnnk32.exeC:\Windows\system32\Jecnnk32.exe69⤵PID:2528
-
C:\Windows\SysWOW64\Jgbjjf32.exeC:\Windows\system32\Jgbjjf32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1412 -
C:\Windows\SysWOW64\Jnlbgq32.exeC:\Windows\system32\Jnlbgq32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\Jcikog32.exeC:\Windows\system32\Jcikog32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2808 -
C:\Windows\SysWOW64\Kfggkc32.exeC:\Windows\system32\Kfggkc32.exe73⤵PID:868
-
C:\Windows\SysWOW64\Kiecgo32.exeC:\Windows\system32\Kiecgo32.exe74⤵PID:2872
-
C:\Windows\SysWOW64\Kmaphmln.exeC:\Windows\system32\Kmaphmln.exe75⤵PID:2612
-
C:\Windows\SysWOW64\Kppldhla.exeC:\Windows\system32\Kppldhla.exe76⤵
- Drops file in System32 directory
PID:568 -
C:\Windows\SysWOW64\Kfidqb32.exeC:\Windows\system32\Kfidqb32.exe77⤵PID:2948
-
C:\Windows\SysWOW64\Kihpmnbb.exeC:\Windows\system32\Kihpmnbb.exe78⤵
- Modifies registry class
PID:1216 -
C:\Windows\SysWOW64\Klfmijae.exeC:\Windows\system32\Klfmijae.exe79⤵PID:1276
-
C:\Windows\SysWOW64\Kbpefc32.exeC:\Windows\system32\Kbpefc32.exe80⤵PID:2440
-
C:\Windows\SysWOW64\Keoabo32.exeC:\Windows\system32\Keoabo32.exe81⤵PID:1788
-
C:\Windows\SysWOW64\Kmficl32.exeC:\Windows\system32\Kmficl32.exe82⤵
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Klhioioc.exeC:\Windows\system32\Klhioioc.exe83⤵
- System Location Discovery: System Language Discovery
PID:2516 -
C:\Windows\SysWOW64\Kpdeoh32.exeC:\Windows\system32\Kpdeoh32.exe84⤵
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Windows\SysWOW64\Kngekdnf.exeC:\Windows\system32\Kngekdnf.exe85⤵PID:2132
-
C:\Windows\SysWOW64\Keango32.exeC:\Windows\system32\Keango32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:888 -
C:\Windows\SysWOW64\Kimjhnnl.exeC:\Windows\system32\Kimjhnnl.exe87⤵PID:708
-
C:\Windows\SysWOW64\Klkfdi32.exeC:\Windows\system32\Klkfdi32.exe88⤵PID:556
-
C:\Windows\SysWOW64\Koibpd32.exeC:\Windows\system32\Koibpd32.exe89⤵PID:964
-
C:\Windows\SysWOW64\Kaholp32.exeC:\Windows\system32\Kaholp32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Khagijcd.exeC:\Windows\system32\Khagijcd.exe91⤵PID:1576
-
C:\Windows\SysWOW64\Lolofd32.exeC:\Windows\system32\Lolofd32.exe92⤵
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Lajkbp32.exeC:\Windows\system32\Lajkbp32.exe93⤵PID:1584
-
C:\Windows\SysWOW64\Leegbnan.exeC:\Windows\system32\Leegbnan.exe94⤵
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Lhdcojaa.exeC:\Windows\system32\Lhdcojaa.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1616 -
C:\Windows\SysWOW64\Lkbpke32.exeC:\Windows\system32\Lkbpke32.exe96⤵PID:532
-
C:\Windows\SysWOW64\Lonlkcho.exeC:\Windows\system32\Lonlkcho.exe97⤵PID:2932
-
C:\Windows\SysWOW64\Lehdhn32.exeC:\Windows\system32\Lehdhn32.exe98⤵PID:1940
-
C:\Windows\SysWOW64\Ldkdckff.exeC:\Windows\system32\Ldkdckff.exe99⤵PID:2984
-
C:\Windows\SysWOW64\Lkelpd32.exeC:\Windows\system32\Lkelpd32.exe100⤵PID:3016
-
C:\Windows\SysWOW64\Lophacfl.exeC:\Windows\system32\Lophacfl.exe101⤵PID:2520
-
C:\Windows\SysWOW64\Lpaehl32.exeC:\Windows\system32\Lpaehl32.exe102⤵PID:2708
-
C:\Windows\SysWOW64\Lglmefcg.exeC:\Windows\system32\Lglmefcg.exe103⤵PID:2820
-
C:\Windows\SysWOW64\Lijiaabk.exeC:\Windows\system32\Lijiaabk.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2804 -
C:\Windows\SysWOW64\Laaabo32.exeC:\Windows\system32\Laaabo32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2732 -
C:\Windows\SysWOW64\Lilfgq32.exeC:\Windows\system32\Lilfgq32.exe106⤵PID:2868
-
C:\Windows\SysWOW64\Lmhbgpia.exeC:\Windows\system32\Lmhbgpia.exe107⤵
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Ldbjdj32.exeC:\Windows\system32\Ldbjdj32.exe108⤵
- Modifies registry class
PID:492 -
C:\Windows\SysWOW64\Lgpfpe32.exeC:\Windows\system32\Lgpfpe32.exe109⤵
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Miocmq32.exeC:\Windows\system32\Miocmq32.exe110⤵PID:1844
-
C:\Windows\SysWOW64\Mlmoilni.exeC:\Windows\system32\Mlmoilni.exe111⤵
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Mcggef32.exeC:\Windows\system32\Mcggef32.exe112⤵PID:1804
-
C:\Windows\SysWOW64\Mhdpnm32.exeC:\Windows\system32\Mhdpnm32.exe113⤵PID:1224
-
C:\Windows\SysWOW64\Monhjgkj.exeC:\Windows\system32\Monhjgkj.exe114⤵PID:684
-
C:\Windows\SysWOW64\Mehpga32.exeC:\Windows\system32\Mehpga32.exe115⤵PID:2640
-
C:\Windows\SysWOW64\Mhflcm32.exeC:\Windows\system32\Mhflcm32.exe116⤵PID:1532
-
C:\Windows\SysWOW64\Mopdpg32.exeC:\Windows\system32\Mopdpg32.exe117⤵
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Windows\SysWOW64\Mejmmqpd.exeC:\Windows\system32\Mejmmqpd.exe118⤵PID:2832
-
C:\Windows\SysWOW64\Mhhiiloh.exeC:\Windows\system32\Mhhiiloh.exe119⤵PID:1420
-
C:\Windows\SysWOW64\Mldeik32.exeC:\Windows\system32\Mldeik32.exe120⤵PID:2904
-
C:\Windows\SysWOW64\Mneaacno.exeC:\Windows\system32\Mneaacno.exe121⤵
- System Location Discovery: System Language Discovery
PID:2112
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-