Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/12/2024, 20:30
Behavioral task
behavioral1
Sample
a0d1dca60a3a6bbe96559d5d6e967f3fbcd3d0a92679ba4b00d6289e63b8c16c.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
Behavioral task
behavioral2
Sample
a0d1dca60a3a6bbe96559d5d6e967f3fbcd3d0a92679ba4b00d6289e63b8c16c.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
120 seconds
General
-
Target
a0d1dca60a3a6bbe96559d5d6e967f3fbcd3d0a92679ba4b00d6289e63b8c16c.exe
-
Size
163KB
-
MD5
a19093e6527dae984fe012710f2ef827
-
SHA1
3f57db1e81477a338daee3e5c84946c996c19d12
-
SHA256
a0d1dca60a3a6bbe96559d5d6e967f3fbcd3d0a92679ba4b00d6289e63b8c16c
-
SHA512
ff6cfc3b3b1f7a8d3e50568185c68381d9f463555ef241bb4d0257151db70bae22b31203bff4ca5ca621909ce20a7b6e881ec03a680e8bcc7f179c43215c50ef
-
SSDEEP
1536:PZa2Hp8JjvVlJhPuKLI8cR43bFdZlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVUA:Ra2J8lVlJwp8VnZltOrWKDBr+yJbA
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqjefamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbndmkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifpelq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejabqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpgfmeag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckiiiine.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpmjcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgpndg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjildbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flqkjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aokckm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfgdmjlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijnnao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpefc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mploiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qboikm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apefjqob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abdbflnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Padccpal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfeeff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efjpkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhfjpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejdfqogm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmaog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbepkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kigndekn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omhhke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgghac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhnmoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nipefmkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohjkcile.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlgndbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hofqpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhcej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihpgce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pddjlb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccnifd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndfpnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahedjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghaeoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppdfimji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bolcma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbllnlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gglbfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnkglj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hclhjpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcandb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jinfli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lenffl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fglfgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkacfiga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hofqpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlmoilni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdoccg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdeoccgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgghac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhbpkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koflgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejklan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhfjjdjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opfegp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obmpgjbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbkjap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onldqejb.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 4 IoCs
resource yara_rule behavioral1/files/0x000500000001a340-340.dat family_bruteratel behavioral1/files/0x000500000001a446-350.dat family_bruteratel behavioral1/files/0x000400000001dfc9-2966.dat family_bruteratel behavioral1/files/0x0004000000020577-4154.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2808 Jmnqje32.exe 2668 Jpmmfp32.exe 2528 Kigndekn.exe 2644 Kgkonj32.exe 2424 Kilgoe32.exe 2692 Kaglcgdc.exe 2144 Kajiigba.exe 2152 Legaoehg.exe 2340 Lanbdf32.exe 2024 Ldmopa32.exe 1796 Lpcoeb32.exe 1320 Ljnqdhga.exe 2940 Mphiqbon.exe 2840 Mqjefamk.exe 1520 Mciabmlo.exe 2844 Mhfjjdjf.exe 2976 Mmccqbpm.exe 616 Mdadjd32.exe 764 Mimpkcdn.exe 2860 Njpihk32.exe 996 Nmofdf32.exe 2220 Nckkgp32.exe 1688 Nfigck32.exe 2932 Njgpij32.exe 1692 Nijpdfhm.exe 2520 Omhhke32.exe 2672 Opfegp32.exe 2616 Oiafee32.exe 2408 Ojbbmnhc.exe 2892 Ojeobm32.exe 1872 Omckoi32.exe 2156 Piliii32.exe 1632 Pacajg32.exe 2020 Pddjlb32.exe 992 Pfbfhm32.exe 2188 Pbigmn32.exe 2372 Pehcij32.exe 1060 Qldhkc32.exe 2716 Qobdgo32.exe 3036 Qlfdac32.exe 2292 Qoeamo32.exe 2012 Qmhahkdj.exe 1532 Agpeaa32.exe 1132 Anljck32.exe 1508 Apkgpf32.exe 2816 Apppkekc.exe 1640 Acnlgajg.exe 2908 Afliclij.exe 3040 Bpbmqe32.exe 2704 Bcpimq32.exe 2576 Bjjaikoa.exe 1364 Baefnmml.exe 2916 Blkjkflb.exe 1048 Bnlgbnbp.exe 2312 Bdfooh32.exe 2180 Bolcma32.exe 1848 Bgghac32.exe 2736 Bjedmo32.exe 808 Bbllnlfd.exe 2136 Ccnifd32.exe 1256 Ckeqga32.exe 3008 Cmfmojcb.exe 288 Cdmepgce.exe 2088 Cjjnhnbl.exe -
Loads dropped DLL 64 IoCs
pid Process 1860 a0d1dca60a3a6bbe96559d5d6e967f3fbcd3d0a92679ba4b00d6289e63b8c16c.exe 1860 a0d1dca60a3a6bbe96559d5d6e967f3fbcd3d0a92679ba4b00d6289e63b8c16c.exe 2808 Jmnqje32.exe 2808 Jmnqje32.exe 2668 Jpmmfp32.exe 2668 Jpmmfp32.exe 2528 Kigndekn.exe 2528 Kigndekn.exe 2644 Kgkonj32.exe 2644 Kgkonj32.exe 2424 Kilgoe32.exe 2424 Kilgoe32.exe 2692 Kaglcgdc.exe 2692 Kaglcgdc.exe 2144 Kajiigba.exe 2144 Kajiigba.exe 2152 Legaoehg.exe 2152 Legaoehg.exe 2340 Lanbdf32.exe 2340 Lanbdf32.exe 2024 Ldmopa32.exe 2024 Ldmopa32.exe 1796 Lpcoeb32.exe 1796 Lpcoeb32.exe 1320 Ljnqdhga.exe 1320 Ljnqdhga.exe 2940 Mphiqbon.exe 2940 Mphiqbon.exe 2840 Mqjefamk.exe 2840 Mqjefamk.exe 1520 Mciabmlo.exe 1520 Mciabmlo.exe 2844 Mhfjjdjf.exe 2844 Mhfjjdjf.exe 2976 Mmccqbpm.exe 2976 Mmccqbpm.exe 616 Mdadjd32.exe 616 Mdadjd32.exe 764 Mimpkcdn.exe 764 Mimpkcdn.exe 2860 Njpihk32.exe 2860 Njpihk32.exe 996 Nmofdf32.exe 996 Nmofdf32.exe 2220 Nckkgp32.exe 2220 Nckkgp32.exe 1688 Nfigck32.exe 1688 Nfigck32.exe 2932 Njgpij32.exe 2932 Njgpij32.exe 1692 Nijpdfhm.exe 1692 Nijpdfhm.exe 2520 Omhhke32.exe 2520 Omhhke32.exe 2672 Opfegp32.exe 2672 Opfegp32.exe 2616 Oiafee32.exe 2616 Oiafee32.exe 2408 Ojbbmnhc.exe 2408 Ojbbmnhc.exe 2892 Ojeobm32.exe 2892 Ojeobm32.exe 1872 Omckoi32.exe 1872 Omckoi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nmofdf32.exe Njpihk32.exe File opened for modification C:\Windows\SysWOW64\Bnlphh32.exe Bgahkngh.exe File created C:\Windows\SysWOW64\Jjlgai32.dll Hlbpme32.exe File opened for modification C:\Windows\SysWOW64\Opccallb.exe Oapcfo32.exe File created C:\Windows\SysWOW64\Dekdikhc.exe Dpnladjl.exe File created C:\Windows\SysWOW64\Ioeclg32.exe Imggplgm.exe File opened for modification C:\Windows\SysWOW64\Ldkdckff.exe Lonlkcho.exe File created C:\Windows\SysWOW64\Hdgkicek.exe Hlpchfdi.exe File created C:\Windows\SysWOW64\Ahedjb32.exe Aeghng32.exe File created C:\Windows\SysWOW64\Kjpceebh.exe Khagijcd.exe File created C:\Windows\SysWOW64\Hjgkgm32.dll Noagjc32.exe File opened for modification C:\Windows\SysWOW64\Aokckm32.exe Aphcppmo.exe File opened for modification C:\Windows\SysWOW64\Hnbcaome.exe Hdjoii32.exe File created C:\Windows\SysWOW64\Ebdqhg32.dll Miapbpmb.exe File opened for modification C:\Windows\SysWOW64\Kelmbifm.exe Kapaaj32.exe File opened for modification C:\Windows\SysWOW64\Cmkfji32.exe Cfanmogq.exe File created C:\Windows\SysWOW64\Iooagm32.dll Pebbcdkn.exe File created C:\Windows\SysWOW64\Malmllfb.exe Momapqgn.exe File created C:\Windows\SysWOW64\Mgkbjb32.exe Manjaldo.exe File created C:\Windows\SysWOW64\Ijqjgo32.exe Ibibfa32.exe File opened for modification C:\Windows\SysWOW64\Gefolhja.exe Gpjfcali.exe File created C:\Windows\SysWOW64\Jfjolf32.exe Iclbpj32.exe File opened for modification C:\Windows\SysWOW64\Kgcnahoo.exe Kpieengb.exe File opened for modification C:\Windows\SysWOW64\Ejioln32.exe Efmckpko.exe File opened for modification C:\Windows\SysWOW64\Ibibfa32.exe Iokfjf32.exe File created C:\Windows\SysWOW64\Jpmooind.exe Jajocl32.exe File opened for modification C:\Windows\SysWOW64\Ncgcdi32.exe Nddcimag.exe File created C:\Windows\SysWOW64\Dgnminke.exe Ddppmclb.exe File opened for modification C:\Windows\SysWOW64\Noagjc32.exe Nhhominh.exe File created C:\Windows\SysWOW64\Dghjkpck.exe Dqobnf32.exe File created C:\Windows\SysWOW64\Neikpfdc.dll Manjaldo.exe File opened for modification C:\Windows\SysWOW64\Omlncc32.exe Ojmbgh32.exe File created C:\Windows\SysWOW64\Oplgeoea.exe Omnkicen.exe File created C:\Windows\SysWOW64\Dakfkb32.dll Oielnd32.exe File created C:\Windows\SysWOW64\Malopkam.dll Akfnkmei.exe File opened for modification C:\Windows\SysWOW64\Kipmhc32.exe Kdbepm32.exe File opened for modification C:\Windows\SysWOW64\Mdendpbg.exe Lnkege32.exe File opened for modification C:\Windows\SysWOW64\Blkmdodf.exe Bafhff32.exe File opened for modification C:\Windows\SysWOW64\Jfagemej.exe Jqeomfgc.exe File created C:\Windows\SysWOW64\Oieqmphd.dll Ckeqga32.exe File created C:\Windows\SysWOW64\Cpbkhabp.exe Chggdoee.exe File created C:\Windows\SysWOW64\Fihfnp32.exe Fhgifgnb.exe File created C:\Windows\SysWOW64\Ldknflmi.dll Pllkpn32.exe File created C:\Windows\SysWOW64\Kfggkc32.exe Jpmooind.exe File opened for modification C:\Windows\SysWOW64\Qobdgo32.exe Qldhkc32.exe File opened for modification C:\Windows\SysWOW64\Mkacfiga.exe Mhcfjnhm.exe File opened for modification C:\Windows\SysWOW64\Pnkglj32.exe Pllkpn32.exe File created C:\Windows\SysWOW64\Ffgfancd.exe Fbkjap32.exe File opened for modification C:\Windows\SysWOW64\Jbphgpfg.exe Jkfpjf32.exe File created C:\Windows\SysWOW64\Ennlbjle.dll Jmgfgham.exe File created C:\Windows\SysWOW64\Fdpcbceo.dll Mphiqbon.exe File opened for modification C:\Windows\SysWOW64\Mdadjd32.exe Mmccqbpm.exe File opened for modification C:\Windows\SysWOW64\Iqfiii32.exe Ifpelq32.exe File created C:\Windows\SysWOW64\Jjnjqb32.exe Jgpndg32.exe File created C:\Windows\SysWOW64\Hajfgnjc.exe Hlmnogkl.exe File opened for modification C:\Windows\SysWOW64\Ojdjqp32.exe Oqlfhjch.exe File created C:\Windows\SysWOW64\Ahfalc32.dll Qoeamo32.exe File created C:\Windows\SysWOW64\Kmkoadgf.dll Ibacbcgg.exe File created C:\Windows\SysWOW64\Pcdbhb32.dll Aipgifcp.exe File created C:\Windows\SysWOW64\Cgogealf.exe Cdqkifmb.exe File opened for modification C:\Windows\SysWOW64\Chbihc32.exe Cfcmlg32.exe File opened for modification C:\Windows\SysWOW64\Bnlgbnbp.exe Blkjkflb.exe File created C:\Windows\SysWOW64\Pbomli32.exe Opaqpn32.exe File created C:\Windows\SysWOW64\Jgpndg32.exe Jeaahk32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abhlak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpndg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpjfcali.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpchfdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmqffonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dncibp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Demaoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnojp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epfhde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfqfpop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfjildbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocpfkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chggdoee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjnhnbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbpekam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nllbdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpnkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llcehg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkddd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnmoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbbklnpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelgcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbenacdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcjjkkji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmnqje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpidki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igebkiof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fikelhib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goocenaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojkhjabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojpaeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbfilffm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbmdhfog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jijacjnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpdankjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noagjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjbmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kipmhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lophacfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boobki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iclbpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpokjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padccpal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfggkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okinik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abgaeddg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocjpkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajfgnjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggjjlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipqicdim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gglbfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Offpbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khagijcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqinhcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmggllha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlafebn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhoeii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbepkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahkok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbajbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpoohik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlboca32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkelpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaoobkci.dll" Agpeaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fliook32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geqlnjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fakglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcgmfgfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnnimkom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbenacdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbepkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leikbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dghjkpck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pebbcdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kppegfpa.dll" Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kenjgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldmopa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goqnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Najeid32.dll" Khagijcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klqddq32.dll" Bdinnqon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfgal32.dll" Klhbdclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hennhl32.dll" Nhqhmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmeedp32.dll" Jgjkfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lofifi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpfkeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bklpjlmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehpcehcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjonoenh.dll" Opaqpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhklji32.dll" Oqennbbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfiebi32.dll" Hnpgloog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocpfkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jndflk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emoldlmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaamhelq.dll" Lpnopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdgbdihl.dll" Gimaah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghekhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goocenaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmbfkh32.dll" Ghdiokbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imogcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adleoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijnnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djafaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaekljjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldmopa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhnmoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfaakfpk.dll" Ofaolcmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faiboc32.dll" Omckoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccnifd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipqicdim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggfbpaeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkooael.dll" Dhgccbhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obmpgjbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbnlaqhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgmaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nddcimag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfaqfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imhhea32.dll" Nakikpin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dncibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfopbgif.dll" Ldgnklmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkldcapk.dll" Egfjdchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejdfqogm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gipngg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqodfpah.dll" Jghqia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcgkdb32.dll" Nbhkmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnkglj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adiaommc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1860 wrote to memory of 2808 1860 a0d1dca60a3a6bbe96559d5d6e967f3fbcd3d0a92679ba4b00d6289e63b8c16c.exe 29 PID 1860 wrote to memory of 2808 1860 a0d1dca60a3a6bbe96559d5d6e967f3fbcd3d0a92679ba4b00d6289e63b8c16c.exe 29 PID 1860 wrote to memory of 2808 1860 a0d1dca60a3a6bbe96559d5d6e967f3fbcd3d0a92679ba4b00d6289e63b8c16c.exe 29 PID 1860 wrote to memory of 2808 1860 a0d1dca60a3a6bbe96559d5d6e967f3fbcd3d0a92679ba4b00d6289e63b8c16c.exe 29 PID 2808 wrote to memory of 2668 2808 Jmnqje32.exe 30 PID 2808 wrote to memory of 2668 2808 Jmnqje32.exe 30 PID 2808 wrote to memory of 2668 2808 Jmnqje32.exe 30 PID 2808 wrote to memory of 2668 2808 Jmnqje32.exe 30 PID 2668 wrote to memory of 2528 2668 Jpmmfp32.exe 31 PID 2668 wrote to memory of 2528 2668 Jpmmfp32.exe 31 PID 2668 wrote to memory of 2528 2668 Jpmmfp32.exe 31 PID 2668 wrote to memory of 2528 2668 Jpmmfp32.exe 31 PID 2528 wrote to memory of 2644 2528 Kigndekn.exe 32 PID 2528 wrote to memory of 2644 2528 Kigndekn.exe 32 PID 2528 wrote to memory of 2644 2528 Kigndekn.exe 32 PID 2528 wrote to memory of 2644 2528 Kigndekn.exe 32 PID 2644 wrote to memory of 2424 2644 Kgkonj32.exe 33 PID 2644 wrote to memory of 2424 2644 Kgkonj32.exe 33 PID 2644 wrote to memory of 2424 2644 Kgkonj32.exe 33 PID 2644 wrote to memory of 2424 2644 Kgkonj32.exe 33 PID 2424 wrote to memory of 2692 2424 Kilgoe32.exe 34 PID 2424 wrote to memory of 2692 2424 Kilgoe32.exe 34 PID 2424 wrote to memory of 2692 2424 Kilgoe32.exe 34 PID 2424 wrote to memory of 2692 2424 Kilgoe32.exe 34 PID 2692 wrote to memory of 2144 2692 Kaglcgdc.exe 35 PID 2692 wrote to memory of 2144 2692 Kaglcgdc.exe 35 PID 2692 wrote to memory of 2144 2692 Kaglcgdc.exe 35 PID 2692 wrote to memory of 2144 2692 Kaglcgdc.exe 35 PID 2144 wrote to memory of 2152 2144 Kajiigba.exe 36 PID 2144 wrote to memory of 2152 2144 Kajiigba.exe 36 PID 2144 wrote to memory of 2152 2144 Kajiigba.exe 36 PID 2144 wrote to memory of 2152 2144 Kajiigba.exe 36 PID 2152 wrote to memory of 2340 2152 Legaoehg.exe 37 PID 2152 wrote to memory of 2340 2152 Legaoehg.exe 37 PID 2152 wrote to memory of 2340 2152 Legaoehg.exe 37 PID 2152 wrote to memory of 2340 2152 Legaoehg.exe 37 PID 2340 wrote to memory of 2024 2340 Lanbdf32.exe 38 PID 2340 wrote to memory of 2024 2340 Lanbdf32.exe 38 PID 2340 wrote to memory of 2024 2340 Lanbdf32.exe 38 PID 2340 wrote to memory of 2024 2340 Lanbdf32.exe 38 PID 2024 wrote to memory of 1796 2024 Ldmopa32.exe 39 PID 2024 wrote to memory of 1796 2024 Ldmopa32.exe 39 PID 2024 wrote to memory of 1796 2024 Ldmopa32.exe 39 PID 2024 wrote to memory of 1796 2024 Ldmopa32.exe 39 PID 1796 wrote to memory of 1320 1796 Lpcoeb32.exe 40 PID 1796 wrote to memory of 1320 1796 Lpcoeb32.exe 40 PID 1796 wrote to memory of 1320 1796 Lpcoeb32.exe 40 PID 1796 wrote to memory of 1320 1796 Lpcoeb32.exe 40 PID 1320 wrote to memory of 2940 1320 Ljnqdhga.exe 41 PID 1320 wrote to memory of 2940 1320 Ljnqdhga.exe 41 PID 1320 wrote to memory of 2940 1320 Ljnqdhga.exe 41 PID 1320 wrote to memory of 2940 1320 Ljnqdhga.exe 41 PID 2940 wrote to memory of 2840 2940 Mphiqbon.exe 42 PID 2940 wrote to memory of 2840 2940 Mphiqbon.exe 42 PID 2940 wrote to memory of 2840 2940 Mphiqbon.exe 42 PID 2940 wrote to memory of 2840 2940 Mphiqbon.exe 42 PID 2840 wrote to memory of 1520 2840 Mqjefamk.exe 43 PID 2840 wrote to memory of 1520 2840 Mqjefamk.exe 43 PID 2840 wrote to memory of 1520 2840 Mqjefamk.exe 43 PID 2840 wrote to memory of 1520 2840 Mqjefamk.exe 43 PID 1520 wrote to memory of 2844 1520 Mciabmlo.exe 44 PID 1520 wrote to memory of 2844 1520 Mciabmlo.exe 44 PID 1520 wrote to memory of 2844 1520 Mciabmlo.exe 44 PID 1520 wrote to memory of 2844 1520 Mciabmlo.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0d1dca60a3a6bbe96559d5d6e967f3fbcd3d0a92679ba4b00d6289e63b8c16c.exe"C:\Users\Admin\AppData\Local\Temp\a0d1dca60a3a6bbe96559d5d6e967f3fbcd3d0a92679ba4b00d6289e63b8c16c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Jmnqje32.exeC:\Windows\system32\Jmnqje32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Jpmmfp32.exeC:\Windows\system32\Jpmmfp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Kigndekn.exeC:\Windows\system32\Kigndekn.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2528 -
C:\Windows\SysWOW64\Kgkonj32.exeC:\Windows\system32\Kgkonj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Kilgoe32.exeC:\Windows\system32\Kilgoe32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Kaglcgdc.exeC:\Windows\system32\Kaglcgdc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Kajiigba.exeC:\Windows\system32\Kajiigba.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Legaoehg.exeC:\Windows\system32\Legaoehg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Lanbdf32.exeC:\Windows\system32\Lanbdf32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Ldmopa32.exeC:\Windows\system32\Ldmopa32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Lpcoeb32.exeC:\Windows\system32\Lpcoeb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Ljnqdhga.exeC:\Windows\system32\Ljnqdhga.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Mphiqbon.exeC:\Windows\system32\Mphiqbon.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Mqjefamk.exeC:\Windows\system32\Mqjefamk.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Mciabmlo.exeC:\Windows\system32\Mciabmlo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1520 -
C:\Windows\SysWOW64\Mhfjjdjf.exeC:\Windows\system32\Mhfjjdjf.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2844 -
C:\Windows\SysWOW64\Mmccqbpm.exeC:\Windows\system32\Mmccqbpm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Mdadjd32.exeC:\Windows\system32\Mdadjd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:616 -
C:\Windows\SysWOW64\Mimpkcdn.exeC:\Windows\system32\Mimpkcdn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:764 -
C:\Windows\SysWOW64\Njpihk32.exeC:\Windows\system32\Njpihk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2860 -
C:\Windows\SysWOW64\Nmofdf32.exeC:\Windows\system32\Nmofdf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:996 -
C:\Windows\SysWOW64\Nckkgp32.exeC:\Windows\system32\Nckkgp32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2220 -
C:\Windows\SysWOW64\Nfigck32.exeC:\Windows\system32\Nfigck32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1688 -
C:\Windows\SysWOW64\Njgpij32.exeC:\Windows\system32\Njgpij32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Nijpdfhm.exeC:\Windows\system32\Nijpdfhm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1692 -
C:\Windows\SysWOW64\Omhhke32.exeC:\Windows\system32\Omhhke32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2520 -
C:\Windows\SysWOW64\Opfegp32.exeC:\Windows\system32\Opfegp32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Oiafee32.exeC:\Windows\system32\Oiafee32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Ojbbmnhc.exeC:\Windows\system32\Ojbbmnhc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Ojeobm32.exeC:\Windows\system32\Ojeobm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Omckoi32.exeC:\Windows\system32\Omckoi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1872 -
C:\Windows\SysWOW64\Piliii32.exeC:\Windows\system32\Piliii32.exe33⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Pacajg32.exeC:\Windows\system32\Pacajg32.exe34⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Pddjlb32.exeC:\Windows\system32\Pddjlb32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Pfbfhm32.exeC:\Windows\system32\Pfbfhm32.exe36⤵
- Executes dropped EXE
PID:992 -
C:\Windows\SysWOW64\Pbigmn32.exeC:\Windows\system32\Pbigmn32.exe37⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Pehcij32.exeC:\Windows\system32\Pehcij32.exe38⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Qldhkc32.exeC:\Windows\system32\Qldhkc32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\Qobdgo32.exeC:\Windows\system32\Qobdgo32.exe40⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Qlfdac32.exeC:\Windows\system32\Qlfdac32.exe41⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Qoeamo32.exeC:\Windows\system32\Qoeamo32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2292 -
C:\Windows\SysWOW64\Qmhahkdj.exeC:\Windows\system32\Qmhahkdj.exe43⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Agpeaa32.exeC:\Windows\system32\Agpeaa32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Anljck32.exeC:\Windows\system32\Anljck32.exe45⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Apkgpf32.exeC:\Windows\system32\Apkgpf32.exe46⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Apppkekc.exeC:\Windows\system32\Apppkekc.exe47⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Acnlgajg.exeC:\Windows\system32\Acnlgajg.exe48⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Afliclij.exeC:\Windows\system32\Afliclij.exe49⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Bpbmqe32.exeC:\Windows\system32\Bpbmqe32.exe50⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Bcpimq32.exeC:\Windows\system32\Bcpimq32.exe51⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Bjjaikoa.exeC:\Windows\system32\Bjjaikoa.exe52⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Baefnmml.exeC:\Windows\system32\Baefnmml.exe53⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Blkjkflb.exeC:\Windows\system32\Blkjkflb.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Bnlgbnbp.exeC:\Windows\system32\Bnlgbnbp.exe55⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Bdfooh32.exeC:\Windows\system32\Bdfooh32.exe56⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Bolcma32.exeC:\Windows\system32\Bolcma32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Bgghac32.exeC:\Windows\system32\Bgghac32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Bjedmo32.exeC:\Windows\system32\Bjedmo32.exe59⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Bbllnlfd.exeC:\Windows\system32\Bbllnlfd.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:808 -
C:\Windows\SysWOW64\Ccnifd32.exeC:\Windows\system32\Ccnifd32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Ckeqga32.exeC:\Windows\system32\Ckeqga32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1256 -
C:\Windows\SysWOW64\Cmfmojcb.exeC:\Windows\system32\Cmfmojcb.exe63⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Cdmepgce.exeC:\Windows\system32\Cdmepgce.exe64⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Cjjnhnbl.exeC:\Windows\system32\Cjjnhnbl.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\Cmhjdiap.exeC:\Windows\system32\Cmhjdiap.exe66⤵PID:3048
-
C:\Windows\SysWOW64\Ccbbachm.exeC:\Windows\system32\Ccbbachm.exe67⤵PID:2864
-
C:\Windows\SysWOW64\Cfanmogq.exeC:\Windows\system32\Cfanmogq.exe68⤵
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Cmkfji32.exeC:\Windows\system32\Cmkfji32.exe69⤵PID:2564
-
C:\Windows\SysWOW64\Cceogcfj.exeC:\Windows\system32\Cceogcfj.exe70⤵PID:2640
-
C:\Windows\SysWOW64\Ciagojda.exeC:\Windows\system32\Ciagojda.exe71⤵PID:2500
-
C:\Windows\SysWOW64\Colpld32.exeC:\Windows\system32\Colpld32.exe72⤵PID:2584
-
C:\Windows\SysWOW64\Cfehhn32.exeC:\Windows\system32\Cfehhn32.exe73⤵PID:2464
-
C:\Windows\SysWOW64\Cmppehkh.exeC:\Windows\system32\Cmppehkh.exe74⤵PID:2304
-
C:\Windows\SysWOW64\Dpnladjl.exeC:\Windows\system32\Dpnladjl.exe75⤵
- Drops file in System32 directory
PID:1032 -
C:\Windows\SysWOW64\Dekdikhc.exeC:\Windows\system32\Dekdikhc.exe76⤵PID:1444
-
C:\Windows\SysWOW64\Dgiaefgg.exeC:\Windows\system32\Dgiaefgg.exe77⤵PID:1292
-
C:\Windows\SysWOW64\Dncibp32.exeC:\Windows\system32\Dncibp32.exe78⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Demaoj32.exeC:\Windows\system32\Demaoj32.exe79⤵
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Dlgjldnm.exeC:\Windows\system32\Dlgjldnm.exe80⤵PID:3044
-
C:\Windows\SysWOW64\Dnefhpma.exeC:\Windows\system32\Dnefhpma.exe81⤵PID:1300
-
C:\Windows\SysWOW64\Dcbnpgkh.exeC:\Windows\system32\Dcbnpgkh.exe82⤵PID:1740
-
C:\Windows\SysWOW64\Deakjjbk.exeC:\Windows\system32\Deakjjbk.exe83⤵PID:1588
-
C:\Windows\SysWOW64\Dhpgfeao.exeC:\Windows\system32\Dhpgfeao.exe84⤵PID:2660
-
C:\Windows\SysWOW64\Djocbqpb.exeC:\Windows\system32\Djocbqpb.exe85⤵PID:2056
-
C:\Windows\SysWOW64\Dahkok32.exeC:\Windows\system32\Dahkok32.exe86⤵
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Efedga32.exeC:\Windows\system32\Efedga32.exe87⤵PID:2300
-
C:\Windows\SysWOW64\Emoldlmc.exeC:\Windows\system32\Emoldlmc.exe88⤵
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Eakhdj32.exeC:\Windows\system32\Eakhdj32.exe89⤵PID:2316
-
C:\Windows\SysWOW64\Eblelb32.exeC:\Windows\system32\Eblelb32.exe90⤵PID:324
-
C:\Windows\SysWOW64\Ejcmmp32.exeC:\Windows\system32\Ejcmmp32.exe91⤵PID:2796
-
C:\Windows\SysWOW64\Eldiehbk.exeC:\Windows\system32\Eldiehbk.exe92⤵PID:2392
-
C:\Windows\SysWOW64\Edlafebn.exeC:\Windows\system32\Edlafebn.exe93⤵
- System Location Discovery: System Language Discovery
PID:600 -
C:\Windows\SysWOW64\Efjmbaba.exeC:\Windows\system32\Efjmbaba.exe94⤵PID:2612
-
C:\Windows\SysWOW64\Eihjolae.exeC:\Windows\system32\Eihjolae.exe95⤵PID:1004
-
C:\Windows\SysWOW64\Epbbkf32.exeC:\Windows\system32\Epbbkf32.exe96⤵PID:2076
-
C:\Windows\SysWOW64\Eikfdl32.exeC:\Windows\system32\Eikfdl32.exe97⤵PID:1556
-
C:\Windows\SysWOW64\Elibpg32.exeC:\Windows\system32\Elibpg32.exe98⤵PID:2568
-
C:\Windows\SysWOW64\Eogolc32.exeC:\Windows\system32\Eogolc32.exe99⤵PID:2440
-
C:\Windows\SysWOW64\Eeagimdf.exeC:\Windows\system32\Eeagimdf.exe100⤵PID:2432
-
C:\Windows\SysWOW64\Ehpcehcj.exeC:\Windows\system32\Ehpcehcj.exe101⤵
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Eojlbb32.exeC:\Windows\system32\Eojlbb32.exe102⤵PID:1160
-
C:\Windows\SysWOW64\Fahhnn32.exeC:\Windows\system32\Fahhnn32.exe103⤵PID:304
-
C:\Windows\SysWOW64\Fhbpkh32.exeC:\Windows\system32\Fhbpkh32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3020 -
C:\Windows\SysWOW64\Folhgbid.exeC:\Windows\system32\Folhgbid.exe105⤵PID:1104
-
C:\Windows\SysWOW64\Fakdcnhh.exeC:\Windows\system32\Fakdcnhh.exe106⤵PID:1748
-
C:\Windows\SysWOW64\Fkcilc32.exeC:\Windows\system32\Fkcilc32.exe107⤵PID:1988
-
C:\Windows\SysWOW64\Fhgifgnb.exeC:\Windows\system32\Fhgifgnb.exe108⤵
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Fihfnp32.exeC:\Windows\system32\Fihfnp32.exe109⤵PID:2828
-
C:\Windows\SysWOW64\Faonom32.exeC:\Windows\system32\Faonom32.exe110⤵PID:2700
-
C:\Windows\SysWOW64\Fglfgd32.exeC:\Windows\system32\Fglfgd32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2452 -
C:\Windows\SysWOW64\Fijbco32.exeC:\Windows\system32\Fijbco32.exe112⤵PID:2204
-
C:\Windows\SysWOW64\Fliook32.exeC:\Windows\system32\Fliook32.exe113⤵
- Modifies registry class
PID:1952 -
C:\Windows\SysWOW64\Fccglehn.exeC:\Windows\system32\Fccglehn.exe114⤵PID:1592
-
C:\Windows\SysWOW64\Gmhkin32.exeC:\Windows\system32\Gmhkin32.exe115⤵PID:2348
-
C:\Windows\SysWOW64\Gpggei32.exeC:\Windows\system32\Gpggei32.exe116⤵PID:2212
-
C:\Windows\SysWOW64\Gcedad32.exeC:\Windows\system32\Gcedad32.exe117⤵PID:2804
-
C:\Windows\SysWOW64\Gecpnp32.exeC:\Windows\system32\Gecpnp32.exe118⤵PID:1684
-
C:\Windows\SysWOW64\Gpidki32.exeC:\Windows\system32\Gpidki32.exe119⤵
- System Location Discovery: System Language Discovery
PID:1512 -
C:\Windows\SysWOW64\Gcgqgd32.exeC:\Windows\system32\Gcgqgd32.exe120⤵
- System Location Discovery: System Language Discovery
PID:2000 -
C:\Windows\SysWOW64\Ghdiokbq.exeC:\Windows\system32\Ghdiokbq.exe121⤵
- Modifies registry class
PID:2008
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-