Analysis
-
max time kernel
141s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
08-12-2024 22:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
44c403ac327d2eb82ea18573f9c621e2d07275a7c9baea92bcc955f4fddc4c95.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
44c403ac327d2eb82ea18573f9c621e2d07275a7c9baea92bcc955f4fddc4c95.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
44c403ac327d2eb82ea18573f9c621e2d07275a7c9baea92bcc955f4fddc4c95.exe
-
Size
64KB
-
MD5
55562d0c204e6bd46e4c663a95277cb7
-
SHA1
9fe7ee8c888ba8d26ec2e7f5d77a58c385137f9e
-
SHA256
44c403ac327d2eb82ea18573f9c621e2d07275a7c9baea92bcc955f4fddc4c95
-
SHA512
27ca8509252d8a7a78bcf078585e1bf74f01897973f214a7ff6ff362244815d8034d888eb30cfd757c100ab9784d24ed79500837f4c3722617d4e6bf977eeee6
-
SSDEEP
1536:V6hl14vPoBPPoqDvPaapgu8XDIGWl6RVL6YXUwXfzwP:VugvKPPoqbPfiDQlO9FPzwP
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdlfngcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajipkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jqbbhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbmnea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Momapqgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gleqdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkhaooec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdiahco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahhchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clfhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icabeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qjgcecja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalofa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgmjdaqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kelmbifm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejfllhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gedbfimc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kffqqm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohengmcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gllnnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcjldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjmcfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Naimepkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pofldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkmmigjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baealp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eifobe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkopndcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neibanod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojndpqpq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pajeanhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnjalhpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hclhjpjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nchipb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpnlndkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjkfqlpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pqgilnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajipkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aljmbknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgnminke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdeoccgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlpchfdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbfnchfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpaohjkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkjnenbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inmpklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpldcfmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Inmpklpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibillk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nloachkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcmoie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmecbkgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkbbinig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eddjhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glbdnbpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkopndcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkdbea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmcgmkil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ninhamne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdnibdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbpnkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mohhea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nchipb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkkioeig.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2660 Befnbd32.exe 2752 Bggjjlnb.exe 2668 Cdkkcp32.exe 2720 Cjhckg32.exe 2616 Ccqhdmbc.exe 276 Cnflae32.exe 2908 Cccdjl32.exe 1004 Cpgecq32.exe 1708 Cceapl32.exe 2832 Clnehado.exe 2352 Ccgnelll.exe 2260 Dkbbinig.exe 560 Dbmkfh32.exe 1768 Dlboca32.exe 2120 Dnckki32.exe 2440 Dhiphb32.exe 1628 Dochelmj.exe 996 Dhklna32.exe 1364 Dgnminke.exe 1060 Dbdagg32.exe 2728 Ddbmcb32.exe 2512 Djoeki32.exe 1676 Dnjalhpp.exe 1296 Eddjhb32.exe 2212 Enmnahnm.exe 2280 Ecjgio32.exe 2844 Eifobe32.exe 2856 Eclcon32.exe 2696 Ejfllhao.exe 2576 Ecnpdnho.exe 2672 Elieipej.exe 2604 Efoifiep.exe 1252 Egpena32.exe 2412 Fipbhd32.exe 3020 Fnmjpk32.exe 900 Fbhfajia.exe 2472 Flqkjo32.exe 1208 Fjckelfm.exe 556 Fdlpnamm.exe 2016 Fnadkjlc.exe 2132 Fpbqcb32.exe 264 Ffmipmjn.exe 1108 Fabmmejd.exe 1716 Gjjafkpe.exe 908 Gllnnc32.exe 1812 Gedbfimc.exe 2028 Gmkjgfmf.exe 1316 Gpjfcali.exe 1780 Gbhcpmkm.exe 2340 Gibkmgcj.exe 1620 Glpgibbn.exe 2852 Gplcia32.exe 2588 Gbjpem32.exe 2556 Geilah32.exe 2084 Gidhbgag.exe 432 Glbdnbpk.exe 1276 Gkedjo32.exe 1368 Gaplfinb.exe 2640 Gdnibdmf.exe 1864 Gleqdb32.exe 1688 Gkhaooec.exe 2196 Hememgdi.exe 2056 Hhlaiccm.exe 1816 Hkjnenbp.exe -
Loads dropped DLL 64 IoCs
pid Process 1960 44c403ac327d2eb82ea18573f9c621e2d07275a7c9baea92bcc955f4fddc4c95.exe 1960 44c403ac327d2eb82ea18573f9c621e2d07275a7c9baea92bcc955f4fddc4c95.exe 2660 Befnbd32.exe 2660 Befnbd32.exe 2752 Bggjjlnb.exe 2752 Bggjjlnb.exe 2668 Cdkkcp32.exe 2668 Cdkkcp32.exe 2720 Cjhckg32.exe 2720 Cjhckg32.exe 2616 Ccqhdmbc.exe 2616 Ccqhdmbc.exe 276 Cnflae32.exe 276 Cnflae32.exe 2908 Cccdjl32.exe 2908 Cccdjl32.exe 1004 Cpgecq32.exe 1004 Cpgecq32.exe 1708 Cceapl32.exe 1708 Cceapl32.exe 2832 Clnehado.exe 2832 Clnehado.exe 2352 Ccgnelll.exe 2352 Ccgnelll.exe 2260 Dkbbinig.exe 2260 Dkbbinig.exe 560 Dbmkfh32.exe 560 Dbmkfh32.exe 1768 Dlboca32.exe 1768 Dlboca32.exe 2120 Dnckki32.exe 2120 Dnckki32.exe 2440 Dhiphb32.exe 2440 Dhiphb32.exe 1628 Dochelmj.exe 1628 Dochelmj.exe 996 Dhklna32.exe 996 Dhklna32.exe 1364 Dgnminke.exe 1364 Dgnminke.exe 1060 Dbdagg32.exe 1060 Dbdagg32.exe 2728 Ddbmcb32.exe 2728 Ddbmcb32.exe 2512 Djoeki32.exe 2512 Djoeki32.exe 1676 Dnjalhpp.exe 1676 Dnjalhpp.exe 1296 Eddjhb32.exe 1296 Eddjhb32.exe 2212 Enmnahnm.exe 2212 Enmnahnm.exe 2280 Ecjgio32.exe 2280 Ecjgio32.exe 2844 Eifobe32.exe 2844 Eifobe32.exe 2856 Eclcon32.exe 2856 Eclcon32.exe 2696 Ejfllhao.exe 2696 Ejfllhao.exe 2576 Ecnpdnho.exe 2576 Ecnpdnho.exe 2672 Elieipej.exe 2672 Elieipej.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jllaig32.dll Ihiabfhk.exe File created C:\Windows\SysWOW64\Ifpnaj32.exe Icabeo32.exe File created C:\Windows\SysWOW64\Idlmjnop.dll Ihbdhepp.exe File created C:\Windows\SysWOW64\Lbkaoalg.exe Lpldcfmd.exe File opened for modification C:\Windows\SysWOW64\Lofkoamf.exe Llhocfnb.exe File created C:\Windows\SysWOW64\Hmmobd32.dll Llhocfnb.exe File opened for modification C:\Windows\SysWOW64\Mdlfngcc.exe Manjaldo.exe File created C:\Windows\SysWOW64\Abfdhg32.dll Hcjldp32.exe File created C:\Windows\SysWOW64\Ngjoif32.exe Neibanod.exe File opened for modification C:\Windows\SysWOW64\Pfkkeq32.exe Pcmoie32.exe File created C:\Windows\SysWOW64\Pnnfkb32.exe Pchbmigj.exe File created C:\Windows\SysWOW64\Peiejhfb.dll Nlanhh32.exe File created C:\Windows\SysWOW64\Gmkjgfmf.exe Gedbfimc.exe File opened for modification C:\Windows\SysWOW64\Ihlnhffh.exe Iaaekl32.exe File opened for modification C:\Windows\SysWOW64\Ninhamne.exe Npechhgd.exe File created C:\Windows\SysWOW64\Igpfoieh.dll Ogdaod32.exe File opened for modification C:\Windows\SysWOW64\Ofiopaap.exe Ohengmcf.exe File opened for modification C:\Windows\SysWOW64\Bacefpbg.exe Bodhjdcc.exe File opened for modification C:\Windows\SysWOW64\Clfhml32.exe Ciglaa32.exe File opened for modification C:\Windows\SysWOW64\Fpbqcb32.exe Fnadkjlc.exe File created C:\Windows\SysWOW64\Deeakhnj.dll Lbmnea32.exe File created C:\Windows\SysWOW64\Enjqlaec.dll Mdgmbhgh.exe File created C:\Windows\SysWOW64\Cbjcpc32.dll Nokqidll.exe File opened for modification C:\Windows\SysWOW64\Ndjfgkha.exe Nchipb32.exe File created C:\Windows\SysWOW64\Eiefbk32.dll Oabplobe.exe File created C:\Windows\SysWOW64\Omnmal32.exe Ocfiif32.exe File opened for modification C:\Windows\SysWOW64\Aeenapck.exe Aphehidc.exe File created C:\Windows\SysWOW64\Mmgkii32.dll Lmpeljkm.exe File created C:\Windows\SysWOW64\Kbmamh32.dll Bdfjnkne.exe File created C:\Windows\SysWOW64\Eiabmg32.dll Ejfllhao.exe File opened for modification C:\Windows\SysWOW64\Gplcia32.exe Glpgibbn.exe File created C:\Windows\SysWOW64\Ihbdhepp.exe Idghhf32.exe File created C:\Windows\SysWOW64\Ikimqk32.dll Jjkfqlpf.exe File created C:\Windows\SysWOW64\Pejkoijd.dll Kenjgi32.exe File created C:\Windows\SysWOW64\Opccallb.exe Oapcfo32.exe File created C:\Windows\SysWOW64\Dkbbinig.exe Ccgnelll.exe File opened for modification C:\Windows\SysWOW64\Hememgdi.exe Gkhaooec.exe File created C:\Windows\SysWOW64\Kolhdbjh.exe Jibpghbk.exe File opened for modification C:\Windows\SysWOW64\Omnmal32.exe Ocfiif32.exe File created C:\Windows\SysWOW64\Qfkgdd32.exe Qpaohjkk.exe File created C:\Windows\SysWOW64\Kneibo32.dll Ffmipmjn.exe File opened for modification C:\Windows\SysWOW64\Pmqffonj.exe Pnnfkb32.exe File opened for modification C:\Windows\SysWOW64\Qcjoci32.exe Pmqffonj.exe File created C:\Windows\SysWOW64\Qmcclolh.exe Qnpcpa32.exe File opened for modification C:\Windows\SysWOW64\Ajipkb32.exe Acohnhab.exe File opened for modification C:\Windows\SysWOW64\Abdeoe32.exe Aljmbknm.exe File opened for modification C:\Windows\SysWOW64\Anmbje32.exe Ahcjmkbo.exe File created C:\Windows\SysWOW64\Aicfgn32.exe Aalofa32.exe File opened for modification C:\Windows\SysWOW64\Mheeif32.exe Momapqgn.exe File opened for modification C:\Windows\SysWOW64\Eclcon32.exe Eifobe32.exe File created C:\Windows\SysWOW64\Liibgkoo.exe Lbojjq32.exe File opened for modification C:\Windows\SysWOW64\Manjaldo.exe Mkdbea32.exe File created C:\Windows\SysWOW64\Ndmdqcnk.dll Odcimipf.exe File created C:\Windows\SysWOW64\Pqgilnji.exe Pofldf32.exe File opened for modification C:\Windows\SysWOW64\Binikb32.exe Bkkioeig.exe File created C:\Windows\SysWOW64\Dgnminke.exe Dhklna32.exe File created C:\Windows\SysWOW64\Icoepohq.exe Ilemce32.exe File created C:\Windows\SysWOW64\Imlkdf32.dll Lffmpp32.exe File created C:\Windows\SysWOW64\Lpoaheja.exe Lmpeljkm.exe File opened for modification C:\Windows\SysWOW64\Naimepkp.exe Nokqidll.exe File created C:\Windows\SysWOW64\Hpnlndkp.exe Hnppaill.exe File opened for modification C:\Windows\SysWOW64\Kgjjndeq.exe Kelmbifm.exe File opened for modification C:\Windows\SysWOW64\Liblfl32.exe Lfdpjp32.exe File created C:\Windows\SysWOW64\Llhocfnb.exe Liibgkoo.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kelmbifm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmklak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpqjfnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggjjlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icoepohq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keiqlihp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjgcecja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anpooe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibpghbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbkdpnil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opccallb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjalhpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfllhao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnlndkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjkbpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkmmigjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmcclolh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgmjdaqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npechhgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odqlhjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicfgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbfnchfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clnehado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elieipej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcleiclo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgbfcjag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pajeanhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdcjgnbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhfjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcmoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhckg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hekefkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neibanod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ainmlomf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaaekl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Manjaldo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nchipb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momapqgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfjnkne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cceapl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hclhjpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inplqlng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahcjmkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blaobmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cccdjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqbbhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmndfnpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpmkbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdlpnamm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbjpem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikocoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efoifiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkedjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmecbkgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpoaheja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miiofn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmelpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhiphb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifobe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahhchk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkopndcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdgmbhgh.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hekefkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmobd32.dll" Llhocfnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjlop32.dll" Magdam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ligleljk.dll" Mdlfngcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nokqidll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nliqma32.dll" Cpgecq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinefnpo.dll" Gleqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhlaiccm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nelgfoke.dll" Jkopndcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggqbii32.dll" Clfhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aceakpbh.dll" Chmibmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdkooael.dll" Dbmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgocef32.dll" Hhlaiccm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcmoie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmecge32.dll" Aalofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flffpf32.dll" Baealp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcngcc32.dll" Egpena32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnkffi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfdkng32.dll" Iklfia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgmej32.dll" Lpldcfmd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Neibanod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgkgm32.dll" Ngjoif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acdlnnal.dll" Bjiljf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Befnbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eifobe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbjpem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcleiclo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kenjgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcfhi32.dll" Lpoaheja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aeojifki.dll" Momapqgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nikkkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhklna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieoeff32.dll" Ecjgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgnedp32.dll" Eifobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlpchfdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inplqlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bchmahjj.dll" Pmqffonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkcbpni.dll" Qfkgdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bodhjdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ceickb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckkenikc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdgmbhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkdbea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcoomf32.dll" Omnmal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqjibkek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enihha32.dll" Ofiopaap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmijajbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikocoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmaalgf.dll" Jgmjdaqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cccdlddl.dll" Lofkoamf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjqnkk32.dll" Aicfgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jggdmb32.dll" Bmlbaqfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjjafkpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gleqdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjqkgfdn.dll" Hmijajbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoalia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbhhkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Capdpcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faiglonh.dll" Nloachkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agcmideg.dll" Bbfnchfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cniajdkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgnminke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glbdnbpk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1960 wrote to memory of 2660 1960 44c403ac327d2eb82ea18573f9c621e2d07275a7c9baea92bcc955f4fddc4c95.exe 30 PID 1960 wrote to memory of 2660 1960 44c403ac327d2eb82ea18573f9c621e2d07275a7c9baea92bcc955f4fddc4c95.exe 30 PID 1960 wrote to memory of 2660 1960 44c403ac327d2eb82ea18573f9c621e2d07275a7c9baea92bcc955f4fddc4c95.exe 30 PID 1960 wrote to memory of 2660 1960 44c403ac327d2eb82ea18573f9c621e2d07275a7c9baea92bcc955f4fddc4c95.exe 30 PID 2660 wrote to memory of 2752 2660 Befnbd32.exe 31 PID 2660 wrote to memory of 2752 2660 Befnbd32.exe 31 PID 2660 wrote to memory of 2752 2660 Befnbd32.exe 31 PID 2660 wrote to memory of 2752 2660 Befnbd32.exe 31 PID 2752 wrote to memory of 2668 2752 Bggjjlnb.exe 32 PID 2752 wrote to memory of 2668 2752 Bggjjlnb.exe 32 PID 2752 wrote to memory of 2668 2752 Bggjjlnb.exe 32 PID 2752 wrote to memory of 2668 2752 Bggjjlnb.exe 32 PID 2668 wrote to memory of 2720 2668 Cdkkcp32.exe 33 PID 2668 wrote to memory of 2720 2668 Cdkkcp32.exe 33 PID 2668 wrote to memory of 2720 2668 Cdkkcp32.exe 33 PID 2668 wrote to memory of 2720 2668 Cdkkcp32.exe 33 PID 2720 wrote to memory of 2616 2720 Cjhckg32.exe 34 PID 2720 wrote to memory of 2616 2720 Cjhckg32.exe 34 PID 2720 wrote to memory of 2616 2720 Cjhckg32.exe 34 PID 2720 wrote to memory of 2616 2720 Cjhckg32.exe 34 PID 2616 wrote to memory of 276 2616 Ccqhdmbc.exe 35 PID 2616 wrote to memory of 276 2616 Ccqhdmbc.exe 35 PID 2616 wrote to memory of 276 2616 Ccqhdmbc.exe 35 PID 2616 wrote to memory of 276 2616 Ccqhdmbc.exe 35 PID 276 wrote to memory of 2908 276 Cnflae32.exe 36 PID 276 wrote to memory of 2908 276 Cnflae32.exe 36 PID 276 wrote to memory of 2908 276 Cnflae32.exe 36 PID 276 wrote to memory of 2908 276 Cnflae32.exe 36 PID 2908 wrote to memory of 1004 2908 Cccdjl32.exe 37 PID 2908 wrote to memory of 1004 2908 Cccdjl32.exe 37 PID 2908 wrote to memory of 1004 2908 Cccdjl32.exe 37 PID 2908 wrote to memory of 1004 2908 Cccdjl32.exe 37 PID 1004 wrote to memory of 1708 1004 Cpgecq32.exe 38 PID 1004 wrote to memory of 1708 1004 Cpgecq32.exe 38 PID 1004 wrote to memory of 1708 1004 Cpgecq32.exe 38 PID 1004 wrote to memory of 1708 1004 Cpgecq32.exe 38 PID 1708 wrote to memory of 2832 1708 Cceapl32.exe 39 PID 1708 wrote to memory of 2832 1708 Cceapl32.exe 39 PID 1708 wrote to memory of 2832 1708 Cceapl32.exe 39 PID 1708 wrote to memory of 2832 1708 Cceapl32.exe 39 PID 2832 wrote to memory of 2352 2832 Clnehado.exe 40 PID 2832 wrote to memory of 2352 2832 Clnehado.exe 40 PID 2832 wrote to memory of 2352 2832 Clnehado.exe 40 PID 2832 wrote to memory of 2352 2832 Clnehado.exe 40 PID 2352 wrote to memory of 2260 2352 Ccgnelll.exe 41 PID 2352 wrote to memory of 2260 2352 Ccgnelll.exe 41 PID 2352 wrote to memory of 2260 2352 Ccgnelll.exe 41 PID 2352 wrote to memory of 2260 2352 Ccgnelll.exe 41 PID 2260 wrote to memory of 560 2260 Dkbbinig.exe 42 PID 2260 wrote to memory of 560 2260 Dkbbinig.exe 42 PID 2260 wrote to memory of 560 2260 Dkbbinig.exe 42 PID 2260 wrote to memory of 560 2260 Dkbbinig.exe 42 PID 560 wrote to memory of 1768 560 Dbmkfh32.exe 43 PID 560 wrote to memory of 1768 560 Dbmkfh32.exe 43 PID 560 wrote to memory of 1768 560 Dbmkfh32.exe 43 PID 560 wrote to memory of 1768 560 Dbmkfh32.exe 43 PID 1768 wrote to memory of 2120 1768 Dlboca32.exe 44 PID 1768 wrote to memory of 2120 1768 Dlboca32.exe 44 PID 1768 wrote to memory of 2120 1768 Dlboca32.exe 44 PID 1768 wrote to memory of 2120 1768 Dlboca32.exe 44 PID 2120 wrote to memory of 2440 2120 Dnckki32.exe 45 PID 2120 wrote to memory of 2440 2120 Dnckki32.exe 45 PID 2120 wrote to memory of 2440 2120 Dnckki32.exe 45 PID 2120 wrote to memory of 2440 2120 Dnckki32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\44c403ac327d2eb82ea18573f9c621e2d07275a7c9baea92bcc955f4fddc4c95.exe"C:\Users\Admin\AppData\Local\Temp\44c403ac327d2eb82ea18573f9c621e2d07275a7c9baea92bcc955f4fddc4c95.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1960 -
C:\Windows\SysWOW64\Befnbd32.exeC:\Windows\system32\Befnbd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Bggjjlnb.exeC:\Windows\system32\Bggjjlnb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Cdkkcp32.exeC:\Windows\system32\Cdkkcp32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Cjhckg32.exeC:\Windows\system32\Cjhckg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Ccqhdmbc.exeC:\Windows\system32\Ccqhdmbc.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Cnflae32.exeC:\Windows\system32\Cnflae32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:276 -
C:\Windows\SysWOW64\Cccdjl32.exeC:\Windows\system32\Cccdjl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Cpgecq32.exeC:\Windows\system32\Cpgecq32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1004 -
C:\Windows\SysWOW64\Cceapl32.exeC:\Windows\system32\Cceapl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1708 -
C:\Windows\SysWOW64\Clnehado.exeC:\Windows\system32\Clnehado.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Ccgnelll.exeC:\Windows\system32\Ccgnelll.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Dkbbinig.exeC:\Windows\system32\Dkbbinig.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2260 -
C:\Windows\SysWOW64\Dbmkfh32.exeC:\Windows\system32\Dbmkfh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Dlboca32.exeC:\Windows\system32\Dlboca32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Dnckki32.exeC:\Windows\system32\Dnckki32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Dhiphb32.exeC:\Windows\system32\Dhiphb32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Windows\SysWOW64\Dochelmj.exeC:\Windows\system32\Dochelmj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Dhklna32.exeC:\Windows\system32\Dhklna32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:996 -
C:\Windows\SysWOW64\Dgnminke.exeC:\Windows\system32\Dgnminke.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Dbdagg32.exeC:\Windows\system32\Dbdagg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1060 -
C:\Windows\SysWOW64\Ddbmcb32.exeC:\Windows\system32\Ddbmcb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Djoeki32.exeC:\Windows\system32\Djoeki32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2512 -
C:\Windows\SysWOW64\Dnjalhpp.exeC:\Windows\system32\Dnjalhpp.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Eddjhb32.exeC:\Windows\system32\Eddjhb32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1296 -
C:\Windows\SysWOW64\Enmnahnm.exeC:\Windows\system32\Enmnahnm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Ecjgio32.exeC:\Windows\system32\Ecjgio32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Eifobe32.exeC:\Windows\system32\Eifobe32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Eclcon32.exeC:\Windows\system32\Eclcon32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Ejfllhao.exeC:\Windows\system32\Ejfllhao.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\Ecnpdnho.exeC:\Windows\system32\Ecnpdnho.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Elieipej.exeC:\Windows\system32\Elieipej.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Efoifiep.exeC:\Windows\system32\Efoifiep.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Windows\SysWOW64\Egpena32.exeC:\Windows\system32\Egpena32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Fipbhd32.exeC:\Windows\system32\Fipbhd32.exe35⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Fnmjpk32.exeC:\Windows\system32\Fnmjpk32.exe36⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Fbhfajia.exeC:\Windows\system32\Fbhfajia.exe37⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Flqkjo32.exeC:\Windows\system32\Flqkjo32.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\Fjckelfm.exeC:\Windows\system32\Fjckelfm.exe39⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Fdlpnamm.exeC:\Windows\system32\Fdlpnamm.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:556 -
C:\Windows\SysWOW64\Fnadkjlc.exeC:\Windows\system32\Fnadkjlc.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2016 -
C:\Windows\SysWOW64\Fpbqcb32.exeC:\Windows\system32\Fpbqcb32.exe42⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Ffmipmjn.exeC:\Windows\system32\Ffmipmjn.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Fabmmejd.exeC:\Windows\system32\Fabmmejd.exe44⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Gjjafkpe.exeC:\Windows\system32\Gjjafkpe.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Gllnnc32.exeC:\Windows\system32\Gllnnc32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Gedbfimc.exeC:\Windows\system32\Gedbfimc.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Gmkjgfmf.exeC:\Windows\system32\Gmkjgfmf.exe48⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Gpjfcali.exeC:\Windows\system32\Gpjfcali.exe49⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Gbhcpmkm.exeC:\Windows\system32\Gbhcpmkm.exe50⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Gibkmgcj.exeC:\Windows\system32\Gibkmgcj.exe51⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Glpgibbn.exeC:\Windows\system32\Glpgibbn.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Gplcia32.exeC:\Windows\system32\Gplcia32.exe53⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Gbjpem32.exeC:\Windows\system32\Gbjpem32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Geilah32.exeC:\Windows\system32\Geilah32.exe55⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Gidhbgag.exeC:\Windows\system32\Gidhbgag.exe56⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Glbdnbpk.exeC:\Windows\system32\Glbdnbpk.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:432 -
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1276 -
C:\Windows\SysWOW64\Gaplfinb.exeC:\Windows\system32\Gaplfinb.exe59⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Gdnibdmf.exeC:\Windows\system32\Gdnibdmf.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Gleqdb32.exeC:\Windows\system32\Gleqdb32.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Gkhaooec.exeC:\Windows\system32\Gkhaooec.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Hememgdi.exeC:\Windows\system32\Hememgdi.exe63⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Hhlaiccm.exeC:\Windows\system32\Hhlaiccm.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Hkjnenbp.exeC:\Windows\system32\Hkjnenbp.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Hmijajbd.exeC:\Windows\system32\Hmijajbd.exe66⤵
- Modifies registry class
PID:2292 -
C:\Windows\SysWOW64\Hadfah32.exeC:\Windows\system32\Hadfah32.exe67⤵PID:780
-
C:\Windows\SysWOW64\Hdbbnd32.exeC:\Windows\system32\Hdbbnd32.exe68⤵PID:3048
-
C:\Windows\SysWOW64\Hganjo32.exeC:\Windows\system32\Hganjo32.exe69⤵PID:1636
-
C:\Windows\SysWOW64\Hnkffi32.exeC:\Windows\system32\Hnkffi32.exe70⤵
- Modifies registry class
PID:2160 -
C:\Windows\SysWOW64\Hdeoccgn.exeC:\Windows\system32\Hdeoccgn.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1588 -
C:\Windows\SysWOW64\Hgckoofa.exeC:\Windows\system32\Hgckoofa.exe72⤵PID:2560
-
C:\Windows\SysWOW64\Hlpchfdi.exeC:\Windows\system32\Hlpchfdi.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2548 -
C:\Windows\SysWOW64\Hcjldp32.exeC:\Windows\system32\Hcjldp32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Hnppaill.exeC:\Windows\system32\Hnppaill.exe75⤵
- Drops file in System32 directory
PID:2964 -
C:\Windows\SysWOW64\Hpnlndkp.exeC:\Windows\system32\Hpnlndkp.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Windows\SysWOW64\Hoalia32.exeC:\Windows\system32\Hoalia32.exe77⤵
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Hclhjpjc.exeC:\Windows\system32\Hclhjpjc.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Windows\SysWOW64\Hekefkig.exeC:\Windows\system32\Hekefkig.exe79⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Ihiabfhk.exeC:\Windows\system32\Ihiabfhk.exe80⤵
- Drops file in System32 directory
PID:776 -
C:\Windows\SysWOW64\Ilemce32.exeC:\Windows\system32\Ilemce32.exe81⤵
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\Icoepohq.exeC:\Windows\system32\Icoepohq.exe82⤵
- System Location Discovery: System Language Discovery
PID:1348 -
C:\Windows\SysWOW64\Iaaekl32.exeC:\Windows\system32\Iaaekl32.exe83⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\Ihlnhffh.exeC:\Windows\system32\Ihlnhffh.exe84⤵PID:1808
-
C:\Windows\SysWOW64\Ilgjhena.exeC:\Windows\system32\Ilgjhena.exe85⤵PID:1984
-
C:\Windows\SysWOW64\Icabeo32.exeC:\Windows\system32\Icabeo32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1728 -
C:\Windows\SysWOW64\Ifpnaj32.exeC:\Windows\system32\Ifpnaj32.exe87⤵PID:1064
-
C:\Windows\SysWOW64\Ihnjmf32.exeC:\Windows\system32\Ihnjmf32.exe88⤵PID:2768
-
C:\Windows\SysWOW64\Iklfia32.exeC:\Windows\system32\Iklfia32.exe89⤵
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Inkcem32.exeC:\Windows\system32\Inkcem32.exe90⤵PID:2076
-
C:\Windows\SysWOW64\Ifbkgj32.exeC:\Windows\system32\Ifbkgj32.exe91⤵PID:2948
-
C:\Windows\SysWOW64\Idekbgji.exeC:\Windows\system32\Idekbgji.exe92⤵PID:1160
-
C:\Windows\SysWOW64\Ikocoa32.exeC:\Windows\system32\Ikocoa32.exe93⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Inmpklpj.exeC:\Windows\system32\Inmpklpj.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2816 -
C:\Windows\SysWOW64\Ibillk32.exeC:\Windows\system32\Ibillk32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1712 -
C:\Windows\SysWOW64\Idghhf32.exeC:\Windows\system32\Idghhf32.exe96⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Ihbdhepp.exeC:\Windows\system32\Ihbdhepp.exe97⤵
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Ikapdqoc.exeC:\Windows\system32\Ikapdqoc.exe98⤵PID:1824
-
C:\Windows\SysWOW64\Inplqlng.exeC:\Windows\system32\Inplqlng.exe99⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2024 -
C:\Windows\SysWOW64\Ibkhak32.exeC:\Windows\system32\Ibkhak32.exe100⤵PID:3064
-
C:\Windows\SysWOW64\Jqnhmgmk.exeC:\Windows\system32\Jqnhmgmk.exe101⤵PID:2676
-
C:\Windows\SysWOW64\Jcleiclo.exeC:\Windows\system32\Jcleiclo.exe102⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Jjfmem32.exeC:\Windows\system32\Jjfmem32.exe103⤵PID:2684
-
C:\Windows\SysWOW64\Jmdiahco.exeC:\Windows\system32\Jmdiahco.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:552 -
C:\Windows\SysWOW64\Jcoanb32.exeC:\Windows\system32\Jcoanb32.exe105⤵PID:2968
-
C:\Windows\SysWOW64\Jfmnkn32.exeC:\Windows\system32\Jfmnkn32.exe106⤵PID:2136
-
C:\Windows\SysWOW64\Jndflk32.exeC:\Windows\system32\Jndflk32.exe107⤵PID:2804
-
C:\Windows\SysWOW64\Jmgfgham.exeC:\Windows\system32\Jmgfgham.exe108⤵PID:2896
-
C:\Windows\SysWOW64\Jqbbhg32.exeC:\Windows\system32\Jqbbhg32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Jgmjdaqb.exeC:\Windows\system32\Jgmjdaqb.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1320 -
C:\Windows\SysWOW64\Jjkfqlpf.exeC:\Windows\system32\Jjkfqlpf.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Jmibmhoj.exeC:\Windows\system32\Jmibmhoj.exe112⤵PID:1396
-
C:\Windows\SysWOW64\Jjmcfl32.exeC:\Windows\system32\Jjmcfl32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1464 -
C:\Windows\SysWOW64\Jkopndcb.exeC:\Windows\system32\Jkopndcb.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1968 -
C:\Windows\SysWOW64\Jkopndcb.exeC:\Windows\system32\Jkopndcb.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Jojloc32.exeC:\Windows\system32\Jojloc32.exe116⤵PID:2708
-
C:\Windows\SysWOW64\Jbhhkn32.exeC:\Windows\system32\Jbhhkn32.exe117⤵
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Jibpghbk.exeC:\Windows\system32\Jibpghbk.exe118⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:672 -
C:\Windows\SysWOW64\Kolhdbjh.exeC:\Windows\system32\Kolhdbjh.exe119⤵PID:2380
-
C:\Windows\SysWOW64\Kbkdpnil.exeC:\Windows\system32\Kbkdpnil.exe120⤵
- System Location Discovery: System Language Discovery
PID:796 -
C:\Windows\SysWOW64\Kffqqm32.exeC:\Windows\system32\Kffqqm32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:548
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-