Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
09-12-2024 00:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8d6ca2536547b488190199281a3c8cb6d8520e64f23aa658e4ad5056fe06bcc3.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
8d6ca2536547b488190199281a3c8cb6d8520e64f23aa658e4ad5056fe06bcc3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
8d6ca2536547b488190199281a3c8cb6d8520e64f23aa658e4ad5056fe06bcc3.exe
-
Size
80KB
-
MD5
be34d0dbd3e488a205c7c03e0769579e
-
SHA1
dacab4343de1f0b3366d247ddc02c97292f4440c
-
SHA256
8d6ca2536547b488190199281a3c8cb6d8520e64f23aa658e4ad5056fe06bcc3
-
SHA512
e473744c3eea52409034706e37c9b082af07bfd88a63dae67d27ba21e580ddd179fff448361e54807bf06aad5756d4f2cb1f2fa8640e893b89654fdab93fcff1
-
SSDEEP
1536:Ek3Cr9K0GF6I9xjDNMqHBbsXNgXB2L0nS5DUHRbPa9b6i+sIk:u+J98C6NgqwS5DSCopsIk
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egebjmdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmijajbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaplfinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jojloc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kabngjla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkjqcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnckki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjhfjpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngjoif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omqjgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bopknhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efjpkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnjnkkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbojjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmbnam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cojeomee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Johoic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npechhgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pildgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Celpqbon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gminbfoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goapjnoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hipkfkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgckoofa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikocoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfkkeq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pildgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckhpejbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghghnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlbpme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gekhgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abbhje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhpgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjfmem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kglfcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aejglo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Binikb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddppmclb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnmcli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Johoic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmndfnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojkhjabc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cccdjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onkmfofg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfbjdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfcopl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhfjpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofdeeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdcnhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knfopnkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjgcecja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alaccj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bopknhjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnabffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmbabj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abinjdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cabaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feipbefb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbfkeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jegdgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mghfdcdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkdndeon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdcfoq32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1924 Befnbd32.exe 2704 Bdinnqon.exe 2668 Bkcfjk32.exe 2224 Cnabffeo.exe 2596 Ckecpjdh.exe 276 Ccqhdmbc.exe 1592 Ckhpejbf.exe 1004 Cpdhna32.exe 1708 Cccdjl32.exe 2832 Clkicbfa.exe 2352 Cojeomee.exe 2260 Coladm32.exe 1712 Djafaf32.exe 2016 Dbmkfh32.exe 2196 Ddkgbc32.exe 264 Dnckki32.exe 1348 Dboglhna.exe 844 Dkgldm32.exe 1552 Dbadagln.exe 884 Ddppmclb.exe 2728 Dkjhjm32.exe 1604 Djmiejji.exe 2492 Djoeki32.exe 2528 Dmmbge32.exe 2164 Ecgjdong.exe 1616 Eqkjmcmq.exe 2756 Egebjmdn.exe 2764 Eclcon32.exe 2176 Efjpkj32.exe 2776 Ebappk32.exe 552 Eikimeff.exe 1252 Elieipej.exe 1228 Enhaeldn.exe 2532 Fnjnkkbk.exe 900 Faijggao.exe 2804 Fhbbcail.exe 2420 Fakglf32.exe 2916 Fcichb32.exe 352 Feipbefb.exe 1920 Fhglop32.exe 2504 Fappgflg.exe 2296 Ffmipmjn.exe 1732 Fjhdpk32.exe 920 Gjjafkpe.exe 2020 Gminbfoh.exe 2636 Gdcfoq32.exe 2612 Gfabkl32.exe 2204 Gfcopl32.exe 2464 Ghekhd32.exe 2280 Glpgibbn.exe 2924 Gplcia32.exe 2716 Gbjpem32.exe 2072 Gampaipe.exe 2624 Geilah32.exe 1324 Ghghnc32.exe 2216 Gkedjo32.exe 2012 Goapjnoo.exe 2888 Gaplfinb.exe 2824 Gekhgh32.exe 1152 Gdnibdmf.exe 1492 Gleqdb32.exe 2096 Habili32.exe 1364 Hdpehd32.exe 2512 Hhlaiccm.exe -
Loads dropped DLL 64 IoCs
pid Process 1900 8d6ca2536547b488190199281a3c8cb6d8520e64f23aa658e4ad5056fe06bcc3.exe 1900 8d6ca2536547b488190199281a3c8cb6d8520e64f23aa658e4ad5056fe06bcc3.exe 1924 Befnbd32.exe 1924 Befnbd32.exe 2704 Bdinnqon.exe 2704 Bdinnqon.exe 2668 Bkcfjk32.exe 2668 Bkcfjk32.exe 2224 Cnabffeo.exe 2224 Cnabffeo.exe 2596 Ckecpjdh.exe 2596 Ckecpjdh.exe 276 Ccqhdmbc.exe 276 Ccqhdmbc.exe 1592 Ckhpejbf.exe 1592 Ckhpejbf.exe 1004 Cpdhna32.exe 1004 Cpdhna32.exe 1708 Cccdjl32.exe 1708 Cccdjl32.exe 2832 Clkicbfa.exe 2832 Clkicbfa.exe 2352 Cojeomee.exe 2352 Cojeomee.exe 2260 Coladm32.exe 2260 Coladm32.exe 1712 Djafaf32.exe 1712 Djafaf32.exe 2016 Dbmkfh32.exe 2016 Dbmkfh32.exe 2196 Ddkgbc32.exe 2196 Ddkgbc32.exe 264 Dnckki32.exe 264 Dnckki32.exe 1348 Dboglhna.exe 1348 Dboglhna.exe 844 Dkgldm32.exe 844 Dkgldm32.exe 1552 Dbadagln.exe 1552 Dbadagln.exe 884 Ddppmclb.exe 884 Ddppmclb.exe 2728 Dkjhjm32.exe 2728 Dkjhjm32.exe 1604 Djmiejji.exe 1604 Djmiejji.exe 2492 Djoeki32.exe 2492 Djoeki32.exe 2528 Dmmbge32.exe 2528 Dmmbge32.exe 2164 Ecgjdong.exe 2164 Ecgjdong.exe 1616 Eqkjmcmq.exe 1616 Eqkjmcmq.exe 2756 Egebjmdn.exe 2756 Egebjmdn.exe 2764 Eclcon32.exe 2764 Eclcon32.exe 2176 Efjpkj32.exe 2176 Efjpkj32.exe 2776 Ebappk32.exe 2776 Ebappk32.exe 552 Eikimeff.exe 552 Eikimeff.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Cggcofkf.exe Bopknhjd.exe File opened for modification C:\Windows\SysWOW64\Clclhmin.exe Chhpgn32.exe File created C:\Windows\SysWOW64\Celpqbon.exe Clclhmin.exe File opened for modification C:\Windows\SysWOW64\Celpqbon.exe Clclhmin.exe File created C:\Windows\SysWOW64\Kjhfjpdd.exe Kgjjndeq.exe File created C:\Windows\SysWOW64\Bfbjdf32.exe Bdcnhk32.exe File created C:\Windows\SysWOW64\Hcjldp32.exe Hlpchfdi.exe File opened for modification C:\Windows\SysWOW64\Bfpmog32.exe Bdaabk32.exe File created C:\Windows\SysWOW64\Blaobmkq.exe Biccfalm.exe File created C:\Windows\SysWOW64\Fjhdpk32.exe Ffmipmjn.exe File opened for modification C:\Windows\SysWOW64\Fjhdpk32.exe Ffmipmjn.exe File created C:\Windows\SysWOW64\Jqpebg32.exe Jjfmem32.exe File opened for modification C:\Windows\SysWOW64\Mheeif32.exe Mmpakm32.exe File created C:\Windows\SysWOW64\Ogohdeam.exe Ongckp32.exe File created C:\Windows\SysWOW64\Qmcclolh.exe Qfikod32.exe File created C:\Windows\SysWOW64\Biccfalm.exe Bbikig32.exe File created C:\Windows\SysWOW64\Edhnbelc.dll Gleqdb32.exe File created C:\Windows\SysWOW64\Ilemce32.exe Ihiabfhk.exe File opened for modification C:\Windows\SysWOW64\Habili32.exe Gleqdb32.exe File created C:\Windows\SysWOW64\Aqodfpah.dll Jjfmem32.exe File created C:\Windows\SysWOW64\Qcoljb32.dll Mgkbjb32.exe File created C:\Windows\SysWOW64\Aicfgn32.exe Aalofa32.exe File created C:\Windows\SysWOW64\Abkkpd32.exe Alaccj32.exe File created C:\Windows\SysWOW64\Lbogaf32.dll Coladm32.exe File created C:\Windows\SysWOW64\Goapjnoo.exe Gkedjo32.exe File opened for modification C:\Windows\SysWOW64\Mdgmbhgh.exe Mmndfnpl.exe File opened for modification C:\Windows\SysWOW64\Nipefmkb.exe Naimepkp.exe File created C:\Windows\SysWOW64\Nhjdcghg.dll Ollqllod.exe File created C:\Windows\SysWOW64\Fhoedaep.dll Eikimeff.exe File opened for modification C:\Windows\SysWOW64\Kabngjla.exe Kbpnkm32.exe File opened for modification C:\Windows\SysWOW64\Ngoleb32.exe Npechhgd.exe File created C:\Windows\SysWOW64\Elnlcjph.dll Chmibmlo.exe File created C:\Windows\SysWOW64\Mknlhcol.dll Llcehg32.exe File opened for modification C:\Windows\SysWOW64\Nepokogo.exe Mdoccg32.exe File opened for modification C:\Windows\SysWOW64\Gminbfoh.exe Gjjafkpe.exe File created C:\Windows\SysWOW64\Lhoohgdg.exe Lilomj32.exe File created C:\Windows\SysWOW64\Pkjqcg32.exe Pildgl32.exe File created C:\Windows\SysWOW64\Ceqjla32.exe Cniajdkg.exe File opened for modification C:\Windows\SysWOW64\Idekbgji.exe Iohbjpkb.exe File created C:\Windows\SysWOW64\Kolhdbjh.exe Kmnlhg32.exe File opened for modification C:\Windows\SysWOW64\Cojeomee.exe Clkicbfa.exe File created C:\Windows\SysWOW64\Ejcfme32.dll Knohpo32.exe File opened for modification C:\Windows\SysWOW64\Kjhfjpdd.exe Kgjjndeq.exe File created C:\Windows\SysWOW64\Peeabm32.exe Pbgefa32.exe File created C:\Windows\SysWOW64\Amljgema.dll Ciglaa32.exe File created C:\Windows\SysWOW64\Ckecpjdh.exe Cnabffeo.exe File created C:\Windows\SysWOW64\Cljamifd.dll Cpdhna32.exe File created C:\Windows\SysWOW64\Jjfmem32.exe Jkcmjpma.exe File created C:\Windows\SysWOW64\Knohpo32.exe Kolhdbjh.exe File opened for modification C:\Windows\SysWOW64\Knaeeo32.exe Kkciic32.exe File opened for modification C:\Windows\SysWOW64\Kapaaj32.exe Knaeeo32.exe File created C:\Windows\SysWOW64\Ebmjec32.dll Kjmoeo32.exe File created C:\Windows\SysWOW64\Liblfl32.exe Lfdpjp32.exe File created C:\Windows\SysWOW64\Ccqhdmbc.exe Ckecpjdh.exe File created C:\Windows\SysWOW64\Mpqijqhf.dll Jqnhmgmk.exe File created C:\Windows\SysWOW64\Pbgefa32.exe Pkmmigjo.exe File opened for modification C:\Windows\SysWOW64\Qmcclolh.exe Qfikod32.exe File created C:\Windows\SysWOW64\Nakikpin.exe Nchipb32.exe File opened for modification C:\Windows\SysWOW64\Nnbjpqoa.exe Nkdndeon.exe File created C:\Windows\SysWOW64\Nlldmimi.exe Nhqhmj32.exe File created C:\Windows\SysWOW64\Jllaig32.dll Ihiabfhk.exe File created C:\Windows\SysWOW64\Jegdgj32.exe Jbhhkn32.exe File created C:\Windows\SysWOW64\Kgjjndeq.exe Kelmbifm.exe File opened for modification C:\Windows\SysWOW64\Llcehg32.exe Ljbipolj.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faijggao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcmkhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahcjmkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biccfalm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijimli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jojloc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdoccg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnbjpqoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llcehg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollqllod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djoeki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gampaipe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpchfdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkaane32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqjgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bacefpbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgckoofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinfli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Celpqbon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pijgbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chofhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cccdjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmmbge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gplcia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gleqdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcjldp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kabngjla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dboglhna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcleiclo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaekljjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbdcepcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ochenfdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbpme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikocoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kccgheib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jegdgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipefmkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpgibbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbikig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clclhmin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddkgbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elieipej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfhiepbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbagpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdgmbhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohjkcile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciglaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceqjla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdhna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqkjmcmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaplfinb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfacdqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokdja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcnhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpehd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihnjmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcandb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjgcecja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdamao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhpejbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmijajbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqbbhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aalofa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baqhapdj.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfacdqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjmoeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmecbkgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdamao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 8d6ca2536547b488190199281a3c8cb6d8520e64f23aa658e4ad5056fe06bcc3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhlaiccm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlgai32.dll" Hlbpme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpqijqhf.dll" Jqnhmgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lchqcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbdcepcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmpakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kakabjnn.dll" Mdoccg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omqjgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnnfkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bacefpbg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cggcofkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niienepq.dll" Cabaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cabaec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgckoofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqpebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbogqphi.dll" Jcandb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaekljjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmklak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdleiobf.dll" Ljbipolj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnbjpqoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qmcclolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgioeh32.dll" Aejglo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkjhjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikjjda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iklfia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngonaccp.dll" Npechhgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkjqcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dboglhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmmbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdlacfca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbndmh32.dll" Jbfkeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nloachkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onkmfofg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abbhje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coladm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elieipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inmpklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acdlnnal.dll" Bfmqigba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecgjdong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjijkmbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibfmgg32.dll" Kkciic32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liblfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhoohgdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmnpoagb.dll" Mbdcepcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gimpofjk.dll" Ngoleb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahcjmkbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beldao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elnlcjph.dll" Chmibmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 8d6ca2536547b488190199281a3c8cb6d8520e64f23aa658e4ad5056fe06bcc3.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kapaaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Monmegdp.dll" Mokdja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onkmfofg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oellihpf.dll" Qfikod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Codeih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djmiejji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcjldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbgefa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbojjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnfpjc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1900 wrote to memory of 1924 1900 8d6ca2536547b488190199281a3c8cb6d8520e64f23aa658e4ad5056fe06bcc3.exe 30 PID 1900 wrote to memory of 1924 1900 8d6ca2536547b488190199281a3c8cb6d8520e64f23aa658e4ad5056fe06bcc3.exe 30 PID 1900 wrote to memory of 1924 1900 8d6ca2536547b488190199281a3c8cb6d8520e64f23aa658e4ad5056fe06bcc3.exe 30 PID 1900 wrote to memory of 1924 1900 8d6ca2536547b488190199281a3c8cb6d8520e64f23aa658e4ad5056fe06bcc3.exe 30 PID 1924 wrote to memory of 2704 1924 Befnbd32.exe 31 PID 1924 wrote to memory of 2704 1924 Befnbd32.exe 31 PID 1924 wrote to memory of 2704 1924 Befnbd32.exe 31 PID 1924 wrote to memory of 2704 1924 Befnbd32.exe 31 PID 2704 wrote to memory of 2668 2704 Bdinnqon.exe 32 PID 2704 wrote to memory of 2668 2704 Bdinnqon.exe 32 PID 2704 wrote to memory of 2668 2704 Bdinnqon.exe 32 PID 2704 wrote to memory of 2668 2704 Bdinnqon.exe 32 PID 2668 wrote to memory of 2224 2668 Bkcfjk32.exe 33 PID 2668 wrote to memory of 2224 2668 Bkcfjk32.exe 33 PID 2668 wrote to memory of 2224 2668 Bkcfjk32.exe 33 PID 2668 wrote to memory of 2224 2668 Bkcfjk32.exe 33 PID 2224 wrote to memory of 2596 2224 Cnabffeo.exe 34 PID 2224 wrote to memory of 2596 2224 Cnabffeo.exe 34 PID 2224 wrote to memory of 2596 2224 Cnabffeo.exe 34 PID 2224 wrote to memory of 2596 2224 Cnabffeo.exe 34 PID 2596 wrote to memory of 276 2596 Ckecpjdh.exe 35 PID 2596 wrote to memory of 276 2596 Ckecpjdh.exe 35 PID 2596 wrote to memory of 276 2596 Ckecpjdh.exe 35 PID 2596 wrote to memory of 276 2596 Ckecpjdh.exe 35 PID 276 wrote to memory of 1592 276 Ccqhdmbc.exe 36 PID 276 wrote to memory of 1592 276 Ccqhdmbc.exe 36 PID 276 wrote to memory of 1592 276 Ccqhdmbc.exe 36 PID 276 wrote to memory of 1592 276 Ccqhdmbc.exe 36 PID 1592 wrote to memory of 1004 1592 Ckhpejbf.exe 37 PID 1592 wrote to memory of 1004 1592 Ckhpejbf.exe 37 PID 1592 wrote to memory of 1004 1592 Ckhpejbf.exe 37 PID 1592 wrote to memory of 1004 1592 Ckhpejbf.exe 37 PID 1004 wrote to memory of 1708 1004 Cpdhna32.exe 38 PID 1004 wrote to memory of 1708 1004 Cpdhna32.exe 38 PID 1004 wrote to memory of 1708 1004 Cpdhna32.exe 38 PID 1004 wrote to memory of 1708 1004 Cpdhna32.exe 38 PID 1708 wrote to memory of 2832 1708 Cccdjl32.exe 39 PID 1708 wrote to memory of 2832 1708 Cccdjl32.exe 39 PID 1708 wrote to memory of 2832 1708 Cccdjl32.exe 39 PID 1708 wrote to memory of 2832 1708 Cccdjl32.exe 39 PID 2832 wrote to memory of 2352 2832 Clkicbfa.exe 40 PID 2832 wrote to memory of 2352 2832 Clkicbfa.exe 40 PID 2832 wrote to memory of 2352 2832 Clkicbfa.exe 40 PID 2832 wrote to memory of 2352 2832 Clkicbfa.exe 40 PID 2352 wrote to memory of 2260 2352 Cojeomee.exe 41 PID 2352 wrote to memory of 2260 2352 Cojeomee.exe 41 PID 2352 wrote to memory of 2260 2352 Cojeomee.exe 41 PID 2352 wrote to memory of 2260 2352 Cojeomee.exe 41 PID 2260 wrote to memory of 1712 2260 Coladm32.exe 42 PID 2260 wrote to memory of 1712 2260 Coladm32.exe 42 PID 2260 wrote to memory of 1712 2260 Coladm32.exe 42 PID 2260 wrote to memory of 1712 2260 Coladm32.exe 42 PID 1712 wrote to memory of 2016 1712 Djafaf32.exe 43 PID 1712 wrote to memory of 2016 1712 Djafaf32.exe 43 PID 1712 wrote to memory of 2016 1712 Djafaf32.exe 43 PID 1712 wrote to memory of 2016 1712 Djafaf32.exe 43 PID 2016 wrote to memory of 2196 2016 Dbmkfh32.exe 44 PID 2016 wrote to memory of 2196 2016 Dbmkfh32.exe 44 PID 2016 wrote to memory of 2196 2016 Dbmkfh32.exe 44 PID 2016 wrote to memory of 2196 2016 Dbmkfh32.exe 44 PID 2196 wrote to memory of 264 2196 Ddkgbc32.exe 45 PID 2196 wrote to memory of 264 2196 Ddkgbc32.exe 45 PID 2196 wrote to memory of 264 2196 Ddkgbc32.exe 45 PID 2196 wrote to memory of 264 2196 Ddkgbc32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8d6ca2536547b488190199281a3c8cb6d8520e64f23aa658e4ad5056fe06bcc3.exe"C:\Users\Admin\AppData\Local\Temp\8d6ca2536547b488190199281a3c8cb6d8520e64f23aa658e4ad5056fe06bcc3.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Befnbd32.exeC:\Windows\system32\Befnbd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Bdinnqon.exeC:\Windows\system32\Bdinnqon.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Bkcfjk32.exeC:\Windows\system32\Bkcfjk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Cnabffeo.exeC:\Windows\system32\Cnabffeo.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Ckecpjdh.exeC:\Windows\system32\Ckecpjdh.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Ccqhdmbc.exeC:\Windows\system32\Ccqhdmbc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\SysWOW64\Ckhpejbf.exeC:\Windows\system32\Ckhpejbf.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Cpdhna32.exeC:\Windows\system32\Cpdhna32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Cccdjl32.exeC:\Windows\system32\Cccdjl32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Clkicbfa.exeC:\Windows\system32\Clkicbfa.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Cojeomee.exeC:\Windows\system32\Cojeomee.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Coladm32.exeC:\Windows\system32\Coladm32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Djafaf32.exeC:\Windows\system32\Djafaf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Dbmkfh32.exeC:\Windows\system32\Dbmkfh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Ddkgbc32.exeC:\Windows\system32\Ddkgbc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196 -
C:\Windows\SysWOW64\Dnckki32.exeC:\Windows\system32\Dnckki32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:264 -
C:\Windows\SysWOW64\Dboglhna.exeC:\Windows\system32\Dboglhna.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Dkgldm32.exeC:\Windows\system32\Dkgldm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Dbadagln.exeC:\Windows\system32\Dbadagln.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Ddppmclb.exeC:\Windows\system32\Ddppmclb.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Dkjhjm32.exeC:\Windows\system32\Dkjhjm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Djmiejji.exeC:\Windows\system32\Djmiejji.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Djoeki32.exeC:\Windows\system32\Djoeki32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Dmmbge32.exeC:\Windows\system32\Dmmbge32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2528 -
C:\Windows\SysWOW64\Ecgjdong.exeC:\Windows\system32\Ecgjdong.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2164 -
C:\Windows\SysWOW64\Eqkjmcmq.exeC:\Windows\system32\Eqkjmcmq.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Egebjmdn.exeC:\Windows\system32\Egebjmdn.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Eclcon32.exeC:\Windows\system32\Eclcon32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Efjpkj32.exeC:\Windows\system32\Efjpkj32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Ebappk32.exeC:\Windows\system32\Ebappk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Eikimeff.exeC:\Windows\system32\Eikimeff.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:552 -
C:\Windows\SysWOW64\Elieipej.exeC:\Windows\system32\Elieipej.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Enhaeldn.exeC:\Windows\system32\Enhaeldn.exe34⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Fnjnkkbk.exeC:\Windows\system32\Fnjnkkbk.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Faijggao.exeC:\Windows\system32\Faijggao.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:900 -
C:\Windows\SysWOW64\Fhbbcail.exeC:\Windows\system32\Fhbbcail.exe37⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Fakglf32.exeC:\Windows\system32\Fakglf32.exe38⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Fcichb32.exeC:\Windows\system32\Fcichb32.exe39⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Feipbefb.exeC:\Windows\system32\Feipbefb.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Fhglop32.exeC:\Windows\system32\Fhglop32.exe41⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Fappgflg.exeC:\Windows\system32\Fappgflg.exe42⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Ffmipmjn.exeC:\Windows\system32\Ffmipmjn.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Fjhdpk32.exeC:\Windows\system32\Fjhdpk32.exe44⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Gjjafkpe.exeC:\Windows\system32\Gjjafkpe.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Gminbfoh.exeC:\Windows\system32\Gminbfoh.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Gdcfoq32.exeC:\Windows\system32\Gdcfoq32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Gfabkl32.exeC:\Windows\system32\Gfabkl32.exe48⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Gfcopl32.exeC:\Windows\system32\Gfcopl32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Ghekhd32.exeC:\Windows\system32\Ghekhd32.exe50⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Glpgibbn.exeC:\Windows\system32\Glpgibbn.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2280 -
C:\Windows\SysWOW64\Gplcia32.exeC:\Windows\system32\Gplcia32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Gbjpem32.exeC:\Windows\system32\Gbjpem32.exe53⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Gampaipe.exeC:\Windows\system32\Gampaipe.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Geilah32.exeC:\Windows\system32\Geilah32.exe55⤵
- Executes dropped EXE
PID:2624 -
C:\Windows\SysWOW64\Ghghnc32.exeC:\Windows\system32\Ghghnc32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Goapjnoo.exeC:\Windows\system32\Goapjnoo.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Gaplfinb.exeC:\Windows\system32\Gaplfinb.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Gekhgh32.exeC:\Windows\system32\Gekhgh32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Gdnibdmf.exeC:\Windows\system32\Gdnibdmf.exe61⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Gleqdb32.exeC:\Windows\system32\Gleqdb32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\Habili32.exeC:\Windows\system32\Habili32.exe63⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Hdpehd32.exeC:\Windows\system32\Hdpehd32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1364 -
C:\Windows\SysWOW64\Hhlaiccm.exeC:\Windows\system32\Hhlaiccm.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Hkjnenbp.exeC:\Windows\system32\Hkjnenbp.exe66⤵PID:288
-
C:\Windows\SysWOW64\Hmijajbd.exeC:\Windows\system32\Hmijajbd.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Hpgfmeag.exeC:\Windows\system32\Hpgfmeag.exe68⤵PID:2848
-
C:\Windows\SysWOW64\Hhnnnbaj.exeC:\Windows\system32\Hhnnnbaj.exe69⤵PID:2780
-
C:\Windows\SysWOW64\Hipkfkgh.exeC:\Windows\system32\Hipkfkgh.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2572 -
C:\Windows\SysWOW64\Hafbghhj.exeC:\Windows\system32\Hafbghhj.exe71⤵PID:2172
-
C:\Windows\SysWOW64\Hchoop32.exeC:\Windows\system32\Hchoop32.exe72⤵PID:2844
-
C:\Windows\SysWOW64\Hgckoofa.exeC:\Windows\system32\Hgckoofa.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:616 -
C:\Windows\SysWOW64\Hnmcli32.exeC:\Windows\system32\Hnmcli32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:432 -
C:\Windows\SysWOW64\Hlpchfdi.exeC:\Windows\system32\Hlpchfdi.exe75⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1568 -
C:\Windows\SysWOW64\Hcjldp32.exeC:\Windows\system32\Hcjldp32.exe76⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Hgfheodo.exeC:\Windows\system32\Hgfheodo.exe77⤵PID:2472
-
C:\Windows\SysWOW64\Hjddaj32.exeC:\Windows\system32\Hjddaj32.exe78⤵PID:2112
-
C:\Windows\SysWOW64\Hlbpme32.exeC:\Windows\system32\Hlbpme32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Hclhjpjc.exeC:\Windows\system32\Hclhjpjc.exe80⤵PID:2244
-
C:\Windows\SysWOW64\Hghdjn32.exeC:\Windows\system32\Hghdjn32.exe81⤵PID:1820
-
C:\Windows\SysWOW64\Ihiabfhk.exeC:\Windows\system32\Ihiabfhk.exe82⤵
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Ilemce32.exeC:\Windows\system32\Ilemce32.exe83⤵PID:780
-
C:\Windows\SysWOW64\Icoepohq.exeC:\Windows\system32\Icoepohq.exe84⤵PID:2104
-
C:\Windows\SysWOW64\Ijimli32.exeC:\Windows\system32\Ijimli32.exe85⤵
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\Ikjjda32.exeC:\Windows\system32\Ikjjda32.exe86⤵
- Modifies registry class
PID:2680 -
C:\Windows\SysWOW64\Icabeo32.exeC:\Windows\system32\Icabeo32.exe87⤵PID:2628
-
C:\Windows\SysWOW64\Idbnmgll.exeC:\Windows\system32\Idbnmgll.exe88⤵PID:2232
-
C:\Windows\SysWOW64\Ihnjmf32.exeC:\Windows\system32\Ihnjmf32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Iklfia32.exeC:\Windows\system32\Iklfia32.exe90⤵
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Iohbjpkb.exeC:\Windows\system32\Iohbjpkb.exe91⤵
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Idekbgji.exeC:\Windows\system32\Idekbgji.exe92⤵PID:548
-
C:\Windows\SysWOW64\Ikocoa32.exeC:\Windows\system32\Ikocoa32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Inmpklpj.exeC:\Windows\system32\Inmpklpj.exe94⤵
- Modifies registry class
PID:2428 -
C:\Windows\SysWOW64\Ibillk32.exeC:\Windows\system32\Ibillk32.exe95⤵PID:2976
-
C:\Windows\SysWOW64\Ihbdhepp.exeC:\Windows\system32\Ihbdhepp.exe96⤵PID:1904
-
C:\Windows\SysWOW64\Ikapdqoc.exeC:\Windows\system32\Ikapdqoc.exe97⤵PID:3000
-
C:\Windows\SysWOW64\Jqnhmgmk.exeC:\Windows\system32\Jqnhmgmk.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Jcleiclo.exeC:\Windows\system32\Jcleiclo.exe99⤵
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Jkcmjpma.exeC:\Windows\system32\Jkcmjpma.exe100⤵
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Jjfmem32.exeC:\Windows\system32\Jjfmem32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Jqpebg32.exeC:\Windows\system32\Jqpebg32.exe102⤵
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Jdlacfca.exeC:\Windows\system32\Jdlacfca.exe103⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Jfmnkn32.exeC:\Windows\system32\Jfmnkn32.exe104⤵PID:796
-
C:\Windows\SysWOW64\Jjijkmbi.exeC:\Windows\system32\Jjijkmbi.exe105⤵
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Jqbbhg32.exeC:\Windows\system32\Jqbbhg32.exe106⤵
- System Location Discovery: System Language Discovery
PID:1884 -
C:\Windows\SysWOW64\Joebccpp.exeC:\Windows\system32\Joebccpp.exe107⤵PID:2448
-
C:\Windows\SysWOW64\Jcandb32.exeC:\Windows\system32\Jcandb32.exe108⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Jinfli32.exeC:\Windows\system32\Jinfli32.exe109⤵
- System Location Discovery: System Language Discovery
PID:308 -
C:\Windows\SysWOW64\Jqeomfgc.exeC:\Windows\system32\Jqeomfgc.exe110⤵PID:3060
-
C:\Windows\SysWOW64\Johoic32.exeC:\Windows\system32\Johoic32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2588 -
C:\Windows\SysWOW64\Jbfkeo32.exeC:\Windows\system32\Jbfkeo32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Jmlobg32.exeC:\Windows\system32\Jmlobg32.exe113⤵PID:1720
-
C:\Windows\SysWOW64\Jojloc32.exeC:\Windows\system32\Jojloc32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Windows\SysWOW64\Jbhhkn32.exeC:\Windows\system32\Jbhhkn32.exe115⤵
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Jegdgj32.exeC:\Windows\system32\Jegdgj32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Kmnlhg32.exeC:\Windows\system32\Kmnlhg32.exe117⤵
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Kolhdbjh.exeC:\Windows\system32\Kolhdbjh.exe118⤵
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Knohpo32.exeC:\Windows\system32\Knohpo32.exe119⤵
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Kffqqm32.exeC:\Windows\system32\Kffqqm32.exe120⤵PID:2836
-
C:\Windows\SysWOW64\Kiemmh32.exeC:\Windows\system32\Kiemmh32.exe121⤵PID:2840
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-