Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
09/12/2024, 13:19
Behavioral task
behavioral1
Sample
52a4f611860f35d05b696a0f3aab419e362f12b607845ae4e409e61a30c62a70N.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
52a4f611860f35d05b696a0f3aab419e362f12b607845ae4e409e61a30c62a70N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
52a4f611860f35d05b696a0f3aab419e362f12b607845ae4e409e61a30c62a70N.exe
-
Size
406KB
-
MD5
e1c38c8c70030187f2b55c6749014a30
-
SHA1
bf8d1da9efe186e96302ffff67a4e6b139839c3f
-
SHA256
52a4f611860f35d05b696a0f3aab419e362f12b607845ae4e409e61a30c62a70
-
SHA512
0c896f0c385916c003eda27e0a60c5f9105fee873aade86844613791984dfe2cc237bf28bccd4ac06600756d6afd23fb12fcb0502b466f02c86d43229f36a0cb
-
SSDEEP
6144:ptmH4iWH/VIU5TXH5U5Xj83XH5U1XH5U5Xj8s5DXH5U5qXH5XXH5U5oXH:p0YiWH53Ma3M3MvD3Mq3B3Mo3
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bimphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icabeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbhhkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdedde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiofnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epcddopf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kelmbifm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkaane32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmcfngde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpaehl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgnfji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjhfjpdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afndjdpe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmpkpbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qblfkgqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpnngi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aicfgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fiqibj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jacibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lonlkcho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mobaef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chjjde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbdham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kenjgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgocid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kckhdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Naegmabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llebnfpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Liibgkoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqlfhjch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijqjgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nckmpicl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckkenikc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eldbkbop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obhpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afgnkilf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfjkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aljmbknm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnkdnqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkbnap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifbaapfk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qncfphff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chjjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehmpeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdjpfgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mghfdcdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gllnnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gipngg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noohlkpc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Macjgadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blipno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpbqcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfoeel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfpmbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gigkbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afgnkilf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdlacfca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eifobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdbbnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efmckpko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlbgq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckmpicl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqojhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pefhlcdk.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1688 Aklabp32.exe 2944 Addfkeid.exe 2676 Acnlgajg.exe 2580 Blinefnd.exe 2568 Bcbfbp32.exe 3008 Bnapnm32.exe 1252 Ccnifd32.exe 1596 Cmfmojcb.exe 2792 Cqfbjhgf.exe 2164 Cbgobp32.exe 1856 Ckpckece.exe 2152 Cehhdkjf.exe 2156 Dblhmoio.exe 1472 Dgiaefgg.exe 1936 Daaenlng.exe 1752 Dnefhpma.exe 1536 Dgnjqe32.exe 1712 Dafoikjb.exe 780 Gaojnq32.exe 2968 Hqgddm32.exe 2940 Hgqlafap.exe 888 Hnkdnqhm.exe 1748 Hmbndmkb.exe 1592 Hclfag32.exe 2764 Ifolhann.exe 2928 Iegeonpc.exe 2720 Iclbpj32.exe 2556 Jmdgipkk.exe 2840 Jpgmpk32.exe 1044 Jedehaea.exe 872 Kidjdpie.exe 1992 Kbmome32.exe 2184 Kocpbfei.exe 1872 Kfaalh32.exe 2220 Kpieengb.exe 2516 Libjncnc.exe 1964 Llepen32.exe 2108 Llgljn32.exe 1896 Lljipmdl.exe 1012 Lnkege32.exe 1504 Mkofaj32.exe 2012 Mnmbme32.exe 2060 Mhcfjnhm.exe 1636 Makkcc32.exe 660 Mkcplien.exe 608 Mnblhddb.exe 2296 Mgjpaj32.exe 3028 Mlgiiaij.exe 2704 Mfpmbf32.exe 2808 Mlieoqgg.exe 2728 Nfbjhf32.exe 2588 Nkobpmlo.exe 2396 Nhbciaki.exe 1884 Nomkfk32.exe 2436 Ndicnb32.exe 2368 Noohlkpc.exe 1140 Ndlpdbnj.exe 1056 Nkehql32.exe 1016 Ndnmialh.exe 3068 Okhefl32.exe 2076 Oqennbbl.exe 1160 Ogofkm32.exe 2392 Omlncc32.exe 696 Opjkpo32.exe -
Loads dropped DLL 64 IoCs
pid Process 1908 52a4f611860f35d05b696a0f3aab419e362f12b607845ae4e409e61a30c62a70N.exe 1908 52a4f611860f35d05b696a0f3aab419e362f12b607845ae4e409e61a30c62a70N.exe 1688 Aklabp32.exe 1688 Aklabp32.exe 2944 Addfkeid.exe 2944 Addfkeid.exe 2676 Acnlgajg.exe 2676 Acnlgajg.exe 2580 Blinefnd.exe 2580 Blinefnd.exe 2568 Bcbfbp32.exe 2568 Bcbfbp32.exe 3008 Bnapnm32.exe 3008 Bnapnm32.exe 1252 Ccnifd32.exe 1252 Ccnifd32.exe 1596 Cmfmojcb.exe 1596 Cmfmojcb.exe 2792 Cqfbjhgf.exe 2792 Cqfbjhgf.exe 2164 Cbgobp32.exe 2164 Cbgobp32.exe 1856 Ckpckece.exe 1856 Ckpckece.exe 2152 Cehhdkjf.exe 2152 Cehhdkjf.exe 2156 Dblhmoio.exe 2156 Dblhmoio.exe 1472 Dgiaefgg.exe 1472 Dgiaefgg.exe 1936 Daaenlng.exe 1936 Daaenlng.exe 1752 Dnefhpma.exe 1752 Dnefhpma.exe 1536 Dgnjqe32.exe 1536 Dgnjqe32.exe 1712 Dafoikjb.exe 1712 Dafoikjb.exe 780 Gaojnq32.exe 780 Gaojnq32.exe 2968 Hqgddm32.exe 2968 Hqgddm32.exe 2940 Hgqlafap.exe 2940 Hgqlafap.exe 888 Hnkdnqhm.exe 888 Hnkdnqhm.exe 1748 Hmbndmkb.exe 1748 Hmbndmkb.exe 1592 Hclfag32.exe 1592 Hclfag32.exe 2764 Ifolhann.exe 2764 Ifolhann.exe 2928 Iegeonpc.exe 2928 Iegeonpc.exe 2720 Iclbpj32.exe 2720 Iclbpj32.exe 2556 Jmdgipkk.exe 2556 Jmdgipkk.exe 2840 Jpgmpk32.exe 2840 Jpgmpk32.exe 1044 Jedehaea.exe 1044 Jedehaea.exe 872 Kidjdpie.exe 872 Kidjdpie.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fogiamne.dll Lhfpdi32.exe File created C:\Windows\SysWOW64\Pehebbbh.exe Pbjifgcd.exe File opened for modification C:\Windows\SysWOW64\Dbdagg32.exe Djmiejji.exe File created C:\Windows\SysWOW64\Aphcppmo.exe Abdbflnf.exe File opened for modification C:\Windows\SysWOW64\Bjbqmi32.exe Bpjldc32.exe File created C:\Windows\SysWOW64\Lkcbkhnk.dll Cgogealf.exe File created C:\Windows\SysWOW64\Hipfaokh.dll Eldbkbop.exe File opened for modification C:\Windows\SysWOW64\Ijlaloaf.exe Iqcmcj32.exe File created C:\Windows\SysWOW64\Gfoeel32.exe Fpemhb32.exe File opened for modification C:\Windows\SysWOW64\Iqllghon.exe Igcgnbim.exe File created C:\Windows\SysWOW64\Flhbop32.dll Bpfebmia.exe File created C:\Windows\SysWOW64\Mkehop32.dll Kidjdpie.exe File opened for modification C:\Windows\SysWOW64\Nhhehpbc.exe Nckmpicl.exe File created C:\Windows\SysWOW64\Ipodji32.dll Bhpqcpkm.exe File created C:\Windows\SysWOW64\Pggcij32.dll Efoifiep.exe File opened for modification C:\Windows\SysWOW64\Hdbbnd32.exe Hofjem32.exe File created C:\Windows\SysWOW64\Bimphc32.exe Bbchkime.exe File opened for modification C:\Windows\SysWOW64\Boobki32.exe Bggjjlnb.exe File created C:\Windows\SysWOW64\Fbfjkj32.exe Egpena32.exe File created C:\Windows\SysWOW64\Cbkgog32.exe Biccfalm.exe File created C:\Windows\SysWOW64\Cdgjcl32.dll Eegmhhie.exe File created C:\Windows\SysWOW64\Neplhe32.dll Pefhlcdk.exe File created C:\Windows\SysWOW64\Akbieg32.dll Boleejag.exe File created C:\Windows\SysWOW64\Hofjem32.exe Hgoadp32.exe File created C:\Windows\SysWOW64\Jpllfe32.dll Opccallb.exe File created C:\Windows\SysWOW64\Bcbfbp32.exe Blinefnd.exe File created C:\Windows\SysWOW64\Gibbgmfe.exe Ggdekbgb.exe File created C:\Windows\SysWOW64\Mokkegmm.exe Lcdjpfgh.exe File created C:\Windows\SysWOW64\Fdcbqe32.dll Jfojpn32.exe File opened for modification C:\Windows\SysWOW64\Kgocid32.exe Kaekljjo.exe File created C:\Windows\SysWOW64\Lljipmdl.exe Llgljn32.exe File created C:\Windows\SysWOW64\Qpamoa32.exe Qigebglj.exe File created C:\Windows\SysWOW64\Boleejag.exe Bhbmip32.exe File created C:\Windows\SysWOW64\Bpjldc32.exe Bedhgj32.exe File opened for modification C:\Windows\SysWOW64\Efmckpko.exe Eaqkcimg.exe File created C:\Windows\SysWOW64\Oepbmk32.dll Gkmefaan.exe File opened for modification C:\Windows\SysWOW64\Lpaehl32.exe Lkelpd32.exe File created C:\Windows\SysWOW64\Pfmpgd32.dll Negeln32.exe File created C:\Windows\SysWOW64\Lhimji32.exe Lpaehl32.exe File created C:\Windows\SysWOW64\Meljbqna.exe Mobaef32.exe File opened for modification C:\Windows\SysWOW64\Ncipjieo.exe Nnlhab32.exe File opened for modification C:\Windows\SysWOW64\Dfngll32.exe Dijfch32.exe File opened for modification C:\Windows\SysWOW64\Dinpnged.exe Decdmi32.exe File created C:\Windows\SysWOW64\Enbogmnc.exe Eldbkbop.exe File created C:\Windows\SysWOW64\Hhaanh32.exe Hkmaed32.exe File created C:\Windows\SysWOW64\Dmcjgd32.dll Ijlaloaf.exe File opened for modification C:\Windows\SysWOW64\Onoqfehp.exe Okpdjjil.exe File created C:\Windows\SysWOW64\Qjgjpi32.exe Qblfkgqb.exe File created C:\Windows\SysWOW64\Fcphaglh.dll Dhgccbhp.exe File created C:\Windows\SysWOW64\Lmmlbi32.dll Ikapdqoc.exe File opened for modification C:\Windows\SysWOW64\Coindgbi.exe Cdcjgnbc.exe File created C:\Windows\SysWOW64\Blobmm32.exe Biqfpb32.exe File created C:\Windows\SysWOW64\Kdemhj32.dll Cgdqpq32.exe File created C:\Windows\SysWOW64\Fpemhb32.exe Fikelhib.exe File created C:\Windows\SysWOW64\Niedol32.dll Jqeomfgc.exe File created C:\Windows\SysWOW64\Kcajceke.exe Kenjgi32.exe File created C:\Windows\SysWOW64\Kgocid32.exe Kaekljjo.exe File created C:\Windows\SysWOW64\Oamcoejo.dll Djmiejji.exe File created C:\Windows\SysWOW64\Allapi32.dll Pjahakgb.exe File created C:\Windows\SysWOW64\Dilchhgg.exe Dfngll32.exe File opened for modification C:\Windows\SysWOW64\Njalacon.exe Naegmabc.exe File opened for modification C:\Windows\SysWOW64\Blipno32.exe Baclaf32.exe File created C:\Windows\SysWOW64\Ebmbnn32.dll Knikfnih.exe File created C:\Windows\SysWOW64\Knoegqbp.dll Bbfnchfb.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbmlkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aljmbknm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmclmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpnngi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cehhdkjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkmljcdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebialmjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apnfno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcedne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bckefnki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgnfji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnkdnqhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noohlkpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afbnec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgkbjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qanolm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcbfbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbafalph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofaolcmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igcgnbim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlgiiaij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobaef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjddaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aklabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiiahgjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpmog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgobp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbffjmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiaqle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Negeln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicfgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqcmcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgocid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biqfpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmpkpbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkmefaan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokkegmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daaenlng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqjgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fheoiqgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedifo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocpbfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nomkfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akadpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpcjeaad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dilchhgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnkglj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egpena32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghidcceo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opjkpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdedde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clnehado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicmadmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahhchk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fenphjei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbnap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkgeehnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcajceke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcacochk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlbgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhehpbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbbcail.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokfjf32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfglml32.dll" Bnapnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oidhelof.dll" Fjfhkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oemmkpog.dll" Gplcia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Limiaafb.dll" Chocodch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dghjkpck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkmljcdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqlfhjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bimlibmn.dll" Oqlfhjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhkqcl32.dll" Pkjqcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aekabb32.dll" Ifolhann.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lljipmdl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeokba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjoilfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnbjpqoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgiaefgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lljipmdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Allapi32.dll" Pjahakgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpcjeaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkbpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajldkhjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojkhjabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dngdfinb.dll" Pdnkanfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abgacn32.dll" Dblhmoio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgnjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjgjpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efffpjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpnlndkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lalieb32.dll" Kjhfjpdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jedehaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebockkal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icabeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfbgoj32.dll" Okpdjjil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Empomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caenkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akfnkmei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilgjhena.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmnhgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apclnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inngpj32.dll" Almihjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Comjjjlc.dll" Aicfgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pimkbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caokmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fakmpf32.dll" Elieipej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhbbcail.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onipqp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blobmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcbfbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phcgcahd.dll" Nhbciaki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qbafalph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cofofolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pecelm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jajdfk32.dll" Cnnimkom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehmpeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obhpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfbjhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjdnoa32.dll" Jacibm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcgalk32.dll" Lmeebpkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpnngi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnifdmnc.dll" Nedifo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aicfgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcedne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqlfhjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcbdnmap.dll" Cehhdkjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfbjhf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1908 wrote to memory of 1688 1908 52a4f611860f35d05b696a0f3aab419e362f12b607845ae4e409e61a30c62a70N.exe 30 PID 1908 wrote to memory of 1688 1908 52a4f611860f35d05b696a0f3aab419e362f12b607845ae4e409e61a30c62a70N.exe 30 PID 1908 wrote to memory of 1688 1908 52a4f611860f35d05b696a0f3aab419e362f12b607845ae4e409e61a30c62a70N.exe 30 PID 1908 wrote to memory of 1688 1908 52a4f611860f35d05b696a0f3aab419e362f12b607845ae4e409e61a30c62a70N.exe 30 PID 1688 wrote to memory of 2944 1688 Aklabp32.exe 31 PID 1688 wrote to memory of 2944 1688 Aklabp32.exe 31 PID 1688 wrote to memory of 2944 1688 Aklabp32.exe 31 PID 1688 wrote to memory of 2944 1688 Aklabp32.exe 31 PID 2944 wrote to memory of 2676 2944 Addfkeid.exe 32 PID 2944 wrote to memory of 2676 2944 Addfkeid.exe 32 PID 2944 wrote to memory of 2676 2944 Addfkeid.exe 32 PID 2944 wrote to memory of 2676 2944 Addfkeid.exe 32 PID 2676 wrote to memory of 2580 2676 Acnlgajg.exe 33 PID 2676 wrote to memory of 2580 2676 Acnlgajg.exe 33 PID 2676 wrote to memory of 2580 2676 Acnlgajg.exe 33 PID 2676 wrote to memory of 2580 2676 Acnlgajg.exe 33 PID 2580 wrote to memory of 2568 2580 Blinefnd.exe 34 PID 2580 wrote to memory of 2568 2580 Blinefnd.exe 34 PID 2580 wrote to memory of 2568 2580 Blinefnd.exe 34 PID 2580 wrote to memory of 2568 2580 Blinefnd.exe 34 PID 2568 wrote to memory of 3008 2568 Bcbfbp32.exe 35 PID 2568 wrote to memory of 3008 2568 Bcbfbp32.exe 35 PID 2568 wrote to memory of 3008 2568 Bcbfbp32.exe 35 PID 2568 wrote to memory of 3008 2568 Bcbfbp32.exe 35 PID 3008 wrote to memory of 1252 3008 Bnapnm32.exe 36 PID 3008 wrote to memory of 1252 3008 Bnapnm32.exe 36 PID 3008 wrote to memory of 1252 3008 Bnapnm32.exe 36 PID 3008 wrote to memory of 1252 3008 Bnapnm32.exe 36 PID 1252 wrote to memory of 1596 1252 Ccnifd32.exe 37 PID 1252 wrote to memory of 1596 1252 Ccnifd32.exe 37 PID 1252 wrote to memory of 1596 1252 Ccnifd32.exe 37 PID 1252 wrote to memory of 1596 1252 Ccnifd32.exe 37 PID 1596 wrote to memory of 2792 1596 Cmfmojcb.exe 38 PID 1596 wrote to memory of 2792 1596 Cmfmojcb.exe 38 PID 1596 wrote to memory of 2792 1596 Cmfmojcb.exe 38 PID 1596 wrote to memory of 2792 1596 Cmfmojcb.exe 38 PID 2792 wrote to memory of 2164 2792 Cqfbjhgf.exe 39 PID 2792 wrote to memory of 2164 2792 Cqfbjhgf.exe 39 PID 2792 wrote to memory of 2164 2792 Cqfbjhgf.exe 39 PID 2792 wrote to memory of 2164 2792 Cqfbjhgf.exe 39 PID 2164 wrote to memory of 1856 2164 Cbgobp32.exe 40 PID 2164 wrote to memory of 1856 2164 Cbgobp32.exe 40 PID 2164 wrote to memory of 1856 2164 Cbgobp32.exe 40 PID 2164 wrote to memory of 1856 2164 Cbgobp32.exe 40 PID 1856 wrote to memory of 2152 1856 Ckpckece.exe 41 PID 1856 wrote to memory of 2152 1856 Ckpckece.exe 41 PID 1856 wrote to memory of 2152 1856 Ckpckece.exe 41 PID 1856 wrote to memory of 2152 1856 Ckpckece.exe 41 PID 2152 wrote to memory of 2156 2152 Cehhdkjf.exe 42 PID 2152 wrote to memory of 2156 2152 Cehhdkjf.exe 42 PID 2152 wrote to memory of 2156 2152 Cehhdkjf.exe 42 PID 2152 wrote to memory of 2156 2152 Cehhdkjf.exe 42 PID 2156 wrote to memory of 1472 2156 Dblhmoio.exe 43 PID 2156 wrote to memory of 1472 2156 Dblhmoio.exe 43 PID 2156 wrote to memory of 1472 2156 Dblhmoio.exe 43 PID 2156 wrote to memory of 1472 2156 Dblhmoio.exe 43 PID 1472 wrote to memory of 1936 1472 Dgiaefgg.exe 44 PID 1472 wrote to memory of 1936 1472 Dgiaefgg.exe 44 PID 1472 wrote to memory of 1936 1472 Dgiaefgg.exe 44 PID 1472 wrote to memory of 1936 1472 Dgiaefgg.exe 44 PID 1936 wrote to memory of 1752 1936 Daaenlng.exe 45 PID 1936 wrote to memory of 1752 1936 Daaenlng.exe 45 PID 1936 wrote to memory of 1752 1936 Daaenlng.exe 45 PID 1936 wrote to memory of 1752 1936 Daaenlng.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\52a4f611860f35d05b696a0f3aab419e362f12b607845ae4e409e61a30c62a70N.exe"C:\Users\Admin\AppData\Local\Temp\52a4f611860f35d05b696a0f3aab419e362f12b607845ae4e409e61a30c62a70N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Aklabp32.exeC:\Windows\system32\Aklabp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Addfkeid.exeC:\Windows\system32\Addfkeid.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Acnlgajg.exeC:\Windows\system32\Acnlgajg.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Blinefnd.exeC:\Windows\system32\Blinefnd.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Bcbfbp32.exeC:\Windows\system32\Bcbfbp32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Bnapnm32.exeC:\Windows\system32\Bnapnm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Ccnifd32.exeC:\Windows\system32\Ccnifd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Cmfmojcb.exeC:\Windows\system32\Cmfmojcb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Cqfbjhgf.exeC:\Windows\system32\Cqfbjhgf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Cbgobp32.exeC:\Windows\system32\Cbgobp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Ckpckece.exeC:\Windows\system32\Ckpckece.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Cehhdkjf.exeC:\Windows\system32\Cehhdkjf.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Dblhmoio.exeC:\Windows\system32\Dblhmoio.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Dgiaefgg.exeC:\Windows\system32\Dgiaefgg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1472 -
C:\Windows\SysWOW64\Daaenlng.exeC:\Windows\system32\Daaenlng.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Dnefhpma.exeC:\Windows\system32\Dnefhpma.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Dgnjqe32.exeC:\Windows\system32\Dgnjqe32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Dafoikjb.exeC:\Windows\system32\Dafoikjb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Gaojnq32.exeC:\Windows\system32\Gaojnq32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780 -
C:\Windows\SysWOW64\Hqgddm32.exeC:\Windows\system32\Hqgddm32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Hgqlafap.exeC:\Windows\system32\Hgqlafap.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Hnkdnqhm.exeC:\Windows\system32\Hnkdnqhm.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:888 -
C:\Windows\SysWOW64\Hmbndmkb.exeC:\Windows\system32\Hmbndmkb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Hclfag32.exeC:\Windows\system32\Hclfag32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Ifolhann.exeC:\Windows\system32\Ifolhann.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Iegeonpc.exeC:\Windows\system32\Iegeonpc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Iclbpj32.exeC:\Windows\system32\Iclbpj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Jmdgipkk.exeC:\Windows\system32\Jmdgipkk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2556 -
C:\Windows\SysWOW64\Jpgmpk32.exeC:\Windows\system32\Jpgmpk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Jedehaea.exeC:\Windows\system32\Jedehaea.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Kidjdpie.exeC:\Windows\system32\Kidjdpie.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:872 -
C:\Windows\SysWOW64\Kbmome32.exeC:\Windows\system32\Kbmome32.exe33⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Kocpbfei.exeC:\Windows\system32\Kocpbfei.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2184 -
C:\Windows\SysWOW64\Kfaalh32.exeC:\Windows\system32\Kfaalh32.exe35⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Kpieengb.exeC:\Windows\system32\Kpieengb.exe36⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Libjncnc.exeC:\Windows\system32\Libjncnc.exe37⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Llepen32.exeC:\Windows\system32\Llepen32.exe38⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Llgljn32.exeC:\Windows\system32\Llgljn32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Lljipmdl.exeC:\Windows\system32\Lljipmdl.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Lnkege32.exeC:\Windows\system32\Lnkege32.exe41⤵
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Mkofaj32.exeC:\Windows\system32\Mkofaj32.exe42⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Mnmbme32.exeC:\Windows\system32\Mnmbme32.exe43⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Mhcfjnhm.exeC:\Windows\system32\Mhcfjnhm.exe44⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Makkcc32.exeC:\Windows\system32\Makkcc32.exe45⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Mkcplien.exeC:\Windows\system32\Mkcplien.exe46⤵
- Executes dropped EXE
PID:660 -
C:\Windows\SysWOW64\Mnblhddb.exeC:\Windows\system32\Mnblhddb.exe47⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Mgjpaj32.exeC:\Windows\system32\Mgjpaj32.exe48⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Mlgiiaij.exeC:\Windows\system32\Mlgiiaij.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Mfpmbf32.exeC:\Windows\system32\Mfpmbf32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Mlieoqgg.exeC:\Windows\system32\Mlieoqgg.exe51⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Nfbjhf32.exeC:\Windows\system32\Nfbjhf32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Nkobpmlo.exeC:\Windows\system32\Nkobpmlo.exe53⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Nhbciaki.exeC:\Windows\system32\Nhbciaki.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Nomkfk32.exeC:\Windows\system32\Nomkfk32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1884 -
C:\Windows\SysWOW64\Ndicnb32.exeC:\Windows\system32\Ndicnb32.exe56⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Noohlkpc.exeC:\Windows\system32\Noohlkpc.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\Ndlpdbnj.exeC:\Windows\system32\Ndlpdbnj.exe58⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Nkehql32.exeC:\Windows\system32\Nkehql32.exe59⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Ndnmialh.exeC:\Windows\system32\Ndnmialh.exe60⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Okhefl32.exeC:\Windows\system32\Okhefl32.exe61⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Oqennbbl.exeC:\Windows\system32\Oqennbbl.exe62⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Ogofkm32.exeC:\Windows\system32\Ogofkm32.exe63⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Omlncc32.exeC:\Windows\system32\Omlncc32.exe64⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:696 -
C:\Windows\SysWOW64\Ojpomh32.exeC:\Windows\system32\Ojpomh32.exe66⤵PID:2308
-
C:\Windows\SysWOW64\Ochcem32.exeC:\Windows\system32\Ochcem32.exe67⤵PID:2936
-
C:\Windows\SysWOW64\Offpbi32.exeC:\Windows\system32\Offpbi32.exe68⤵PID:1464
-
C:\Windows\SysWOW64\Opodknco.exeC:\Windows\system32\Opodknco.exe69⤵PID:616
-
C:\Windows\SysWOW64\Ofilgh32.exeC:\Windows\system32\Ofilgh32.exe70⤵PID:1032
-
C:\Windows\SysWOW64\Pndalkgf.exeC:\Windows\system32\Pndalkgf.exe71⤵PID:2668
-
C:\Windows\SysWOW64\Penihe32.exeC:\Windows\system32\Penihe32.exe72⤵PID:2688
-
C:\Windows\SysWOW64\Pbajbi32.exeC:\Windows\system32\Pbajbi32.exe73⤵PID:2864
-
C:\Windows\SysWOW64\Pljnkodm.exeC:\Windows\system32\Pljnkodm.exe74⤵PID:328
-
C:\Windows\SysWOW64\Pnkglj32.exeC:\Windows\system32\Pnkglj32.exe75⤵
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Paiche32.exeC:\Windows\system32\Paiche32.exe76⤵PID:2200
-
C:\Windows\SysWOW64\Pjahakgb.exeC:\Windows\system32\Pjahakgb.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:1868 -
C:\Windows\SysWOW64\Ppopja32.exeC:\Windows\system32\Ppopja32.exe78⤵PID:320
-
C:\Windows\SysWOW64\Qigebglj.exeC:\Windows\system32\Qigebglj.exe79⤵
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Qpamoa32.exeC:\Windows\system32\Qpamoa32.exe80⤵PID:1092
-
C:\Windows\SysWOW64\Qiiahgjh.exeC:\Windows\system32\Qiiahgjh.exe81⤵
- System Location Discovery: System Language Discovery
PID:1348 -
C:\Windows\SysWOW64\Qpcjeaad.exeC:\Windows\system32\Qpcjeaad.exe82⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Qbafalph.exeC:\Windows\system32\Qbafalph.exe83⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Abdbflnf.exeC:\Windows\system32\Abdbflnf.exe84⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Aphcppmo.exeC:\Windows\system32\Aphcppmo.exe85⤵PID:2876
-
C:\Windows\SysWOW64\Aedlhg32.exeC:\Windows\system32\Aedlhg32.exe86⤵PID:2080
-
C:\Windows\SysWOW64\Akadpn32.exeC:\Windows\system32\Akadpn32.exe87⤵
- System Location Discovery: System Language Discovery
PID:1380 -
C:\Windows\SysWOW64\Aompambg.exeC:\Windows\system32\Aompambg.exe88⤵PID:2832
-
C:\Windows\SysWOW64\Aeghng32.exeC:\Windows\system32\Aeghng32.exe89⤵PID:996
-
C:\Windows\SysWOW64\Akdafn32.exeC:\Windows\system32\Akdafn32.exe90⤵PID:3040
-
C:\Windows\SysWOW64\Adleoc32.exeC:\Windows\system32\Adleoc32.exe91⤵PID:2216
-
C:\Windows\SysWOW64\Akfnkmei.exeC:\Windows\system32\Akfnkmei.exe92⤵
- Modifies registry class
PID:1580 -
C:\Windows\SysWOW64\Bpcfcddp.exeC:\Windows\system32\Bpcfcddp.exe93⤵PID:2592
-
C:\Windows\SysWOW64\Bngfmhbj.exeC:\Windows\system32\Bngfmhbj.exe94⤵PID:2804
-
C:\Windows\SysWOW64\Bccoeo32.exeC:\Windows\system32\Bccoeo32.exe95⤵PID:236
-
C:\Windows\SysWOW64\Bjngbihn.exeC:\Windows\system32\Bjngbihn.exe96⤵PID:3020
-
C:\Windows\SysWOW64\Bdckobhd.exeC:\Windows\system32\Bdckobhd.exe97⤵PID:2520
-
C:\Windows\SysWOW64\Bedhgj32.exeC:\Windows\system32\Bedhgj32.exe98⤵
- Drops file in System32 directory
PID:2892 -
C:\Windows\SysWOW64\Bpjldc32.exeC:\Windows\system32\Bpjldc32.exe99⤵
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Bjbqmi32.exeC:\Windows\system32\Bjbqmi32.exe100⤵PID:1804
-
C:\Windows\SysWOW64\Blqmid32.exeC:\Windows\system32\Blqmid32.exe101⤵PID:2000
-
C:\Windows\SysWOW64\Bckefnki.exeC:\Windows\system32\Bckefnki.exe102⤵
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Clciod32.exeC:\Windows\system32\Clciod32.exe103⤵PID:2596
-
C:\Windows\SysWOW64\Coafko32.exeC:\Windows\system32\Coafko32.exe104⤵PID:1892
-
C:\Windows\SysWOW64\Chjjde32.exeC:\Windows\system32\Chjjde32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2448 -
C:\Windows\SysWOW64\Codbqonk.exeC:\Windows\system32\Codbqonk.exe106⤵PID:2464
-
C:\Windows\SysWOW64\Cgogealf.exeC:\Windows\system32\Cgogealf.exe107⤵
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Cofofolh.exeC:\Windows\system32\Cofofolh.exe108⤵
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Chocodch.exeC:\Windows\system32\Chocodch.exe109⤵
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Ckmpkpbl.exeC:\Windows\system32\Ckmpkpbl.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Cdedde32.exeC:\Windows\system32\Cdedde32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Cgdqpq32.exeC:\Windows\system32\Cgdqpq32.exe112⤵
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Cnnimkom.exeC:\Windows\system32\Cnnimkom.exe113⤵
- Modifies registry class
PID:692 -
C:\Windows\SysWOW64\Ddhaie32.exeC:\Windows\system32\Ddhaie32.exe114⤵PID:324
-
C:\Windows\SysWOW64\Djdjalea.exeC:\Windows\system32\Djdjalea.exe115⤵PID:2500
-
C:\Windows\SysWOW64\Dmcfngde.exeC:\Windows\system32\Dmcfngde.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2004 -
C:\Windows\SysWOW64\Dghjkpck.exeC:\Windows\system32\Dghjkpck.exe117⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Dijfch32.exeC:\Windows\system32\Dijfch32.exe118⤵
- Drops file in System32 directory
PID:2900 -
C:\Windows\SysWOW64\Dfngll32.exeC:\Windows\system32\Dfngll32.exe119⤵
- Drops file in System32 directory
PID:2984 -
C:\Windows\SysWOW64\Dilchhgg.exeC:\Windows\system32\Dilchhgg.exe120⤵
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Dkjpdcfj.exeC:\Windows\system32\Dkjpdcfj.exe121⤵PID:1260
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-