Analysis
-
max time kernel
27s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
25-12-2024 17:27
Behavioral task
behavioral1
Sample
9afc682eb71408bdd48accf18d946c017a40e044710bc78c907e66ba1158c7df.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
9afc682eb71408bdd48accf18d946c017a40e044710bc78c907e66ba1158c7df.exe
Resource
win10v2004-20241007-en
General
-
Target
9afc682eb71408bdd48accf18d946c017a40e044710bc78c907e66ba1158c7df.exe
-
Size
320KB
-
MD5
f4a9fe9300ab053d58180bf8c053718a
-
SHA1
67889f8978ce0c188bc0d0972069d4d1bdae4afd
-
SHA256
9afc682eb71408bdd48accf18d946c017a40e044710bc78c907e66ba1158c7df
-
SHA512
4e846a46023caa2a565cb140861de8aa580a7d5b1beaa4a4e16cc41f6c017f286f97d7475bbfaa69c8a3087f7e3f0e2e782982845bc9d1a77d1d91a0eead12ba
-
SSDEEP
6144:H24T3mosVQ///NR5fLvQ///NREQ///NR5fLYG3eujD:H24Luw/Nq/NZ/NcZq
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiekpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idgglb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elibpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcjilgdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjebdfnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkbcbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjcppidk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlnpgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdecea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Momfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paocnkph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldkmlhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfgnnhkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plpopddd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjmbaba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgnklmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjebdfnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbepdhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dddimn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihpfgalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmeeepjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gconbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Addfkeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnngfna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faonom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faonom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nameek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekkjheja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdhdkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfdhmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obeacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bacihmoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdphjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hieiqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qoeamo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bogjaamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkbdabog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoebgcol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnnnnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhhkapeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmmbqegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdkelolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgknkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mobfgdcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckhdggom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfcodkcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilnomp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phcilf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laqojfli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iknafhjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoagccfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khadpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdcpkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmcjedcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioeclg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elajgpmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhbold32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icfpbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aahfdihn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnkdnqhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifmocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jacfidem.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2352 Bckjhl32.exe 2500 Bjebdfnn.exe 2304 Cillkbac.exe 2180 Cbepdhgc.exe 2660 Clpabm32.exe 1440 Cnnnnh32.exe 2904 Dldkmlhl.exe 2784 Dobgihgp.exe 1744 Dogpdg32.exe 1656 Dddimn32.exe 1952 Elajgpmj.exe 2512 Eiekpd32.exe 1768 Eobchk32.exe 2236 Eeohkeoe.exe 576 Eoiiijcc.exe 404 Eecafd32.exe 296 Fdkklp32.exe 816 Fgigil32.exe 1720 Fnflke32.exe 1556 Fgnadkic.exe 804 Goiehm32.exe 1840 Gbhbdi32.exe 540 Gdhkfd32.exe 480 Gkbcbn32.exe 2412 Gncldi32.exe 1608 Giipab32.exe 3052 Ggnmbn32.exe 2356 Hjlioj32.exe 2408 Hmmbqegc.exe 2120 Hcgjmo32.exe 2560 Hfegij32.exe 2888 Hakkgc32.exe 2200 Hcigco32.exe 2664 Hjcppidk.exe 2612 Hcldhnkk.exe 1176 Hihlqeib.exe 372 Hpbdmo32.exe 2540 Iikifegp.exe 2652 Ieajkfmd.exe 2880 Ihpfgalh.exe 3000 Idgglb32.exe 1864 Ilnomp32.exe 1124 Inlkik32.exe 2640 Ijclol32.exe 2240 Iamdkfnc.exe 1676 Jaoqqflp.exe 760 Jpbalb32.exe 572 Jhbold32.exe 2416 Jolghndm.exe 1616 Jajcdjca.exe 1944 Jhdlad32.exe 284 Kdklfe32.exe 2936 Kkeecogo.exe 2168 Kncaojfb.exe 2568 Kekiphge.exe 2596 Khielcfh.exe 2016 Kkgahoel.exe 1964 Kdpfadlm.exe 2036 Kjmnjkjd.exe 2980 Knhjjj32.exe 2136 Kpgffe32.exe 2184 Kcecbq32.exe 1660 Kjokokha.exe 2792 Klngkfge.exe -
Loads dropped DLL 64 IoCs
pid Process 2316 9afc682eb71408bdd48accf18d946c017a40e044710bc78c907e66ba1158c7df.exe 2316 9afc682eb71408bdd48accf18d946c017a40e044710bc78c907e66ba1158c7df.exe 2352 Bckjhl32.exe 2352 Bckjhl32.exe 2500 Bjebdfnn.exe 2500 Bjebdfnn.exe 2304 Cillkbac.exe 2304 Cillkbac.exe 2180 Cbepdhgc.exe 2180 Cbepdhgc.exe 2660 Clpabm32.exe 2660 Clpabm32.exe 1440 Cnnnnh32.exe 1440 Cnnnnh32.exe 2904 Dldkmlhl.exe 2904 Dldkmlhl.exe 2784 Dobgihgp.exe 2784 Dobgihgp.exe 1744 Dogpdg32.exe 1744 Dogpdg32.exe 1656 Dddimn32.exe 1656 Dddimn32.exe 1952 Elajgpmj.exe 1952 Elajgpmj.exe 2512 Eiekpd32.exe 2512 Eiekpd32.exe 1768 Eobchk32.exe 1768 Eobchk32.exe 2236 Eeohkeoe.exe 2236 Eeohkeoe.exe 576 Eoiiijcc.exe 576 Eoiiijcc.exe 404 Eecafd32.exe 404 Eecafd32.exe 296 Fdkklp32.exe 296 Fdkklp32.exe 816 Fgigil32.exe 816 Fgigil32.exe 1720 Fnflke32.exe 1720 Fnflke32.exe 1556 Fgnadkic.exe 1556 Fgnadkic.exe 804 Goiehm32.exe 804 Goiehm32.exe 1840 Gbhbdi32.exe 1840 Gbhbdi32.exe 540 Gdhkfd32.exe 540 Gdhkfd32.exe 480 Gkbcbn32.exe 480 Gkbcbn32.exe 2412 Gncldi32.exe 2412 Gncldi32.exe 1608 Giipab32.exe 1608 Giipab32.exe 3052 Ggnmbn32.exe 3052 Ggnmbn32.exe 2356 Hjlioj32.exe 2356 Hjlioj32.exe 2408 Hmmbqegc.exe 2408 Hmmbqegc.exe 2120 Hcgjmo32.exe 2120 Hcgjmo32.exe 2560 Hfegij32.exe 2560 Hfegij32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jlkglm32.exe Jdcpkp32.exe File opened for modification C:\Windows\SysWOW64\Ncmglp32.exe Nmcopebh.exe File opened for modification C:\Windows\SysWOW64\Dddimn32.exe Dogpdg32.exe File opened for modification C:\Windows\SysWOW64\Lboiol32.exe Loqmba32.exe File created C:\Windows\SysWOW64\Fennoa32.exe Fkhibino.exe File opened for modification C:\Windows\SysWOW64\Gkmbmh32.exe Fepjea32.exe File opened for modification C:\Windows\SysWOW64\Ijnkifgp.exe Iphgln32.exe File created C:\Windows\SysWOW64\Fgocmc32.exe Fdpgph32.exe File created C:\Windows\SysWOW64\Ahmiofbn.dll Dobgihgp.exe File opened for modification C:\Windows\SysWOW64\Ceebklai.exe Cnkjnb32.exe File created C:\Windows\SysWOW64\Joggci32.exe Jlhkgm32.exe File opened for modification C:\Windows\SysWOW64\Mcfemmna.exe Mokilo32.exe File opened for modification C:\Windows\SysWOW64\Eimcjl32.exe Eeagimdf.exe File created C:\Windows\SysWOW64\Omfpmb32.dll Jnagmc32.exe File opened for modification C:\Windows\SysWOW64\Hjlioj32.exe Ggnmbn32.exe File created C:\Windows\SysWOW64\Jcfnin32.dll Hcgjmo32.exe File created C:\Windows\SysWOW64\Aplpbjee.dll Ieajkfmd.exe File created C:\Windows\SysWOW64\Lldmleam.exe Ljfapjbi.exe File created C:\Windows\SysWOW64\Nbmaon32.exe Neiaeiii.exe File opened for modification C:\Windows\SysWOW64\Mjhjdm32.exe Mobfgdcl.exe File created C:\Windows\SysWOW64\Qoblpdnf.dll Aakjdo32.exe File opened for modification C:\Windows\SysWOW64\Eabepp32.exe Ekhmcelc.exe File opened for modification C:\Windows\SysWOW64\Pmjaohol.exe Pioeoi32.exe File created C:\Windows\SysWOW64\Ipfpae32.dll Aahfdihn.exe File created C:\Windows\SysWOW64\Onlahm32.exe Olmela32.exe File opened for modification C:\Windows\SysWOW64\Jpbalb32.exe Jaoqqflp.exe File created C:\Windows\SysWOW64\Apgagg32.exe Aebmjo32.exe File created C:\Windows\SysWOW64\Cgfkmgnj.exe Ccjoli32.exe File opened for modification C:\Windows\SysWOW64\Ghacfmic.exe Gnkoid32.exe File created C:\Windows\SysWOW64\Olfknedh.dll Hokhbj32.exe File opened for modification C:\Windows\SysWOW64\Qppkfhlc.exe Pifbjn32.exe File created C:\Windows\SysWOW64\Ikfbbjdj.exe Heliepmn.exe File opened for modification C:\Windows\SysWOW64\Elibpg32.exe Ehnfpifm.exe File created C:\Windows\SysWOW64\Ilalae32.dll Fbegbacp.exe File created C:\Windows\SysWOW64\Fcmdnfad.exe Foahmh32.exe File created C:\Windows\SysWOW64\Jamkdghb.dll Kpojkp32.exe File created C:\Windows\SysWOW64\Ppddpd32.exe Ojglhm32.exe File opened for modification C:\Windows\SysWOW64\Ciokijfd.exe Cjljnn32.exe File opened for modification C:\Windows\SysWOW64\Dhpgfeao.exe Djlfma32.exe File created C:\Windows\SysWOW64\Ldikdp32.dll Dldkmlhl.exe File opened for modification C:\Windows\SysWOW64\Mnmpdlac.exe Mkndhabp.exe File created C:\Windows\SysWOW64\Mimgeigj.exe Mbcoio32.exe File opened for modification C:\Windows\SysWOW64\Foahmh32.exe Fiepea32.exe File created C:\Windows\SysWOW64\Lpcfmngo.dll Njbfnjeg.exe File opened for modification C:\Windows\SysWOW64\Fdqnkoep.exe Fennoa32.exe File created C:\Windows\SysWOW64\Knbnol32.dll Ojbbmnhc.exe File opened for modification C:\Windows\SysWOW64\Klcgpkhh.exe Kidjdpie.exe File opened for modification C:\Windows\SysWOW64\Eobchk32.exe Eiekpd32.exe File opened for modification C:\Windows\SysWOW64\Fgigil32.exe Fdkklp32.exe File opened for modification C:\Windows\SysWOW64\Kddomchg.exe Klngkfge.exe File created C:\Windows\SysWOW64\Oomgdcce.dll Opglafab.exe File opened for modification C:\Windows\SysWOW64\Fckhhgcf.exe Flapkmlj.exe File opened for modification C:\Windows\SysWOW64\Mqjefamk.exe Mcfemmna.exe File opened for modification C:\Windows\SysWOW64\Iogpag32.exe Ikldqile.exe File created C:\Windows\SysWOW64\Kcecbq32.exe Kpgffe32.exe File created C:\Windows\SysWOW64\Bjlkhpje.dll Lgehno32.exe File created C:\Windows\SysWOW64\Nhiejpim.dll Phcilf32.exe File opened for modification C:\Windows\SysWOW64\Cmfmojcb.exe Cjhabndo.exe File created C:\Windows\SysWOW64\Dppigchi.exe Dgiaefgg.exe File created C:\Windows\SysWOW64\Clpabm32.exe Cbepdhgc.exe File created C:\Windows\SysWOW64\Jpbalb32.exe Jaoqqflp.exe File created C:\Windows\SysWOW64\Dilfgala.dll Gconbj32.exe File created C:\Windows\SysWOW64\Mffbkj32.dll Gaojnq32.exe File created C:\Windows\SysWOW64\Hklhae32.exe Hqgddm32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcopebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iogpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbhbdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lboiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkplgnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqfbjhgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnomjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djdgic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbmfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceebklai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdpcokdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgehno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbmaon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnngfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibipmiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbnocipg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhenjmbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elcpbigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdklfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfbdci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhejhao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmpdlac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glklejoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gehiioaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaimipjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jggoqimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giipab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccjoli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paocnkph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfcabd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobfgdcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aahfdihn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcbnpgkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjhjdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfgnnhkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objjnkie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cebeem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jolghndm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnpgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padhdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laqojfli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknimnap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbepdhgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngealejo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dipjkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohipla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbbachm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijbco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpfgalh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmnjkjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lonpma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgocmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jipaip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcppidk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqnah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkmie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flapkmlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdhleh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feddombd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hihlqeib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edoefl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpjofl32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaoqqflp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lonpma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncnngfna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkahgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfgnnhkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkegah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jclpkjad.dll" Eheglk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmeeepjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhjikp32.dll" Lkdjglfo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onqkclni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lohccp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnmpdlac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iacpmi32.dll" Oococb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jigbebhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqmidcdi.dll" Kilgoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olbbhfld.dll" Jhjbqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkdffoij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppkjac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcjilgdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knbnol32.dll" Ojbbmnhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qoeamo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hinbppna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijphofem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Neghkn32.dll" Jajcdjca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oncobd32.dll" Kkgahoel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njjcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phcilf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eibkmp32.dll" Ppnnai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdcpkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmcjedcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfakep32.dll" Ciokijfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chpmbe32.dll" Hifbdnbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inojhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cebeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djiqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnhhline.dll" Hcajhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfmkbebl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdphjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 9afc682eb71408bdd48accf18d946c017a40e044710bc78c907e66ba1158c7df.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goiehm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poibnekg.dll" Mkfclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piaoqi32.dll" Glklejoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcqlkjae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmppehkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fijbco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 9afc682eb71408bdd48accf18d946c017a40e044710bc78c907e66ba1158c7df.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdkklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjahej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoagccfn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcjcme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmlbjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bndneq32.dll" Kmkihbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcohghbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lanbdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncmglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhpgfeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdoime32.dll" Fdkmeiei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjcap32.dll" Honnki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oabkom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbnekdd.dll" Qgjccb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcohghbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhcafa32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2316 wrote to memory of 2352 2316 9afc682eb71408bdd48accf18d946c017a40e044710bc78c907e66ba1158c7df.exe 30 PID 2316 wrote to memory of 2352 2316 9afc682eb71408bdd48accf18d946c017a40e044710bc78c907e66ba1158c7df.exe 30 PID 2316 wrote to memory of 2352 2316 9afc682eb71408bdd48accf18d946c017a40e044710bc78c907e66ba1158c7df.exe 30 PID 2316 wrote to memory of 2352 2316 9afc682eb71408bdd48accf18d946c017a40e044710bc78c907e66ba1158c7df.exe 30 PID 2352 wrote to memory of 2500 2352 Bckjhl32.exe 31 PID 2352 wrote to memory of 2500 2352 Bckjhl32.exe 31 PID 2352 wrote to memory of 2500 2352 Bckjhl32.exe 31 PID 2352 wrote to memory of 2500 2352 Bckjhl32.exe 31 PID 2500 wrote to memory of 2304 2500 Bjebdfnn.exe 32 PID 2500 wrote to memory of 2304 2500 Bjebdfnn.exe 32 PID 2500 wrote to memory of 2304 2500 Bjebdfnn.exe 32 PID 2500 wrote to memory of 2304 2500 Bjebdfnn.exe 32 PID 2304 wrote to memory of 2180 2304 Cillkbac.exe 33 PID 2304 wrote to memory of 2180 2304 Cillkbac.exe 33 PID 2304 wrote to memory of 2180 2304 Cillkbac.exe 33 PID 2304 wrote to memory of 2180 2304 Cillkbac.exe 33 PID 2180 wrote to memory of 2660 2180 Cbepdhgc.exe 34 PID 2180 wrote to memory of 2660 2180 Cbepdhgc.exe 34 PID 2180 wrote to memory of 2660 2180 Cbepdhgc.exe 34 PID 2180 wrote to memory of 2660 2180 Cbepdhgc.exe 34 PID 2660 wrote to memory of 1440 2660 Clpabm32.exe 35 PID 2660 wrote to memory of 1440 2660 Clpabm32.exe 35 PID 2660 wrote to memory of 1440 2660 Clpabm32.exe 35 PID 2660 wrote to memory of 1440 2660 Clpabm32.exe 35 PID 1440 wrote to memory of 2904 1440 Cnnnnh32.exe 36 PID 1440 wrote to memory of 2904 1440 Cnnnnh32.exe 36 PID 1440 wrote to memory of 2904 1440 Cnnnnh32.exe 36 PID 1440 wrote to memory of 2904 1440 Cnnnnh32.exe 36 PID 2904 wrote to memory of 2784 2904 Dldkmlhl.exe 37 PID 2904 wrote to memory of 2784 2904 Dldkmlhl.exe 37 PID 2904 wrote to memory of 2784 2904 Dldkmlhl.exe 37 PID 2904 wrote to memory of 2784 2904 Dldkmlhl.exe 37 PID 2784 wrote to memory of 1744 2784 Dobgihgp.exe 38 PID 2784 wrote to memory of 1744 2784 Dobgihgp.exe 38 PID 2784 wrote to memory of 1744 2784 Dobgihgp.exe 38 PID 2784 wrote to memory of 1744 2784 Dobgihgp.exe 38 PID 1744 wrote to memory of 1656 1744 Dogpdg32.exe 39 PID 1744 wrote to memory of 1656 1744 Dogpdg32.exe 39 PID 1744 wrote to memory of 1656 1744 Dogpdg32.exe 39 PID 1744 wrote to memory of 1656 1744 Dogpdg32.exe 39 PID 1656 wrote to memory of 1952 1656 Dddimn32.exe 40 PID 1656 wrote to memory of 1952 1656 Dddimn32.exe 40 PID 1656 wrote to memory of 1952 1656 Dddimn32.exe 40 PID 1656 wrote to memory of 1952 1656 Dddimn32.exe 40 PID 1952 wrote to memory of 2512 1952 Elajgpmj.exe 41 PID 1952 wrote to memory of 2512 1952 Elajgpmj.exe 41 PID 1952 wrote to memory of 2512 1952 Elajgpmj.exe 41 PID 1952 wrote to memory of 2512 1952 Elajgpmj.exe 41 PID 2512 wrote to memory of 1768 2512 Eiekpd32.exe 42 PID 2512 wrote to memory of 1768 2512 Eiekpd32.exe 42 PID 2512 wrote to memory of 1768 2512 Eiekpd32.exe 42 PID 2512 wrote to memory of 1768 2512 Eiekpd32.exe 42 PID 1768 wrote to memory of 2236 1768 Eobchk32.exe 43 PID 1768 wrote to memory of 2236 1768 Eobchk32.exe 43 PID 1768 wrote to memory of 2236 1768 Eobchk32.exe 43 PID 1768 wrote to memory of 2236 1768 Eobchk32.exe 43 PID 2236 wrote to memory of 576 2236 Eeohkeoe.exe 44 PID 2236 wrote to memory of 576 2236 Eeohkeoe.exe 44 PID 2236 wrote to memory of 576 2236 Eeohkeoe.exe 44 PID 2236 wrote to memory of 576 2236 Eeohkeoe.exe 44 PID 576 wrote to memory of 404 576 Eoiiijcc.exe 45 PID 576 wrote to memory of 404 576 Eoiiijcc.exe 45 PID 576 wrote to memory of 404 576 Eoiiijcc.exe 45 PID 576 wrote to memory of 404 576 Eoiiijcc.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9afc682eb71408bdd48accf18d946c017a40e044710bc78c907e66ba1158c7df.exe"C:\Users\Admin\AppData\Local\Temp\9afc682eb71408bdd48accf18d946c017a40e044710bc78c907e66ba1158c7df.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Bjebdfnn.exeC:\Windows\system32\Bjebdfnn.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Cnnnnh32.exeC:\Windows\system32\Cnnnnh32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2904 -
C:\Windows\SysWOW64\Dobgihgp.exeC:\Windows\system32\Dobgihgp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1744 -
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Eiekpd32.exeC:\Windows\system32\Eiekpd32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Eobchk32.exeC:\Windows\system32\Eobchk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Eeohkeoe.exeC:\Windows\system32\Eeohkeoe.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:576 -
C:\Windows\SysWOW64\Eecafd32.exeC:\Windows\system32\Eecafd32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:404 -
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:296 -
C:\Windows\SysWOW64\Fgigil32.exeC:\Windows\system32\Fgigil32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:816 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1840 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:540 -
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:480 -
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3052 -
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2408 -
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2120 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Hakkgc32.exeC:\Windows\system32\Hakkgc32.exe33⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe34⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Hjcppidk.exeC:\Windows\system32\Hjcppidk.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe36⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1176 -
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe38⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe39⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2880 -
C:\Windows\SysWOW64\Idgglb32.exeC:\Windows\system32\Idgglb32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe44⤵
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe45⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe46⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1676 -
C:\Windows\SysWOW64\Jpbalb32.exeC:\Windows\system32\Jpbalb32.exe48⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Jolghndm.exeC:\Windows\system32\Jolghndm.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1616 -
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe52⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:284 -
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe54⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe55⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Kekiphge.exeC:\Windows\system32\Kekiphge.exe56⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe57⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe59⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe61⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Kpgffe32.exeC:\Windows\system32\Kpgffe32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2136 -
C:\Windows\SysWOW64\Kcecbq32.exeC:\Windows\system32\Kcecbq32.exe63⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe64⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe66⤵PID:2288
-
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe67⤵
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Klpdaf32.exeC:\Windows\system32\Klpdaf32.exe68⤵PID:1248
-
C:\Windows\SysWOW64\Lonpma32.exeC:\Windows\system32\Lonpma32.exe69⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe70⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe71⤵PID:2104
-
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe72⤵PID:2780
-
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe73⤵
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Lboiol32.exeC:\Windows\system32\Lboiol32.exe74⤵
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Ljfapjbi.exeC:\Windows\system32\Ljfapjbi.exe75⤵
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe76⤵PID:1356
-
C:\Windows\SysWOW64\Lfmbek32.exeC:\Windows\system32\Lfmbek32.exe77⤵PID:1960
-
C:\Windows\SysWOW64\Llgjaeoj.exeC:\Windows\system32\Llgjaeoj.exe78⤵PID:1204
-
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe79⤵PID:2848
-
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe80⤵PID:2172
-
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe81⤵PID:1240
-
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe82⤵
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe83⤵PID:1792
-
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe84⤵
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe85⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Mdghaf32.exeC:\Windows\system32\Mdghaf32.exe86⤵PID:2636
-
C:\Windows\SysWOW64\Mnomjl32.exeC:\Windows\system32\Mnomjl32.exe87⤵
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe88⤵PID:2752
-
C:\Windows\SysWOW64\Mdiefffn.exeC:\Windows\system32\Mdiefffn.exe89⤵PID:2608
-
C:\Windows\SysWOW64\Mggabaea.exeC:\Windows\system32\Mggabaea.exe90⤵PID:1256
-
C:\Windows\SysWOW64\Mjfnomde.exeC:\Windows\system32\Mjfnomde.exe91⤵PID:2308
-
C:\Windows\SysWOW64\Mobfgdcl.exeC:\Windows\system32\Mobfgdcl.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:584 -
C:\Windows\SysWOW64\Mjhjdm32.exeC:\Windows\system32\Mjhjdm32.exe93⤵
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\Mmgfqh32.exeC:\Windows\system32\Mmgfqh32.exe94⤵PID:2020
-
C:\Windows\SysWOW64\Mqbbagjo.exeC:\Windows\system32\Mqbbagjo.exe95⤵PID:1504
-
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe97⤵PID:536
-
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe98⤵PID:2832
-
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe99⤵
- System Location Discovery: System Language Discovery
PID:544 -
C:\Windows\SysWOW64\Nlnpgd32.exeC:\Windows\system32\Nlnpgd32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2484 -
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe101⤵PID:2148
-
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe102⤵
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3036 -
C:\Windows\SysWOW64\Neiaeiii.exeC:\Windows\system32\Neiaeiii.exe104⤵
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Nbmaon32.exeC:\Windows\system32\Nbmaon32.exe105⤵
- System Location Discovery: System Language Discovery
PID:624 -
C:\Windows\SysWOW64\Ncnngfna.exeC:\Windows\system32\Ncnngfna.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Ndqkleln.exeC:\Windows\system32\Ndqkleln.exe107⤵PID:2156
-
C:\Windows\SysWOW64\Njjcip32.exeC:\Windows\system32\Njjcip32.exe108⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Opglafab.exeC:\Windows\system32\Opglafab.exe109⤵
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Odchbe32.exeC:\Windows\system32\Odchbe32.exe110⤵PID:1736
-
C:\Windows\SysWOW64\Obhdcanc.exeC:\Windows\system32\Obhdcanc.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3064 -
C:\Windows\SysWOW64\Ojomdoof.exeC:\Windows\system32\Ojomdoof.exe112⤵PID:2676
-
C:\Windows\SysWOW64\Odgamdef.exeC:\Windows\system32\Odgamdef.exe113⤵PID:2492
-
C:\Windows\SysWOW64\Oidiekdn.exeC:\Windows\system32\Oidiekdn.exe114⤵PID:1764
-
C:\Windows\SysWOW64\Opnbbe32.exeC:\Windows\system32\Opnbbe32.exe115⤵PID:1604
-
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe116⤵PID:1932
-
C:\Windows\SysWOW64\Oococb32.exeC:\Windows\system32\Oococb32.exe117⤵
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe118⤵
- Modifies registry class
PID:2396 -
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe119⤵PID:3004
-
C:\Windows\SysWOW64\Padhdm32.exeC:\Windows\system32\Padhdm32.exe120⤵
- System Location Discovery: System Language Discovery
PID:2800 -
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe121⤵PID:2144
-
C:\Windows\SysWOW64\Pebpkk32.exeC:\Windows\system32\Pebpkk32.exe122⤵PID:2728
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-