Analysis
-
max time kernel
39s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
25/12/2024, 01:41
Behavioral task
behavioral1
Sample
ae3d32febcbf4ccc512d5c748580d6ee81440f091a80280c5426f27c5ffd55fa.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
150 seconds
Behavioral task
behavioral2
Sample
ae3d32febcbf4ccc512d5c748580d6ee81440f091a80280c5426f27c5ffd55fa.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
14 signatures
150 seconds
General
-
Target
ae3d32febcbf4ccc512d5c748580d6ee81440f091a80280c5426f27c5ffd55fa.exe
-
Size
163KB
-
MD5
fbf74539b975599b4f288add5271b3bf
-
SHA1
9256e6659d3940663f650feb88910ac7a096d028
-
SHA256
ae3d32febcbf4ccc512d5c748580d6ee81440f091a80280c5426f27c5ffd55fa
-
SHA512
75f4dfa070cf3df7e39f286eaa5e508cc5530e575c681b776d23afa7d1e4c8b41514845907ab3fb98afea0c65bf367cd48ab466c1b9bbefae78fc812ca687967
-
SSDEEP
1536:PJn/6gpELEAHo3/lBqxnoTVwl/o7gLMFU6riDa3ZVB5QNgLlProNVU4qNVUrk/9o:x/L53/lIk3Zz5QNWltOrWKDBr+yJb
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgcdcjpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jalolemm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmppm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdknfiea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpkaai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Foqadnpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adekhkng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Annpaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eipekmjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjjeid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghpngkhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npieoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbokda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnakjaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gomjckqc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlhnfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlcceboa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eplood32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeiggk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajpgkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfgeoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dklibf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccceeqfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnkblm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldokhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dieiap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebmjihqn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbdadl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diklpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbolge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elkbipdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdeehe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpemob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfgdpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lldhldpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqhiab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kehgkgha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkglim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlcekgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfhficcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchjjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njobpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncggifep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hafbid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifoljn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlpmndba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jekoljgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebmjihqn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eabgjeef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbljfdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obgmjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djemfibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpplfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajbfeop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmelfeqn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdpmljan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Denglpkc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjimpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckdcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lckdcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdpfbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lednal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkelcenm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgkeol32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 2 IoCs
resource yara_rule behavioral1/files/0x000500000001a47b-347.dat family_bruteratel behavioral1/files/0x000400000001ded0-2873.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2216 Cakfcfoc.exe 3012 Cjfgalcq.exe 2136 Cpemob32.exe 2756 Ccceeqfl.exe 2728 Dlqgob32.exe 2256 Dlcceboa.exe 432 Dabicikf.exe 2308 Dkkmln32.exe 2952 Echoepmo.exe 2300 Eplood32.exe 2092 Eeiggk32.exe 632 Eleliepj.exe 2140 Fnkblm32.exe 2076 Fkapkq32.exe 2408 Fgjmfa32.exe 1036 Gqcaoghl.exe 1148 Gbfklolh.exe 2672 Gdjpcj32.exe 1516 Goodpb32.exe 928 Hjkbfpah.exe 1304 Hminbkql.exe 1676 Hgaoec32.exe 692 Hchpjddc.exe 264 Ifiilp32.exe 2368 Ienfml32.exe 1800 Iaegbmlq.exe 2992 Iecohl32.exe 2724 Jjbdfbnl.exe 2896 Jhfepfme.exe 2772 Jkfnaa32.exe 2552 Khcdijac.exe 2248 Knbjgq32.exe 752 Kkfjpemb.exe 1736 Kpeonkig.exe 3068 Lnipgp32.exe 2416 Ljpqlqmd.exe 2320 Lomidgkl.exe 2504 Loofjg32.exe 1756 Llcfck32.exe 2272 Ldokhn32.exe 2328 Lkhcdhmk.exe 2288 Mnilfc32.exe 268 Mjpmkdpp.exe 2512 Mgfjjh32.exe 2404 Mpaoojjb.exe 1332 Nijcgp32.exe 1664 Ncpgeh32.exe 1848 Nilpmo32.exe 1864 Nlklik32.exe 1384 Nmjicn32.exe 1476 Npieoi32.exe 2432 Nhdjdk32.exe 2824 Npkaei32.exe 2832 Nlabjj32.exe 1184 Nbljfdoh.exe 2560 Oaaghp32.exe 328 Ododdlcd.exe 1772 Oacdmpan.exe 2932 Odaqikaa.exe 1636 Oaeacppk.exe 1084 Obgmjh32.exe 2104 Opkndldc.exe 2456 Obijpgcf.exe 2612 Ppmkilbp.exe -
Loads dropped DLL 64 IoCs
pid Process 2608 ae3d32febcbf4ccc512d5c748580d6ee81440f091a80280c5426f27c5ffd55fa.exe 2608 ae3d32febcbf4ccc512d5c748580d6ee81440f091a80280c5426f27c5ffd55fa.exe 2216 Cakfcfoc.exe 2216 Cakfcfoc.exe 3012 Cjfgalcq.exe 3012 Cjfgalcq.exe 2136 Cpemob32.exe 2136 Cpemob32.exe 2756 Ccceeqfl.exe 2756 Ccceeqfl.exe 2728 Dlqgob32.exe 2728 Dlqgob32.exe 2256 Dlcceboa.exe 2256 Dlcceboa.exe 432 Dabicikf.exe 432 Dabicikf.exe 2308 Dkkmln32.exe 2308 Dkkmln32.exe 2952 Echoepmo.exe 2952 Echoepmo.exe 2300 Eplood32.exe 2300 Eplood32.exe 2092 Eeiggk32.exe 2092 Eeiggk32.exe 632 Eleliepj.exe 632 Eleliepj.exe 2140 Fnkblm32.exe 2140 Fnkblm32.exe 2076 Fkapkq32.exe 2076 Fkapkq32.exe 2408 Fgjmfa32.exe 2408 Fgjmfa32.exe 1036 Gqcaoghl.exe 1036 Gqcaoghl.exe 1148 Gbfklolh.exe 1148 Gbfklolh.exe 2672 Gdjpcj32.exe 2672 Gdjpcj32.exe 1516 Goodpb32.exe 1516 Goodpb32.exe 928 Hjkbfpah.exe 928 Hjkbfpah.exe 1304 Hminbkql.exe 1304 Hminbkql.exe 1676 Hgaoec32.exe 1676 Hgaoec32.exe 692 Hchpjddc.exe 692 Hchpjddc.exe 264 Ifiilp32.exe 264 Ifiilp32.exe 2368 Ienfml32.exe 2368 Ienfml32.exe 1800 Iaegbmlq.exe 1800 Iaegbmlq.exe 2992 Iecohl32.exe 2992 Iecohl32.exe 2724 Jjbdfbnl.exe 2724 Jjbdfbnl.exe 2896 Jhfepfme.exe 2896 Jhfepfme.exe 2772 Jkfnaa32.exe 2772 Jkfnaa32.exe 2552 Khcdijac.exe 2552 Khcdijac.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fomndhng.exe Fkpeojha.exe File created C:\Windows\SysWOW64\Ffabjf32.dll Pjlgna32.exe File opened for modification C:\Windows\SysWOW64\Ngoinfao.exe Nkhhie32.exe File created C:\Windows\SysWOW64\Njobpa32.exe Nnhakp32.exe File opened for modification C:\Windows\SysWOW64\Adqbml32.exe Akhndf32.exe File created C:\Windows\SysWOW64\Qlbhlf32.dll Bfieec32.exe File opened for modification C:\Windows\SysWOW64\Gmbagf32.exe Glpdbfek.exe File created C:\Windows\SysWOW64\Khbcbcmo.dll Ajpgkb32.exe File opened for modification C:\Windows\SysWOW64\Kbajci32.exe Kiifjd32.exe File created C:\Windows\SysWOW64\Oedclm32.exe Ohqbbi32.exe File created C:\Windows\SysWOW64\Pebbeq32.exe Pjhaec32.exe File created C:\Windows\SysWOW64\Alnndlmh.dll Gidgdcli.exe File created C:\Windows\SysWOW64\Cpkaai32.exe Colegflh.exe File created C:\Windows\SysWOW64\Ondnfndp.dll Ldokhn32.exe File opened for modification C:\Windows\SysWOW64\Djemfibq.exe Dpphipbk.exe File created C:\Windows\SysWOW64\Ebmjihqn.exe Eccdmmpk.exe File opened for modification C:\Windows\SysWOW64\Colegflh.exe Bgqqcd32.exe File created C:\Windows\SysWOW64\Jocnbj32.dll Dmllgo32.exe File created C:\Windows\SysWOW64\Ofqonp32.exe Onejjm32.exe File created C:\Windows\SysWOW64\Paemac32.exe Phmiimlf.exe File created C:\Windows\SysWOW64\Ikbndqnc.exe Ibjikk32.exe File created C:\Windows\SysWOW64\Adekhkng.exe Ajpgkb32.exe File created C:\Windows\SysWOW64\Cqcomn32.exe Cqqbgoba.exe File created C:\Windows\SysWOW64\Opfjnm32.dll Cjkcedgp.exe File created C:\Windows\SysWOW64\Lfnaec32.dll Iijdfc32.exe File opened for modification C:\Windows\SysWOW64\Eeiggk32.exe Eplood32.exe File created C:\Windows\SysWOW64\Abdpfmcb.dll Nbljfdoh.exe File created C:\Windows\SysWOW64\Hpmjno32.dll Faonqiod.exe File opened for modification C:\Windows\SysWOW64\Mkelcenm.exe Mnakjaoc.exe File opened for modification C:\Windows\SysWOW64\Bcgoolln.exe Bjnjfffm.exe File created C:\Windows\SysWOW64\Gdpfbd32.exe Gocnjn32.exe File created C:\Windows\SysWOW64\Gdilkpbo.dll Kaieai32.exe File created C:\Windows\SysWOW64\Adcobk32.exe Adqbml32.exe File created C:\Windows\SysWOW64\Joigkgel.dll Dabicikf.exe File created C:\Windows\SysWOW64\Cgcfia32.dll Iecohl32.exe File created C:\Windows\SysWOW64\Nbpalg32.dll Kpeonkig.exe File opened for modification C:\Windows\SysWOW64\Afqeaemk.exe Aogmdk32.exe File created C:\Windows\SysWOW64\Knmflijn.dll Jaolad32.exe File created C:\Windows\SysWOW64\Ajmdmpmb.dll Abgeiaaf.exe File created C:\Windows\SysWOW64\Iolohhpc.exe Igeggkoq.exe File created C:\Windows\SysWOW64\Ojldok32.dll Ieaekdkn.exe File created C:\Windows\SysWOW64\Fioajqmb.exe Fjjeid32.exe File created C:\Windows\SysWOW64\Ohfpehbh.dll Jhfepfme.exe File created C:\Windows\SysWOW64\Gfobjfcf.dll Foqadnpq.exe File created C:\Windows\SysWOW64\Hblhqf32.dll Kdeehe32.exe File created C:\Windows\SysWOW64\Lghgocek.exe Lnobfn32.exe File opened for modification C:\Windows\SysWOW64\Ikbndqnc.exe Ibjikk32.exe File created C:\Windows\SysWOW64\Cdgdlnop.exe Bgcdcjpf.exe File opened for modification C:\Windows\SysWOW64\Kmbeecaq.exe Kfhmhi32.exe File opened for modification C:\Windows\SysWOW64\Qckcdj32.exe Qkpnph32.exe File opened for modification C:\Windows\SysWOW64\Hkndiabh.exe Hiphmf32.exe File created C:\Windows\SysWOW64\Jekoljgo.exe Jlbjcd32.exe File created C:\Windows\SysWOW64\Mkelcenm.exe Mnakjaoc.exe File created C:\Windows\SysWOW64\Hfegfg32.dll Eeiggk32.exe File created C:\Windows\SysWOW64\Pbfgopei.dll Khcdijac.exe File created C:\Windows\SysWOW64\Nlklik32.exe Nilpmo32.exe File created C:\Windows\SysWOW64\Pdffcn32.exe Pknakhig.exe File created C:\Windows\SysWOW64\Ibncdgoo.dll Jajbfeop.exe File opened for modification C:\Windows\SysWOW64\Nkphmc32.exe Nkmkgc32.exe File opened for modification C:\Windows\SysWOW64\Enjand32.exe Emieflec.exe File created C:\Windows\SysWOW64\Cjfgalcq.exe Cakfcfoc.exe File created C:\Windows\SysWOW64\Pagmmn32.dll Pfjiod32.exe File created C:\Windows\SysWOW64\Kehgkgha.exe Khdgabih.exe File created C:\Windows\SysWOW64\Nkphmc32.exe Nkmkgc32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paemac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahdkhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqajqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpnmhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cakfcfoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqqbgoba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dieiap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feppqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjjeid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhnnpolk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpphipbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pobgjhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgnfpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmdql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eabgjeef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajbfeop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldhldpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eplood32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibjikk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhfhnofg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmkilbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfgdpj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkndiabh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibebeqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaieai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmeij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emieflec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npieoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gledgkfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkbipdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nilpmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnbic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jalolemm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Picdejbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfgeoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpmiahlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gafcahil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahancp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imaglc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opicgenj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiifjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pacqlcdi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pejcab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gocnjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhndf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmppm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoilcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghlell32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lomidgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iolohhpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lelmei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpaoojjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oacdmpan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmocha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpbenpqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edmnnakm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iabcbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njobpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hchpjddc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieaekdkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kanhph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhnfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbqbioeb.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Happkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meafpibb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igeggkoq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkapkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hleogppk.dll" Pjchjcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpabid32.dll" Happkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekofg32.dll" Klgpmgod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncggifep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obfoioei.dll" Hgmhcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opkpme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joigkgel.dll" Dabicikf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jekoljgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbpfk32.dll" Jbooen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpfpmonn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khdgabih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emieflec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohfpehbh.dll" Jhfepfme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afhklj32.dll" Ppmkilbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhpmhgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iabcbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmelfeqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghlell32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flccjn32.dll" Ifiilp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnhjae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmbagf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joceen32.dll" Legcjjjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjjeid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djffdk32.dll" Fgnfpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cqcomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfnmnojj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbfdnijp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 ae3d32febcbf4ccc512d5c748580d6ee81440f091a80280c5426f27c5ffd55fa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnpieceq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oedclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afmhjhpn.dll" Eabgjeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikcakg32.dll" Jjmchhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjfgalcq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcjqpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plgojd32.dll" Ncggifep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efllcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfbcpo32.dll" Likbpceb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjbdfbnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahdkhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmdfjmdc.dll" Amfcfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjelpcob.dll" Lckdcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aahqpjlb.dll" Mckpba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjnbiqik.dll" Ghlell32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdffcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcgoolln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkmkilcj.dll" Mkelcenm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfcncl32.dll" Lhgeao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qkpnph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgnfpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lldhldpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icnealbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojdlkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqfgcf32.dll" Fdpmljan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpnpam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Babbpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diklpn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldokhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffofoi32.dll" Bcgoolln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmpgcd32.dll" Deonff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnaaicgh.dll" Gomjckqc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2608 wrote to memory of 2216 2608 ae3d32febcbf4ccc512d5c748580d6ee81440f091a80280c5426f27c5ffd55fa.exe 29 PID 2608 wrote to memory of 2216 2608 ae3d32febcbf4ccc512d5c748580d6ee81440f091a80280c5426f27c5ffd55fa.exe 29 PID 2608 wrote to memory of 2216 2608 ae3d32febcbf4ccc512d5c748580d6ee81440f091a80280c5426f27c5ffd55fa.exe 29 PID 2608 wrote to memory of 2216 2608 ae3d32febcbf4ccc512d5c748580d6ee81440f091a80280c5426f27c5ffd55fa.exe 29 PID 2216 wrote to memory of 3012 2216 Cakfcfoc.exe 30 PID 2216 wrote to memory of 3012 2216 Cakfcfoc.exe 30 PID 2216 wrote to memory of 3012 2216 Cakfcfoc.exe 30 PID 2216 wrote to memory of 3012 2216 Cakfcfoc.exe 30 PID 3012 wrote to memory of 2136 3012 Cjfgalcq.exe 31 PID 3012 wrote to memory of 2136 3012 Cjfgalcq.exe 31 PID 3012 wrote to memory of 2136 3012 Cjfgalcq.exe 31 PID 3012 wrote to memory of 2136 3012 Cjfgalcq.exe 31 PID 2136 wrote to memory of 2756 2136 Cpemob32.exe 32 PID 2136 wrote to memory of 2756 2136 Cpemob32.exe 32 PID 2136 wrote to memory of 2756 2136 Cpemob32.exe 32 PID 2136 wrote to memory of 2756 2136 Cpemob32.exe 32 PID 2756 wrote to memory of 2728 2756 Ccceeqfl.exe 33 PID 2756 wrote to memory of 2728 2756 Ccceeqfl.exe 33 PID 2756 wrote to memory of 2728 2756 Ccceeqfl.exe 33 PID 2756 wrote to memory of 2728 2756 Ccceeqfl.exe 33 PID 2728 wrote to memory of 2256 2728 Dlqgob32.exe 34 PID 2728 wrote to memory of 2256 2728 Dlqgob32.exe 34 PID 2728 wrote to memory of 2256 2728 Dlqgob32.exe 34 PID 2728 wrote to memory of 2256 2728 Dlqgob32.exe 34 PID 2256 wrote to memory of 432 2256 Dlcceboa.exe 35 PID 2256 wrote to memory of 432 2256 Dlcceboa.exe 35 PID 2256 wrote to memory of 432 2256 Dlcceboa.exe 35 PID 2256 wrote to memory of 432 2256 Dlcceboa.exe 35 PID 432 wrote to memory of 2308 432 Dabicikf.exe 36 PID 432 wrote to memory of 2308 432 Dabicikf.exe 36 PID 432 wrote to memory of 2308 432 Dabicikf.exe 36 PID 432 wrote to memory of 2308 432 Dabicikf.exe 36 PID 2308 wrote to memory of 2952 2308 Dkkmln32.exe 37 PID 2308 wrote to memory of 2952 2308 Dkkmln32.exe 37 PID 2308 wrote to memory of 2952 2308 Dkkmln32.exe 37 PID 2308 wrote to memory of 2952 2308 Dkkmln32.exe 37 PID 2952 wrote to memory of 2300 2952 Echoepmo.exe 38 PID 2952 wrote to memory of 2300 2952 Echoepmo.exe 38 PID 2952 wrote to memory of 2300 2952 Echoepmo.exe 38 PID 2952 wrote to memory of 2300 2952 Echoepmo.exe 38 PID 2300 wrote to memory of 2092 2300 Eplood32.exe 39 PID 2300 wrote to memory of 2092 2300 Eplood32.exe 39 PID 2300 wrote to memory of 2092 2300 Eplood32.exe 39 PID 2300 wrote to memory of 2092 2300 Eplood32.exe 39 PID 2092 wrote to memory of 632 2092 Eeiggk32.exe 40 PID 2092 wrote to memory of 632 2092 Eeiggk32.exe 40 PID 2092 wrote to memory of 632 2092 Eeiggk32.exe 40 PID 2092 wrote to memory of 632 2092 Eeiggk32.exe 40 PID 632 wrote to memory of 2140 632 Eleliepj.exe 41 PID 632 wrote to memory of 2140 632 Eleliepj.exe 41 PID 632 wrote to memory of 2140 632 Eleliepj.exe 41 PID 632 wrote to memory of 2140 632 Eleliepj.exe 41 PID 2140 wrote to memory of 2076 2140 Fnkblm32.exe 42 PID 2140 wrote to memory of 2076 2140 Fnkblm32.exe 42 PID 2140 wrote to memory of 2076 2140 Fnkblm32.exe 42 PID 2140 wrote to memory of 2076 2140 Fnkblm32.exe 42 PID 2076 wrote to memory of 2408 2076 Fkapkq32.exe 43 PID 2076 wrote to memory of 2408 2076 Fkapkq32.exe 43 PID 2076 wrote to memory of 2408 2076 Fkapkq32.exe 43 PID 2076 wrote to memory of 2408 2076 Fkapkq32.exe 43 PID 2408 wrote to memory of 1036 2408 Fgjmfa32.exe 44 PID 2408 wrote to memory of 1036 2408 Fgjmfa32.exe 44 PID 2408 wrote to memory of 1036 2408 Fgjmfa32.exe 44 PID 2408 wrote to memory of 1036 2408 Fgjmfa32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\ae3d32febcbf4ccc512d5c748580d6ee81440f091a80280c5426f27c5ffd55fa.exe"C:\Users\Admin\AppData\Local\Temp\ae3d32febcbf4ccc512d5c748580d6ee81440f091a80280c5426f27c5ffd55fa.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Cakfcfoc.exeC:\Windows\system32\Cakfcfoc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Cjfgalcq.exeC:\Windows\system32\Cjfgalcq.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Cpemob32.exeC:\Windows\system32\Cpemob32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Ccceeqfl.exeC:\Windows\system32\Ccceeqfl.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Dlqgob32.exeC:\Windows\system32\Dlqgob32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Dlcceboa.exeC:\Windows\system32\Dlcceboa.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Dabicikf.exeC:\Windows\system32\Dabicikf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Dkkmln32.exeC:\Windows\system32\Dkkmln32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2308 -
C:\Windows\SysWOW64\Echoepmo.exeC:\Windows\system32\Echoepmo.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Eplood32.exeC:\Windows\system32\Eplood32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Eeiggk32.exeC:\Windows\system32\Eeiggk32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Eleliepj.exeC:\Windows\system32\Eleliepj.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:632 -
C:\Windows\SysWOW64\Fnkblm32.exeC:\Windows\system32\Fnkblm32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Fkapkq32.exeC:\Windows\system32\Fkapkq32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2076 -
C:\Windows\SysWOW64\Fgjmfa32.exeC:\Windows\system32\Fgjmfa32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Gqcaoghl.exeC:\Windows\system32\Gqcaoghl.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Gbfklolh.exeC:\Windows\system32\Gbfklolh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1148 -
C:\Windows\SysWOW64\Gdjpcj32.exeC:\Windows\system32\Gdjpcj32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Goodpb32.exeC:\Windows\system32\Goodpb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Hjkbfpah.exeC:\Windows\system32\Hjkbfpah.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:928 -
C:\Windows\SysWOW64\Hminbkql.exeC:\Windows\system32\Hminbkql.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Hgaoec32.exeC:\Windows\system32\Hgaoec32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Hchpjddc.exeC:\Windows\system32\Hchpjddc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:692 -
C:\Windows\SysWOW64\Ifiilp32.exeC:\Windows\system32\Ifiilp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:264 -
C:\Windows\SysWOW64\Ienfml32.exeC:\Windows\system32\Ienfml32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Iaegbmlq.exeC:\Windows\system32\Iaegbmlq.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Iecohl32.exeC:\Windows\system32\Iecohl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2992 -
C:\Windows\SysWOW64\Jjbdfbnl.exeC:\Windows\system32\Jjbdfbnl.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Jhfepfme.exeC:\Windows\system32\Jhfepfme.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Jkfnaa32.exeC:\Windows\system32\Jkfnaa32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Khcdijac.exeC:\Windows\system32\Khcdijac.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Knbjgq32.exeC:\Windows\system32\Knbjgq32.exe33⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Kkfjpemb.exeC:\Windows\system32\Kkfjpemb.exe34⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Kpeonkig.exeC:\Windows\system32\Kpeonkig.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Lnipgp32.exeC:\Windows\system32\Lnipgp32.exe36⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Ljpqlqmd.exeC:\Windows\system32\Ljpqlqmd.exe37⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Lomidgkl.exeC:\Windows\system32\Lomidgkl.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Loofjg32.exeC:\Windows\system32\Loofjg32.exe39⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Llcfck32.exeC:\Windows\system32\Llcfck32.exe40⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Ldokhn32.exeC:\Windows\system32\Ldokhn32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Lkhcdhmk.exeC:\Windows\system32\Lkhcdhmk.exe42⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Mnilfc32.exeC:\Windows\system32\Mnilfc32.exe43⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Mjpmkdpp.exeC:\Windows\system32\Mjpmkdpp.exe44⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Mgfjjh32.exeC:\Windows\system32\Mgfjjh32.exe45⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Mpaoojjb.exeC:\Windows\system32\Mpaoojjb.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2404 -
C:\Windows\SysWOW64\Nijcgp32.exeC:\Windows\system32\Nijcgp32.exe47⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Ncpgeh32.exeC:\Windows\system32\Ncpgeh32.exe48⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Nilpmo32.exeC:\Windows\system32\Nilpmo32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1848 -
C:\Windows\SysWOW64\Nlklik32.exeC:\Windows\system32\Nlklik32.exe50⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Nmjicn32.exeC:\Windows\system32\Nmjicn32.exe51⤵
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Npieoi32.exeC:\Windows\system32\Npieoi32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1476 -
C:\Windows\SysWOW64\Nhdjdk32.exeC:\Windows\system32\Nhdjdk32.exe53⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Npkaei32.exeC:\Windows\system32\Npkaei32.exe54⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Nlabjj32.exeC:\Windows\system32\Nlabjj32.exe55⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Nbljfdoh.exeC:\Windows\system32\Nbljfdoh.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1184 -
C:\Windows\SysWOW64\Oaaghp32.exeC:\Windows\system32\Oaaghp32.exe57⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Ododdlcd.exeC:\Windows\system32\Ododdlcd.exe58⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Oacdmpan.exeC:\Windows\system32\Oacdmpan.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1772 -
C:\Windows\SysWOW64\Odaqikaa.exeC:\Windows\system32\Odaqikaa.exe60⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Oaeacppk.exeC:\Windows\system32\Oaeacppk.exe61⤵
- Executes dropped EXE
PID:1636 -
C:\Windows\SysWOW64\Obgmjh32.exeC:\Windows\system32\Obgmjh32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Opkndldc.exeC:\Windows\system32\Opkndldc.exe63⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Obijpgcf.exeC:\Windows\system32\Obijpgcf.exe64⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Ppmkilbp.exeC:\Windows\system32\Ppmkilbp.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Pejcab32.exeC:\Windows\system32\Pejcab32.exe66⤵
- System Location Discovery: System Language Discovery
PID:1808 -
C:\Windows\SysWOW64\Pobgjhgh.exeC:\Windows\system32\Pobgjhgh.exe67⤵
- System Location Discovery: System Language Discovery
PID:796 -
C:\Windows\SysWOW64\Pelpgb32.exeC:\Windows\system32\Pelpgb32.exe68⤵PID:2444
-
C:\Windows\SysWOW64\Pacqlcdi.exeC:\Windows\system32\Pacqlcdi.exe69⤵
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\Phmiimlf.exeC:\Windows\system32\Phmiimlf.exe70⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Paemac32.exeC:\Windows\system32\Paemac32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\Pknakhig.exeC:\Windows\system32\Pknakhig.exe72⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Pdffcn32.exeC:\Windows\system32\Pdffcn32.exe73⤵
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Qkpnph32.exeC:\Windows\system32\Qkpnph32.exe74⤵
- Drops file in System32 directory
- Modifies registry class
PID:2716 -
C:\Windows\SysWOW64\Qckcdj32.exeC:\Windows\system32\Qckcdj32.exe75⤵PID:1188
-
C:\Windows\SysWOW64\Qiekadkl.exeC:\Windows\system32\Qiekadkl.exe76⤵PID:2532
-
C:\Windows\SysWOW64\Agilkijf.exeC:\Windows\system32\Agilkijf.exe77⤵PID:2900
-
C:\Windows\SysWOW64\Ancdgcab.exeC:\Windows\system32\Ancdgcab.exe78⤵PID:2664
-
C:\Windows\SysWOW64\Aglhph32.exeC:\Windows\system32\Aglhph32.exe79⤵PID:1132
-
C:\Windows\SysWOW64\Ajjeld32.exeC:\Windows\system32\Ajjeld32.exe80⤵PID:2128
-
C:\Windows\SysWOW64\Aogmdk32.exeC:\Windows\system32\Aogmdk32.exe81⤵
- Drops file in System32 directory
PID:2332 -
C:\Windows\SysWOW64\Afqeaemk.exeC:\Windows\system32\Afqeaemk.exe82⤵PID:2616
-
C:\Windows\SysWOW64\Aoijjjcl.exeC:\Windows\system32\Aoijjjcl.exe83⤵PID:1956
-
C:\Windows\SysWOW64\Ahancp32.exeC:\Windows\system32\Ahancp32.exe84⤵
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Anngkg32.exeC:\Windows\system32\Anngkg32.exe85⤵PID:2528
-
C:\Windows\SysWOW64\Ahdkhp32.exeC:\Windows\system32\Ahdkhp32.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1020 -
C:\Windows\SysWOW64\Bblpae32.exeC:\Windows\system32\Bblpae32.exe87⤵PID:1504
-
C:\Windows\SysWOW64\Bhfhnofg.exeC:\Windows\system32\Bhfhnofg.exe88⤵
- System Location Discovery: System Language Discovery
PID:1744 -
C:\Windows\SysWOW64\Bbolge32.exeC:\Windows\system32\Bbolge32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2436 -
C:\Windows\SysWOW64\Bgkeol32.exeC:\Windows\system32\Bgkeol32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Bmhmgbif.exeC:\Windows\system32\Bmhmgbif.exe91⤵PID:2912
-
C:\Windows\SysWOW64\Bnhjae32.exeC:\Windows\system32\Bnhjae32.exe92⤵
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Bjnjfffm.exeC:\Windows\system32\Bjnjfffm.exe93⤵
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Bcgoolln.exeC:\Windows\system32\Bcgoolln.exe94⤵
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Cmocha32.exeC:\Windows\system32\Cmocha32.exe95⤵
- System Location Discovery: System Language Discovery
PID:836 -
C:\Windows\SysWOW64\Cfghagio.exeC:\Windows\system32\Cfghagio.exe96⤵PID:2452
-
C:\Windows\SysWOW64\Cmmcae32.exeC:\Windows\system32\Cmmcae32.exe97⤵PID:1732
-
C:\Windows\SysWOW64\Dcfknooi.exeC:\Windows\system32\Dcfknooi.exe98⤵PID:932
-
C:\Windows\SysWOW64\Dfgdpj32.exeC:\Windows\system32\Dfgdpj32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:956 -
C:\Windows\SysWOW64\Dpphipbk.exeC:\Windows\system32\Dpphipbk.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:912 -
C:\Windows\SysWOW64\Djemfibq.exeC:\Windows\system32\Djemfibq.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2044 -
C:\Windows\SysWOW64\Dpbenpqh.exeC:\Windows\system32\Dpbenpqh.exe102⤵
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Deonff32.exeC:\Windows\system32\Deonff32.exe103⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Dmffhd32.exeC:\Windows\system32\Dmffhd32.exe104⤵PID:2564
-
C:\Windows\SysWOW64\Elkbipdi.exeC:\Windows\system32\Elkbipdi.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Elnonp32.exeC:\Windows\system32\Elnonp32.exe106⤵PID:3036
-
C:\Windows\SysWOW64\Ekblplgo.exeC:\Windows\system32\Ekblplgo.exe107⤵PID:1920
-
C:\Windows\SysWOW64\Ekeiel32.exeC:\Windows\system32\Ekeiel32.exe108⤵PID:2396
-
C:\Windows\SysWOW64\Edmnnakm.exeC:\Windows\system32\Edmnnakm.exe109⤵
- System Location Discovery: System Language Discovery
PID:572 -
C:\Windows\SysWOW64\Fgnfpm32.exeC:\Windows\system32\Fgnfpm32.exe110⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Fmholgpj.exeC:\Windows\system32\Fmholgpj.exe111⤵PID:1600
-
C:\Windows\SysWOW64\Fcgdjmlo.exeC:\Windows\system32\Fcgdjmlo.exe112⤵PID:1768
-
C:\Windows\SysWOW64\Fcjqpm32.exeC:\Windows\system32\Fcjqpm32.exe113⤵
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Foqadnpq.exeC:\Windows\system32\Foqadnpq.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Faonqiod.exeC:\Windows\system32\Faonqiod.exe115⤵
- Drops file in System32 directory
PID:1968 -
C:\Windows\SysWOW64\Gocnjn32.exeC:\Windows\system32\Gocnjn32.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\Gdpfbd32.exeC:\Windows\system32\Gdpfbd32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1380 -
C:\Windows\SysWOW64\Gacgli32.exeC:\Windows\system32\Gacgli32.exe118⤵PID:3000
-
C:\Windows\SysWOW64\Gafcahil.exeC:\Windows\system32\Gafcahil.exe119⤵
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Glpdbfek.exeC:\Windows\system32\Glpdbfek.exe120⤵
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Gmbagf32.exeC:\Windows\system32\Gmbagf32.exe121⤵
- Modifies registry class
PID:3040
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-