Analysis
-
max time kernel
114s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
23-11-2024 04:01
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2f89f8730aadf6b36d6c747b69fdf3f19c19f64dcbed93cc3b5828a0928e47e8.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
2f89f8730aadf6b36d6c747b69fdf3f19c19f64dcbed93cc3b5828a0928e47e8.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
2f89f8730aadf6b36d6c747b69fdf3f19c19f64dcbed93cc3b5828a0928e47e8.exe
-
Size
60KB
-
MD5
170f14517254abab8ee316e5354e1650
-
SHA1
0a1d16519aa76f70f92ede4df9a22d31ae8fa1de
-
SHA256
2f89f8730aadf6b36d6c747b69fdf3f19c19f64dcbed93cc3b5828a0928e47e8
-
SHA512
8c1e9bf35ecc8c2991445d4b3edadbb95db12a874b32104abd82f2a4c8cbab81374706112deeddb8e9e383cc25f93fc505e32297ef6e11eeaf60ce6a48ef25a3
-
SSDEEP
1536:D6b2Dx/eLxnupXUBDVqZhLva37KB86l1rs:2yxeLZeUBDI7yrKB86l1rs
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Processes:
Lieccf32.exeNncccnol.exeEjjaqk32.exeFgnjqm32.exeMkmkkjko.exeIfmqfm32.exeAddaif32.exeIpkdek32.exeInfhebbh.exePmiikh32.exeAphnnafb.exeFnkfmm32.exePplhhm32.exeHdehni32.exeHmkigh32.exePmjhlklg.exeOmdieb32.exeMahklf32.exeNhgmcp32.exeMmnhcb32.exePddhbipj.exeBlnoga32.exeMnegbp32.exeCimmggfl.exeOqklkbbi.exeGihgfk32.exeGiecfejd.exeEaceghcg.exeHildmn32.exeLobjni32.exeQfmmplad.exeHebcao32.exeQbngeadf.exeHkfglb32.exeOldjcg32.exeCienon32.exeCgiohbfi.exeKplmliko.exeEjagaj32.exeBdickcpo.exeGbalopbn.exeJekqmhia.exeHppeim32.exeEkjded32.exeIlfodgeg.exeMhpgca32.exeLnnbqnjn.exeKcndbp32.exeMqkiok32.exeCdimqm32.exeOocmii32.exeBjbfklei.exeCofnik32.exeMhoahh32.exeFglnkm32.exeHmbfbn32.exeFneggdhg.exeAbpcja32.exeGkhkjd32.exeBhkmec32.exeGldglf32.exeEgcaod32.exeKdigadjo.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lieccf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nncccnol.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejjaqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgnjqm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkmkkjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifmqfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Addaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipkdek32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Infhebbh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmiikh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aphnnafb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnkfmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pplhhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdehni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmkigh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmjhlklg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omdieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mahklf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhgmcp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmnhcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pddhbipj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blnoga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnegbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cimmggfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqklkbbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gihgfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giecfejd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eaceghcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hildmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lobjni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfmmplad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hebcao32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbngeadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkfglb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oldjcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cienon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgiohbfi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kplmliko.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejagaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdickcpo.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbalopbn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jekqmhia.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hppeim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekjded32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilfodgeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhpgca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnnbqnjn.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcndbp32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqkiok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdimqm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oocmii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjbfklei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmiikh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofnik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhoahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fglnkm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbfbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fneggdhg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpcja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkhkjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhkmec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gldglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egcaod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdigadjo.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
Processes:
Kndojobi.exeKijchhbo.exeKkhpdcab.exeKaehljpj.exeKilpmh32.exeKjmmepfj.exeKinmcg32.exeKjpijpdg.exeLajagj32.exeLiqihglg.exeLnnbqnjn.exeLicfngjd.exeLankbigo.exeLieccf32.exeLaqhhi32.exeLndham32.exeLhmmjbkf.exeMbbagk32.exeMhoipb32.exeMahnhhod.exeMhafeb32.exeMjpbam32.exeMeefofek.exeMhdckaeo.exeMjbogmdb.exeMhfppabl.exeMjellmbp.exeMaodigil.exeNbnpcj32.exeNemmoe32.exeNlfelogp.exeNacmdf32.exeNklbmllg.exeNhpbfpka.exeNeccpd32.exeNbgcih32.exeObjpoh32.exeOehlkc32.exeOoqqdi32.exeOocmii32.exeOemefcap.exeOkjnnj32.exeOlijhmgj.exeOimkbaed.exePojcjh32.exePiphgq32.exePhedhmhi.exePeieba32.exePkenjh32.exePhincl32.exePabblb32.exePemomqcn.exeQkjgegae.exeQcaofebg.exeQhngolpo.exeQebhhp32.exeAkoqpg32.exeAaiimadl.exeAjpqnneo.exeAlnmjjdb.exeAchegd32.exeAjbmdn32.exeAfinioip.exeAoabad32.exepid Process 4748 Kndojobi.exe 804 Kijchhbo.exe 1520 Kkhpdcab.exe 4000 Kaehljpj.exe 4768 Kilpmh32.exe 2308 Kjmmepfj.exe 4584 Kinmcg32.exe 4464 Kjpijpdg.exe 4580 Lajagj32.exe 4308 Liqihglg.exe 1580 Lnnbqnjn.exe 2404 Licfngjd.exe 3576 Lankbigo.exe 4032 Lieccf32.exe 2916 Laqhhi32.exe 4512 Lndham32.exe 2936 Lhmmjbkf.exe 264 Mbbagk32.exe 3484 Mhoipb32.exe 1172 Mahnhhod.exe 3808 Mhafeb32.exe 5056 Mjpbam32.exe 1732 Meefofek.exe 1456 Mhdckaeo.exe 3064 Mjbogmdb.exe 4860 Mhfppabl.exe 1656 Mjellmbp.exe 2168 Maodigil.exe 3544 Nbnpcj32.exe 4036 Nemmoe32.exe 4928 Nlfelogp.exe 1420 Nacmdf32.exe 2204 Nklbmllg.exe 756 Nhpbfpka.exe 4352 Neccpd32.exe 3452 Nbgcih32.exe 4504 Objpoh32.exe 4436 Oehlkc32.exe 4232 Ooqqdi32.exe 4460 Oocmii32.exe 3972 Oemefcap.exe 2552 Okjnnj32.exe 2480 Olijhmgj.exe 1180 Oimkbaed.exe 4092 Pojcjh32.exe 452 Piphgq32.exe 4332 Phedhmhi.exe 1516 Peieba32.exe 1672 Pkenjh32.exe 64 Phincl32.exe 1952 Pabblb32.exe 2572 Pemomqcn.exe 2848 Qkjgegae.exe 4100 Qcaofebg.exe 184 Qhngolpo.exe 5072 Qebhhp32.exe 5064 Akoqpg32.exe 3744 Aaiimadl.exe 4844 Ajpqnneo.exe 4840 Alnmjjdb.exe 1812 Achegd32.exe 4384 Ajbmdn32.exe 3252 Afinioip.exe 2300 Aoabad32.exe -
Drops file in System32 directory 64 IoCs
Processes:
Mgehfkop.exePhigif32.exeCkeimm32.exeNnafno32.exeLklnconj.exeMhdckaeo.exeElpkep32.exeQfmmplad.exeFkjmlaac.exeFnffhgon.exeMahklf32.exeBahkih32.exeMfqlfb32.exeMqafhl32.exeHcblpdgg.exeJdfjld32.exeIjcjmmil.exeKpmdfonj.exeKifojnol.exePmjhlklg.exeKndojobi.exeKilpmh32.exeLljdai32.exeNcmhko32.exeAijlgkjq.exeHmbphg32.exeOnmfimga.exeNfpghccm.exeCaojpaij.exeIahgad32.exeAfbgkl32.exeLakfeodm.exeAaiimadl.exeNlcalieg.exeHiipmhmk.exeOpqofe32.exeHicpgc32.exeIcnklbmj.exeEeelnp32.exeMjaabq32.exeBobabg32.exeCkjknfnh.exeFpdcag32.exeGbalopbn.exeBkphhgfc.exeHiacacpg.exeNbebbk32.exeLmmolepp.exeNpepkf32.exeDlghoa32.exeFibhpbea.exeCfipef32.exeFneggdhg.exeFbjena32.exeBgdemb32.exePijcpmhc.exeKijchhbo.exeAednci32.exeDqnjgl32.exeFbdehlip.exeGnohnffc.exeKqfngd32.exeAnaomkdb.exedescription ioc Process File created C:\Windows\SysWOW64\Mjdebfnd.exe Mgehfkop.exe File created C:\Windows\SysWOW64\Qemhbj32.exe Phigif32.exe File opened for modification C:\Windows\SysWOW64\Cfkmkf32.exe Ckeimm32.exe File created C:\Windows\SysWOW64\Gfkcaoef.dll Nnafno32.exe File created C:\Windows\SysWOW64\Laffpi32.exe Lklnconj.exe File created C:\Windows\SysWOW64\Gcbpne32.dll Mhdckaeo.exe File opened for modification C:\Windows\SysWOW64\Ecgcfm32.exe Elpkep32.exe File opened for modification C:\Windows\SysWOW64\Qodeajbg.exe Qfmmplad.exe File created C:\Windows\SysWOW64\Plgdqf32.dll Fkjmlaac.exe File opened for modification C:\Windows\SysWOW64\Fdpnda32.exe Fnffhgon.exe File created C:\Windows\SysWOW64\Medglemj.exe Mahklf32.exe File opened for modification C:\Windows\SysWOW64\Bdgged32.exe Bahkih32.exe File created C:\Windows\SysWOW64\Gpkpbaea.dll Mfqlfb32.exe File opened for modification C:\Windows\SysWOW64\Mjjkaabc.exe Mqafhl32.exe File created C:\Windows\SysWOW64\Lhlndcmq.dll Hcblpdgg.exe File created C:\Windows\SysWOW64\Bhhqlkph.dll Jdfjld32.exe File created C:\Windows\SysWOW64\Fgbdja32.dll Ijcjmmil.exe File created C:\Windows\SysWOW64\Abhemohm.dll Kpmdfonj.exe File created C:\Windows\SysWOW64\Onogcg32.dll Kifojnol.exe File created C:\Windows\SysWOW64\Fddogn32.dll Pmjhlklg.exe File opened for modification C:\Windows\SysWOW64\Kijchhbo.exe Kndojobi.exe File created C:\Windows\SysWOW64\Jdigjdia.dll Kilpmh32.exe File created C:\Windows\SysWOW64\Aaeidf32.dll Lljdai32.exe File opened for modification C:\Windows\SysWOW64\Nbphglbe.exe Ncmhko32.exe File created C:\Windows\SysWOW64\Gckjdhni.dll Aijlgkjq.exe File opened for modification C:\Windows\SysWOW64\Hbohpn32.exe Hmbphg32.exe File created C:\Windows\SysWOW64\Ojdgnn32.exe Onmfimga.exe File created C:\Windows\SysWOW64\Oljoen32.exe Nfpghccm.exe File opened for modification C:\Windows\SysWOW64\Cdmfllhn.exe Caojpaij.exe File created C:\Windows\SysWOW64\Mmmncpmp.dll Iahgad32.exe File created C:\Windows\SysWOW64\Amlogfel.exe Afbgkl32.exe File opened for modification C:\Windows\SysWOW64\Lhenai32.exe Lakfeodm.exe File opened for modification C:\Windows\SysWOW64\Ajpqnneo.exe Aaiimadl.exe File opened for modification C:\Windows\SysWOW64\Nmenca32.exe Nlcalieg.exe File created C:\Windows\SysWOW64\Hpchib32.exe Hiipmhmk.exe File opened for modification C:\Windows\SysWOW64\Ofkgcobj.exe Opqofe32.exe File opened for modification C:\Windows\SysWOW64\Hpmhdmea.exe Hicpgc32.exe File created C:\Windows\SysWOW64\Ikdcmpnl.exe Icnklbmj.exe File created C:\Windows\SysWOW64\Kfbdfl32.dll Eeelnp32.exe File created C:\Windows\SysWOW64\Mqkiok32.exe Mjaabq32.exe File opened for modification C:\Windows\SysWOW64\Bpdnjple.exe Bobabg32.exe File created C:\Windows\SysWOW64\Cdbpgl32.exe Ckjknfnh.exe File created C:\Windows\SysWOW64\Ffnknafg.exe Fpdcag32.exe File created C:\Windows\SysWOW64\Adfokn32.dll Gbalopbn.exe File opened for modification C:\Windows\SysWOW64\Bnoddcef.exe Bkphhgfc.exe File created C:\Windows\SysWOW64\Hkhcdb32.dll Hiacacpg.exe File opened for modification C:\Windows\SysWOW64\Lcclncbh.exe Lljdai32.exe File opened for modification C:\Windows\SysWOW64\Niojoeel.exe Nbebbk32.exe File opened for modification C:\Windows\SysWOW64\Lcggio32.exe Lmmolepp.exe File created C:\Windows\SysWOW64\Ncqlkemc.exe Npepkf32.exe File created C:\Windows\SysWOW64\Ggamph32.dll Dlghoa32.exe File opened for modification C:\Windows\SysWOW64\Fplpll32.exe Fibhpbea.exe File created C:\Windows\SysWOW64\Ckeimm32.exe Cfipef32.exe File created C:\Windows\SysWOW64\Fijkdmhn.exe Fneggdhg.exe File opened for modification C:\Windows\SysWOW64\Gidnkkpc.exe Fbjena32.exe File created C:\Windows\SysWOW64\Cpljehpo.exe Bgdemb32.exe File created C:\Windows\SysWOW64\Podkmgop.exe Pijcpmhc.exe File opened for modification C:\Windows\SysWOW64\Kkhpdcab.exe Kijchhbo.exe File opened for modification C:\Windows\SysWOW64\Ahbjoe32.exe Aednci32.exe File created C:\Windows\SysWOW64\Bfcjjj32.dll Dqnjgl32.exe File opened for modification C:\Windows\SysWOW64\Finnef32.exe Fbdehlip.exe File opened for modification C:\Windows\SysWOW64\Gdiakp32.exe Gnohnffc.exe File created C:\Windows\SysWOW64\Eghghj32.dll Kqfngd32.exe File created C:\Windows\SysWOW64\Dlgaff32.dll Anaomkdb.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
Pimfpc32.exeOimkbaed.exeFpggamqc.exeKqphfe32.exeNndjndbh.exeJekqmhia.exeKcmmhj32.exeFnalmh32.exeFnjocf32.exeCcmgiaig.exeEmbddb32.exePjdpelnc.exeBcahmb32.exeKdmqmc32.exeNhmofj32.exeIbfnqmpf.exePfoann32.exeFbmohmoh.exeJikoopij.exeJnelok32.exeEiokinbk.exeOcgbld32.exeCcpdoqgd.exeAnaomkdb.exeQjhbfd32.exeMhoipb32.exeLobjni32.exeBhmbqm32.exeGgahedjn.exeHdhedh32.exeLclpdncg.exeNbgcih32.exeFimodc32.exeNjfkmphe.exeNqcejcha.exePojcjh32.exeKnqepc32.exePjbcplpe.exeIcachjbb.exeOjigdcll.exePplobcpp.exeEdihdb32.exeAbcppq32.exeLndagg32.exeDdligq32.exeMnegbp32.exeNnafno32.exeBgkiaj32.exeIcnklbmj.exeIjmhkchl.exeNhokljge.exeMmnhcb32.exeMqkiok32.exeKndojobi.exeFpdcag32.exeHpchib32.exeChkobkod.exeHcljmj32.exeGfkbde32.exeHbenoi32.exeIacngdgj.exeBemqih32.exeAcokhc32.exeBgdemb32.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pimfpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oimkbaed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpggamqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqphfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndjndbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekqmhia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmmhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnalmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnjocf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccmgiaig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjdpelnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcahmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdmqmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhmofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibfnqmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfoann32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbmohmoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikoopij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnelok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiokinbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocgbld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpdoqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anaomkdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjhbfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhoipb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lobjni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmbqm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggahedjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdhedh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lclpdncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbgcih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimodc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfkmphe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqcejcha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojcjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knqepc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjbcplpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icachjbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojigdcll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplobcpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edihdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abcppq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lndagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddligq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnegbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnafno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgkiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnklbmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmhkchl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhokljge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmnhcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqkiok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kndojobi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpdcag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpchib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkobkod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcljmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbenoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iacngdgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bemqih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acokhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdemb32.exe -
Modifies registry class 64 IoCs
Processes:
Pkenjh32.exeHloqml32.exeFlfkkhid.exeHbldphde.exeCmgqpkip.exeFcniglmb.exeMkmkkjko.exeIloajfml.exePokanf32.exeAmfhgj32.exeHifcgion.exeIefphb32.exeNfnamjhk.exeNqcejcha.exeKjmmepfj.exeFjmkoeqi.exeIloidijb.exeJgkdbacp.exeIlcldb32.exeOpqofe32.exeFijdjfdb.exeLaqhhi32.exeIknmla32.exeJgpfbjlo.exeHjfbjdnd.exeLieccf32.exeDhikci32.exeMemalfcb.exeAoalgn32.exePdenmbkk.exeBhhiemoj.exeNkcmjlio.exeNhgmcp32.exeMfchlbfd.exeNpgmpf32.exeFbmohmoh.exeInfhebbh.exeOfijnbkb.exeCmmbbejp.exeBhpfqcln.exeDolmodpi.exeIpkdek32.exeObjpoh32.exeHdhedh32.exeEfeihb32.exeDdnobj32.exeQbngeadf.exeMjpbam32.exeCklhcfle.exeCdaile32.exeLankbigo.exeLclpdncg.exeLndagg32.exePjdpelnc.exeGgahedjn.exeMhanngbl.exeCbkfbcpb.exeEjccgi32.exeHkbmqb32.exeHibjli32.exePjbcplpe.exeHiacacpg.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkenjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hloqml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flfkkhid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oefgjq32.dll" Hbldphde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmgqpkip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcniglmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkmkkjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdiphhpk.dll" Iloajfml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hblaceei.dll" Pokanf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcgjl32.dll" Amfhgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hifcgion.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iefphb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpfohk32.dll" Nfnamjhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqcejcha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjmmepfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjmkoeqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abakhdbk.dll" Iloidijb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhoneioi.dll" Jgkdbacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilcldb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opqofe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fijdjfdb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Laqhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Miepkipc.dll" Iknmla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgpfbjlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjfbjdnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lieccf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhikci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Encnaa32.dll" Memalfcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoalgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdenmbkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhhiemoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkcmjlio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhgmcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfchlbfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npgmpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbmohmoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Infhebbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofijnbkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jecampmk.dll" Cmmbbejp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bhpfqcln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dolmodpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipkdek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jppadk32.dll" Objpoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajgflp32.dll" Fcniglmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdhedh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efeihb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddnobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iilpao32.dll" Qbngeadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjpbam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghgmioe.dll" Cklhcfle.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdaile32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Infhebbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apddkmko.dll" Lankbigo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lclpdncg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lndagg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjdpelnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhain32.dll" Ggahedjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhanngbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbkfbcpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejccgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kideagnd.dll" Hkbmqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjgjmg32.dll" Hibjli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjbcplpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiacacpg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
2f89f8730aadf6b36d6c747b69fdf3f19c19f64dcbed93cc3b5828a0928e47e8.exeKndojobi.exeKijchhbo.exeKkhpdcab.exeKaehljpj.exeKilpmh32.exeKjmmepfj.exeKinmcg32.exeKjpijpdg.exeLajagj32.exeLiqihglg.exeLnnbqnjn.exeLicfngjd.exeLankbigo.exeLieccf32.exeLaqhhi32.exeLndham32.exeLhmmjbkf.exeMbbagk32.exeMhoipb32.exeMahnhhod.exeMhafeb32.exedescription pid Process procid_target PID 1236 wrote to memory of 4748 1236 2f89f8730aadf6b36d6c747b69fdf3f19c19f64dcbed93cc3b5828a0928e47e8.exe 82 PID 1236 wrote to memory of 4748 1236 2f89f8730aadf6b36d6c747b69fdf3f19c19f64dcbed93cc3b5828a0928e47e8.exe 82 PID 1236 wrote to memory of 4748 1236 2f89f8730aadf6b36d6c747b69fdf3f19c19f64dcbed93cc3b5828a0928e47e8.exe 82 PID 4748 wrote to memory of 804 4748 Kndojobi.exe 83 PID 4748 wrote to memory of 804 4748 Kndojobi.exe 83 PID 4748 wrote to memory of 804 4748 Kndojobi.exe 83 PID 804 wrote to memory of 1520 804 Kijchhbo.exe 84 PID 804 wrote to memory of 1520 804 Kijchhbo.exe 84 PID 804 wrote to memory of 1520 804 Kijchhbo.exe 84 PID 1520 wrote to memory of 4000 1520 Kkhpdcab.exe 85 PID 1520 wrote to memory of 4000 1520 Kkhpdcab.exe 85 PID 1520 wrote to memory of 4000 1520 Kkhpdcab.exe 85 PID 4000 wrote to memory of 4768 4000 Kaehljpj.exe 86 PID 4000 wrote to memory of 4768 4000 Kaehljpj.exe 86 PID 4000 wrote to memory of 4768 4000 Kaehljpj.exe 86 PID 4768 wrote to memory of 2308 4768 Kilpmh32.exe 87 PID 4768 wrote to memory of 2308 4768 Kilpmh32.exe 87 PID 4768 wrote to memory of 2308 4768 Kilpmh32.exe 87 PID 2308 wrote to memory of 4584 2308 Kjmmepfj.exe 88 PID 2308 wrote to memory of 4584 2308 Kjmmepfj.exe 88 PID 2308 wrote to memory of 4584 2308 Kjmmepfj.exe 88 PID 4584 wrote to memory of 4464 4584 Kinmcg32.exe 89 PID 4584 wrote to memory of 4464 4584 Kinmcg32.exe 89 PID 4584 wrote to memory of 4464 4584 Kinmcg32.exe 89 PID 4464 wrote to memory of 4580 4464 Kjpijpdg.exe 90 PID 4464 wrote to memory of 4580 4464 Kjpijpdg.exe 90 PID 4464 wrote to memory of 4580 4464 Kjpijpdg.exe 90 PID 4580 wrote to memory of 4308 4580 Lajagj32.exe 91 PID 4580 wrote to memory of 4308 4580 Lajagj32.exe 91 PID 4580 wrote to memory of 4308 4580 Lajagj32.exe 91 PID 4308 wrote to memory of 1580 4308 Liqihglg.exe 92 PID 4308 wrote to memory of 1580 4308 Liqihglg.exe 92 PID 4308 wrote to memory of 1580 4308 Liqihglg.exe 92 PID 1580 wrote to memory of 2404 1580 Lnnbqnjn.exe 93 PID 1580 wrote to memory of 2404 1580 Lnnbqnjn.exe 93 PID 1580 wrote to memory of 2404 1580 Lnnbqnjn.exe 93 PID 2404 wrote to memory of 3576 2404 Licfngjd.exe 94 PID 2404 wrote to memory of 3576 2404 Licfngjd.exe 94 PID 2404 wrote to memory of 3576 2404 Licfngjd.exe 94 PID 3576 wrote to memory of 4032 3576 Lankbigo.exe 95 PID 3576 wrote to memory of 4032 3576 Lankbigo.exe 95 PID 3576 wrote to memory of 4032 3576 Lankbigo.exe 95 PID 4032 wrote to memory of 2916 4032 Lieccf32.exe 96 PID 4032 wrote to memory of 2916 4032 Lieccf32.exe 96 PID 4032 wrote to memory of 2916 4032 Lieccf32.exe 96 PID 2916 wrote to memory of 4512 2916 Laqhhi32.exe 97 PID 2916 wrote to memory of 4512 2916 Laqhhi32.exe 97 PID 2916 wrote to memory of 4512 2916 Laqhhi32.exe 97 PID 4512 wrote to memory of 2936 4512 Lndham32.exe 98 PID 4512 wrote to memory of 2936 4512 Lndham32.exe 98 PID 4512 wrote to memory of 2936 4512 Lndham32.exe 98 PID 2936 wrote to memory of 264 2936 Lhmmjbkf.exe 99 PID 2936 wrote to memory of 264 2936 Lhmmjbkf.exe 99 PID 2936 wrote to memory of 264 2936 Lhmmjbkf.exe 99 PID 264 wrote to memory of 3484 264 Mbbagk32.exe 100 PID 264 wrote to memory of 3484 264 Mbbagk32.exe 100 PID 264 wrote to memory of 3484 264 Mbbagk32.exe 100 PID 3484 wrote to memory of 1172 3484 Mhoipb32.exe 101 PID 3484 wrote to memory of 1172 3484 Mhoipb32.exe 101 PID 3484 wrote to memory of 1172 3484 Mhoipb32.exe 101 PID 1172 wrote to memory of 3808 1172 Mahnhhod.exe 102 PID 1172 wrote to memory of 3808 1172 Mahnhhod.exe 102 PID 1172 wrote to memory of 3808 1172 Mahnhhod.exe 102 PID 3808 wrote to memory of 5056 3808 Mhafeb32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\2f89f8730aadf6b36d6c747b69fdf3f19c19f64dcbed93cc3b5828a0928e47e8.exe"C:\Users\Admin\AppData\Local\Temp\2f89f8730aadf6b36d6c747b69fdf3f19c19f64dcbed93cc3b5828a0928e47e8.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Kndojobi.exeC:\Windows\system32\Kndojobi.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\SysWOW64\Kijchhbo.exeC:\Windows\system32\Kijchhbo.exe3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:804 -
C:\Windows\SysWOW64\Kkhpdcab.exeC:\Windows\system32\Kkhpdcab.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Kaehljpj.exeC:\Windows\system32\Kaehljpj.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4000 -
C:\Windows\SysWOW64\Kilpmh32.exeC:\Windows\system32\Kilpmh32.exe6⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4768 -
C:\Windows\SysWOW64\Kjmmepfj.exeC:\Windows\system32\Kjmmepfj.exe7⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Kinmcg32.exeC:\Windows\system32\Kinmcg32.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4584 -
C:\Windows\SysWOW64\Kjpijpdg.exeC:\Windows\system32\Kjpijpdg.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4464 -
C:\Windows\SysWOW64\Lajagj32.exeC:\Windows\system32\Lajagj32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4580 -
C:\Windows\SysWOW64\Liqihglg.exeC:\Windows\system32\Liqihglg.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4308 -
C:\Windows\SysWOW64\Lnnbqnjn.exeC:\Windows\system32\Lnnbqnjn.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\SysWOW64\Licfngjd.exeC:\Windows\system32\Licfngjd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Lankbigo.exeC:\Windows\system32\Lankbigo.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3576 -
C:\Windows\SysWOW64\Lieccf32.exeC:\Windows\system32\Lieccf32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4032 -
C:\Windows\SysWOW64\Laqhhi32.exeC:\Windows\system32\Laqhhi32.exe16⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Lndham32.exeC:\Windows\system32\Lndham32.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4512 -
C:\Windows\SysWOW64\Lhmmjbkf.exeC:\Windows\system32\Lhmmjbkf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Mbbagk32.exeC:\Windows\system32\Mbbagk32.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Mhoipb32.exeC:\Windows\system32\Mhoipb32.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3484 -
C:\Windows\SysWOW64\Mahnhhod.exeC:\Windows\system32\Mahnhhod.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\SysWOW64\Mhafeb32.exeC:\Windows\system32\Mhafeb32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\SysWOW64\Mjpbam32.exeC:\Windows\system32\Mjpbam32.exe23⤵
- Executes dropped EXE
- Modifies registry class
PID:5056 -
C:\Windows\SysWOW64\Meefofek.exeC:\Windows\system32\Meefofek.exe24⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Mhdckaeo.exeC:\Windows\system32\Mhdckaeo.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1456 -
C:\Windows\SysWOW64\Mjbogmdb.exeC:\Windows\system32\Mjbogmdb.exe26⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Mhfppabl.exeC:\Windows\system32\Mhfppabl.exe27⤵
- Executes dropped EXE
PID:4860 -
C:\Windows\SysWOW64\Mjellmbp.exeC:\Windows\system32\Mjellmbp.exe28⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Maodigil.exeC:\Windows\system32\Maodigil.exe29⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Nbnpcj32.exeC:\Windows\system32\Nbnpcj32.exe30⤵
- Executes dropped EXE
PID:3544 -
C:\Windows\SysWOW64\Nemmoe32.exeC:\Windows\system32\Nemmoe32.exe31⤵
- Executes dropped EXE
PID:4036 -
C:\Windows\SysWOW64\Nlfelogp.exeC:\Windows\system32\Nlfelogp.exe32⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Nacmdf32.exeC:\Windows\system32\Nacmdf32.exe33⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Nklbmllg.exeC:\Windows\system32\Nklbmllg.exe34⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Nhpbfpka.exeC:\Windows\system32\Nhpbfpka.exe35⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Neccpd32.exeC:\Windows\system32\Neccpd32.exe36⤵
- Executes dropped EXE
PID:4352 -
C:\Windows\SysWOW64\Nbgcih32.exeC:\Windows\system32\Nbgcih32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3452 -
C:\Windows\SysWOW64\Objpoh32.exeC:\Windows\system32\Objpoh32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:4504 -
C:\Windows\SysWOW64\Oehlkc32.exeC:\Windows\system32\Oehlkc32.exe39⤵
- Executes dropped EXE
PID:4436 -
C:\Windows\SysWOW64\Ooqqdi32.exeC:\Windows\system32\Ooqqdi32.exe40⤵
- Executes dropped EXE
PID:4232 -
C:\Windows\SysWOW64\Oocmii32.exeC:\Windows\system32\Oocmii32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4460 -
C:\Windows\SysWOW64\Oemefcap.exeC:\Windows\system32\Oemefcap.exe42⤵
- Executes dropped EXE
PID:3972 -
C:\Windows\SysWOW64\Okjnnj32.exeC:\Windows\system32\Okjnnj32.exe43⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Olijhmgj.exeC:\Windows\system32\Olijhmgj.exe44⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Oimkbaed.exeC:\Windows\system32\Oimkbaed.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1180 -
C:\Windows\SysWOW64\Pojcjh32.exeC:\Windows\system32\Pojcjh32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4092 -
C:\Windows\SysWOW64\Piphgq32.exeC:\Windows\system32\Piphgq32.exe47⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Phedhmhi.exeC:\Windows\system32\Phedhmhi.exe48⤵
- Executes dropped EXE
PID:4332 -
C:\Windows\SysWOW64\Peieba32.exeC:\Windows\system32\Peieba32.exe49⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Pkenjh32.exeC:\Windows\system32\Pkenjh32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1672 -
C:\Windows\SysWOW64\Phincl32.exeC:\Windows\system32\Phincl32.exe51⤵
- Executes dropped EXE
PID:64 -
C:\Windows\SysWOW64\Pabblb32.exeC:\Windows\system32\Pabblb32.exe52⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Pemomqcn.exeC:\Windows\system32\Pemomqcn.exe53⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Qkjgegae.exeC:\Windows\system32\Qkjgegae.exe54⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Qcaofebg.exeC:\Windows\system32\Qcaofebg.exe55⤵
- Executes dropped EXE
PID:4100 -
C:\Windows\SysWOW64\Qhngolpo.exeC:\Windows\system32\Qhngolpo.exe56⤵
- Executes dropped EXE
PID:184 -
C:\Windows\SysWOW64\Qebhhp32.exeC:\Windows\system32\Qebhhp32.exe57⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Akoqpg32.exeC:\Windows\system32\Akoqpg32.exe58⤵
- Executes dropped EXE
PID:5064 -
C:\Windows\SysWOW64\Aaiimadl.exeC:\Windows\system32\Aaiimadl.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3744 -
C:\Windows\SysWOW64\Ajpqnneo.exeC:\Windows\system32\Ajpqnneo.exe60⤵
- Executes dropped EXE
PID:4844 -
C:\Windows\SysWOW64\Alnmjjdb.exeC:\Windows\system32\Alnmjjdb.exe61⤵
- Executes dropped EXE
PID:4840 -
C:\Windows\SysWOW64\Achegd32.exeC:\Windows\system32\Achegd32.exe62⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Ajbmdn32.exeC:\Windows\system32\Ajbmdn32.exe63⤵
- Executes dropped EXE
PID:4384 -
C:\Windows\SysWOW64\Afinioip.exeC:\Windows\system32\Afinioip.exe64⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Aoabad32.exeC:\Windows\system32\Aoabad32.exe65⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Acokhc32.exeC:\Windows\system32\Acokhc32.exe66⤵
- System Location Discovery: System Language Discovery
PID:3580 -
C:\Windows\SysWOW64\Bcahmb32.exeC:\Windows\system32\Bcahmb32.exe67⤵
- System Location Discovery: System Language Discovery
PID:3088 -
C:\Windows\SysWOW64\Bljlfh32.exeC:\Windows\system32\Bljlfh32.exe68⤵PID:2888
-
C:\Windows\SysWOW64\Bhamkipi.exeC:\Windows\system32\Bhamkipi.exe69⤵PID:4896
-
C:\Windows\SysWOW64\Bjpjel32.exeC:\Windows\system32\Bjpjel32.exe70⤵PID:100
-
C:\Windows\SysWOW64\Bjbfklei.exeC:\Windows\system32\Bjbfklei.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2932 -
C:\Windows\SysWOW64\Bmabggdm.exeC:\Windows\system32\Bmabggdm.exe72⤵PID:4588
-
C:\Windows\SysWOW64\Bopocbcq.exeC:\Windows\system32\Bopocbcq.exe73⤵PID:1412
-
C:\Windows\SysWOW64\Cfigpm32.exeC:\Windows\system32\Cfigpm32.exe74⤵PID:3888
-
C:\Windows\SysWOW64\Cihclh32.exeC:\Windows\system32\Cihclh32.exe75⤵PID:3672
-
C:\Windows\SysWOW64\Ckfphc32.exeC:\Windows\system32\Ckfphc32.exe76⤵PID:4876
-
C:\Windows\SysWOW64\Ccmgiaig.exeC:\Windows\system32\Ccmgiaig.exe77⤵
- System Location Discovery: System Language Discovery
PID:720 -
C:\Windows\SysWOW64\Cfldelik.exeC:\Windows\system32\Cfldelik.exe78⤵PID:316
-
C:\Windows\SysWOW64\Cijpahho.exeC:\Windows\system32\Cijpahho.exe79⤵PID:4244
-
C:\Windows\SysWOW64\Cmflbf32.exeC:\Windows\system32\Cmflbf32.exe80⤵PID:1280
-
C:\Windows\SysWOW64\Ckilmcgb.exeC:\Windows\system32\Ckilmcgb.exe81⤵PID:1176
-
C:\Windows\SysWOW64\Ccpdoqgd.exeC:\Windows\system32\Ccpdoqgd.exe82⤵
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Cfnqklgh.exeC:\Windows\system32\Cfnqklgh.exe83⤵PID:4796
-
C:\Windows\SysWOW64\Cimmggfl.exeC:\Windows\system32\Cimmggfl.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2292 -
C:\Windows\SysWOW64\Cofecami.exeC:\Windows\system32\Cofecami.exe85⤵PID:32
-
C:\Windows\SysWOW64\Cjliajmo.exeC:\Windows\system32\Cjliajmo.exe86⤵PID:3488
-
C:\Windows\SysWOW64\Cfcjfk32.exeC:\Windows\system32\Cfcjfk32.exe87⤵PID:4116
-
C:\Windows\SysWOW64\Cmmbbejp.exeC:\Windows\system32\Cmmbbejp.exe88⤵
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Dbjkkl32.exeC:\Windows\system32\Dbjkkl32.exe89⤵PID:3380
-
C:\Windows\SysWOW64\Diccgfpd.exeC:\Windows\system32\Diccgfpd.exe90⤵PID:3584
-
C:\Windows\SysWOW64\Dkbocbog.exeC:\Windows\system32\Dkbocbog.exe91⤵PID:1636
-
C:\Windows\SysWOW64\Dpnkdq32.exeC:\Windows\system32\Dpnkdq32.exe92⤵PID:3288
-
C:\Windows\SysWOW64\Djcoai32.exeC:\Windows\system32\Djcoai32.exe93⤵PID:4672
-
C:\Windows\SysWOW64\Dkdliame.exeC:\Windows\system32\Dkdliame.exe94⤵PID:4952
-
C:\Windows\SysWOW64\Dlghoa32.exeC:\Windows\system32\Dlghoa32.exe95⤵
- Drops file in System32 directory
PID:392 -
C:\Windows\SysWOW64\Dlieda32.exeC:\Windows\system32\Dlieda32.exe96⤵PID:5028
-
C:\Windows\SysWOW64\Efafgifc.exeC:\Windows\system32\Efafgifc.exe97⤵PID:4992
-
C:\Windows\SysWOW64\Eiobceef.exeC:\Windows\system32\Eiobceef.exe98⤵PID:220
-
C:\Windows\SysWOW64\Epikpo32.exeC:\Windows\system32\Epikpo32.exe99⤵PID:4996
-
C:\Windows\SysWOW64\Ejoomhmi.exeC:\Windows\system32\Ejoomhmi.exe100⤵PID:5140
-
C:\Windows\SysWOW64\Elpkep32.exeC:\Windows\system32\Elpkep32.exe101⤵
- Drops file in System32 directory
PID:5184 -
C:\Windows\SysWOW64\Ecgcfm32.exeC:\Windows\system32\Ecgcfm32.exe102⤵PID:5228
-
C:\Windows\SysWOW64\Elbhjp32.exeC:\Windows\system32\Elbhjp32.exe103⤵PID:5276
-
C:\Windows\SysWOW64\Embddb32.exeC:\Windows\system32\Embddb32.exe104⤵
- System Location Discovery: System Language Discovery
PID:5320 -
C:\Windows\SysWOW64\Fcniglmb.exeC:\Windows\system32\Fcniglmb.exe105⤵
- Modifies registry class
PID:5364 -
C:\Windows\SysWOW64\Ffmfchle.exeC:\Windows\system32\Ffmfchle.exe106⤵PID:5408
-
C:\Windows\SysWOW64\Flinkojm.exeC:\Windows\system32\Flinkojm.exe107⤵PID:5452
-
C:\Windows\SysWOW64\Fbcfhibj.exeC:\Windows\system32\Fbcfhibj.exe108⤵PID:5496
-
C:\Windows\SysWOW64\Fimodc32.exeC:\Windows\system32\Fimodc32.exe109⤵
- System Location Discovery: System Language Discovery
PID:5544 -
C:\Windows\SysWOW64\Fpggamqc.exeC:\Windows\system32\Fpggamqc.exe110⤵
- System Location Discovery: System Language Discovery
PID:5588 -
C:\Windows\SysWOW64\Fjmkoeqi.exeC:\Windows\system32\Fjmkoeqi.exe111⤵
- Modifies registry class
PID:5628 -
C:\Windows\SysWOW64\Flngfn32.exeC:\Windows\system32\Flngfn32.exe112⤵PID:5672
-
C:\Windows\SysWOW64\Fdepgkgj.exeC:\Windows\system32\Fdepgkgj.exe113⤵PID:5716
-
C:\Windows\SysWOW64\Fibhpbea.exeC:\Windows\system32\Fibhpbea.exe114⤵
- Drops file in System32 directory
PID:5760 -
C:\Windows\SysWOW64\Fplpll32.exeC:\Windows\system32\Fplpll32.exe115⤵PID:5800
-
C:\Windows\SysWOW64\Fffhifdk.exeC:\Windows\system32\Fffhifdk.exe116⤵PID:5840
-
C:\Windows\SysWOW64\Fmpqfq32.exeC:\Windows\system32\Fmpqfq32.exe117⤵PID:5884
-
C:\Windows\SysWOW64\Gbmingjo.exeC:\Windows\system32\Gbmingjo.exe118⤵PID:5928
-
C:\Windows\SysWOW64\Gigaka32.exeC:\Windows\system32\Gigaka32.exe119⤵PID:5972
-
C:\Windows\SysWOW64\Gpqjglii.exeC:\Windows\system32\Gpqjglii.exe120⤵PID:6016
-
C:\Windows\SysWOW64\Gfkbde32.exeC:\Windows\system32\Gfkbde32.exe121⤵
- System Location Discovery: System Language Discovery
PID:6060
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-