Analysis
-
max time kernel
118s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 22:38
Behavioral task
behavioral1
Sample
19b7dfed1dff57005fa6e76702681ae6659a532418b4ee45ec680e262068f19bN.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
19b7dfed1dff57005fa6e76702681ae6659a532418b4ee45ec680e262068f19bN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
19b7dfed1dff57005fa6e76702681ae6659a532418b4ee45ec680e262068f19bN.exe
-
Size
352KB
-
MD5
0fda44db158758f16fd9d20bda482390
-
SHA1
5870c9a397b186266014ba84c95914ddacecc11f
-
SHA256
19b7dfed1dff57005fa6e76702681ae6659a532418b4ee45ec680e262068f19b
-
SHA512
1a578d497729abb465572b41f02a43d85b7f3452451bc20f512d85b036fb3e546c742a6e10f33c8931b65b59ea979aa81be99ae98acde2e30de41860156c3295
-
SSDEEP
6144:pyQ/pz9iWis/j9SrJz9ieis/j9SrJz9is/j9SrJwWisp:AQWsUasUqsU6sp
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncamen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocjpkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkaane32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkhdnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hocmpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pijgbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnbcaome.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngpcohbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkqiek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chbihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dochelmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qghgigkn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbmom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bojipjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhklna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgoadp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hehhqk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpckce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hecebm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igkhjdde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okinik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjhdpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hadfah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbomli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Figocipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaeqmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhaeldn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijnnao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efoifiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkfojakp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfekec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiilge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcckibfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Negeln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbblkaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmmhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kghmhegc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Malmllfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgpndg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnhhge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emdhhdqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdcfoq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blkmdodf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcggef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfglfdeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nanfqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccnddg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kimjhnnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hganjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pilbocej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpfbegei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbbnjgik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nphpng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oabplobe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbngfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acadchoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beldao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idekbgji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkfojakp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckiiiine.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idmlniea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijnnao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oggeokoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeokba32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2736 Ncamen32.exe 2164 Oepjoa32.exe 2752 Ofafgipc.exe 2744 Opjkpo32.exe 2652 Ogabql32.exe 2100 Omnkicen.exe 1512 Obkcajde.exe 1944 Omphocck.exe 2288 Ocjpkm32.exe 2788 Oekmceaf.exe 448 Opaqpn32.exe 2420 Pbomli32.exe 1140 Phledp32.exe 1360 Pnfnajed.exe 3056 Pilbocej.exe 1156 Pnhjgj32.exe 292 Pebbcdkn.exe 1460 Pjoklkie.exe 1644 Bgmnpn32.exe 3016 Babbng32.exe 2148 Bcflko32.exe 656 Bedhgj32.exe 1884 Bjbqmi32.exe 992 Bckefnki.exe 2852 Coafko32.exe 1540 Cdqkifmb.exe 2860 Cdchneko.exe 2640 Ckmpkpbl.exe 2632 Dgfmep32.exe 2976 Djdjalea.exe 2924 Dcmnja32.exe 2812 Djgfgkbo.exe 2800 Dcageqgm.exe 2200 Dinpnged.exe 2396 Dbgdgm32.exe 2136 Ebialmjb.exe 2120 Elaeeb32.exe 1576 Ejfbfo32.exe 1144 Eelgcg32.exe 2928 Endklmlq.exe 1020 Epfhde32.exe 2300 Ehmpeb32.exe 1432 Edcqjc32.exe 2932 Fjnignob.exe 2348 Floeof32.exe 1248 Ficehj32.exe 700 Fpmned32.exe 2476 Fejfmk32.exe 1868 Fhhbif32.exe 2724 Fbngfo32.exe 2856 Figocipe.exe 2748 Fkilka32.exe 324 Fodgkp32.exe 1736 Facdgl32.exe 2664 Fdapcg32.exe 2920 Fkkhpadq.exe 848 Gaeqmk32.exe 2388 Gkmefaan.exe 3032 Gagmbkik.exe 864 Ghaeoe32.exe 2892 Gkpakq32.exe 2160 Gmnngl32.exe 2468 Gdhfdffl.exe 1288 Ggfbpaeo.exe -
Loads dropped DLL 64 IoCs
pid Process 2008 19b7dfed1dff57005fa6e76702681ae6659a532418b4ee45ec680e262068f19bN.exe 2008 19b7dfed1dff57005fa6e76702681ae6659a532418b4ee45ec680e262068f19bN.exe 2736 Ncamen32.exe 2736 Ncamen32.exe 2164 Oepjoa32.exe 2164 Oepjoa32.exe 2752 Ofafgipc.exe 2752 Ofafgipc.exe 2744 Opjkpo32.exe 2744 Opjkpo32.exe 2652 Ogabql32.exe 2652 Ogabql32.exe 2100 Omnkicen.exe 2100 Omnkicen.exe 1512 Obkcajde.exe 1512 Obkcajde.exe 1944 Omphocck.exe 1944 Omphocck.exe 2288 Ocjpkm32.exe 2288 Ocjpkm32.exe 2788 Oekmceaf.exe 2788 Oekmceaf.exe 448 Opaqpn32.exe 448 Opaqpn32.exe 2420 Pbomli32.exe 2420 Pbomli32.exe 1140 Phledp32.exe 1140 Phledp32.exe 1360 Pnfnajed.exe 1360 Pnfnajed.exe 3056 Pilbocej.exe 3056 Pilbocej.exe 1156 Pnhjgj32.exe 1156 Pnhjgj32.exe 292 Pebbcdkn.exe 292 Pebbcdkn.exe 1460 Pjoklkie.exe 1460 Pjoklkie.exe 1644 Bgmnpn32.exe 1644 Bgmnpn32.exe 3016 Babbng32.exe 3016 Babbng32.exe 2148 Bcflko32.exe 2148 Bcflko32.exe 656 Bedhgj32.exe 656 Bedhgj32.exe 1884 Bjbqmi32.exe 1884 Bjbqmi32.exe 992 Bckefnki.exe 992 Bckefnki.exe 2852 Coafko32.exe 2852 Coafko32.exe 2940 Ckkcep32.exe 2940 Ckkcep32.exe 2860 Cdchneko.exe 2860 Cdchneko.exe 2640 Ckmpkpbl.exe 2640 Ckmpkpbl.exe 2632 Dgfmep32.exe 2632 Dgfmep32.exe 2976 Djdjalea.exe 2976 Djdjalea.exe 2924 Dcmnja32.exe 2924 Dcmnja32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Pkhdnh32.exe Pijgbl32.exe File opened for modification C:\Windows\SysWOW64\Adgein32.exe Aahimb32.exe File opened for modification C:\Windows\SysWOW64\Pmqffonj.exe Pjbjjc32.exe File created C:\Windows\SysWOW64\Ejjnkjiq.dll Fdapcg32.exe File created C:\Windows\SysWOW64\Amhcad32.exe Ajjgei32.exe File created C:\Windows\SysWOW64\Boobki32.exe Bkcfjk32.exe File created C:\Windows\SysWOW64\Ollqllod.exe Ojndpqpq.exe File created C:\Windows\SysWOW64\Pbgefa32.exe Pjpmdd32.exe File created C:\Windows\SysWOW64\Dehdbhgg.dll Hecebm32.exe File created C:\Windows\SysWOW64\Aifjgdkj.exe Aejnfe32.exe File created C:\Windows\SysWOW64\Qfcekf32.dll Jbhhkn32.exe File created C:\Windows\SysWOW64\Pglojj32.exe Ppdfimji.exe File opened for modification C:\Windows\SysWOW64\Pidaba32.exe Pnnmeh32.exe File opened for modification C:\Windows\SysWOW64\Ajamfh32.exe Adgein32.exe File opened for modification C:\Windows\SysWOW64\Oepjoa32.exe Ncamen32.exe File created C:\Windows\SysWOW64\Nilacmgb.dll Pjbjjc32.exe File created C:\Windows\SysWOW64\Ljbipolj.exe Lbkaoalg.exe File created C:\Windows\SysWOW64\Dcming32.dll Pbgefa32.exe File created C:\Windows\SysWOW64\Lilfgq32.exe Lbbnjgik.exe File created C:\Windows\SysWOW64\Edcqjc32.exe Ehmpeb32.exe File created C:\Windows\SysWOW64\Pmpigl32.dll Pglojj32.exe File created C:\Windows\SysWOW64\Nlqiie32.dll Lfhiepbn.exe File created C:\Windows\SysWOW64\Ofmlooqi.dll Pgodcich.exe File created C:\Windows\SysWOW64\Aknpmobg.dll Pilbocej.exe File opened for modification C:\Windows\SysWOW64\Iojopp32.exe Igcgnbim.exe File created C:\Windows\SysWOW64\Aocbokia.exe Appbcn32.exe File created C:\Windows\SysWOW64\Ippdloip.dll Dklepmal.exe File opened for modification C:\Windows\SysWOW64\Fnmjpk32.exe Fjaoplho.exe File opened for modification C:\Windows\SysWOW64\Igkhjdde.exe Idmlniea.exe File created C:\Windows\SysWOW64\Eciljg32.dll Jjnjqb32.exe File created C:\Windows\SysWOW64\Dljfocan.dll Baclaf32.exe File opened for modification C:\Windows\SysWOW64\Hnmcli32.exe Hgckoofa.exe File created C:\Windows\SysWOW64\Hqmnfa32.dll Kbmafngi.exe File created C:\Windows\SysWOW64\Geiilj32.dll Kelmbifm.exe File opened for modification C:\Windows\SysWOW64\Jkopndcb.exe Jfagemej.exe File opened for modification C:\Windows\SysWOW64\Afndjdpe.exe Acohnhab.exe File created C:\Windows\SysWOW64\Pilbocej.exe Pnfnajed.exe File created C:\Windows\SysWOW64\Lceeqk32.dll Fbngfo32.exe File created C:\Windows\SysWOW64\Nphmpc32.dll Lalhgogb.exe File opened for modification C:\Windows\SysWOW64\Nggipg32.exe Nqmqcmdh.exe File created C:\Windows\SysWOW64\Ajamfh32.exe Adgein32.exe File created C:\Windows\SysWOW64\Igcgnbim.exe Idekbgji.exe File created C:\Windows\SysWOW64\Dmddik32.dll Malmllfb.exe File created C:\Windows\SysWOW64\Bedhgj32.exe Bcflko32.exe File created C:\Windows\SysWOW64\Ghbakjma.dll Bnofaf32.exe File created C:\Windows\SysWOW64\Mgbkgheh.dll Gfoeel32.exe File created C:\Windows\SysWOW64\Fmdkki32.dll Ailqfooi.exe File created C:\Windows\SysWOW64\Hgoadp32.exe Hdpehd32.exe File created C:\Windows\SysWOW64\Hnmcli32.exe Hgckoofa.exe File created C:\Windows\SysWOW64\Madcho32.dll Cobhdhha.exe File created C:\Windows\SysWOW64\Gaplfinb.exe Gkedjo32.exe File created C:\Windows\SysWOW64\Epdcmhdd.dll Lhapocoi.exe File created C:\Windows\SysWOW64\Aedkomok.dll Fjnignob.exe File opened for modification C:\Windows\SysWOW64\Jjlmkb32.exe Jgmaog32.exe File created C:\Windows\SysWOW64\Gaeddino.dll Koibpd32.exe File created C:\Windows\SysWOW64\Aooglmid.dll Kccgheib.exe File opened for modification C:\Windows\SysWOW64\Nlanhh32.exe Negeln32.exe File created C:\Windows\SysWOW64\Cpiaipmh.exe Chbihc32.exe File created C:\Windows\SysWOW64\Ncamen32.exe 19b7dfed1dff57005fa6e76702681ae6659a532418b4ee45ec680e262068f19bN.exe File created C:\Windows\SysWOW64\Oekmceaf.exe Ocjpkm32.exe File opened for modification C:\Windows\SysWOW64\Ndafcmci.exe Macjgadf.exe File created C:\Windows\SysWOW64\Knikfnih.exe Kjmoeo32.exe File opened for modification C:\Windows\SysWOW64\Ibibfa32.exe Iokfjf32.exe File created C:\Windows\SysWOW64\Qddcbgfn.dll Maoalb32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlolnllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohengmcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biqfpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaofgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmepanje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beggec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hecebm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjnjqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmcilp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkfojakp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afndjdpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbmom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noojdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epfhde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjmoace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbgefa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnnlboi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egebjmdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iemalkgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Golgon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhcicf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiqjao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmddgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlanhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abinjdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlhddh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aifjgdkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgfkchmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afpapcnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bldpiifb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfjnkne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epqgopbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljkif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ongckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hocmpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnnao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnlhab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfoeel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbjnqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmqffonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeenapck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qghgigkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dinpnged.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipkfkgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipefmkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chbihc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noagjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfnajed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npkdnnfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhnqfla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ninhamne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alofnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omnkicen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnhjgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbbnjgik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhjhdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cojeomee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfllhao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fakglf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejabqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iojopp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igeddb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooofcg32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkqiek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epnkip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbpoebgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joomjp32.dll" Nddcimag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdohpb32.dll" Cdkkcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejabqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elllck32.dll" Iifghk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ainmlomf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaqnb32.dll" Fodgkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjijkmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfqhifni.dll" Mdjihgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjeonbj.dll" Dgfmep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okfampdd.dll" Jjijkmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nelgfoke.dll" Jkopndcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiihig32.dll" Kgjjndeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdnoim32.dll" Mcggef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qaablcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjpdkq32.dll" Fllaopcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnmbihjf.dll" Icabeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofafgipc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nldahn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnhefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anfdhfiq.dll" Bjfpdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Babbng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeganjdl.dll" Odacbpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmncgk32.dll" Gdcfoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgkfkohg.dll" Kkalcdao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbkaoalg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfmqigba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnhjgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lalhgogb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Moenkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lodnjboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmficl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jihdnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qddcbgfn.dll" Maoalb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 19b7dfed1dff57005fa6e76702681ae6659a532418b4ee45ec680e262068f19bN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afpfqffb.dll" Amhcad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjoilfek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkkioeig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mehpga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acpchmhl.dll" Djoeki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emdhhdqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjpmdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmeoijkk.dll" Ngbpehpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdepmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clhecl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkcmjpma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqpebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odcimipf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjoilfek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Einebddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dknnijed.dll" Mdepmh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cceapl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdapcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdojnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgckoofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbbhobn.dll" Djgfgkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonkgg32.dll" Baqhapdj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djgfgkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imhqbkbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koibpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoffeijg.dll" Jqpebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nanfqo32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2008 wrote to memory of 2736 2008 19b7dfed1dff57005fa6e76702681ae6659a532418b4ee45ec680e262068f19bN.exe 30 PID 2008 wrote to memory of 2736 2008 19b7dfed1dff57005fa6e76702681ae6659a532418b4ee45ec680e262068f19bN.exe 30 PID 2008 wrote to memory of 2736 2008 19b7dfed1dff57005fa6e76702681ae6659a532418b4ee45ec680e262068f19bN.exe 30 PID 2008 wrote to memory of 2736 2008 19b7dfed1dff57005fa6e76702681ae6659a532418b4ee45ec680e262068f19bN.exe 30 PID 2736 wrote to memory of 2164 2736 Ncamen32.exe 31 PID 2736 wrote to memory of 2164 2736 Ncamen32.exe 31 PID 2736 wrote to memory of 2164 2736 Ncamen32.exe 31 PID 2736 wrote to memory of 2164 2736 Ncamen32.exe 31 PID 2164 wrote to memory of 2752 2164 Oepjoa32.exe 32 PID 2164 wrote to memory of 2752 2164 Oepjoa32.exe 32 PID 2164 wrote to memory of 2752 2164 Oepjoa32.exe 32 PID 2164 wrote to memory of 2752 2164 Oepjoa32.exe 32 PID 2752 wrote to memory of 2744 2752 Ofafgipc.exe 33 PID 2752 wrote to memory of 2744 2752 Ofafgipc.exe 33 PID 2752 wrote to memory of 2744 2752 Ofafgipc.exe 33 PID 2752 wrote to memory of 2744 2752 Ofafgipc.exe 33 PID 2744 wrote to memory of 2652 2744 Opjkpo32.exe 34 PID 2744 wrote to memory of 2652 2744 Opjkpo32.exe 34 PID 2744 wrote to memory of 2652 2744 Opjkpo32.exe 34 PID 2744 wrote to memory of 2652 2744 Opjkpo32.exe 34 PID 2652 wrote to memory of 2100 2652 Ogabql32.exe 35 PID 2652 wrote to memory of 2100 2652 Ogabql32.exe 35 PID 2652 wrote to memory of 2100 2652 Ogabql32.exe 35 PID 2652 wrote to memory of 2100 2652 Ogabql32.exe 35 PID 2100 wrote to memory of 1512 2100 Omnkicen.exe 36 PID 2100 wrote to memory of 1512 2100 Omnkicen.exe 36 PID 2100 wrote to memory of 1512 2100 Omnkicen.exe 36 PID 2100 wrote to memory of 1512 2100 Omnkicen.exe 36 PID 1512 wrote to memory of 1944 1512 Obkcajde.exe 37 PID 1512 wrote to memory of 1944 1512 Obkcajde.exe 37 PID 1512 wrote to memory of 1944 1512 Obkcajde.exe 37 PID 1512 wrote to memory of 1944 1512 Obkcajde.exe 37 PID 1944 wrote to memory of 2288 1944 Omphocck.exe 38 PID 1944 wrote to memory of 2288 1944 Omphocck.exe 38 PID 1944 wrote to memory of 2288 1944 Omphocck.exe 38 PID 1944 wrote to memory of 2288 1944 Omphocck.exe 38 PID 2288 wrote to memory of 2788 2288 Ocjpkm32.exe 39 PID 2288 wrote to memory of 2788 2288 Ocjpkm32.exe 39 PID 2288 wrote to memory of 2788 2288 Ocjpkm32.exe 39 PID 2288 wrote to memory of 2788 2288 Ocjpkm32.exe 39 PID 2788 wrote to memory of 448 2788 Oekmceaf.exe 40 PID 2788 wrote to memory of 448 2788 Oekmceaf.exe 40 PID 2788 wrote to memory of 448 2788 Oekmceaf.exe 40 PID 2788 wrote to memory of 448 2788 Oekmceaf.exe 40 PID 448 wrote to memory of 2420 448 Opaqpn32.exe 41 PID 448 wrote to memory of 2420 448 Opaqpn32.exe 41 PID 448 wrote to memory of 2420 448 Opaqpn32.exe 41 PID 448 wrote to memory of 2420 448 Opaqpn32.exe 41 PID 2420 wrote to memory of 1140 2420 Pbomli32.exe 42 PID 2420 wrote to memory of 1140 2420 Pbomli32.exe 42 PID 2420 wrote to memory of 1140 2420 Pbomli32.exe 42 PID 2420 wrote to memory of 1140 2420 Pbomli32.exe 42 PID 1140 wrote to memory of 1360 1140 Phledp32.exe 43 PID 1140 wrote to memory of 1360 1140 Phledp32.exe 43 PID 1140 wrote to memory of 1360 1140 Phledp32.exe 43 PID 1140 wrote to memory of 1360 1140 Phledp32.exe 43 PID 1360 wrote to memory of 3056 1360 Pnfnajed.exe 44 PID 1360 wrote to memory of 3056 1360 Pnfnajed.exe 44 PID 1360 wrote to memory of 3056 1360 Pnfnajed.exe 44 PID 1360 wrote to memory of 3056 1360 Pnfnajed.exe 44 PID 3056 wrote to memory of 1156 3056 Pilbocej.exe 45 PID 3056 wrote to memory of 1156 3056 Pilbocej.exe 45 PID 3056 wrote to memory of 1156 3056 Pilbocej.exe 45 PID 3056 wrote to memory of 1156 3056 Pilbocej.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\19b7dfed1dff57005fa6e76702681ae6659a532418b4ee45ec680e262068f19bN.exe"C:\Users\Admin\AppData\Local\Temp\19b7dfed1dff57005fa6e76702681ae6659a532418b4ee45ec680e262068f19bN.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Ncamen32.exeC:\Windows\system32\Ncamen32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Oepjoa32.exeC:\Windows\system32\Oepjoa32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Ofafgipc.exeC:\Windows\system32\Ofafgipc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Ogabql32.exeC:\Windows\system32\Ogabql32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Omnkicen.exeC:\Windows\system32\Omnkicen.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Obkcajde.exeC:\Windows\system32\Obkcajde.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Omphocck.exeC:\Windows\system32\Omphocck.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Ocjpkm32.exeC:\Windows\system32\Ocjpkm32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Oekmceaf.exeC:\Windows\system32\Oekmceaf.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Opaqpn32.exeC:\Windows\system32\Opaqpn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Pbomli32.exeC:\Windows\system32\Pbomli32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\SysWOW64\Phledp32.exeC:\Windows\system32\Phledp32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1140 -
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1360 -
C:\Windows\SysWOW64\Pilbocej.exeC:\Windows\system32\Pilbocej.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Pnhjgj32.exeC:\Windows\system32\Pnhjgj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1156 -
C:\Windows\SysWOW64\Pebbcdkn.exeC:\Windows\system32\Pebbcdkn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:292 -
C:\Windows\SysWOW64\Pjoklkie.exeC:\Windows\system32\Pjoklkie.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1460 -
C:\Windows\SysWOW64\Bgmnpn32.exeC:\Windows\system32\Bgmnpn32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Babbng32.exeC:\Windows\system32\Babbng32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Bcflko32.exeC:\Windows\system32\Bcflko32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Bedhgj32.exeC:\Windows\system32\Bedhgj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:656 -
C:\Windows\SysWOW64\Bjbqmi32.exeC:\Windows\system32\Bjbqmi32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1884 -
C:\Windows\SysWOW64\Bckefnki.exeC:\Windows\system32\Bckefnki.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:992 -
C:\Windows\SysWOW64\Coafko32.exeC:\Windows\system32\Coafko32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2852 -
C:\Windows\SysWOW64\Cdqkifmb.exeC:\Windows\system32\Cdqkifmb.exe27⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Ckkcep32.exeC:\Windows\system32\Ckkcep32.exe28⤵
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Cdchneko.exeC:\Windows\system32\Cdchneko.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Ckmpkpbl.exeC:\Windows\system32\Ckmpkpbl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Dgfmep32.exeC:\Windows\system32\Dgfmep32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Djdjalea.exeC:\Windows\system32\Djdjalea.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Dcmnja32.exeC:\Windows\system32\Dcmnja32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Djgfgkbo.exeC:\Windows\system32\Djgfgkbo.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Dcageqgm.exeC:\Windows\system32\Dcageqgm.exe35⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Dinpnged.exeC:\Windows\system32\Dinpnged.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Dbgdgm32.exeC:\Windows\system32\Dbgdgm32.exe37⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Ebialmjb.exeC:\Windows\system32\Ebialmjb.exe38⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Elaeeb32.exeC:\Windows\system32\Elaeeb32.exe39⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Ejfbfo32.exeC:\Windows\system32\Ejfbfo32.exe40⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Eelgcg32.exeC:\Windows\system32\Eelgcg32.exe41⤵
- Executes dropped EXE
PID:1144 -
C:\Windows\SysWOW64\Endklmlq.exeC:\Windows\system32\Endklmlq.exe42⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Epfhde32.exeC:\Windows\system32\Epfhde32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1020 -
C:\Windows\SysWOW64\Ehmpeb32.exeC:\Windows\system32\Ehmpeb32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Edcqjc32.exeC:\Windows\system32\Edcqjc32.exe45⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Fjnignob.exeC:\Windows\system32\Fjnignob.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Floeof32.exeC:\Windows\system32\Floeof32.exe47⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Ficehj32.exeC:\Windows\system32\Ficehj32.exe48⤵
- Executes dropped EXE
PID:1248 -
C:\Windows\SysWOW64\Fpmned32.exeC:\Windows\system32\Fpmned32.exe49⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Fejfmk32.exeC:\Windows\system32\Fejfmk32.exe50⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Fhhbif32.exeC:\Windows\system32\Fhhbif32.exe51⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Fbngfo32.exeC:\Windows\system32\Fbngfo32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Figocipe.exeC:\Windows\system32\Figocipe.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Fkilka32.exeC:\Windows\system32\Fkilka32.exe54⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Fodgkp32.exeC:\Windows\system32\Fodgkp32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:324 -
C:\Windows\SysWOW64\Facdgl32.exeC:\Windows\system32\Facdgl32.exe56⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Fdapcg32.exeC:\Windows\system32\Fdapcg32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Fkkhpadq.exeC:\Windows\system32\Fkkhpadq.exe58⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Gaeqmk32.exeC:\Windows\system32\Gaeqmk32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Gkmefaan.exeC:\Windows\system32\Gkmefaan.exe60⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Gagmbkik.exeC:\Windows\system32\Gagmbkik.exe61⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Ghaeoe32.exeC:\Windows\system32\Ghaeoe32.exe62⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Gkpakq32.exeC:\Windows\system32\Gkpakq32.exe63⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Gmnngl32.exeC:\Windows\system32\Gmnngl32.exe64⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Gdhfdffl.exeC:\Windows\system32\Gdhfdffl.exe65⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Ggfbpaeo.exeC:\Windows\system32\Ggfbpaeo.exe66⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Gdjcjf32.exeC:\Windows\system32\Gdjcjf32.exe67⤵PID:1756
-
C:\Windows\SysWOW64\Geloanjg.exeC:\Windows\system32\Geloanjg.exe68⤵PID:1592
-
C:\Windows\SysWOW64\Gncgbkki.exeC:\Windows\system32\Gncgbkki.exe69⤵PID:2196
-
C:\Windows\SysWOW64\Goddjc32.exeC:\Windows\system32\Goddjc32.exe70⤵PID:2720
-
C:\Windows\SysWOW64\Genlgnhd.exeC:\Windows\system32\Genlgnhd.exe71⤵PID:2848
-
C:\Windows\SysWOW64\Hlhddh32.exeC:\Windows\system32\Hlhddh32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Hcblqb32.exeC:\Windows\system32\Hcblqb32.exe73⤵PID:2588
-
C:\Windows\SysWOW64\Hjlemlnk.exeC:\Windows\system32\Hjlemlnk.exe74⤵PID:2500
-
C:\Windows\SysWOW64\Hkmaed32.exeC:\Windows\system32\Hkmaed32.exe75⤵PID:2960
-
C:\Windows\SysWOW64\Hoimecmb.exeC:\Windows\system32\Hoimecmb.exe76⤵PID:1256
-
C:\Windows\SysWOW64\Hecebm32.exeC:\Windows\system32\Hecebm32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Hhaanh32.exeC:\Windows\system32\Hhaanh32.exe78⤵PID:752
-
C:\Windows\SysWOW64\Hokjkbkp.exeC:\Windows\system32\Hokjkbkp.exe79⤵PID:2240
-
C:\Windows\SysWOW64\Hajfgnjc.exeC:\Windows\system32\Hajfgnjc.exe80⤵PID:2404
-
C:\Windows\SysWOW64\Hdhbci32.exeC:\Windows\system32\Hdhbci32.exe81⤵PID:1280
-
C:\Windows\SysWOW64\Hhcndhap.exeC:\Windows\system32\Hhcndhap.exe82⤵PID:2132
-
C:\Windows\SysWOW64\Honfqb32.exeC:\Windows\system32\Honfqb32.exe83⤵PID:1260
-
C:\Windows\SysWOW64\Halcmn32.exeC:\Windows\system32\Halcmn32.exe84⤵PID:2452
-
C:\Windows\SysWOW64\Hgiked32.exeC:\Windows\system32\Hgiked32.exe85⤵PID:2440
-
C:\Windows\SysWOW64\Hnbcaome.exeC:\Windows\system32\Hnbcaome.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2392 -
C:\Windows\SysWOW64\Idmlniea.exeC:\Windows\system32\Idmlniea.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Igkhjdde.exeC:\Windows\system32\Igkhjdde.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2092 -
C:\Windows\SysWOW64\Imhqbkbm.exeC:\Windows\system32\Imhqbkbm.exe89⤵
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Iqcmcj32.exeC:\Windows\system32\Iqcmcj32.exe90⤵PID:1844
-
C:\Windows\SysWOW64\Ifpelq32.exeC:\Windows\system32\Ifpelq32.exe91⤵PID:872
-
C:\Windows\SysWOW64\Ingmmn32.exeC:\Windows\system32\Ingmmn32.exe92⤵PID:1684
-
C:\Windows\SysWOW64\Ioiidfon.exeC:\Windows\system32\Ioiidfon.exe93⤵PID:2840
-
C:\Windows\SysWOW64\Ijnnao32.exeC:\Windows\system32\Ijnnao32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Iokfjf32.exeC:\Windows\system32\Iokfjf32.exe95⤵
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Ibibfa32.exeC:\Windows\system32\Ibibfa32.exe96⤵PID:2416
-
C:\Windows\SysWOW64\Imogcj32.exeC:\Windows\system32\Imogcj32.exe97⤵PID:1120
-
C:\Windows\SysWOW64\Iblola32.exeC:\Windows\system32\Iblola32.exe98⤵PID:856
-
C:\Windows\SysWOW64\Iifghk32.exeC:\Windows\system32\Iifghk32.exe99⤵
- Modifies registry class
PID:484 -
C:\Windows\SysWOW64\Jkdcdf32.exeC:\Windows\system32\Jkdcdf32.exe100⤵PID:2244
-
C:\Windows\SysWOW64\Jfjhbo32.exeC:\Windows\system32\Jfjhbo32.exe101⤵PID:1732
-
C:\Windows\SysWOW64\Jihdnk32.exeC:\Windows\system32\Jihdnk32.exe102⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Jnemfa32.exeC:\Windows\system32\Jnemfa32.exe103⤵PID:2212
-
C:\Windows\SysWOW64\Jacibm32.exeC:\Windows\system32\Jacibm32.exe104⤵PID:592
-
C:\Windows\SysWOW64\Jgmaog32.exeC:\Windows\system32\Jgmaog32.exe105⤵
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Jjlmkb32.exeC:\Windows\system32\Jjlmkb32.exe106⤵PID:1204
-
C:\Windows\SysWOW64\Jaeehmko.exeC:\Windows\system32\Jaeehmko.exe107⤵PID:1668
-
C:\Windows\SysWOW64\Jgpndg32.exeC:\Windows\system32\Jgpndg32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2672 -
C:\Windows\SysWOW64\Jjnjqb32.exeC:\Windows\system32\Jjnjqb32.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\Jmlfmn32.exeC:\Windows\system32\Jmlfmn32.exe110⤵PID:2704
-
C:\Windows\SysWOW64\Jcfoihhp.exeC:\Windows\system32\Jcfoihhp.exe111⤵PID:2824
-
C:\Windows\SysWOW64\Jfekec32.exeC:\Windows\system32\Jfekec32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2592 -
C:\Windows\SysWOW64\Jmocbnop.exeC:\Windows\system32\Jmocbnop.exe113⤵PID:904
-
C:\Windows\SysWOW64\Jajocl32.exeC:\Windows\system32\Jajocl32.exe114⤵PID:1856
-
C:\Windows\SysWOW64\Kfggkc32.exeC:\Windows\system32\Kfggkc32.exe115⤵PID:1724
-
C:\Windows\SysWOW64\Kjbclamj.exeC:\Windows\system32\Kjbclamj.exe116⤵PID:1624
-
C:\Windows\SysWOW64\Kamlhl32.exeC:\Windows\system32\Kamlhl32.exe117⤵PID:1524
-
C:\Windows\SysWOW64\Kckhdg32.exeC:\Windows\system32\Kckhdg32.exe118⤵PID:2636
-
C:\Windows\SysWOW64\Kjepaa32.exeC:\Windows\system32\Kjepaa32.exe119⤵PID:2784
-
C:\Windows\SysWOW64\Kmclmm32.exeC:\Windows\system32\Kmclmm32.exe120⤵PID:2872
-
C:\Windows\SysWOW64\Kbpefc32.exeC:\Windows\system32\Kbpefc32.exe121⤵PID:2356
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-