Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
09/12/2024, 04:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fc599f715d1815944d5ef2704da57293c1b526dba807182e934bd5530dbe7c4b.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
fc599f715d1815944d5ef2704da57293c1b526dba807182e934bd5530dbe7c4b.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
fc599f715d1815944d5ef2704da57293c1b526dba807182e934bd5530dbe7c4b.exe
-
Size
92KB
-
MD5
ccca9ce68e3f3ecb8f157ff7017e42e4
-
SHA1
0239e317360206779704d5e62c1a3b0112567d2e
-
SHA256
fc599f715d1815944d5ef2704da57293c1b526dba807182e934bd5530dbe7c4b
-
SHA512
eca7b0a423b0fe5718c70cad0eb24c562fcb8aa4577244cd695fb0144b37d8e37db9913bf9b2f73bff4cd6bdde7b484f1d6bf392381c7ddaa21a2ea99bfa54b3
-
SSDEEP
1536:+ybwi3dim1rSwXjGQ28RhW8fmGbmVzrYXa7pZ9rQJiOYbnRqdMArSWG7:97tBXqgurYXaprxdbMqlWG7
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghidcceo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mghfdcdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqjibkek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pecelm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahfgbkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffjljmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nedifo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cofaog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjnenbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nommodjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjaoplho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hafbghhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdidmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odcimipf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qjdgpcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aejglo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngoleb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhqhmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecnpdnho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gidhbgag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igcgnbim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Almihjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anmbje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfmqigba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdpehd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdidmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anpooe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdodmlcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceqjla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcoanb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgodcich.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmepanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajipkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdfjnkne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbcien32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnmcli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keiqlihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kenjgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfacdqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdcnhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogohdeam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peeabm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghekhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joebccpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgkbjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilemce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keiqlihp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nanfqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfkkeq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbdipa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdamao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Befnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkjhjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdnibdmf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hclhjpjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaggbihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdjihgef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nndgeplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apfici32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ongckp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmcclolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcmkhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeenapck.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2660 Bdfahaaa.exe 2752 Bhbmip32.exe 2392 Boleejag.exe 2724 Befnbd32.exe 2584 Cgjgol32.exe 276 Cdngip32.exe 2648 Cglcek32.exe 2532 Clkicbfa.exe 2384 Cgqmpkfg.exe 2796 Dlpbna32.exe 1864 Dbmkfh32.exe 2916 Dfhgggim.exe 1768 Dboglhna.exe 1876 Dkjhjm32.exe 2152 Dbdagg32.exe 1820 Dqinhcoc.exe 1976 Efffpjmk.exe 2256 Empomd32.exe 2492 Epnkip32.exe 2080 Eiilge32.exe 2980 Ecnpdnho.exe 1664 Elieipej.exe 2340 Epeajo32.exe 2684 Fllaopcg.exe 2792 Fnjnkkbk.exe 2756 Fjaoplho.exe 2688 Fnmjpk32.exe 2568 Fefcmehe.exe 2344 Fheoiqgi.exe 1212 Flqkjo32.exe 2276 Ffjljmla.exe 1932 Ffmipmjn.exe 1368 Gbcien32.exe 2368 Gpgjnbnl.exe 2360 Gbffjmmp.exe 352 Gfabkl32.exe 2228 Gmkjgfmf.exe 2192 Golgon32.exe 2440 Gfcopl32.exe 1816 Gibkmgcj.exe 1824 Ghekhd32.exe 1716 Goocenaa.exe 1676 Gampaipe.exe 1196 Gidhbgag.exe 1728 Gkedjo32.exe 1008 Gaplfinb.exe 2160 Gdnibdmf.exe 2656 Ghidcceo.exe 2840 Gkhaooec.exe 2848 Hdpehd32.exe 2084 Hkjnenbp.exe 1704 Hmijajbd.exe 2788 Hpgfmeag.exe 1252 Hganjo32.exe 1908 Hkmjjn32.exe 2348 Hnkffi32.exe 2936 Hafbghhj.exe 2328 Hdeoccgn.exe 2904 Hgckoofa.exe 480 Hnmcli32.exe 2120 Hdgkicek.exe 1492 Hjddaj32.exe 2144 Hlbpme32.exe 1996 Hpnlndkp.exe -
Loads dropped DLL 64 IoCs
pid Process 1960 fc599f715d1815944d5ef2704da57293c1b526dba807182e934bd5530dbe7c4b.exe 1960 fc599f715d1815944d5ef2704da57293c1b526dba807182e934bd5530dbe7c4b.exe 2660 Bdfahaaa.exe 2660 Bdfahaaa.exe 2752 Bhbmip32.exe 2752 Bhbmip32.exe 2392 Boleejag.exe 2392 Boleejag.exe 2724 Befnbd32.exe 2724 Befnbd32.exe 2584 Cgjgol32.exe 2584 Cgjgol32.exe 276 Cdngip32.exe 276 Cdngip32.exe 2648 Cglcek32.exe 2648 Cglcek32.exe 2532 Clkicbfa.exe 2532 Clkicbfa.exe 2384 Cgqmpkfg.exe 2384 Cgqmpkfg.exe 2796 Dlpbna32.exe 2796 Dlpbna32.exe 1864 Dbmkfh32.exe 1864 Dbmkfh32.exe 2916 Dfhgggim.exe 2916 Dfhgggim.exe 1768 Dboglhna.exe 1768 Dboglhna.exe 1876 Dkjhjm32.exe 1876 Dkjhjm32.exe 2152 Dbdagg32.exe 2152 Dbdagg32.exe 1820 Dqinhcoc.exe 1820 Dqinhcoc.exe 1976 Efffpjmk.exe 1976 Efffpjmk.exe 2256 Empomd32.exe 2256 Empomd32.exe 2492 Epnkip32.exe 2492 Epnkip32.exe 2080 Eiilge32.exe 2080 Eiilge32.exe 2980 Ecnpdnho.exe 2980 Ecnpdnho.exe 1664 Elieipej.exe 1664 Elieipej.exe 2340 Epeajo32.exe 2340 Epeajo32.exe 2684 Fllaopcg.exe 2684 Fllaopcg.exe 2792 Fnjnkkbk.exe 2792 Fnjnkkbk.exe 2756 Fjaoplho.exe 2756 Fjaoplho.exe 2688 Fnmjpk32.exe 2688 Fnmjpk32.exe 2568 Fefcmehe.exe 2568 Fefcmehe.exe 2344 Fheoiqgi.exe 2344 Fheoiqgi.exe 1212 Flqkjo32.exe 1212 Flqkjo32.exe 2276 Ffjljmla.exe 2276 Ffjljmla.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hkmjjn32.exe Hganjo32.exe File created C:\Windows\SysWOW64\Jjejnabb.dll Hganjo32.exe File opened for modification C:\Windows\SysWOW64\Qcjoci32.exe Pegnglnm.exe File created C:\Windows\SysWOW64\Deeakhnj.dll Ldjmidcj.exe File created C:\Windows\SysWOW64\Hlggmcob.dll Bgdfjfmi.exe File created C:\Windows\SysWOW64\Madcho32.dll Cpohhk32.exe File opened for modification C:\Windows\SysWOW64\Ffmipmjn.exe Ffjljmla.exe File opened for modification C:\Windows\SysWOW64\Lodnjboi.exe Lmbabj32.exe File created C:\Windows\SysWOW64\Aejglo32.exe Anpooe32.exe File created C:\Windows\SysWOW64\Bopknhjd.exe Bpmkbl32.exe File created C:\Windows\SysWOW64\Dlpbna32.exe Cgqmpkfg.exe File opened for modification C:\Windows\SysWOW64\Jcckibfg.exe Jqeomfgc.exe File created C:\Windows\SysWOW64\Jbndmh32.dll Jipcbidn.exe File opened for modification C:\Windows\SysWOW64\Ngoleb32.exe Ncdpdcfh.exe File opened for modification C:\Windows\SysWOW64\Hkmjjn32.exe Hganjo32.exe File opened for modification C:\Windows\SysWOW64\Ihiabfhk.exe Hghdjn32.exe File created C:\Windows\SysWOW64\Jinfli32.exe Jgmjdaqb.exe File opened for modification C:\Windows\SysWOW64\Nkaane32.exe Nipefmkb.exe File opened for modification C:\Windows\SysWOW64\Pjpmdd32.exe Pgaahh32.exe File opened for modification C:\Windows\SysWOW64\Gmkjgfmf.exe Gfabkl32.exe File created C:\Windows\SysWOW64\Idghhf32.exe Iqllghon.exe File created C:\Windows\SysWOW64\Kpjhnfof.exe Kaggbihl.exe File opened for modification C:\Windows\SysWOW64\Pcmoie32.exe Poacighp.exe File created C:\Windows\SysWOW64\Eejanc32.dll Qpaohjkk.exe File opened for modification C:\Windows\SysWOW64\Bdcnhk32.exe Bkkioeig.exe File created C:\Windows\SysWOW64\Ohodgb32.dll Cgbfcjag.exe File created C:\Windows\SysWOW64\Icoepohq.exe Iocioq32.exe File created C:\Windows\SysWOW64\Iqllghon.exe Iojopp32.exe File created C:\Windows\SysWOW64\Qfcekf32.dll Jfddkmch.exe File created C:\Windows\SysWOW64\Pipfnehe.dll Mebpakbq.exe File created C:\Windows\SysWOW64\Nhqhmj32.exe Ninhamne.exe File opened for modification C:\Windows\SysWOW64\Nakikpin.exe Nommodjj.exe File opened for modification C:\Windows\SysWOW64\Ogmkne32.exe Ohjkcile.exe File created C:\Windows\SysWOW64\Ekbcekpd.dll Poacighp.exe File created C:\Windows\SysWOW64\Qpaohjkk.exe Qmcclolh.exe File opened for modification C:\Windows\SysWOW64\Epnkip32.exe Empomd32.exe File created C:\Windows\SysWOW64\Fnjnkkbk.exe Fllaopcg.exe File created C:\Windows\SysWOW64\Ffmipmjn.exe Ffjljmla.exe File opened for modification C:\Windows\SysWOW64\Ihlnhffh.exe Ijimli32.exe File created C:\Windows\SysWOW64\Icabeo32.exe Ihlnhffh.exe File created C:\Windows\SysWOW64\Monann32.dll Kgjjndeq.exe File created C:\Windows\SysWOW64\Cidffnka.dll Nanfqo32.exe File created C:\Windows\SysWOW64\Ochenfdn.exe Oqjibkek.exe File created C:\Windows\SysWOW64\Clhecl32.exe Cdamao32.exe File opened for modification C:\Windows\SysWOW64\Dlpbna32.exe Cgqmpkfg.exe File opened for modification C:\Windows\SysWOW64\Goocenaa.exe Ghekhd32.exe File created C:\Windows\SysWOW64\Hganjo32.exe Hpgfmeag.exe File created C:\Windows\SysWOW64\Jmlobg32.exe Jipcbidn.exe File created C:\Windows\SysWOW64\Mcofid32.exe Mmbnam32.exe File opened for modification C:\Windows\SysWOW64\Ofgbkacb.exe Ochenfdn.exe File created C:\Windows\SysWOW64\Pohoplja.dll Afpapcnc.exe File created C:\Windows\SysWOW64\Befima32.dll Anpooe32.exe File created C:\Windows\SysWOW64\Pfapgnji.dll Ccnddg32.exe File opened for modification C:\Windows\SysWOW64\Dkjhjm32.exe Dboglhna.exe File opened for modification C:\Windows\SysWOW64\Gampaipe.exe Goocenaa.exe File opened for modification C:\Windows\SysWOW64\Jqpebg32.exe Jnbifl32.exe File created C:\Windows\SysWOW64\Cblaaajo.dll Knfopnkk.exe File opened for modification C:\Windows\SysWOW64\Kfacdqhf.exe Kmiolk32.exe File opened for modification C:\Windows\SysWOW64\Mgfiocfl.exe Meemgk32.exe File created C:\Windows\SysWOW64\Alofnj32.exe Aeenapck.exe File opened for modification C:\Windows\SysWOW64\Chofhm32.exe Ceqjla32.exe File opened for modification C:\Windows\SysWOW64\Gdnibdmf.exe Gaplfinb.exe File created C:\Windows\SysWOW64\Knaeeo32.exe Kpoejbhe.exe File created C:\Windows\SysWOW64\Lmbabj32.exe Ligfakaa.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokdja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqinhcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbcien32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkedjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lffmpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nommodjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoanb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqlfhjch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpjhnfof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcofid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pegnglnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpohhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglcek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbpme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jghqia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaggbihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befnbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdodmlcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfmqigba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clfhml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jinfli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jipcbidn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pofldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahhchk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anmbje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlpbna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiilge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmgfgham.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ankedf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfahaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igcgnbim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chofhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnkip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpgfmeag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcandb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aegkfpah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihiabfhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keiqlihp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alofnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljplkonl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdjihgef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Occlcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeajo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnjnkkbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iocioq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icoepohq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqjibkek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bldpiifb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gidhbgag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpehd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmjjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llhocfnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhoohgdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndgeplo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogohdeam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfjnkne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idghhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmiolk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpmdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcmkhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dboglhna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klhbdclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abbhje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfcopl32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjaoplho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffmipmjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Almihjlj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkkioeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Laoekk32.dll" Hgckoofa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gimpofjk.dll" Ninhamne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhjdcghg.dll" Ollqllod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bldpiifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdaabk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chhpgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkhaooec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jqeomfgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnqjk32.dll" Kkefoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kenjgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klhbdclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdleiobf.dll" Lidilk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdbfjmik.dll" Mkohjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moafnqhk.dll" Hkmjjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jemffb32.dll" Hafbghhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhqhmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjdgpcmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ankedf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lecaooal.dll" Ankedf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bopknhjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nepokogo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Occlcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anmbje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Beldao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elieipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepcmgbf.dll" Gdnibdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pklqifff.dll" Hnmcli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqeomfgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfacdqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liblfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgnapb32.dll" Lmnhgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncdpdcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pohoplja.dll" Afpapcnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffjljmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apnjbhgo.dll" Gbffjmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kndbko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgkbjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poacighp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pofldf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pecelm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkggemii.dll" Qmepanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiilge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chobmj32.dll" Gfabkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kghmhegc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcofid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kegmaomi.dll" Oabplobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjhjkfi.dll" Bldpiifb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knoegqbp.dll" Bknfeege.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdjihgef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipddpjfp.dll" Iafofkkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcckibfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njldiiel.dll" Lffmpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llcehg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmobd32.dll" Llhocfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omnmal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeenapck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clhecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbffjmmp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1960 wrote to memory of 2660 1960 fc599f715d1815944d5ef2704da57293c1b526dba807182e934bd5530dbe7c4b.exe 30 PID 1960 wrote to memory of 2660 1960 fc599f715d1815944d5ef2704da57293c1b526dba807182e934bd5530dbe7c4b.exe 30 PID 1960 wrote to memory of 2660 1960 fc599f715d1815944d5ef2704da57293c1b526dba807182e934bd5530dbe7c4b.exe 30 PID 1960 wrote to memory of 2660 1960 fc599f715d1815944d5ef2704da57293c1b526dba807182e934bd5530dbe7c4b.exe 30 PID 2660 wrote to memory of 2752 2660 Bdfahaaa.exe 31 PID 2660 wrote to memory of 2752 2660 Bdfahaaa.exe 31 PID 2660 wrote to memory of 2752 2660 Bdfahaaa.exe 31 PID 2660 wrote to memory of 2752 2660 Bdfahaaa.exe 31 PID 2752 wrote to memory of 2392 2752 Bhbmip32.exe 32 PID 2752 wrote to memory of 2392 2752 Bhbmip32.exe 32 PID 2752 wrote to memory of 2392 2752 Bhbmip32.exe 32 PID 2752 wrote to memory of 2392 2752 Bhbmip32.exe 32 PID 2392 wrote to memory of 2724 2392 Boleejag.exe 33 PID 2392 wrote to memory of 2724 2392 Boleejag.exe 33 PID 2392 wrote to memory of 2724 2392 Boleejag.exe 33 PID 2392 wrote to memory of 2724 2392 Boleejag.exe 33 PID 2724 wrote to memory of 2584 2724 Befnbd32.exe 34 PID 2724 wrote to memory of 2584 2724 Befnbd32.exe 34 PID 2724 wrote to memory of 2584 2724 Befnbd32.exe 34 PID 2724 wrote to memory of 2584 2724 Befnbd32.exe 34 PID 2584 wrote to memory of 276 2584 Cgjgol32.exe 35 PID 2584 wrote to memory of 276 2584 Cgjgol32.exe 35 PID 2584 wrote to memory of 276 2584 Cgjgol32.exe 35 PID 2584 wrote to memory of 276 2584 Cgjgol32.exe 35 PID 276 wrote to memory of 2648 276 Cdngip32.exe 36 PID 276 wrote to memory of 2648 276 Cdngip32.exe 36 PID 276 wrote to memory of 2648 276 Cdngip32.exe 36 PID 276 wrote to memory of 2648 276 Cdngip32.exe 36 PID 2648 wrote to memory of 2532 2648 Cglcek32.exe 37 PID 2648 wrote to memory of 2532 2648 Cglcek32.exe 37 PID 2648 wrote to memory of 2532 2648 Cglcek32.exe 37 PID 2648 wrote to memory of 2532 2648 Cglcek32.exe 37 PID 2532 wrote to memory of 2384 2532 Clkicbfa.exe 38 PID 2532 wrote to memory of 2384 2532 Clkicbfa.exe 38 PID 2532 wrote to memory of 2384 2532 Clkicbfa.exe 38 PID 2532 wrote to memory of 2384 2532 Clkicbfa.exe 38 PID 2384 wrote to memory of 2796 2384 Cgqmpkfg.exe 39 PID 2384 wrote to memory of 2796 2384 Cgqmpkfg.exe 39 PID 2384 wrote to memory of 2796 2384 Cgqmpkfg.exe 39 PID 2384 wrote to memory of 2796 2384 Cgqmpkfg.exe 39 PID 2796 wrote to memory of 1864 2796 Dlpbna32.exe 40 PID 2796 wrote to memory of 1864 2796 Dlpbna32.exe 40 PID 2796 wrote to memory of 1864 2796 Dlpbna32.exe 40 PID 2796 wrote to memory of 1864 2796 Dlpbna32.exe 40 PID 1864 wrote to memory of 2916 1864 Dbmkfh32.exe 41 PID 1864 wrote to memory of 2916 1864 Dbmkfh32.exe 41 PID 1864 wrote to memory of 2916 1864 Dbmkfh32.exe 41 PID 1864 wrote to memory of 2916 1864 Dbmkfh32.exe 41 PID 2916 wrote to memory of 1768 2916 Dfhgggim.exe 42 PID 2916 wrote to memory of 1768 2916 Dfhgggim.exe 42 PID 2916 wrote to memory of 1768 2916 Dfhgggim.exe 42 PID 2916 wrote to memory of 1768 2916 Dfhgggim.exe 42 PID 1768 wrote to memory of 1876 1768 Dboglhna.exe 43 PID 1768 wrote to memory of 1876 1768 Dboglhna.exe 43 PID 1768 wrote to memory of 1876 1768 Dboglhna.exe 43 PID 1768 wrote to memory of 1876 1768 Dboglhna.exe 43 PID 1876 wrote to memory of 2152 1876 Dkjhjm32.exe 44 PID 1876 wrote to memory of 2152 1876 Dkjhjm32.exe 44 PID 1876 wrote to memory of 2152 1876 Dkjhjm32.exe 44 PID 1876 wrote to memory of 2152 1876 Dkjhjm32.exe 44 PID 2152 wrote to memory of 1820 2152 Dbdagg32.exe 45 PID 2152 wrote to memory of 1820 2152 Dbdagg32.exe 45 PID 2152 wrote to memory of 1820 2152 Dbdagg32.exe 45 PID 2152 wrote to memory of 1820 2152 Dbdagg32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\fc599f715d1815944d5ef2704da57293c1b526dba807182e934bd5530dbe7c4b.exe"C:\Users\Admin\AppData\Local\Temp\fc599f715d1815944d5ef2704da57293c1b526dba807182e934bd5530dbe7c4b.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Bdfahaaa.exeC:\Windows\system32\Bdfahaaa.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Bhbmip32.exeC:\Windows\system32\Bhbmip32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Boleejag.exeC:\Windows\system32\Boleejag.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Befnbd32.exeC:\Windows\system32\Befnbd32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Cgjgol32.exeC:\Windows\system32\Cgjgol32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Cdngip32.exeC:\Windows\system32\Cdngip32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\SysWOW64\Cglcek32.exeC:\Windows\system32\Cglcek32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Clkicbfa.exeC:\Windows\system32\Clkicbfa.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Cgqmpkfg.exeC:\Windows\system32\Cgqmpkfg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Dlpbna32.exeC:\Windows\system32\Dlpbna32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Dbmkfh32.exeC:\Windows\system32\Dbmkfh32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Dfhgggim.exeC:\Windows\system32\Dfhgggim.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Dboglhna.exeC:\Windows\system32\Dboglhna.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Dkjhjm32.exeC:\Windows\system32\Dkjhjm32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1876 -
C:\Windows\SysWOW64\Dbdagg32.exeC:\Windows\system32\Dbdagg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Dqinhcoc.exeC:\Windows\system32\Dqinhcoc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1820 -
C:\Windows\SysWOW64\Efffpjmk.exeC:\Windows\system32\Efffpjmk.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Empomd32.exeC:\Windows\system32\Empomd32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Epnkip32.exeC:\Windows\system32\Epnkip32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2492 -
C:\Windows\SysWOW64\Eiilge32.exeC:\Windows\system32\Eiilge32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Ecnpdnho.exeC:\Windows\system32\Ecnpdnho.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Elieipej.exeC:\Windows\system32\Elieipej.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1664 -
C:\Windows\SysWOW64\Epeajo32.exeC:\Windows\system32\Epeajo32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Fllaopcg.exeC:\Windows\system32\Fllaopcg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Fnjnkkbk.exeC:\Windows\system32\Fnjnkkbk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Fjaoplho.exeC:\Windows\system32\Fjaoplho.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Fnmjpk32.exeC:\Windows\system32\Fnmjpk32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Fefcmehe.exeC:\Windows\system32\Fefcmehe.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Fheoiqgi.exeC:\Windows\system32\Fheoiqgi.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\SysWOW64\Flqkjo32.exeC:\Windows\system32\Flqkjo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1212 -
C:\Windows\SysWOW64\Ffjljmla.exeC:\Windows\system32\Ffjljmla.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2276 -
C:\Windows\SysWOW64\Ffmipmjn.exeC:\Windows\system32\Ffmipmjn.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Gbcien32.exeC:\Windows\system32\Gbcien32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1368 -
C:\Windows\SysWOW64\Gpgjnbnl.exeC:\Windows\system32\Gpgjnbnl.exe35⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Gbffjmmp.exeC:\Windows\system32\Gbffjmmp.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Gfabkl32.exeC:\Windows\system32\Gfabkl32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:352 -
C:\Windows\SysWOW64\Gmkjgfmf.exeC:\Windows\system32\Gmkjgfmf.exe38⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Golgon32.exeC:\Windows\system32\Golgon32.exe39⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Gfcopl32.exeC:\Windows\system32\Gfcopl32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Windows\SysWOW64\Gibkmgcj.exeC:\Windows\system32\Gibkmgcj.exe41⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Ghekhd32.exeC:\Windows\system32\Ghekhd32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Goocenaa.exeC:\Windows\system32\Goocenaa.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Gampaipe.exeC:\Windows\system32\Gampaipe.exe44⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Gidhbgag.exeC:\Windows\system32\Gidhbgag.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1196 -
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1728 -
C:\Windows\SysWOW64\Gaplfinb.exeC:\Windows\system32\Gaplfinb.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1008 -
C:\Windows\SysWOW64\Gdnibdmf.exeC:\Windows\system32\Gdnibdmf.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Ghidcceo.exeC:\Windows\system32\Ghidcceo.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Gkhaooec.exeC:\Windows\system32\Gkhaooec.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Hdpehd32.exeC:\Windows\system32\Hdpehd32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Hkjnenbp.exeC:\Windows\system32\Hkjnenbp.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Hmijajbd.exeC:\Windows\system32\Hmijajbd.exe53⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Hpgfmeag.exeC:\Windows\system32\Hpgfmeag.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2788 -
C:\Windows\SysWOW64\Hganjo32.exeC:\Windows\system32\Hganjo32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1252 -
C:\Windows\SysWOW64\Hkmjjn32.exeC:\Windows\system32\Hkmjjn32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1908 -
C:\Windows\SysWOW64\Hnkffi32.exeC:\Windows\system32\Hnkffi32.exe57⤵
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Hafbghhj.exeC:\Windows\system32\Hafbghhj.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2936 -
C:\Windows\SysWOW64\Hdeoccgn.exeC:\Windows\system32\Hdeoccgn.exe59⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Hgckoofa.exeC:\Windows\system32\Hgckoofa.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Hnmcli32.exeC:\Windows\system32\Hnmcli32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:480 -
C:\Windows\SysWOW64\Hdgkicek.exeC:\Windows\system32\Hdgkicek.exe62⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Hjddaj32.exeC:\Windows\system32\Hjddaj32.exe63⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Hlbpme32.exeC:\Windows\system32\Hlbpme32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2144 -
C:\Windows\SysWOW64\Hpnlndkp.exeC:\Windows\system32\Hpnlndkp.exe65⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Hclhjpjc.exeC:\Windows\system32\Hclhjpjc.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2028 -
C:\Windows\SysWOW64\Hghdjn32.exeC:\Windows\system32\Hghdjn32.exe67⤵
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Ihiabfhk.exeC:\Windows\system32\Ihiabfhk.exe68⤵
- System Location Discovery: System Language Discovery
PID:2240 -
C:\Windows\SysWOW64\Ilemce32.exeC:\Windows\system32\Ilemce32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2060 -
C:\Windows\SysWOW64\Iocioq32.exeC:\Windows\system32\Iocioq32.exe70⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Icoepohq.exeC:\Windows\system32\Icoepohq.exe71⤵
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Ijimli32.exeC:\Windows\system32\Ijimli32.exe72⤵
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Ihlnhffh.exeC:\Windows\system32\Ihlnhffh.exe73⤵
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Icabeo32.exeC:\Windows\system32\Icabeo32.exe74⤵PID:2716
-
C:\Windows\SysWOW64\Idbnmgll.exeC:\Windows\system32\Idbnmgll.exe75⤵PID:2604
-
C:\Windows\SysWOW64\Ilifndlo.exeC:\Windows\system32\Ilifndlo.exe76⤵PID:2944
-
C:\Windows\SysWOW64\Iohbjpkb.exeC:\Windows\system32\Iohbjpkb.exe77⤵PID:900
-
C:\Windows\SysWOW64\Iafofkkf.exeC:\Windows\system32\Iafofkkf.exe78⤵
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Idekbgji.exeC:\Windows\system32\Idekbgji.exe79⤵PID:2316
-
C:\Windows\SysWOW64\Igcgnbim.exeC:\Windows\system32\Igcgnbim.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\Ikocoa32.exeC:\Windows\system32\Ikocoa32.exe81⤵PID:2148
-
C:\Windows\SysWOW64\Iojopp32.exeC:\Windows\system32\Iojopp32.exe82⤵
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Iqllghon.exeC:\Windows\system32\Iqllghon.exe83⤵
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Idghhf32.exeC:\Windows\system32\Idghhf32.exe84⤵
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Ijdppm32.exeC:\Windows\system32\Ijdppm32.exe85⤵PID:1048
-
C:\Windows\SysWOW64\Ibkhak32.exeC:\Windows\system32\Ibkhak32.exe86⤵PID:2288
-
C:\Windows\SysWOW64\Jdidmf32.exeC:\Windows\system32\Jdidmf32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1912 -
C:\Windows\SysWOW64\Jghqia32.exeC:\Windows\system32\Jghqia32.exe88⤵
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Jnbifl32.exeC:\Windows\system32\Jnbifl32.exe89⤵
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Jqpebg32.exeC:\Windows\system32\Jqpebg32.exe90⤵PID:2572
-
C:\Windows\SysWOW64\Jcoanb32.exeC:\Windows\system32\Jcoanb32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Jfmnkn32.exeC:\Windows\system32\Jfmnkn32.exe92⤵PID:1004
-
C:\Windows\SysWOW64\Jndflk32.exeC:\Windows\system32\Jndflk32.exe93⤵PID:1324
-
C:\Windows\SysWOW64\Jmgfgham.exeC:\Windows\system32\Jmgfgham.exe94⤵
- System Location Discovery: System Language Discovery
PID:2640 -
C:\Windows\SysWOW64\Joebccpp.exeC:\Windows\system32\Joebccpp.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2808 -
C:\Windows\SysWOW64\Jcandb32.exeC:\Windows\system32\Jcandb32.exe96⤵
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Jgmjdaqb.exeC:\Windows\system32\Jgmjdaqb.exe97⤵
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Jinfli32.exeC:\Windows\system32\Jinfli32.exe98⤵
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Jqeomfgc.exeC:\Windows\system32\Jqeomfgc.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Jcckibfg.exeC:\Windows\system32\Jcckibfg.exe100⤵
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Jipcbidn.exeC:\Windows\system32\Jipcbidn.exe101⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Jmlobg32.exeC:\Windows\system32\Jmlobg32.exe102⤵PID:2864
-
C:\Windows\SysWOW64\Jbhhkn32.exeC:\Windows\system32\Jbhhkn32.exe103⤵PID:2696
-
C:\Windows\SysWOW64\Jfddkmch.exeC:\Windows\system32\Jfddkmch.exe104⤵
- Drops file in System32 directory
PID:1336 -
C:\Windows\SysWOW64\Jibpghbk.exeC:\Windows\system32\Jibpghbk.exe105⤵PID:1896
-
C:\Windows\SysWOW64\Knohpo32.exeC:\Windows\system32\Knohpo32.exe106⤵PID:3008
-
C:\Windows\SysWOW64\Keiqlihp.exeC:\Windows\system32\Keiqlihp.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Kghmhegc.exeC:\Windows\system32\Kghmhegc.exe108⤵
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Kpoejbhe.exeC:\Windows\system32\Kpoejbhe.exe109⤵
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Knaeeo32.exeC:\Windows\system32\Knaeeo32.exe110⤵PID:2592
-
C:\Windows\SysWOW64\Kapaaj32.exeC:\Windows\system32\Kapaaj32.exe111⤵PID:1812
-
C:\Windows\SysWOW64\Kgjjndeq.exeC:\Windows\system32\Kgjjndeq.exe112⤵
- Drops file in System32 directory
PID:836 -
C:\Windows\SysWOW64\Kkefoc32.exeC:\Windows\system32\Kkefoc32.exe113⤵
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Kndbko32.exeC:\Windows\system32\Kndbko32.exe114⤵
- Modifies registry class
PID:1372 -
C:\Windows\SysWOW64\Kbpnkm32.exeC:\Windows\system32\Kbpnkm32.exe115⤵PID:2680
-
C:\Windows\SysWOW64\Kenjgi32.exeC:\Windows\system32\Kenjgi32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1632 -
C:\Windows\SysWOW64\Kcajceke.exeC:\Windows\system32\Kcajceke.exe117⤵PID:1308
-
C:\Windows\SysWOW64\Klhbdclg.exeC:\Windows\system32\Klhbdclg.exe118⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Knfopnkk.exeC:\Windows\system32\Knfopnkk.exe119⤵
- Drops file in System32 directory
PID:2472 -
C:\Windows\SysWOW64\Kmiolk32.exeC:\Windows\system32\Kmiolk32.exe120⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1208 -
C:\Windows\SysWOW64\Kfacdqhf.exeC:\Windows\system32\Kfacdqhf.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:960
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-