Analysis
-
max time kernel
93s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
23-11-2024 05:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2d4a301fd463aa50a33d4bdbd4538eaf903c00a7677c033bd0e48f4703b45ebf.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
2d4a301fd463aa50a33d4bdbd4538eaf903c00a7677c033bd0e48f4703b45ebf.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
2d4a301fd463aa50a33d4bdbd4538eaf903c00a7677c033bd0e48f4703b45ebf.exe
-
Size
448KB
-
MD5
99f2da802dd4c96ac4998e59f4942234
-
SHA1
3ec23beb43c766a8a36310aeaee9a8a0bf715a66
-
SHA256
2d4a301fd463aa50a33d4bdbd4538eaf903c00a7677c033bd0e48f4703b45ebf
-
SHA512
d8c2a811ca2b2ed4c992cad416e907edeea5cf671afeb2ecf3756737591cbc22fe77a000ebc7c04aba70068c8027d0103cbf389c79daf90cbe5144cef83b8130
-
SSDEEP
6144:Q6TqP5DdUNZUPQ///NR5fLYG3eujPQ///NR5fqZo4tjS6Y5:yxDdKn/NcZ7/NC64tm6Y5
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iapjad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfbqol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peqidn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jolingnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eegidknj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hchfff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilfbpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lanmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bofebqlb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpadpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icnngeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clgpckcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afbbiafj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdockgqp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfkdik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nahemf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pemdic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfigkljk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iobdopna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjdeaohb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aomghchl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdmdlc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dknehe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poqniegj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajfanjqo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jejgcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lelphbon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dekcng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhbnpdnq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abgeiaaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhlkmnmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcnmjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojgado32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aijgemok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipmeej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcodhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aalcdngp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeobidll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kliboh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlfebcnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oenngb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgnkgjgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcgnmlkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkmjbo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdbocl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogcddjpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnqdpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcokaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hacoio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oncpmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foencfda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afmack32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pclolakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fehodaqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkaghf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgbdge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmeemp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfdlehlc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppcplg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjjoob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fljhmmci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icnngeof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhnoocab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knapen32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2892 Lafekm32.exe 2820 Lllihf32.exe 2844 Lnobfn32.exe 2904 Lnaokn32.exe 2708 Ndpmbjbk.exe 2440 Nqkgbkdj.exe 1676 Olehbh32.exe 2112 Olokighn.exe 2320 Pjchjcmf.exe 2176 Pmdalo32.exe 1400 Qamleagn.exe 2896 Akmgoehg.exe 1108 Aefhpc32.exe 2236 Bdbkaoce.exe 368 Cbfhjfdk.exe 2216 Dieiap32.exe 1076 Deljfqmf.exe 2128 Edfqclni.exe 2564 Eibikc32.exe 844 Eponmmaj.exe 1372 Ehjbaooe.exe 964 Fhlogo32.exe 2680 Fljhmmci.exe 2964 Fkpeojha.exe 1692 Fkbadifn.exe 2144 Gcocnk32.exe 1608 Gpccgppq.exe 2828 Gohqhl32.exe 2932 Ghcbga32.exe 2748 Hhhkbqea.exe 2732 Happkf32.exe 2596 Hqemlbqi.exe 2304 Hchbcmlh.exe 2396 Iihgadhl.exe 1020 Ibplji32.exe 2960 Ibeeeijg.exe 1984 Ijpjik32.exe 2004 Jmqckf32.exe 1272 Jfkdik32.exe 2228 Jlkigbef.exe 1160 Kbgnil32.exe 2212 Klocba32.exe 2484 Kalkjh32.exe 2580 Kdmdlc32.exe 640 Kobhillo.exe 1672 Khkmba32.exe 1776 Ldangbhd.exe 1004 Lknbjlnn.exe 1740 Mlfebcnd.exe 2980 Mkkbcpbl.exe 2456 Mdfcaegj.exe 2572 Majdkifd.exe 2716 Mnqdpj32.exe 2536 Ngiiip32.exe 2808 Nfnfjmgp.exe 1172 Nogjbbma.exe 3052 Nkmkgc32.exe 2568 Ndfppije.exe 1744 Ndhlfh32.exe 2488 Onqaonnc.exe 2192 Ojgado32.exe 1848 Ogkbmcba.exe 2412 Ocbbbd32.exe 1488 Onggom32.exe -
Loads dropped DLL 64 IoCs
pid Process 392 2d4a301fd463aa50a33d4bdbd4538eaf903c00a7677c033bd0e48f4703b45ebf.exe 392 2d4a301fd463aa50a33d4bdbd4538eaf903c00a7677c033bd0e48f4703b45ebf.exe 2892 Lafekm32.exe 2892 Lafekm32.exe 2820 Lllihf32.exe 2820 Lllihf32.exe 2844 Lnobfn32.exe 2844 Lnobfn32.exe 2904 Lnaokn32.exe 2904 Lnaokn32.exe 2708 Ndpmbjbk.exe 2708 Ndpmbjbk.exe 2440 Nqkgbkdj.exe 2440 Nqkgbkdj.exe 1676 Olehbh32.exe 1676 Olehbh32.exe 2112 Olokighn.exe 2112 Olokighn.exe 2320 Pjchjcmf.exe 2320 Pjchjcmf.exe 2176 Pmdalo32.exe 2176 Pmdalo32.exe 1400 Qamleagn.exe 1400 Qamleagn.exe 2896 Akmgoehg.exe 2896 Akmgoehg.exe 1108 Aefhpc32.exe 1108 Aefhpc32.exe 2236 Bdbkaoce.exe 2236 Bdbkaoce.exe 368 Cbfhjfdk.exe 368 Cbfhjfdk.exe 2216 Dieiap32.exe 2216 Dieiap32.exe 1076 Deljfqmf.exe 1076 Deljfqmf.exe 2128 Edfqclni.exe 2128 Edfqclni.exe 2564 Eibikc32.exe 2564 Eibikc32.exe 844 Eponmmaj.exe 844 Eponmmaj.exe 1372 Ehjbaooe.exe 1372 Ehjbaooe.exe 964 Fhlogo32.exe 964 Fhlogo32.exe 2680 Fljhmmci.exe 2680 Fljhmmci.exe 2964 Fkpeojha.exe 2964 Fkpeojha.exe 1692 Fkbadifn.exe 1692 Fkbadifn.exe 2144 Gcocnk32.exe 2144 Gcocnk32.exe 1608 Gpccgppq.exe 1608 Gpccgppq.exe 2828 Gohqhl32.exe 2828 Gohqhl32.exe 2932 Ghcbga32.exe 2932 Ghcbga32.exe 2748 Hhhkbqea.exe 2748 Hhhkbqea.exe 2732 Happkf32.exe 2732 Happkf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Akmgoehg.exe Qamleagn.exe File opened for modification C:\Windows\SysWOW64\Pkpacaoj.exe Pagmjlhj.exe File created C:\Windows\SysWOW64\Cgacalph.dll Elbkddpg.exe File opened for modification C:\Windows\SysWOW64\Qpmiahlp.exe Qechqj32.exe File opened for modification C:\Windows\SysWOW64\Dnmada32.exe Dknehe32.exe File opened for modification C:\Windows\SysWOW64\Dcofqphi.exe Dclikp32.exe File opened for modification C:\Windows\SysWOW64\Jafnhl32.exe Jjlfkaqk.exe File opened for modification C:\Windows\SysWOW64\Mdbocl32.exe Mdpbnlbe.exe File opened for modification C:\Windows\SysWOW64\Opdkgj32.exe Ohifch32.exe File created C:\Windows\SysWOW64\Midgogjn.dll Bjcnoe32.exe File created C:\Windows\SysWOW64\Lgapglfh.dll Jojmigpn.exe File opened for modification C:\Windows\SysWOW64\Ipipllec.exe Hgnkgjgh.exe File created C:\Windows\SysWOW64\Gckcpl32.dll Hffkhlof.exe File opened for modification C:\Windows\SysWOW64\Mgalpg32.exe Mdbocl32.exe File created C:\Windows\SysWOW64\Bknabn32.dll Feeldk32.exe File created C:\Windows\SysWOW64\Jfijmdbh.exe Jjcigcmd.exe File created C:\Windows\SysWOW64\Ejgkkf32.dll Bgbncdmm.exe File created C:\Windows\SysWOW64\Deafji32.dll Jjqlbdog.exe File created C:\Windows\SysWOW64\Ljljenoi.exe Ljjnpo32.exe File opened for modification C:\Windows\SysWOW64\Cgdggg32.exe Cecnflpd.exe File opened for modification C:\Windows\SysWOW64\Mjiemdgp.exe Lkblghdj.exe File created C:\Windows\SysWOW64\Joaaeapn.dll Pjemgibi.exe File opened for modification C:\Windows\SysWOW64\Mpegka32.exe Mcafbm32.exe File created C:\Windows\SysWOW64\Mheekb32.exe Momqbm32.exe File opened for modification C:\Windows\SysWOW64\Icnngeof.exe Ipmeej32.exe File opened for modification C:\Windows\SysWOW64\Aehanfgm.exe Aeedhf32.exe File created C:\Windows\SysWOW64\Bqiejned.dll Ncaokgmp.exe File created C:\Windows\SysWOW64\Abnmae32.exe Aghidl32.exe File created C:\Windows\SysWOW64\Lnobfn32.exe Lllihf32.exe File opened for modification C:\Windows\SysWOW64\Blabef32.exe Adenqd32.exe File created C:\Windows\SysWOW64\Gpaikiig.exe Ffghlcei.exe File created C:\Windows\SysWOW64\Gknlbd32.dll Dmbpaa32.exe File created C:\Windows\SysWOW64\Gijfeqbn.dll Pjchjcmf.exe File created C:\Windows\SysWOW64\Hbcdfq32.exe Hbagaa32.exe File opened for modification C:\Windows\SysWOW64\Cocpjf32.exe Cbmoeeod.exe File created C:\Windows\SysWOW64\Aonkammc.dll Jbfalecf.exe File created C:\Windows\SysWOW64\Lmpdoffo.exe Llnhgn32.exe File created C:\Windows\SysWOW64\Dgkike32.exe Dghlfe32.exe File opened for modification C:\Windows\SysWOW64\Dciekjhc.exe Dhcanahm.exe File opened for modification C:\Windows\SysWOW64\Jpnhoh32.exe Jgccjenb.exe File created C:\Windows\SysWOW64\Hjpcdg32.dll Jpnhoh32.exe File created C:\Windows\SysWOW64\Mdfcaegj.exe Mkkbcpbl.exe File opened for modification C:\Windows\SysWOW64\Fgojdj32.exe Fndhed32.exe File opened for modification C:\Windows\SysWOW64\Afbbiafj.exe Acbigfii.exe File created C:\Windows\SysWOW64\Ddbahifh.dll Ncafemqk.exe File created C:\Windows\SysWOW64\Iogkaf32.exe Ilfbpk32.exe File opened for modification C:\Windows\SysWOW64\Ojpedn32.exe Njnion32.exe File created C:\Windows\SysWOW64\Ieplbk32.dll Hcnfllcd.exe File created C:\Windows\SysWOW64\Bbamec32.dll Cdnicemo.exe File opened for modification C:\Windows\SysWOW64\Dlbcgo32.exe Dbjonicb.exe File created C:\Windows\SysWOW64\Lcgnmlkk.exe Lceagmmn.exe File opened for modification C:\Windows\SysWOW64\Fkdbmblb.exe Eegidknj.exe File created C:\Windows\SysWOW64\Gfpamd32.dll Oindpd32.exe File created C:\Windows\SysWOW64\Onjeinde.dll Ffndghdj.exe File created C:\Windows\SysWOW64\Foencfda.exe Fcnmne32.exe File created C:\Windows\SysWOW64\Lgibjo32.dll Fbkgjgqi.exe File opened for modification C:\Windows\SysWOW64\Peqidn32.exe Ppcplg32.exe File created C:\Windows\SysWOW64\Nbfjckjc.exe Nmgeedno.exe File opened for modification C:\Windows\SysWOW64\Ljjkgfig.exe Kaagnp32.exe File created C:\Windows\SysWOW64\Nbnajcig.exe Njcmeqkl.exe File created C:\Windows\SysWOW64\Cbmoeeod.exe Chgkgmoo.exe File opened for modification C:\Windows\SysWOW64\Qecejnco.exe Peqidn32.exe File opened for modification C:\Windows\SysWOW64\Emmnch32.exe Ebgifo32.exe File created C:\Windows\SysWOW64\Fhbnpdnq.exe Fojjfogp.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelinm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcbpemp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiipfbgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gggkqq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfcmcckn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kipfhbmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cblniaii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chafpfqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjemgibi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eklbid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fphgpnhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbkdhohk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agkjknji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikembicd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhadhakp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbckeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqenfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lagjhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opbjpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqbini32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdbkaoce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iapjad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egbcne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnkgjgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dplnpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jafnhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndpmbjbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dknehe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqbbig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jknnoppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppbfmdfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iogbllfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afoqbpid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejpkho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2d4a301fd463aa50a33d4bdbd4538eaf903c00a7677c033bd0e48f4703b45ebf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deljfqmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhhkbqea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Happkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pefmkpbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cignlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdlefd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajfanjqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiepca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofaaghom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlddbgai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgbncdmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfambk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lllihf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnaokn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caijik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbdge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Infefqkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khpccibp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdbocl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enblpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Limogpna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meiigppp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcooo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meiedg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dghlfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afolpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibigeojp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgojdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eilodk32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eicfhb32.dll" Jppbkoaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbahifh.dll" Ncafemqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aalcdngp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhbjdkeh.dll" Lmppmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdnojkck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcegdl32.dll" Djcbib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcmbco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbfalecf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caldepec.dll" Qamleagn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nojljcjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgbldch.dll" Blfodb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pejkdm32.dll" Cfjgopop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlegof32.dll" Cfpinnfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjpljb32.dll" Ejpkho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmjqhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knapen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmgolcng.dll" Mjabhjec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iilqnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aacknfhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emaejfgn.dll" Kalkjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eempcfbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eklbid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pghmeikh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqkdenfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqhmkq32.dll" Lnaokn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oglknfoo.dll" Nlfohb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehhoncce.dll" Hchfff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgmclcjo.dll" Gkjahg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mghgbeni.dll" Eiipfbgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imepio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mccgnc32.dll" Dehfig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogkali32.dll" Jclqefac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llnhikkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddbegmqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deafji32.dll" Jjqlbdog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmggemgf.dll" Kaojiqej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbmoeeod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhlkmnmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfpamd32.dll" Oindpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgjman32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpcngnob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knaocm32.dll" Noepfkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgalpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Conbmfif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npojanqo.dll" Nmgeedno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfpijngn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhnhcnkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbmoeeod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Conbmfif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egobfdpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mahinb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbagaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaocoklg.dll" Infefqkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qechqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kojkqcjm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkmjbo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phcbmend.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcnfllcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odfloh32.dll" Jiqjiojc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpihinap.dll" Afolpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpqoofhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Labamcdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bklpglom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odpljf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 392 wrote to memory of 2892 392 2d4a301fd463aa50a33d4bdbd4538eaf903c00a7677c033bd0e48f4703b45ebf.exe 29 PID 392 wrote to memory of 2892 392 2d4a301fd463aa50a33d4bdbd4538eaf903c00a7677c033bd0e48f4703b45ebf.exe 29 PID 392 wrote to memory of 2892 392 2d4a301fd463aa50a33d4bdbd4538eaf903c00a7677c033bd0e48f4703b45ebf.exe 29 PID 392 wrote to memory of 2892 392 2d4a301fd463aa50a33d4bdbd4538eaf903c00a7677c033bd0e48f4703b45ebf.exe 29 PID 2892 wrote to memory of 2820 2892 Lafekm32.exe 30 PID 2892 wrote to memory of 2820 2892 Lafekm32.exe 30 PID 2892 wrote to memory of 2820 2892 Lafekm32.exe 30 PID 2892 wrote to memory of 2820 2892 Lafekm32.exe 30 PID 2820 wrote to memory of 2844 2820 Lllihf32.exe 31 PID 2820 wrote to memory of 2844 2820 Lllihf32.exe 31 PID 2820 wrote to memory of 2844 2820 Lllihf32.exe 31 PID 2820 wrote to memory of 2844 2820 Lllihf32.exe 31 PID 2844 wrote to memory of 2904 2844 Lnobfn32.exe 32 PID 2844 wrote to memory of 2904 2844 Lnobfn32.exe 32 PID 2844 wrote to memory of 2904 2844 Lnobfn32.exe 32 PID 2844 wrote to memory of 2904 2844 Lnobfn32.exe 32 PID 2904 wrote to memory of 2708 2904 Lnaokn32.exe 33 PID 2904 wrote to memory of 2708 2904 Lnaokn32.exe 33 PID 2904 wrote to memory of 2708 2904 Lnaokn32.exe 33 PID 2904 wrote to memory of 2708 2904 Lnaokn32.exe 33 PID 2708 wrote to memory of 2440 2708 Ndpmbjbk.exe 34 PID 2708 wrote to memory of 2440 2708 Ndpmbjbk.exe 34 PID 2708 wrote to memory of 2440 2708 Ndpmbjbk.exe 34 PID 2708 wrote to memory of 2440 2708 Ndpmbjbk.exe 34 PID 2440 wrote to memory of 1676 2440 Nqkgbkdj.exe 35 PID 2440 wrote to memory of 1676 2440 Nqkgbkdj.exe 35 PID 2440 wrote to memory of 1676 2440 Nqkgbkdj.exe 35 PID 2440 wrote to memory of 1676 2440 Nqkgbkdj.exe 35 PID 1676 wrote to memory of 2112 1676 Olehbh32.exe 36 PID 1676 wrote to memory of 2112 1676 Olehbh32.exe 36 PID 1676 wrote to memory of 2112 1676 Olehbh32.exe 36 PID 1676 wrote to memory of 2112 1676 Olehbh32.exe 36 PID 2112 wrote to memory of 2320 2112 Olokighn.exe 37 PID 2112 wrote to memory of 2320 2112 Olokighn.exe 37 PID 2112 wrote to memory of 2320 2112 Olokighn.exe 37 PID 2112 wrote to memory of 2320 2112 Olokighn.exe 37 PID 2320 wrote to memory of 2176 2320 Pjchjcmf.exe 38 PID 2320 wrote to memory of 2176 2320 Pjchjcmf.exe 38 PID 2320 wrote to memory of 2176 2320 Pjchjcmf.exe 38 PID 2320 wrote to memory of 2176 2320 Pjchjcmf.exe 38 PID 2176 wrote to memory of 1400 2176 Pmdalo32.exe 39 PID 2176 wrote to memory of 1400 2176 Pmdalo32.exe 39 PID 2176 wrote to memory of 1400 2176 Pmdalo32.exe 39 PID 2176 wrote to memory of 1400 2176 Pmdalo32.exe 39 PID 1400 wrote to memory of 2896 1400 Qamleagn.exe 40 PID 1400 wrote to memory of 2896 1400 Qamleagn.exe 40 PID 1400 wrote to memory of 2896 1400 Qamleagn.exe 40 PID 1400 wrote to memory of 2896 1400 Qamleagn.exe 40 PID 2896 wrote to memory of 1108 2896 Akmgoehg.exe 41 PID 2896 wrote to memory of 1108 2896 Akmgoehg.exe 41 PID 2896 wrote to memory of 1108 2896 Akmgoehg.exe 41 PID 2896 wrote to memory of 1108 2896 Akmgoehg.exe 41 PID 1108 wrote to memory of 2236 1108 Aefhpc32.exe 42 PID 1108 wrote to memory of 2236 1108 Aefhpc32.exe 42 PID 1108 wrote to memory of 2236 1108 Aefhpc32.exe 42 PID 1108 wrote to memory of 2236 1108 Aefhpc32.exe 42 PID 2236 wrote to memory of 368 2236 Bdbkaoce.exe 43 PID 2236 wrote to memory of 368 2236 Bdbkaoce.exe 43 PID 2236 wrote to memory of 368 2236 Bdbkaoce.exe 43 PID 2236 wrote to memory of 368 2236 Bdbkaoce.exe 43 PID 368 wrote to memory of 2216 368 Cbfhjfdk.exe 44 PID 368 wrote to memory of 2216 368 Cbfhjfdk.exe 44 PID 368 wrote to memory of 2216 368 Cbfhjfdk.exe 44 PID 368 wrote to memory of 2216 368 Cbfhjfdk.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\2d4a301fd463aa50a33d4bdbd4538eaf903c00a7677c033bd0e48f4703b45ebf.exe"C:\Users\Admin\AppData\Local\Temp\2d4a301fd463aa50a33d4bdbd4538eaf903c00a7677c033bd0e48f4703b45ebf.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Lafekm32.exeC:\Windows\system32\Lafekm32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Lllihf32.exeC:\Windows\system32\Lllihf32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Lnobfn32.exeC:\Windows\system32\Lnobfn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Lnaokn32.exeC:\Windows\system32\Lnaokn32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Ndpmbjbk.exeC:\Windows\system32\Ndpmbjbk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Nqkgbkdj.exeC:\Windows\system32\Nqkgbkdj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Olehbh32.exeC:\Windows\system32\Olehbh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Olokighn.exeC:\Windows\system32\Olokighn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Pjchjcmf.exeC:\Windows\system32\Pjchjcmf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Pmdalo32.exeC:\Windows\system32\Pmdalo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Qamleagn.exeC:\Windows\system32\Qamleagn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Akmgoehg.exeC:\Windows\system32\Akmgoehg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\SysWOW64\Aefhpc32.exeC:\Windows\system32\Aefhpc32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Windows\SysWOW64\Bdbkaoce.exeC:\Windows\system32\Bdbkaoce.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Cbfhjfdk.exeC:\Windows\system32\Cbfhjfdk.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\SysWOW64\Dieiap32.exeC:\Windows\system32\Dieiap32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Deljfqmf.exeC:\Windows\system32\Deljfqmf.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1076 -
C:\Windows\SysWOW64\Edfqclni.exeC:\Windows\system32\Edfqclni.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2128 -
C:\Windows\SysWOW64\Eibikc32.exeC:\Windows\system32\Eibikc32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Eponmmaj.exeC:\Windows\system32\Eponmmaj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Ehjbaooe.exeC:\Windows\system32\Ehjbaooe.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Windows\SysWOW64\Fhlogo32.exeC:\Windows\system32\Fhlogo32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:964 -
C:\Windows\SysWOW64\Fljhmmci.exeC:\Windows\system32\Fljhmmci.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Fkpeojha.exeC:\Windows\system32\Fkpeojha.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2964 -
C:\Windows\SysWOW64\Fkbadifn.exeC:\Windows\system32\Fkbadifn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Gcocnk32.exeC:\Windows\system32\Gcocnk32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2144 -
C:\Windows\SysWOW64\Gpccgppq.exeC:\Windows\system32\Gpccgppq.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Gohqhl32.exeC:\Windows\system32\Gohqhl32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Ghcbga32.exeC:\Windows\system32\Ghcbga32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Hhhkbqea.exeC:\Windows\system32\Hhhkbqea.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Happkf32.exeC:\Windows\system32\Happkf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2732 -
C:\Windows\SysWOW64\Hqemlbqi.exeC:\Windows\system32\Hqemlbqi.exe33⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Hchbcmlh.exeC:\Windows\system32\Hchbcmlh.exe34⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Iihgadhl.exeC:\Windows\system32\Iihgadhl.exe35⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Ibplji32.exeC:\Windows\system32\Ibplji32.exe36⤵
- Executes dropped EXE
PID:1020 -
C:\Windows\SysWOW64\Ibeeeijg.exeC:\Windows\system32\Ibeeeijg.exe37⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Ijpjik32.exeC:\Windows\system32\Ijpjik32.exe38⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Jmqckf32.exeC:\Windows\system32\Jmqckf32.exe39⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Jfkdik32.exeC:\Windows\system32\Jfkdik32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Jlkigbef.exeC:\Windows\system32\Jlkigbef.exe41⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Kbgnil32.exeC:\Windows\system32\Kbgnil32.exe42⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Klocba32.exeC:\Windows\system32\Klocba32.exe43⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Kalkjh32.exeC:\Windows\system32\Kalkjh32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Kdmdlc32.exeC:\Windows\system32\Kdmdlc32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Kobhillo.exeC:\Windows\system32\Kobhillo.exe46⤵
- Executes dropped EXE
PID:640 -
C:\Windows\SysWOW64\Khkmba32.exeC:\Windows\system32\Khkmba32.exe47⤵
- Executes dropped EXE
PID:1672 -
C:\Windows\SysWOW64\Ldangbhd.exeC:\Windows\system32\Ldangbhd.exe48⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Lknbjlnn.exeC:\Windows\system32\Lknbjlnn.exe49⤵
- Executes dropped EXE
PID:1004 -
C:\Windows\SysWOW64\Mlfebcnd.exeC:\Windows\system32\Mlfebcnd.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Mkkbcpbl.exeC:\Windows\system32\Mkkbcpbl.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2980 -
C:\Windows\SysWOW64\Mdfcaegj.exeC:\Windows\system32\Mdfcaegj.exe52⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Majdkifd.exeC:\Windows\system32\Majdkifd.exe53⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Mnqdpj32.exeC:\Windows\system32\Mnqdpj32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Ngiiip32.exeC:\Windows\system32\Ngiiip32.exe55⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Nfnfjmgp.exeC:\Windows\system32\Nfnfjmgp.exe56⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Nogjbbma.exeC:\Windows\system32\Nogjbbma.exe57⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Nkmkgc32.exeC:\Windows\system32\Nkmkgc32.exe58⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Ndfppije.exeC:\Windows\system32\Ndfppije.exe59⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Ndhlfh32.exeC:\Windows\system32\Ndhlfh32.exe60⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Onqaonnc.exeC:\Windows\system32\Onqaonnc.exe61⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Ojgado32.exeC:\Windows\system32\Ojgado32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Ogkbmcba.exeC:\Windows\system32\Ogkbmcba.exe63⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Ocbbbd32.exeC:\Windows\system32\Ocbbbd32.exe64⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Onggom32.exeC:\Windows\system32\Onggom32.exe65⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Ojnhdn32.exeC:\Windows\system32\Ojnhdn32.exe66⤵PID:2476
-
C:\Windows\SysWOW64\Picdejbg.exeC:\Windows\system32\Picdejbg.exe67⤵PID:1992
-
C:\Windows\SysWOW64\Pejejkhl.exeC:\Windows\system32\Pejejkhl.exe68⤵PID:1632
-
C:\Windows\SysWOW64\Pnbjca32.exeC:\Windows\system32\Pnbjca32.exe69⤵PID:884
-
C:\Windows\SysWOW64\Ppbfmdfo.exeC:\Windows\system32\Ppbfmdfo.exe70⤵
- System Location Discovery: System Language Discovery
PID:780 -
C:\Windows\SysWOW64\Pbcooo32.exeC:\Windows\system32\Pbcooo32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Phphgf32.exeC:\Windows\system32\Phphgf32.exe72⤵PID:3000
-
C:\Windows\SysWOW64\Qechqj32.exeC:\Windows\system32\Qechqj32.exe73⤵
- Drops file in System32 directory
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Qpmiahlp.exeC:\Windows\system32\Qpmiahlp.exe74⤵PID:1064
-
C:\Windows\SysWOW64\Abnbccia.exeC:\Windows\system32\Abnbccia.exe75⤵PID:2508
-
C:\Windows\SysWOW64\Abpohb32.exeC:\Windows\system32\Abpohb32.exe76⤵PID:1136
-
C:\Windows\SysWOW64\Aijgemok.exeC:\Windows\system32\Aijgemok.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2172 -
C:\Windows\SysWOW64\Apdobg32.exeC:\Windows\system32\Apdobg32.exe78⤵PID:1296
-
C:\Windows\SysWOW64\Ahpdficc.exeC:\Windows\system32\Ahpdficc.exe79⤵PID:2328
-
C:\Windows\SysWOW64\Aecdpmbm.exeC:\Windows\system32\Aecdpmbm.exe80⤵PID:2260
-
C:\Windows\SysWOW64\Abgeiaaf.exeC:\Windows\system32\Abgeiaaf.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1652 -
C:\Windows\SysWOW64\Bonenbgj.exeC:\Windows\system32\Bonenbgj.exe82⤵PID:340
-
C:\Windows\SysWOW64\Boqbcbeh.exeC:\Windows\system32\Boqbcbeh.exe83⤵PID:1932
-
C:\Windows\SysWOW64\Bdmklico.exeC:\Windows\system32\Bdmklico.exe84⤵PID:1832
-
C:\Windows\SysWOW64\Bcbhmehg.exeC:\Windows\system32\Bcbhmehg.exe85⤵PID:1756
-
C:\Windows\SysWOW64\Bdbdgh32.exeC:\Windows\system32\Bdbdgh32.exe86⤵PID:2688
-
C:\Windows\SysWOW64\Bpieli32.exeC:\Windows\system32\Bpieli32.exe87⤵PID:2292
-
C:\Windows\SysWOW64\Cfemdp32.exeC:\Windows\system32\Cfemdp32.exe88⤵PID:2336
-
C:\Windows\SysWOW64\Conbmfif.exeC:\Windows\system32\Conbmfif.exe89⤵
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Cblniaii.exeC:\Windows\system32\Cblniaii.exe90⤵
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Windows\SysWOW64\Cfjgopop.exeC:\Windows\system32\Cfjgopop.exe91⤵
- Modifies registry class
PID:2068 -
C:\Windows\SysWOW64\Cldolj32.exeC:\Windows\system32\Cldolj32.exe92⤵PID:3056
-
C:\Windows\SysWOW64\Cbagdq32.exeC:\Windows\system32\Cbagdq32.exe93⤵PID:2952
-
C:\Windows\SysWOW64\Chkpakla.exeC:\Windows\system32\Chkpakla.exe94⤵PID:2016
-
C:\Windows\SysWOW64\Djoinbpm.exeC:\Windows\system32\Djoinbpm.exe95⤵PID:2240
-
C:\Windows\SysWOW64\Dqiakm32.exeC:\Windows\system32\Dqiakm32.exe96⤵PID:592
-
C:\Windows\SysWOW64\Dknehe32.exeC:\Windows\system32\Dknehe32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Windows\SysWOW64\Dnmada32.exeC:\Windows\system32\Dnmada32.exe98⤵PID:1944
-
C:\Windows\SysWOW64\Djcbib32.exeC:\Windows\system32\Djcbib32.exe99⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Dggcbf32.exeC:\Windows\system32\Dggcbf32.exe100⤵PID:2656
-
C:\Windows\SysWOW64\Dcnchg32.exeC:\Windows\system32\Dcnchg32.exe101⤵PID:2124
-
C:\Windows\SysWOW64\Dpedmhfi.exeC:\Windows\system32\Dpedmhfi.exe102⤵PID:2448
-
C:\Windows\SysWOW64\Ebcqicem.exeC:\Windows\system32\Ebcqicem.exe103⤵PID:2884
-
C:\Windows\SysWOW64\Epgabhdg.exeC:\Windows\system32\Epgabhdg.exe104⤵PID:2028
-
C:\Windows\SysWOW64\Eipekmjg.exeC:\Windows\system32\Eipekmjg.exe105⤵PID:2352
-
C:\Windows\SysWOW64\Ffoihepa.exeC:\Windows\system32\Ffoihepa.exe106⤵PID:3028
-
C:\Windows\SysWOW64\Fadmenpg.exeC:\Windows\system32\Fadmenpg.exe107⤵PID:3068
-
C:\Windows\SysWOW64\Fmknko32.exeC:\Windows\system32\Fmknko32.exe108⤵PID:1804
-
C:\Windows\SysWOW64\Fianpp32.exeC:\Windows\system32\Fianpp32.exe109⤵PID:2096
-
C:\Windows\SysWOW64\Fehodaqd.exeC:\Windows\system32\Fehodaqd.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2032 -
C:\Windows\SysWOW64\Feklja32.exeC:\Windows\system32\Feklja32.exe111⤵PID:2312
-
C:\Windows\SysWOW64\Gbolce32.exeC:\Windows\system32\Gbolce32.exe112⤵PID:1816
-
C:\Windows\SysWOW64\Gkjahg32.exeC:\Windows\system32\Gkjahg32.exe113⤵
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Gdbeqmag.exeC:\Windows\system32\Gdbeqmag.exe114⤵PID:876
-
C:\Windows\SysWOW64\Gkojcgga.exeC:\Windows\system32\Gkojcgga.exe115⤵PID:2876
-
C:\Windows\SysWOW64\Gaibpa32.exeC:\Windows\system32\Gaibpa32.exe116⤵PID:2696
-
C:\Windows\SysWOW64\Gkaghf32.exeC:\Windows\system32\Gkaghf32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2252 -
C:\Windows\SysWOW64\Hekhid32.exeC:\Windows\system32\Hekhid32.exe118⤵PID:1844
-
C:\Windows\SysWOW64\Hcohbh32.exeC:\Windows\system32\Hcohbh32.exe119⤵PID:800
-
C:\Windows\SysWOW64\Hjkneb32.exeC:\Windows\system32\Hjkneb32.exe120⤵PID:2272
-
C:\Windows\SysWOW64\Hohfmi32.exeC:\Windows\system32\Hohfmi32.exe121⤵PID:2424
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-