Analysis
-
max time kernel
119s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/03/2025, 02:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
579e41d7ad518c963e919e572901801b275e8b8bd9b6c2eb7989b96f278160be.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
579e41d7ad518c963e919e572901801b275e8b8bd9b6c2eb7989b96f278160be.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
579e41d7ad518c963e919e572901801b275e8b8bd9b6c2eb7989b96f278160be.exe
-
Size
93KB
-
MD5
4c051a3c7269a7fb719a2bd598e8e65e
-
SHA1
23ede1c00397072255e7cda211fedb642b6b5285
-
SHA256
579e41d7ad518c963e919e572901801b275e8b8bd9b6c2eb7989b96f278160be
-
SHA512
b28a752f4016d94522a9e72ee171b85715ff99b0c79813cf1dde6a5590e4b44cdbedc40d3c1ec9b5d2e120b315b8ec69de569ed9f29ad5a1256283d6c2daa28a
-
SSDEEP
1536:nS2ad/3r+TpC5gSAnRs8PKbp9sVLnO53q52IrFzTXMtDhGJ5taRFkt:S2aB7DDOng3q/haRA
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fahhnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gagkjbaf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmofdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibacbcgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojeobm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoqjqhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqnapb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifolhann.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohbikbkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aahfdihn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bacihmoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lncfcgeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oecmogln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alddjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgpdglhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbabho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpbnjjkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kablnadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klcgpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkmollme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppddpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbgjgomc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpbmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpggei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hqkmplen.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmnqje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmppehkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Famaimfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inmmbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmfcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfnmmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjaeba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmqmod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klcgpkhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjihmmbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ponklpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cogfqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpgfeao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgeelf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koflgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nihcog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdpcokdo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcginj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feachqgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iediin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnejim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fglfgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmmfnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glchpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njgpij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmhejhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qejpoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bknjfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefqdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 579e41d7ad518c963e919e572901801b275e8b8bd9b6c2eb7989b96f278160be.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igmbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbbccgmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfalqpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anogijnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeclebja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldheebad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omckoi32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2952 Ekhmcelc.exe 2976 Eabepp32.exe 2768 Edaalk32.exe 2200 Eaebeoan.exe 1800 Flocfmnl.exe 2588 Fdekgjno.exe 2652 Fibcoalf.exe 1356 Fplllkdc.exe 1848 Fgfdie32.exe 1660 Fhgppnan.exe 624 Fcmdnfad.exe 1144 Figmjq32.exe 2820 Fkhibino.exe 1552 Fodebh32.exe 2216 Fhljkm32.exe 1308 Fkkfgi32.exe 1652 Fepjea32.exe 1948 Gdcjpncm.exe 1496 Ghofam32.exe 1728 Gagkjbaf.exe 1904 Ggdcbi32.exe 2264 Gnnlocgk.exe 808 Gckdgjeb.exe 316 Gkalhgfd.exe 2108 Glchpp32.exe 1656 Gnbejb32.exe 532 Gconbj32.exe 2680 Gmhbkohm.exe 2684 Gqcnln32.exe 2864 Hinbppna.exe 2548 Hkmollme.exe 2984 Hfbcidmk.exe 480 Hiqoeplo.exe 1972 Hokhbj32.exe 1964 Hbidne32.exe 1912 Hnpdcf32.exe 1412 Hqnapb32.exe 852 Hghillnd.exe 1200 Hbnmienj.exe 2868 Ikfbbjdj.exe 1724 Iacjjacb.exe 680 Igmbgk32.exe 1228 Imjkpb32.exe 2096 Iaegpaao.exe 1464 Ifbphh32.exe 2068 Imlhebfc.exe 1188 Ipjdameg.exe 2164 Ifdlng32.exe 2960 Ijphofem.exe 2896 Imodkadq.exe 2676 Ipmqgmcd.exe 2568 Ifgicg32.exe 2700 Iieepbje.exe 2576 Imaapa32.exe 1932 Inbnhihl.exe 1416 Jfieigio.exe 2284 Jhjbqo32.exe 2860 Jpajbl32.exe 1860 Jbpfnh32.exe 952 Jenbjc32.exe 900 Jhmofo32.exe 956 Joggci32.exe 616 Jbbccgmp.exe 2056 Jeqopcld.exe -
Loads dropped DLL 64 IoCs
pid Process 2296 579e41d7ad518c963e919e572901801b275e8b8bd9b6c2eb7989b96f278160be.exe 2296 579e41d7ad518c963e919e572901801b275e8b8bd9b6c2eb7989b96f278160be.exe 2952 Ekhmcelc.exe 2952 Ekhmcelc.exe 2976 Eabepp32.exe 2976 Eabepp32.exe 2768 Edaalk32.exe 2768 Edaalk32.exe 2200 Eaebeoan.exe 2200 Eaebeoan.exe 1800 Flocfmnl.exe 1800 Flocfmnl.exe 2588 Fdekgjno.exe 2588 Fdekgjno.exe 2652 Fibcoalf.exe 2652 Fibcoalf.exe 1356 Fplllkdc.exe 1356 Fplllkdc.exe 1848 Fgfdie32.exe 1848 Fgfdie32.exe 1660 Fhgppnan.exe 1660 Fhgppnan.exe 624 Fcmdnfad.exe 624 Fcmdnfad.exe 1144 Figmjq32.exe 1144 Figmjq32.exe 2820 Fkhibino.exe 2820 Fkhibino.exe 1552 Fodebh32.exe 1552 Fodebh32.exe 2216 Fhljkm32.exe 2216 Fhljkm32.exe 1308 Fkkfgi32.exe 1308 Fkkfgi32.exe 1652 Fepjea32.exe 1652 Fepjea32.exe 1948 Gdcjpncm.exe 1948 Gdcjpncm.exe 1496 Ghofam32.exe 1496 Ghofam32.exe 1728 Gagkjbaf.exe 1728 Gagkjbaf.exe 1904 Ggdcbi32.exe 1904 Ggdcbi32.exe 2264 Gnnlocgk.exe 2264 Gnnlocgk.exe 808 Gckdgjeb.exe 808 Gckdgjeb.exe 316 Gkalhgfd.exe 316 Gkalhgfd.exe 3016 Gjgiidkl.exe 3016 Gjgiidkl.exe 1656 Gnbejb32.exe 1656 Gnbejb32.exe 532 Gconbj32.exe 532 Gconbj32.exe 2680 Gmhbkohm.exe 2680 Gmhbkohm.exe 2684 Gqcnln32.exe 2684 Gqcnln32.exe 2864 Hinbppna.exe 2864 Hinbppna.exe 2548 Hkmollme.exe 2548 Hkmollme.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nfnidhlj.dll Fodebh32.exe File created C:\Windows\SysWOW64\Kmqmod32.exe Jkbaci32.exe File opened for modification C:\Windows\SysWOW64\Pbemboof.exe Ppfafcpb.exe File opened for modification C:\Windows\SysWOW64\Dblhmoio.exe Dnqlmq32.exe File opened for modification C:\Windows\SysWOW64\Gqdgom32.exe Gockgdeh.exe File opened for modification C:\Windows\SysWOW64\Hgqlafap.exe Hcepqh32.exe File opened for modification C:\Windows\SysWOW64\Jfmkbebl.exe Jcnoejch.exe File created C:\Windows\SysWOW64\Lpgcln32.dll Jefbnacn.exe File opened for modification C:\Windows\SysWOW64\Kidjdpie.exe Keioca32.exe File created C:\Windows\SysWOW64\Caefjg32.dll Kapohbfp.exe File created C:\Windows\SysWOW64\Kocpbfei.exe Kjhcag32.exe File created C:\Windows\SysWOW64\Libjncnc.exe Kgcnahoo.exe File created C:\Windows\SysWOW64\Ifbphh32.exe Iaegpaao.exe File created C:\Windows\SysWOW64\Jmnqje32.exe Jfdhmk32.exe File created C:\Windows\SysWOW64\Mflcaaja.dll Llmmpcfe.exe File created C:\Windows\SysWOW64\Nkkmgncb.exe Mimpkcdn.exe File opened for modification C:\Windows\SysWOW64\Ponklpcg.exe Ppkjac32.exe File created C:\Windows\SysWOW64\Eogolc32.exe Elibpg32.exe File created C:\Windows\SysWOW64\Ikedjg32.dll Fglfgd32.exe File opened for modification C:\Windows\SysWOW64\Jhenjmbb.exe Jefbnacn.exe File created C:\Windows\SysWOW64\Iacjjacb.exe Ikfbbjdj.exe File created C:\Windows\SysWOW64\Fljelj32.dll Nmcopebh.exe File created C:\Windows\SysWOW64\Cfanmogq.exe Ccbbachm.exe File opened for modification C:\Windows\SysWOW64\Gcgqgd32.exe Gpidki32.exe File created C:\Windows\SysWOW64\Dmbfkh32.dll Giaidnkf.exe File opened for modification C:\Windows\SysWOW64\Jnagmc32.exe Jjfkmdlg.exe File created C:\Windows\SysWOW64\Kkmmlgik.exe Khnapkjg.exe File created C:\Windows\SysWOW64\Jpmmfp32.exe Jmnqje32.exe File created C:\Windows\SysWOW64\Olmela32.exe Ohbikbkb.exe File created C:\Windows\SysWOW64\Ifgicg32.exe Ipmqgmcd.exe File created C:\Windows\SysWOW64\Hjmicg32.dll Lngpog32.exe File created C:\Windows\SysWOW64\Hlklph32.dll Ppkjac32.exe File opened for modification C:\Windows\SysWOW64\Ckbpqe32.exe Cmppehkh.exe File opened for modification C:\Windows\SysWOW64\Hgnokgcc.exe Hdpcokdo.exe File created C:\Windows\SysWOW64\Chpmbe32.dll Hbofmcij.exe File created C:\Windows\SysWOW64\Kbjbge32.exe Jplfkjbd.exe File created C:\Windows\SysWOW64\Ofglaipf.dll Mneohj32.exe File created C:\Windows\SysWOW64\Fmfocnjg.exe Fijbco32.exe File created C:\Windows\SysWOW64\Gagkjbaf.exe Ghofam32.exe File created C:\Windows\SysWOW64\Kbpbmkan.exe Kdmban32.exe File created C:\Windows\SysWOW64\Lkggmldl.exe Lhhkapeh.exe File created C:\Windows\SysWOW64\Nqmnjd32.exe Nmabjfek.exe File opened for modification C:\Windows\SysWOW64\Epbbkf32.exe Emdeok32.exe File opened for modification C:\Windows\SysWOW64\Imjkpb32.exe Igmbgk32.exe File created C:\Windows\SysWOW64\Nhbcdh32.dll Khohkamc.exe File opened for modification C:\Windows\SysWOW64\Laqojfli.exe Lnecigcp.exe File created C:\Windows\SysWOW64\Mhjcec32.exe Mflgih32.exe File opened for modification C:\Windows\SysWOW64\Pmehdh32.exe Ojglhm32.exe File opened for modification C:\Windows\SysWOW64\Ppddpd32.exe Pmehdh32.exe File created C:\Windows\SysWOW64\Bmbhcoif.dll Aklabp32.exe File created C:\Windows\SysWOW64\Bqolji32.exe Bnapnm32.exe File created C:\Windows\SysWOW64\Gkalhgfd.exe Gckdgjeb.exe File created C:\Windows\SysWOW64\Mfjgiobf.dll Lgpdglhn.exe File opened for modification C:\Windows\SysWOW64\Bolcma32.exe Bgdkkc32.exe File created C:\Windows\SysWOW64\Igbnok32.dll Dcbnpgkh.exe File created C:\Windows\SysWOW64\Ljfepegb.dll Epbbkf32.exe File opened for modification C:\Windows\SysWOW64\Hgeelf32.exe Honnki32.exe File opened for modification C:\Windows\SysWOW64\Jedehaea.exe Jbfilffm.exe File opened for modification C:\Windows\SysWOW64\Jeqopcld.exe Jbbccgmp.exe File opened for modification C:\Windows\SysWOW64\Bogjaamh.exe Bkknac32.exe File opened for modification C:\Windows\SysWOW64\Dnqlmq32.exe Ckbpqe32.exe File created C:\Windows\SysWOW64\Cbpjnb32.dll Deakjjbk.exe File created C:\Windows\SysWOW64\Gpggei32.exe Glklejoo.exe File created C:\Windows\SysWOW64\Hnmacpfj.exe Hjaeba32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imodkadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbfnjeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alddjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadbdkld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjmmdbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocpbfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipmqgmcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flocfmnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjihmmbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dboeco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfodfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Libjncnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fooembgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gehiioaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbclgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpkmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kablnadm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcghkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnhpglg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebqngb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgionie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmnqje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boemlbpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kapohbfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmimcbja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjdameg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olmela32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojeobm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjoco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgqlafap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenbjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbdabog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfehhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjjad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcqjfeja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqkmplen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdflqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djjjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdeok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmqmod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdppqbkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioeclg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baefnmml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnkdmec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbnhihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbbmnhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anjnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimoiopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjfkmdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkhibino.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imaapa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdhleh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acicla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgidfcdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfanmogq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlifadkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcedad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpepkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhmofo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbkfdba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aklabp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnejim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnagmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhcmedli.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nakpkfka.dll" Hkmollme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlilqbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahildbb.dll" Qejpoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cogfqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efedga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gefmcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghofam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkggmldl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nihcog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oajndh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akpkmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejaphpnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eogolc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjbpqjma.dll" Glpepj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiqoeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdcpkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnejim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhenjmbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkbaci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdilhpcp.dll" Pfebnmcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igejec32.dll" Apmcefmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djocbqpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggapbcne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpgcln32.dll" Jefbnacn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll" Kjhcag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnnlocgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfoaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djgfah32.dll" Dcghkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keioca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koaclfgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gconbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdhdfgep.dll" Jkbaci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nckkgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlilqbgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fooembgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmbfkh32.dll" Giaidnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qnhhline.dll" Gqcnln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anjnnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agbbgqhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldaomc32.dll" Eldiehbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glpepj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjcaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gagkjbaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipjdameg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgpdglhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohdfqbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qaacem32.dll" Ppfafcpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjjaikoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkpeem32.dll" Glbaei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mobafhlg.dll" Jplfkjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fodebh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhfnkqgk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njnmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obeacl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpajbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acblbcob.dll" Efedga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqdgom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdmihcc.dll" Ibcphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdmban32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dokggo32.dll" Elibpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcgmfgfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjgiidkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfnmmn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2296 wrote to memory of 2952 2296 579e41d7ad518c963e919e572901801b275e8b8bd9b6c2eb7989b96f278160be.exe 31 PID 2296 wrote to memory of 2952 2296 579e41d7ad518c963e919e572901801b275e8b8bd9b6c2eb7989b96f278160be.exe 31 PID 2296 wrote to memory of 2952 2296 579e41d7ad518c963e919e572901801b275e8b8bd9b6c2eb7989b96f278160be.exe 31 PID 2296 wrote to memory of 2952 2296 579e41d7ad518c963e919e572901801b275e8b8bd9b6c2eb7989b96f278160be.exe 31 PID 2952 wrote to memory of 2976 2952 Ekhmcelc.exe 32 PID 2952 wrote to memory of 2976 2952 Ekhmcelc.exe 32 PID 2952 wrote to memory of 2976 2952 Ekhmcelc.exe 32 PID 2952 wrote to memory of 2976 2952 Ekhmcelc.exe 32 PID 2976 wrote to memory of 2768 2976 Eabepp32.exe 33 PID 2976 wrote to memory of 2768 2976 Eabepp32.exe 33 PID 2976 wrote to memory of 2768 2976 Eabepp32.exe 33 PID 2976 wrote to memory of 2768 2976 Eabepp32.exe 33 PID 2768 wrote to memory of 2200 2768 Edaalk32.exe 34 PID 2768 wrote to memory of 2200 2768 Edaalk32.exe 34 PID 2768 wrote to memory of 2200 2768 Edaalk32.exe 34 PID 2768 wrote to memory of 2200 2768 Edaalk32.exe 34 PID 2200 wrote to memory of 1800 2200 Eaebeoan.exe 35 PID 2200 wrote to memory of 1800 2200 Eaebeoan.exe 35 PID 2200 wrote to memory of 1800 2200 Eaebeoan.exe 35 PID 2200 wrote to memory of 1800 2200 Eaebeoan.exe 35 PID 1800 wrote to memory of 2588 1800 Flocfmnl.exe 36 PID 1800 wrote to memory of 2588 1800 Flocfmnl.exe 36 PID 1800 wrote to memory of 2588 1800 Flocfmnl.exe 36 PID 1800 wrote to memory of 2588 1800 Flocfmnl.exe 36 PID 2588 wrote to memory of 2652 2588 Fdekgjno.exe 37 PID 2588 wrote to memory of 2652 2588 Fdekgjno.exe 37 PID 2588 wrote to memory of 2652 2588 Fdekgjno.exe 37 PID 2588 wrote to memory of 2652 2588 Fdekgjno.exe 37 PID 2652 wrote to memory of 1356 2652 Fibcoalf.exe 38 PID 2652 wrote to memory of 1356 2652 Fibcoalf.exe 38 PID 2652 wrote to memory of 1356 2652 Fibcoalf.exe 38 PID 2652 wrote to memory of 1356 2652 Fibcoalf.exe 38 PID 1356 wrote to memory of 1848 1356 Fplllkdc.exe 39 PID 1356 wrote to memory of 1848 1356 Fplllkdc.exe 39 PID 1356 wrote to memory of 1848 1356 Fplllkdc.exe 39 PID 1356 wrote to memory of 1848 1356 Fplllkdc.exe 39 PID 1848 wrote to memory of 1660 1848 Fgfdie32.exe 40 PID 1848 wrote to memory of 1660 1848 Fgfdie32.exe 40 PID 1848 wrote to memory of 1660 1848 Fgfdie32.exe 40 PID 1848 wrote to memory of 1660 1848 Fgfdie32.exe 40 PID 1660 wrote to memory of 624 1660 Fhgppnan.exe 41 PID 1660 wrote to memory of 624 1660 Fhgppnan.exe 41 PID 1660 wrote to memory of 624 1660 Fhgppnan.exe 41 PID 1660 wrote to memory of 624 1660 Fhgppnan.exe 41 PID 624 wrote to memory of 1144 624 Fcmdnfad.exe 42 PID 624 wrote to memory of 1144 624 Fcmdnfad.exe 42 PID 624 wrote to memory of 1144 624 Fcmdnfad.exe 42 PID 624 wrote to memory of 1144 624 Fcmdnfad.exe 42 PID 1144 wrote to memory of 2820 1144 Figmjq32.exe 43 PID 1144 wrote to memory of 2820 1144 Figmjq32.exe 43 PID 1144 wrote to memory of 2820 1144 Figmjq32.exe 43 PID 1144 wrote to memory of 2820 1144 Figmjq32.exe 43 PID 2820 wrote to memory of 1552 2820 Fkhibino.exe 44 PID 2820 wrote to memory of 1552 2820 Fkhibino.exe 44 PID 2820 wrote to memory of 1552 2820 Fkhibino.exe 44 PID 2820 wrote to memory of 1552 2820 Fkhibino.exe 44 PID 1552 wrote to memory of 2216 1552 Fodebh32.exe 45 PID 1552 wrote to memory of 2216 1552 Fodebh32.exe 45 PID 1552 wrote to memory of 2216 1552 Fodebh32.exe 45 PID 1552 wrote to memory of 2216 1552 Fodebh32.exe 45 PID 2216 wrote to memory of 1308 2216 Fhljkm32.exe 46 PID 2216 wrote to memory of 1308 2216 Fhljkm32.exe 46 PID 2216 wrote to memory of 1308 2216 Fhljkm32.exe 46 PID 2216 wrote to memory of 1308 2216 Fhljkm32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\579e41d7ad518c963e919e572901801b275e8b8bd9b6c2eb7989b96f278160be.exe"C:\Users\Admin\AppData\Local\Temp\579e41d7ad518c963e919e572901801b275e8b8bd9b6c2eb7989b96f278160be.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Ekhmcelc.exeC:\Windows\system32\Ekhmcelc.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Edaalk32.exeC:\Windows\system32\Edaalk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Flocfmnl.exeC:\Windows\system32\Flocfmnl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Fhgppnan.exeC:\Windows\system32\Fhgppnan.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Fkhibino.exeC:\Windows\system32\Fkhibino.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Fodebh32.exeC:\Windows\system32\Fodebh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Fkkfgi32.exeC:\Windows\system32\Fkkfgi32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308 -
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Ghofam32.exeC:\Windows\system32\Ghofam32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Gagkjbaf.exeC:\Windows\system32\Gagkjbaf.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Ggdcbi32.exeC:\Windows\system32\Ggdcbi32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1904 -
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:808 -
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:316 -
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Gjgiidkl.exeC:\Windows\system32\Gjgiidkl.exe27⤵
- Loads dropped DLL
- Modifies registry class
PID:3016 -
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1656 -
C:\Windows\SysWOW64\Gconbj32.exeC:\Windows\system32\Gconbj32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:532 -
C:\Windows\SysWOW64\Gmhbkohm.exeC:\Windows\system32\Gmhbkohm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Gqcnln32.exeC:\Windows\system32\Gqcnln32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Hinbppna.exeC:\Windows\system32\Hinbppna.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Hfbcidmk.exeC:\Windows\system32\Hfbcidmk.exe34⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Hiqoeplo.exeC:\Windows\system32\Hiqoeplo.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:480 -
C:\Windows\SysWOW64\Hokhbj32.exeC:\Windows\system32\Hokhbj32.exe36⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe37⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Hnpdcf32.exeC:\Windows\system32\Hnpdcf32.exe38⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Hqnapb32.exeC:\Windows\system32\Hqnapb32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe40⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Hbnmienj.exeC:\Windows\system32\Hbnmienj.exe41⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe43⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:680 -
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe45⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Ifbphh32.exeC:\Windows\system32\Ifbphh32.exe47⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe48⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Ipjdameg.exeC:\Windows\system32\Ipjdameg.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe50⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe51⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Ipmqgmcd.exeC:\Windows\system32\Ipmqgmcd.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2676 -
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe54⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Iieepbje.exeC:\Windows\system32\Iieepbje.exe55⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Inbnhihl.exeC:\Windows\system32\Inbnhihl.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1932 -
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe58⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Jhjbqo32.exeC:\Windows\system32\Jhjbqo32.exe59⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Jpajbl32.exeC:\Windows\system32\Jpajbl32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Jbpfnh32.exeC:\Windows\system32\Jbpfnh32.exe61⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Jenbjc32.exeC:\Windows\system32\Jenbjc32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:952 -
C:\Windows\SysWOW64\Jhmofo32.exeC:\Windows\system32\Jhmofo32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:900 -
C:\Windows\SysWOW64\Joggci32.exeC:\Windows\system32\Joggci32.exe64⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Jbbccgmp.exeC:\Windows\system32\Jbbccgmp.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:616 -
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe66⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Jdcpkp32.exeC:\Windows\system32\Jdcpkp32.exe67⤵
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Jjnhhjjk.exeC:\Windows\system32\Jjnhhjjk.exe68⤵PID:2064
-
C:\Windows\SysWOW64\Jmlddeio.exeC:\Windows\system32\Jmlddeio.exe69⤵PID:3008
-
C:\Windows\SysWOW64\Jeclebja.exeC:\Windows\system32\Jeclebja.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3004 -
C:\Windows\SysWOW64\Jdflqo32.exeC:\Windows\system32\Jdflqo32.exe71⤵
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Jfdhmk32.exeC:\Windows\system32\Jfdhmk32.exe72⤵
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Jmnqje32.exeC:\Windows\system32\Jmnqje32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Jpmmfp32.exeC:\Windows\system32\Jpmmfp32.exe74⤵PID:2324
-
C:\Windows\SysWOW64\Jhdegn32.exeC:\Windows\system32\Jhdegn32.exe75⤵PID:2988
-
C:\Windows\SysWOW64\Jkbaci32.exeC:\Windows\system32\Jkbaci32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:2332 -
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:760 -
C:\Windows\SysWOW64\Kpojkp32.exeC:\Windows\system32\Kpojkp32.exe78⤵PID:1868
-
C:\Windows\SysWOW64\Kfibhjlj.exeC:\Windows\system32\Kfibhjlj.exe79⤵PID:2036
-
C:\Windows\SysWOW64\Kmcjedcg.exeC:\Windows\system32\Kmcjedcg.exe80⤵PID:660
-
C:\Windows\SysWOW64\Klfjpa32.exeC:\Windows\system32\Klfjpa32.exe81⤵PID:2032
-
C:\Windows\SysWOW64\Kdmban32.exeC:\Windows\system32\Kdmban32.exe82⤵
- Drops file in System32 directory
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Kbpbmkan.exeC:\Windows\system32\Kbpbmkan.exe83⤵PID:788
-
C:\Windows\SysWOW64\Kenoifpb.exeC:\Windows\system32\Kenoifpb.exe84⤵PID:2088
-
C:\Windows\SysWOW64\Kmegjdad.exeC:\Windows\system32\Kmegjdad.exe85⤵PID:2044
-
C:\Windows\SysWOW64\Kofcbl32.exeC:\Windows\system32\Kofcbl32.exe86⤵PID:1540
-
C:\Windows\SysWOW64\Keqkofno.exeC:\Windows\system32\Keqkofno.exe87⤵PID:2764
-
C:\Windows\SysWOW64\Khohkamc.exeC:\Windows\system32\Khohkamc.exe88⤵
- Drops file in System32 directory
PID:2564 -
C:\Windows\SysWOW64\Kljdkpfl.exeC:\Windows\system32\Kljdkpfl.exe89⤵PID:1896
-
C:\Windows\SysWOW64\Kaglcgdc.exeC:\Windows\system32\Kaglcgdc.exe90⤵PID:2052
-
C:\Windows\SysWOW64\Khadpa32.exeC:\Windows\system32\Khadpa32.exe91⤵PID:336
-
C:\Windows\SysWOW64\Klmqapci.exeC:\Windows\system32\Klmqapci.exe92⤵PID:2600
-
C:\Windows\SysWOW64\Kcginj32.exeC:\Windows\system32\Kcginj32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2400 -
C:\Windows\SysWOW64\Kajiigba.exeC:\Windows\system32\Kajiigba.exe94⤵PID:1900
-
C:\Windows\SysWOW64\Ldheebad.exeC:\Windows\system32\Ldheebad.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1672 -
C:\Windows\SysWOW64\Llomfpag.exeC:\Windows\system32\Llomfpag.exe96⤵PID:2420
-
C:\Windows\SysWOW64\Lkbmbl32.exeC:\Windows\system32\Lkbmbl32.exe97⤵PID:1012
-
C:\Windows\SysWOW64\Legaoehg.exeC:\Windows\system32\Legaoehg.exe98⤵PID:488
-
C:\Windows\SysWOW64\Lhfnkqgk.exeC:\Windows\system32\Lhfnkqgk.exe99⤵
- Modifies registry class
PID:564 -
C:\Windows\SysWOW64\Lkdjglfo.exeC:\Windows\system32\Lkdjglfo.exe100⤵PID:2800
-
C:\Windows\SysWOW64\Lncfcgeb.exeC:\Windows\system32\Lncfcgeb.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Lanbdf32.exeC:\Windows\system32\Lanbdf32.exe102⤵PID:2736
-
C:\Windows\SysWOW64\Lhhkapeh.exeC:\Windows\system32\Lhhkapeh.exe103⤵
- Drops file in System32 directory
PID:2060 -
C:\Windows\SysWOW64\Lkggmldl.exeC:\Windows\system32\Lkggmldl.exe104⤵
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Lnecigcp.exeC:\Windows\system32\Lnecigcp.exe105⤵
- Drops file in System32 directory
PID:1224 -
C:\Windows\SysWOW64\Laqojfli.exeC:\Windows\system32\Laqojfli.exe106⤵PID:2844
-
C:\Windows\SysWOW64\Ldokfakl.exeC:\Windows\system32\Ldokfakl.exe107⤵PID:824
-
C:\Windows\SysWOW64\Lkicbk32.exeC:\Windows\system32\Lkicbk32.exe108⤵PID:1740
-
C:\Windows\SysWOW64\Lngpog32.exeC:\Windows\system32\Lngpog32.exe109⤵
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Lpflkb32.exeC:\Windows\system32\Lpflkb32.exe110⤵PID:896
-
C:\Windows\SysWOW64\Lcdhgn32.exeC:\Windows\system32\Lcdhgn32.exe111⤵PID:1776
-
C:\Windows\SysWOW64\Lgpdglhn.exeC:\Windows\system32\Lgpdglhn.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2376 -
C:\Windows\SysWOW64\Lnjldf32.exeC:\Windows\system32\Lnjldf32.exe113⤵PID:2832
-
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe114⤵
- Drops file in System32 directory
PID:1448 -
C:\Windows\SysWOW64\Mokilo32.exeC:\Windows\system32\Mokilo32.exe115⤵PID:1968
-
C:\Windows\SysWOW64\Mfeaiime.exeC:\Windows\system32\Mfeaiime.exe116⤵PID:2396
-
C:\Windows\SysWOW64\Mhcmedli.exeC:\Windows\system32\Mhcmedli.exe117⤵
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Mqjefamk.exeC:\Windows\system32\Mqjefamk.exe118⤵PID:988
-
C:\Windows\SysWOW64\Mciabmlo.exeC:\Windows\system32\Mciabmlo.exe119⤵PID:1260
-
C:\Windows\SysWOW64\Mjcjog32.exeC:\Windows\system32\Mjcjog32.exe120⤵PID:2772
-
C:\Windows\SysWOW64\Mkdffoij.exeC:\Windows\system32\Mkdffoij.exe121⤵PID:2696
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-