Analysis
-
max time kernel
114s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/11/2024, 12:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7d2b8c59a7e046f7eec98bfbbf403240fedf5161e36a74f446924efc1b6ad646N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
7d2b8c59a7e046f7eec98bfbbf403240fedf5161e36a74f446924efc1b6ad646N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
7d2b8c59a7e046f7eec98bfbbf403240fedf5161e36a74f446924efc1b6ad646N.exe
-
Size
91KB
-
MD5
9904fe5d56f249c0c12b885eb4fc84a0
-
SHA1
8231418172c190ba9a264bef65c235c9ac2a3906
-
SHA256
7d2b8c59a7e046f7eec98bfbbf403240fedf5161e36a74f446924efc1b6ad646
-
SHA512
0f29d07566ec39c6002ee1005c3bf37597023086a7eb843949331345b2ecfdc12770e7d89bf92717b74327ca5cdae9ceafce8995dbe4533c02337df48a9010fd
-
SSDEEP
1536:VypcgsHF7jmR0gba1mLB1FD+riC3FSr7TiwkU6joqqIVLg+:VmcguF6Y1gBvYvFSr7TSUurU+
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lncfcgeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqehjecl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocefpnom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfdhmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahmefdcp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmkfji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmnghfhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnjqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpiaipmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgoelh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlkfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eldbkbop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqjefamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkaoemjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icbipe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlhkgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhfajia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boifga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giolnomh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjbmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qncfphff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgnminke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obokcqhk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onqkclni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Offpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjbqmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecadddjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eldiehbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnicbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epkepakn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adblnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohfcfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmehdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onfabgch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeiecfga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddppmclb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nphpng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diidjpbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilifndlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llomfpag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opialpld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mopdpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkbbinig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkhbgbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejfllhao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpeiligo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnbaif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcokpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfoeel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcacochk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agbbgqhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgklp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khagijcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miapbpmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekghcq32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2876 Mimgeigj.exe 1740 Mcckcbgp.exe 3044 Nbflno32.exe 2812 Ngealejo.exe 2628 Nhgnaehm.exe 2776 Nbmaon32.exe 2544 Nhjjgd32.exe 2980 Nncbdomg.exe 1772 Nenkqi32.exe 2008 Nfoghakb.exe 2716 Oadkej32.exe 496 Ojmpooah.exe 2860 Opihgfop.exe 2156 Ofcqcp32.exe 1864 Oplelf32.exe 2944 Oeindm32.exe 692 Olbfagca.exe 576 Ofhjopbg.exe 644 Opqoge32.exe 1536 Obokcqhk.exe 1016 Oemgplgo.exe 1188 Plgolf32.exe 2068 Pkjphcff.exe 2176 Pepcelel.exe 880 Pkmlmbcd.exe 3008 Pafdjmkq.exe 2268 Pdeqfhjd.exe 2312 Pkoicb32.exe 2652 Pgfjhcge.exe 2772 Ppnnai32.exe 3020 Pcljmdmj.exe 2680 Pnbojmmp.exe 2576 Qkfocaki.exe 324 Qlgkki32.exe 1412 Qdncmgbj.exe 580 Qgmpibam.exe 1816 Aohdmdoh.exe 1724 Agolnbok.exe 2600 Aaimopli.exe 2152 Ahbekjcf.exe 408 Aoojnc32.exe 2712 Adlcfjgh.exe 1336 Agjobffl.exe 1732 Andgop32.exe 2788 Adnpkjde.exe 876 Bnfddp32.exe 3048 Bgoime32.exe 2396 Bkjdndjo.exe 2940 Bqgmfkhg.exe 1596 Bdcifi32.exe 3028 Bjpaop32.exe 3024 Bmnnkl32.exe 2756 Bchfhfeh.exe 2352 Bjbndpmd.exe 2568 Bmpkqklh.exe 2992 Bcjcme32.exe 1328 Bfioia32.exe 856 Bmbgfkje.exe 1908 Ccmpce32.exe 2964 Cenljmgq.exe 2100 Ckhdggom.exe 2096 Cnfqccna.exe 1956 Cfmhdpnc.exe 1736 Cgoelh32.exe -
Loads dropped DLL 64 IoCs
pid Process 540 7d2b8c59a7e046f7eec98bfbbf403240fedf5161e36a74f446924efc1b6ad646N.exe 540 7d2b8c59a7e046f7eec98bfbbf403240fedf5161e36a74f446924efc1b6ad646N.exe 2876 Mimgeigj.exe 2876 Mimgeigj.exe 1740 Mcckcbgp.exe 1740 Mcckcbgp.exe 3044 Nbflno32.exe 3044 Nbflno32.exe 2812 Ngealejo.exe 2812 Ngealejo.exe 2628 Nhgnaehm.exe 2628 Nhgnaehm.exe 2776 Nbmaon32.exe 2776 Nbmaon32.exe 2544 Nhjjgd32.exe 2544 Nhjjgd32.exe 2980 Nncbdomg.exe 2980 Nncbdomg.exe 1772 Nenkqi32.exe 1772 Nenkqi32.exe 2008 Nfoghakb.exe 2008 Nfoghakb.exe 2716 Oadkej32.exe 2716 Oadkej32.exe 496 Ojmpooah.exe 496 Ojmpooah.exe 2860 Opihgfop.exe 2860 Opihgfop.exe 2156 Ofcqcp32.exe 2156 Ofcqcp32.exe 1864 Oplelf32.exe 1864 Oplelf32.exe 2944 Oeindm32.exe 2944 Oeindm32.exe 692 Olbfagca.exe 692 Olbfagca.exe 576 Ofhjopbg.exe 576 Ofhjopbg.exe 644 Opqoge32.exe 644 Opqoge32.exe 1536 Obokcqhk.exe 1536 Obokcqhk.exe 1016 Oemgplgo.exe 1016 Oemgplgo.exe 1188 Plgolf32.exe 1188 Plgolf32.exe 2068 Pkjphcff.exe 2068 Pkjphcff.exe 2176 Pepcelel.exe 2176 Pepcelel.exe 880 Pkmlmbcd.exe 880 Pkmlmbcd.exe 3008 Pafdjmkq.exe 3008 Pafdjmkq.exe 2268 Pdeqfhjd.exe 2268 Pdeqfhjd.exe 2312 Pkoicb32.exe 2312 Pkoicb32.exe 2652 Pgfjhcge.exe 2652 Pgfjhcge.exe 2772 Ppnnai32.exe 2772 Ppnnai32.exe 3020 Pcljmdmj.exe 3020 Pcljmdmj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Adnpkjde.exe Andgop32.exe File created C:\Windows\SysWOW64\Dkaegg32.dll Cgdqpq32.exe File created C:\Windows\SysWOW64\Mhklji32.dll Onfabgch.exe File created C:\Windows\SysWOW64\Anbmbi32.exe Akdafn32.exe File created C:\Windows\SysWOW64\Cidcinlc.dll Ajjgei32.exe File created C:\Windows\SysWOW64\Fpohakbp.exe Fiepea32.exe File opened for modification C:\Windows\SysWOW64\Oninhgae.exe Ogofkm32.exe File created C:\Windows\SysWOW64\Cogqoale.dll Obgnhkkh.exe File created C:\Windows\SysWOW64\Mhcqcl32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dbadagln.exe Dkgldm32.exe File opened for modification C:\Windows\SysWOW64\Ilemce32.exe Ijfqfj32.exe File opened for modification C:\Windows\SysWOW64\Opqoge32.exe Ofhjopbg.exe File opened for modification C:\Windows\SysWOW64\Aeghng32.exe Abhlak32.exe File created C:\Windows\SysWOW64\Kcacil32.dll Cgjgol32.exe File created C:\Windows\SysWOW64\Plbmom32.exe Pidaba32.exe File created C:\Windows\SysWOW64\Ndjfgkha.exe Process not Found File created C:\Windows\SysWOW64\Befima32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Bbikig32.exe Process not Found File created C:\Windows\SysWOW64\Anljck32.exe Agbbgqhh.exe File created C:\Windows\SysWOW64\Hmpaom32.exe Hjaeba32.exe File created C:\Windows\SysWOW64\Mgjpaj32.exe Mdldeo32.exe File opened for modification C:\Windows\SysWOW64\Cjmmffgn.exe Cgnpjkhj.exe File created C:\Windows\SysWOW64\Hkogpn32.exe Hchoop32.exe File opened for modification C:\Windows\SysWOW64\Hdpcokdo.exe Gnfkba32.exe File created C:\Windows\SysWOW64\Piieicgl.exe Penihe32.exe File opened for modification C:\Windows\SysWOW64\Cfckcoen.exe Cceogcfj.exe File opened for modification C:\Windows\SysWOW64\Nanfqo32.exe Process not Found File created C:\Windows\SysWOW64\Qhkipdeb.exe Qbnphngk.exe File created C:\Windows\SysWOW64\Blfapfpg.exe Afliclij.exe File created C:\Windows\SysWOW64\Ladebd32.exe Lofifi32.exe File created C:\Windows\SysWOW64\Abbhje32.exe Process not Found File created C:\Windows\SysWOW64\Famaimfe.exe Fooembgb.exe File created C:\Windows\SysWOW64\Ocamldcp.dll Nckkgp32.exe File opened for modification C:\Windows\SysWOW64\Dppigchi.exe Difqji32.exe File opened for modification C:\Windows\SysWOW64\Ofaolcmh.exe Onjgkf32.exe File opened for modification C:\Windows\SysWOW64\Jqbbhg32.exe Jndflk32.exe File opened for modification C:\Windows\SysWOW64\Ogdaod32.exe Process not Found File created C:\Windows\SysWOW64\Lmcilp32.exe Lkelpd32.exe File opened for modification C:\Windows\SysWOW64\Pbglpg32.exe Ppipdl32.exe File created C:\Windows\SysWOW64\Ndlmhi32.dll Iieepbje.exe File created C:\Windows\SysWOW64\Ggiofa32.exe Gdjcjf32.exe File opened for modification C:\Windows\SysWOW64\Kfggkc32.exe Jcikog32.exe File created C:\Windows\SysWOW64\Mkhanokh.dll Process not Found File opened for modification C:\Windows\SysWOW64\Domccejd.exe Dlofgj32.exe File created C:\Windows\SysWOW64\Ehhdaj32.exe Eeiheo32.exe File opened for modification C:\Windows\SysWOW64\Emeobj32.exe Eldbkbop.exe File opened for modification C:\Windows\SysWOW64\Lmcilp32.exe Lkelpd32.exe File created C:\Windows\SysWOW64\Jmccgf32.dll Onldqejb.exe File opened for modification C:\Windows\SysWOW64\Lnkege32.exe Lklikj32.exe File created C:\Windows\SysWOW64\Pehebbbh.exe Pbjifgcd.exe File opened for modification C:\Windows\SysWOW64\Cggcofkf.exe Process not Found File created C:\Windows\SysWOW64\Moohhbcf.dll Nhgnaehm.exe File opened for modification C:\Windows\SysWOW64\Ofhjopbg.exe Olbfagca.exe File created C:\Windows\SysWOW64\Oopqjabc.dll Llgljn32.exe File opened for modification C:\Windows\SysWOW64\Djmiejji.exe Dgnminke.exe File created C:\Windows\SysWOW64\Fnbkfl32.dll Cbdiia32.exe File created C:\Windows\SysWOW64\Pcqejkep.dll Hieiqo32.exe File opened for modification C:\Windows\SysWOW64\Eeagimdf.exe Eogolc32.exe File opened for modification C:\Windows\SysWOW64\Fliook32.exe Fkhbgbkc.exe File created C:\Windows\SysWOW64\Npechhgd.exe Nikkkn32.exe File created C:\Windows\SysWOW64\Bmbgfkje.exe Bfioia32.exe File created C:\Windows\SysWOW64\Eiilephi.dll Lgngbmjp.exe File created C:\Windows\SysWOW64\Jgnapb32.dll Lpldcfmd.exe File opened for modification C:\Windows\SysWOW64\Oepjoa32.exe Onfabgch.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbfnjeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pacajg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijqjgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpaop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgoelh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpajbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngdjaofc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcbnpgkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pndalkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnicbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnjfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clojhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpjifjdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leikbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjnjqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmcopebh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjljnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgionie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nccnlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmbabj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jabponba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkfojakp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djjjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjbmll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlemlnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogbldk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbadagln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnmjpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmbcen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpafapbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbabho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akdafn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifengpdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbgfkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljpjchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lifcib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpemhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Golgon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goapjnoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbffjmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkdbea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flapkmlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijibng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpcoeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhcmedli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnjicjbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giolnomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmqcmdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehhqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honnki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbcfdmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mopdpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcichb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdndjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpkqklh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfpbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oepjoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdefnjkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icoepohq.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oggeokoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ponklpcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfbdci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfbjhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgpfpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnfoepmg.dll" Embkbdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhfnqbdc.dll" Pjjkfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnckki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Offpbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahchdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acbbhobn.dll" Dpfkeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbflno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkebafoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjaeba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjkibehc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdkmeiei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgeelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faonom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggapbcne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Immjnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnibcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knbnol32.dll" Ojbbmnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfgpaco.dll" Ifmocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgjbpi32.dll" Bjembh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdjkbh32.dll" Jecnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eogffk32.dll" Hgeelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knijnb32.dll" Genlgnhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mimgeigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lljpjchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjlmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bldainid.dll" Odacbpee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqnablhp.dll" Mejmmqpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Malmllfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnnjlmid.dll" Dppigchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aknpmobg.dll" Pljnkodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bedhgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonnhc32.dll" Mbqkiind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koflgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgiked32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpohakbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blnpddeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bijlibjp.dll" Edcqjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhhgkj32.dll" Ifpcchai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdgdji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdeopaj.dll" Lalhgogb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plpqim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngdjaofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pehebbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmmneg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfenf32.dll" Ccnifd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omfnnnhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmndfnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmojdiin.dll" Fopnpaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgfooe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knohpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifengpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diidjpbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehpcehcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Appbcn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 540 wrote to memory of 2876 540 7d2b8c59a7e046f7eec98bfbbf403240fedf5161e36a74f446924efc1b6ad646N.exe 31 PID 540 wrote to memory of 2876 540 7d2b8c59a7e046f7eec98bfbbf403240fedf5161e36a74f446924efc1b6ad646N.exe 31 PID 540 wrote to memory of 2876 540 7d2b8c59a7e046f7eec98bfbbf403240fedf5161e36a74f446924efc1b6ad646N.exe 31 PID 540 wrote to memory of 2876 540 7d2b8c59a7e046f7eec98bfbbf403240fedf5161e36a74f446924efc1b6ad646N.exe 31 PID 2876 wrote to memory of 1740 2876 Mimgeigj.exe 32 PID 2876 wrote to memory of 1740 2876 Mimgeigj.exe 32 PID 2876 wrote to memory of 1740 2876 Mimgeigj.exe 32 PID 2876 wrote to memory of 1740 2876 Mimgeigj.exe 32 PID 1740 wrote to memory of 3044 1740 Mcckcbgp.exe 33 PID 1740 wrote to memory of 3044 1740 Mcckcbgp.exe 33 PID 1740 wrote to memory of 3044 1740 Mcckcbgp.exe 33 PID 1740 wrote to memory of 3044 1740 Mcckcbgp.exe 33 PID 3044 wrote to memory of 2812 3044 Nbflno32.exe 34 PID 3044 wrote to memory of 2812 3044 Nbflno32.exe 34 PID 3044 wrote to memory of 2812 3044 Nbflno32.exe 34 PID 3044 wrote to memory of 2812 3044 Nbflno32.exe 34 PID 2812 wrote to memory of 2628 2812 Ngealejo.exe 35 PID 2812 wrote to memory of 2628 2812 Ngealejo.exe 35 PID 2812 wrote to memory of 2628 2812 Ngealejo.exe 35 PID 2812 wrote to memory of 2628 2812 Ngealejo.exe 35 PID 2628 wrote to memory of 2776 2628 Nhgnaehm.exe 36 PID 2628 wrote to memory of 2776 2628 Nhgnaehm.exe 36 PID 2628 wrote to memory of 2776 2628 Nhgnaehm.exe 36 PID 2628 wrote to memory of 2776 2628 Nhgnaehm.exe 36 PID 2776 wrote to memory of 2544 2776 Nbmaon32.exe 37 PID 2776 wrote to memory of 2544 2776 Nbmaon32.exe 37 PID 2776 wrote to memory of 2544 2776 Nbmaon32.exe 37 PID 2776 wrote to memory of 2544 2776 Nbmaon32.exe 37 PID 2544 wrote to memory of 2980 2544 Nhjjgd32.exe 38 PID 2544 wrote to memory of 2980 2544 Nhjjgd32.exe 38 PID 2544 wrote to memory of 2980 2544 Nhjjgd32.exe 38 PID 2544 wrote to memory of 2980 2544 Nhjjgd32.exe 38 PID 2980 wrote to memory of 1772 2980 Nncbdomg.exe 39 PID 2980 wrote to memory of 1772 2980 Nncbdomg.exe 39 PID 2980 wrote to memory of 1772 2980 Nncbdomg.exe 39 PID 2980 wrote to memory of 1772 2980 Nncbdomg.exe 39 PID 1772 wrote to memory of 2008 1772 Nenkqi32.exe 40 PID 1772 wrote to memory of 2008 1772 Nenkqi32.exe 40 PID 1772 wrote to memory of 2008 1772 Nenkqi32.exe 40 PID 1772 wrote to memory of 2008 1772 Nenkqi32.exe 40 PID 2008 wrote to memory of 2716 2008 Nfoghakb.exe 41 PID 2008 wrote to memory of 2716 2008 Nfoghakb.exe 41 PID 2008 wrote to memory of 2716 2008 Nfoghakb.exe 41 PID 2008 wrote to memory of 2716 2008 Nfoghakb.exe 41 PID 2716 wrote to memory of 496 2716 Oadkej32.exe 42 PID 2716 wrote to memory of 496 2716 Oadkej32.exe 42 PID 2716 wrote to memory of 496 2716 Oadkej32.exe 42 PID 2716 wrote to memory of 496 2716 Oadkej32.exe 42 PID 496 wrote to memory of 2860 496 Ojmpooah.exe 43 PID 496 wrote to memory of 2860 496 Ojmpooah.exe 43 PID 496 wrote to memory of 2860 496 Ojmpooah.exe 43 PID 496 wrote to memory of 2860 496 Ojmpooah.exe 43 PID 2860 wrote to memory of 2156 2860 Opihgfop.exe 44 PID 2860 wrote to memory of 2156 2860 Opihgfop.exe 44 PID 2860 wrote to memory of 2156 2860 Opihgfop.exe 44 PID 2860 wrote to memory of 2156 2860 Opihgfop.exe 44 PID 2156 wrote to memory of 1864 2156 Ofcqcp32.exe 45 PID 2156 wrote to memory of 1864 2156 Ofcqcp32.exe 45 PID 2156 wrote to memory of 1864 2156 Ofcqcp32.exe 45 PID 2156 wrote to memory of 1864 2156 Ofcqcp32.exe 45 PID 1864 wrote to memory of 2944 1864 Oplelf32.exe 46 PID 1864 wrote to memory of 2944 1864 Oplelf32.exe 46 PID 1864 wrote to memory of 2944 1864 Oplelf32.exe 46 PID 1864 wrote to memory of 2944 1864 Oplelf32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d2b8c59a7e046f7eec98bfbbf403240fedf5161e36a74f446924efc1b6ad646N.exe"C:\Users\Admin\AppData\Local\Temp\7d2b8c59a7e046f7eec98bfbbf403240fedf5161e36a74f446924efc1b6ad646N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Mcckcbgp.exeC:\Windows\system32\Mcckcbgp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Nbflno32.exeC:\Windows\system32\Nbflno32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Nhgnaehm.exeC:\Windows\system32\Nhgnaehm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Nbmaon32.exeC:\Windows\system32\Nbmaon32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Nhjjgd32.exeC:\Windows\system32\Nhjjgd32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Nncbdomg.exeC:\Windows\system32\Nncbdomg.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1772 -
C:\Windows\SysWOW64\Nfoghakb.exeC:\Windows\system32\Nfoghakb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:496 -
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Ofcqcp32.exeC:\Windows\system32\Ofcqcp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\SysWOW64\Oeindm32.exeC:\Windows\system32\Oeindm32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2944 -
C:\Windows\SysWOW64\Olbfagca.exeC:\Windows\system32\Olbfagca.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:692 -
C:\Windows\SysWOW64\Ofhjopbg.exeC:\Windows\system32\Ofhjopbg.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:576 -
C:\Windows\SysWOW64\Opqoge32.exeC:\Windows\system32\Opqoge32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:644 -
C:\Windows\SysWOW64\Obokcqhk.exeC:\Windows\system32\Obokcqhk.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Oemgplgo.exeC:\Windows\system32\Oemgplgo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1016 -
C:\Windows\SysWOW64\Plgolf32.exeC:\Windows\system32\Plgolf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1188 -
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Pepcelel.exeC:\Windows\system32\Pepcelel.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2176 -
C:\Windows\SysWOW64\Pkmlmbcd.exeC:\Windows\system32\Pkmlmbcd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:880 -
C:\Windows\SysWOW64\Pafdjmkq.exeC:\Windows\system32\Pafdjmkq.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Pdeqfhjd.exeC:\Windows\system32\Pdeqfhjd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Pkoicb32.exeC:\Windows\system32\Pkoicb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2312 -
C:\Windows\SysWOW64\Pgfjhcge.exeC:\Windows\system32\Pgfjhcge.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Ppnnai32.exeC:\Windows\system32\Ppnnai32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Pcljmdmj.exeC:\Windows\system32\Pcljmdmj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3020 -
C:\Windows\SysWOW64\Pnbojmmp.exeC:\Windows\system32\Pnbojmmp.exe33⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Qkfocaki.exeC:\Windows\system32\Qkfocaki.exe34⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Qlgkki32.exeC:\Windows\system32\Qlgkki32.exe35⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Qdncmgbj.exeC:\Windows\system32\Qdncmgbj.exe36⤵
- Executes dropped EXE
PID:1412 -
C:\Windows\SysWOW64\Qgmpibam.exeC:\Windows\system32\Qgmpibam.exe37⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Aohdmdoh.exeC:\Windows\system32\Aohdmdoh.exe38⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Agolnbok.exeC:\Windows\system32\Agolnbok.exe39⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Aaimopli.exeC:\Windows\system32\Aaimopli.exe40⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Ahbekjcf.exeC:\Windows\system32\Ahbekjcf.exe41⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Aoojnc32.exeC:\Windows\system32\Aoojnc32.exe42⤵
- Executes dropped EXE
PID:408 -
C:\Windows\SysWOW64\Adlcfjgh.exeC:\Windows\system32\Adlcfjgh.exe43⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Agjobffl.exeC:\Windows\system32\Agjobffl.exe44⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Andgop32.exeC:\Windows\system32\Andgop32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1732 -
C:\Windows\SysWOW64\Adnpkjde.exeC:\Windows\system32\Adnpkjde.exe46⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe47⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Bgoime32.exeC:\Windows\system32\Bgoime32.exe48⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Bkjdndjo.exeC:\Windows\system32\Bkjdndjo.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\Bqgmfkhg.exeC:\Windows\system32\Bqgmfkhg.exe50⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Bdcifi32.exeC:\Windows\system32\Bdcifi32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Bjpaop32.exeC:\Windows\system32\Bjpaop32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Bmnnkl32.exeC:\Windows\system32\Bmnnkl32.exe53⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Bchfhfeh.exeC:\Windows\system32\Bchfhfeh.exe54⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Bjbndpmd.exeC:\Windows\system32\Bjbndpmd.exe55⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Bmpkqklh.exeC:\Windows\system32\Bmpkqklh.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Bcjcme32.exeC:\Windows\system32\Bcjcme32.exe57⤵
- Executes dropped EXE
PID:2992 -
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1328 -
C:\Windows\SysWOW64\Bmbgfkje.exeC:\Windows\system32\Bmbgfkje.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:856 -
C:\Windows\SysWOW64\Ccmpce32.exeC:\Windows\system32\Ccmpce32.exe60⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Cenljmgq.exeC:\Windows\system32\Cenljmgq.exe61⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Ckhdggom.exeC:\Windows\system32\Ckhdggom.exe62⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Cnfqccna.exeC:\Windows\system32\Cnfqccna.exe63⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe64⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Cgoelh32.exeC:\Windows\system32\Cgoelh32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Cbdiia32.exeC:\Windows\system32\Cbdiia32.exe66⤵
- Drops file in System32 directory
PID:936 -
C:\Windows\SysWOW64\Cebeem32.exeC:\Windows\system32\Cebeem32.exe67⤵PID:1936
-
C:\Windows\SysWOW64\Cjonncab.exeC:\Windows\system32\Cjonncab.exe68⤵PID:2344
-
C:\Windows\SysWOW64\Cbffoabe.exeC:\Windows\system32\Cbffoabe.exe69⤵PID:888
-
C:\Windows\SysWOW64\Cchbgi32.exeC:\Windows\system32\Cchbgi32.exe70⤵PID:1588
-
C:\Windows\SysWOW64\Clojhf32.exeC:\Windows\system32\Clojhf32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1828 -
C:\Windows\SysWOW64\Cjakccop.exeC:\Windows\system32\Cjakccop.exe72⤵PID:2668
-
C:\Windows\SysWOW64\Calcpm32.exeC:\Windows\system32\Calcpm32.exe73⤵PID:2824
-
C:\Windows\SysWOW64\Cegoqlof.exeC:\Windows\system32\Cegoqlof.exe74⤵PID:2560
-
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe75⤵PID:2588
-
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe76⤵PID:584
-
C:\Windows\SysWOW64\Dmbcen32.exeC:\Windows\system32\Dmbcen32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Dcllbhdn.exeC:\Windows\system32\Dcllbhdn.exe78⤵PID:1976
-
C:\Windows\SysWOW64\Dfkhndca.exeC:\Windows\system32\Dfkhndca.exe79⤵PID:2552
-
C:\Windows\SysWOW64\Diidjpbe.exeC:\Windows\system32\Diidjpbe.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Dpcmgi32.exeC:\Windows\system32\Dpcmgi32.exe81⤵PID:900
-
C:\Windows\SysWOW64\Dcohghbk.exeC:\Windows\system32\Dcohghbk.exe82⤵PID:1516
-
C:\Windows\SysWOW64\Dilapopb.exeC:\Windows\system32\Dilapopb.exe83⤵PID:2368
-
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2484 -
C:\Windows\SysWOW64\Dfpaic32.exeC:\Windows\system32\Dfpaic32.exe85⤵PID:2212
-
C:\Windows\SysWOW64\Dmijfmfi.exeC:\Windows\system32\Dmijfmfi.exe86⤵PID:1236
-
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe87⤵PID:2040
-
C:\Windows\SysWOW64\Dfbnoc32.exeC:\Windows\system32\Dfbnoc32.exe88⤵PID:2020
-
C:\Windows\SysWOW64\Dhckfkbh.exeC:\Windows\system32\Dhckfkbh.exe89⤵PID:2888
-
C:\Windows\SysWOW64\Dlofgj32.exeC:\Windows\system32\Dlofgj32.exe90⤵
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Domccejd.exeC:\Windows\system32\Domccejd.exe91⤵PID:780
-
C:\Windows\SysWOW64\Eheglk32.exeC:\Windows\system32\Eheglk32.exe92⤵PID:2572
-
C:\Windows\SysWOW64\Eopphehb.exeC:\Windows\system32\Eopphehb.exe93⤵PID:1776
-
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe94⤵
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Ehhdaj32.exeC:\Windows\system32\Ehhdaj32.exe95⤵PID:2844
-
C:\Windows\SysWOW64\Ekfpmf32.exeC:\Windows\system32\Ekfpmf32.exe96⤵PID:1728
-
C:\Windows\SysWOW64\Eaphjp32.exeC:\Windows\system32\Eaphjp32.exe97⤵PID:908
-
C:\Windows\SysWOW64\Eeldkonl.exeC:\Windows\system32\Eeldkonl.exe98⤵PID:2908
-
C:\Windows\SysWOW64\Egmabg32.exeC:\Windows\system32\Egmabg32.exe99⤵PID:2084
-
C:\Windows\SysWOW64\Ekhmcelc.exeC:\Windows\system32\Ekhmcelc.exe100⤵PID:3016
-
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe101⤵PID:2224
-
C:\Windows\SysWOW64\Edaalk32.exeC:\Windows\system32\Edaalk32.exe102⤵PID:3068
-
C:\Windows\SysWOW64\Egonhf32.exeC:\Windows\system32\Egonhf32.exe103⤵PID:2644
-
C:\Windows\SysWOW64\Emifeqid.exeC:\Windows\system32\Emifeqid.exe104⤵PID:2524
-
C:\Windows\SysWOW64\Edcnakpa.exeC:\Windows\system32\Edcnakpa.exe105⤵PID:1792
-
C:\Windows\SysWOW64\Egajnfoe.exeC:\Windows\system32\Egajnfoe.exe106⤵PID:2036
-
C:\Windows\SysWOW64\Fmlbjq32.exeC:\Windows\system32\Fmlbjq32.exe107⤵PID:2848
-
C:\Windows\SysWOW64\Flocfmnl.exeC:\Windows\system32\Flocfmnl.exe108⤵PID:2192
-
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe109⤵PID:2372
-
C:\Windows\SysWOW64\Fgdgcfmb.exeC:\Windows\system32\Fgdgcfmb.exe110⤵PID:1820
-
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe111⤵PID:2440
-
C:\Windows\SysWOW64\Flapkmlj.exeC:\Windows\system32\Flapkmlj.exe112⤵
- System Location Discovery: System Language Discovery
PID:556 -
C:\Windows\SysWOW64\Fckhhgcf.exeC:\Windows\system32\Fckhhgcf.exe113⤵PID:1948
-
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe114⤵PID:2640
-
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe115⤵
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Fpohakbp.exeC:\Windows\system32\Fpohakbp.exe116⤵
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe117⤵PID:2740
-
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe118⤵PID:2160
-
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe119⤵PID:448
-
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe120⤵PID:680
-
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe121⤵PID:1384
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-