Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
11-12-2024 06:42
Behavioral task
behavioral1
Sample
6fb2dbf2bd6baf41265daa4b68e0ed4303a82b3018ff83bdb28cdf4fa98e2867N.exe
Resource
win7-20240729-en
General
-
Target
6fb2dbf2bd6baf41265daa4b68e0ed4303a82b3018ff83bdb28cdf4fa98e2867N.exe
-
Size
93KB
-
MD5
53f3de3a9676238b0f1d336e926a0800
-
SHA1
e9105f82890f0fb0b464cbb304e7891f513efab8
-
SHA256
6fb2dbf2bd6baf41265daa4b68e0ed4303a82b3018ff83bdb28cdf4fa98e2867
-
SHA512
490ccd915dec19293435c34326597bbc79d794e78121df6065f76b459622187a28666af6bd41eaf94ae391986db489df5159ea406840b38b229c4dc104c7a511
-
SSDEEP
1536:kMcMZNH4KHIPVSDUtULy1DaYfMZRWuLsV+1h:pcKNYKHI87ygYfc0DV+1h
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geloanjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clnehado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fheoiqgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjfmem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcandb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chlgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doabjbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhjoof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhqhmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmiolk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpaohjkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcichb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihnjmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjfmem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqepgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckiiiine.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Codbqonk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kimjhnnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecjgio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okkkoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Habili32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pigklmqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ailqfooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaqkcimg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkpnjd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbbnjgik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojceef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epkepakn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbngfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmoilni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfdkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afqhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Malmllfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apfici32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abgaeddg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icplje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikelhib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bihgmdih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpgjnbnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgjjndeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmpakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cenmfbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmjlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkelpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppdfimji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfddkmch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Laodmoep.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfqlkfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpboinpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omqjgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnimpcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdhfdffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkibjgli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkaane32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbmkfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Empomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnjnkkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpbqcb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abinjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enpban32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kckhdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflbpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahfgbkpl.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2700 Qigebglj.exe 2828 Qpamoa32.exe 3044 Qfkelkkd.exe 2552 Qdofep32.exe 2604 Afmbak32.exe 1128 Afmbak32.exe 1980 Aepbmhpl.exe 2172 Aiknnf32.exe 2252 Aljjjb32.exe 2264 Apefjqob.exe 2100 Abdbflnf.exe 1200 Aebobgmi.exe 2132 Ainkcf32.exe 1872 Abfoll32.exe 2336 Aedlhg32.exe 2232 Ahedjb32.exe 1632 Aoomflpd.exe 780 Anbmbi32.exe 948 Aeiecfga.exe 2980 Adleoc32.exe 340 Agkako32.exe 2212 Andjgidl.exe 2308 Bpcfcddp.exe 840 Bikjmj32.exe 2492 Babbng32.exe 2784 Bpebidam.exe 2788 Bkkgfm32.exe 1064 Bdckobhd.exe 2472 Bgahkngh.exe 3064 Bgddam32.exe 2060 Booiep32.exe 2984 Bjembh32.exe 2184 Ccmblnif.exe 3000 Cfknhi32.exe 2592 Cdnncfoe.exe 832 Codbqonk.exe 2372 Chlgid32.exe 2380 Cgogealf.exe 2096 Cofofolh.exe 1776 Cqglng32.exe 592 Ckmpkpbl.exe 3028 Cnklgkap.exe 1372 Cchdpbog.exe 960 Ckomqopi.exe 2432 Cjbmll32.exe 1924 Cmqihg32.exe 1096 Dgfmep32.exe 2484 Djdjalea.exe 2400 Dnpebj32.exe 2760 Dmcfngde.exe 2692 Dqobnf32.exe 2064 Doabjbci.exe 844 Dghjkpck.exe 2616 Djgfgkbo.exe 2536 Dmebcgbb.exe 1692 Docopbaf.exe 2148 Dbbklnpj.exe 792 Djicmk32.exe 2328 Dilchhgg.exe 1352 Dmgoif32.exe 2080 Dpfkeb32.exe 2436 Dbdham32.exe 2276 Decdmi32.exe 1276 Dmjlof32.exe -
Loads dropped DLL 64 IoCs
pid Process 1884 6fb2dbf2bd6baf41265daa4b68e0ed4303a82b3018ff83bdb28cdf4fa98e2867N.exe 1884 6fb2dbf2bd6baf41265daa4b68e0ed4303a82b3018ff83bdb28cdf4fa98e2867N.exe 2700 Qigebglj.exe 2700 Qigebglj.exe 2828 Qpamoa32.exe 2828 Qpamoa32.exe 3044 Qfkelkkd.exe 3044 Qfkelkkd.exe 2552 Qdofep32.exe 2552 Qdofep32.exe 2604 Afmbak32.exe 2604 Afmbak32.exe 1128 Afmbak32.exe 1128 Afmbak32.exe 1980 Aepbmhpl.exe 1980 Aepbmhpl.exe 2172 Aiknnf32.exe 2172 Aiknnf32.exe 2252 Aljjjb32.exe 2252 Aljjjb32.exe 2264 Apefjqob.exe 2264 Apefjqob.exe 2100 Abdbflnf.exe 2100 Abdbflnf.exe 1200 Aebobgmi.exe 1200 Aebobgmi.exe 2132 Ainkcf32.exe 2132 Ainkcf32.exe 1872 Abfoll32.exe 1872 Abfoll32.exe 2336 Aedlhg32.exe 2336 Aedlhg32.exe 2232 Ahedjb32.exe 2232 Ahedjb32.exe 1632 Aoomflpd.exe 1632 Aoomflpd.exe 780 Anbmbi32.exe 780 Anbmbi32.exe 948 Aeiecfga.exe 948 Aeiecfga.exe 2980 Adleoc32.exe 2980 Adleoc32.exe 340 Agkako32.exe 340 Agkako32.exe 2212 Andjgidl.exe 2212 Andjgidl.exe 2308 Bpcfcddp.exe 2308 Bpcfcddp.exe 840 Bikjmj32.exe 840 Bikjmj32.exe 2492 Babbng32.exe 2492 Babbng32.exe 2784 Bpebidam.exe 2784 Bpebidam.exe 2788 Bkkgfm32.exe 2788 Bkkgfm32.exe 1064 Bdckobhd.exe 1064 Bdckobhd.exe 2600 Bchhqo32.exe 2600 Bchhqo32.exe 3064 Bgddam32.exe 3064 Bgddam32.exe 2060 Booiep32.exe 2060 Booiep32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ngoleb32.exe Ncdpdcfh.exe File opened for modification C:\Windows\SysWOW64\Qcjoci32.exe Palbgn32.exe File created C:\Windows\SysWOW64\Gafglb32.dll Facdgl32.exe File opened for modification C:\Windows\SysWOW64\Mopdpg32.exe Mlahdkjc.exe File opened for modification C:\Windows\SysWOW64\Dlboca32.exe Dhgccbhp.exe File created C:\Windows\SysWOW64\Hmchaflb.dll Ijdppm32.exe File opened for modification C:\Windows\SysWOW64\Mdgmbhgh.exe Maiqfl32.exe File created C:\Windows\SysWOW64\Eaqkcimg.exe Ejfbfo32.exe File opened for modification C:\Windows\SysWOW64\Empomd32.exe Ejabqi32.exe File created C:\Windows\SysWOW64\Jcoanb32.exe Jqpebg32.exe File created C:\Windows\SysWOW64\Kjmihjfj.dll Iokfjf32.exe File created C:\Windows\SysWOW64\Pkhmod32.dll Kjepaa32.exe File created C:\Windows\SysWOW64\Pjblfjdp.dll Fheoiqgi.exe File created C:\Windows\SysWOW64\Igpkgp32.dll Mcacochk.exe File created C:\Windows\SysWOW64\Aiqjao32.exe Afbnec32.exe File created C:\Windows\SysWOW64\Kolhdbjh.exe Kmnlhg32.exe File opened for modification C:\Windows\SysWOW64\Ciglaa32.exe Capdpcge.exe File created C:\Windows\SysWOW64\Dnkhfnck.exe Dkmljcdh.exe File created C:\Windows\SysWOW64\Mfeilp32.dll Kimjhnnl.exe File opened for modification C:\Windows\SysWOW64\Mnhnfckm.exe Moenkf32.exe File created C:\Windows\SysWOW64\Faohbf32.dll Ccqhdmbc.exe File opened for modification C:\Windows\SysWOW64\Cdpdnpif.exe Cpdhna32.exe File opened for modification C:\Windows\SysWOW64\Jajocl32.exe Jnlbgq32.exe File opened for modification C:\Windows\SysWOW64\Ofaolcmh.exe Onjgkf32.exe File created C:\Windows\SysWOW64\Cdeffdbl.dll Oekehomj.exe File opened for modification C:\Windows\SysWOW64\Igeddb32.exe Ihbdhepp.exe File created C:\Windows\SysWOW64\Jfddkmch.exe Jcfgoadd.exe File created C:\Windows\SysWOW64\Idjeonbj.dll Dgfmep32.exe File created C:\Windows\SysWOW64\Dilchhgg.exe Djicmk32.exe File created C:\Windows\SysWOW64\Felkabah.dll Fhhbif32.exe File opened for modification C:\Windows\SysWOW64\Ccnddg32.exe Cpohhk32.exe File created C:\Windows\SysWOW64\Qpamoa32.exe Qigebglj.exe File opened for modification C:\Windows\SysWOW64\Hecebm32.exe Hcdifa32.exe File created C:\Windows\SysWOW64\Jqnhmgmk.exe Inplqlng.exe File created C:\Windows\SysWOW64\Eobohl32.dll Aankkqfl.exe File created C:\Windows\SysWOW64\Ckmicpja.dll Fpjaodmj.exe File created C:\Windows\SysWOW64\Aiheodlg.dll Chbihc32.exe File created C:\Windows\SysWOW64\Dnhefh32.exe Djmiejji.exe File opened for modification C:\Windows\SysWOW64\Pofldf32.exe Pgodcich.exe File created C:\Windows\SysWOW64\Gdpemeck.dll Djicmk32.exe File opened for modification C:\Windows\SysWOW64\Hbnpbm32.exe Hnbcaome.exe File created C:\Windows\SysWOW64\Pomebdea.dll Kckhdg32.exe File created C:\Windows\SysWOW64\Gbfaddpc.dll Mopdpg32.exe File opened for modification C:\Windows\SysWOW64\Amoibc32.exe Aicmadmm.exe File created C:\Windows\SysWOW64\Cggcofkf.exe Cbkgog32.exe File created C:\Windows\SysWOW64\Afmbak32.exe Afmbak32.exe File created C:\Windows\SysWOW64\Ablbjj32.exe Apnfno32.exe File created C:\Windows\SysWOW64\Lidilk32.exe Lffmpp32.exe File created C:\Windows\SysWOW64\Pbcfhi32.dll Lpoaheja.exe File opened for modification C:\Windows\SysWOW64\Ladgkmlj.exe Lbagpp32.exe File created C:\Windows\SysWOW64\Icdeee32.exe Iqfiii32.exe File created C:\Windows\SysWOW64\Klfgipmk.dll Ijnnao32.exe File created C:\Windows\SysWOW64\Mqpkpl32.dll Eqngcc32.exe File opened for modification C:\Windows\SysWOW64\Hibgkjee.exe Hgckoofa.exe File opened for modification C:\Windows\SysWOW64\Kbkdpnil.exe Kolhdbjh.exe File created C:\Windows\SysWOW64\Mlgkbi32.exe Miiofn32.exe File created C:\Windows\SysWOW64\Jchbfbij.dll Chjmmnnb.exe File created C:\Windows\SysWOW64\Qfkelkkd.exe Qpamoa32.exe File created C:\Windows\SysWOW64\Cbnlbf32.dll Eannmi32.exe File created C:\Windows\SysWOW64\Fbimkpmm.exe Fpjaodmj.exe File opened for modification C:\Windows\SysWOW64\Anecfgdc.exe Qlggjlep.exe File created C:\Windows\SysWOW64\Bfjkphjd.exe Abnopj32.exe File created C:\Windows\SysWOW64\Kpdeoh32.exe Kmficl32.exe File created C:\Windows\SysWOW64\Qaemlqhb.dll Cgqmpkfg.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmibmhoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenjgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpcgbhig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agkako32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgogealf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbcfdmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baclaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhndnpnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lchqcd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmcclolh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjnignob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfiofhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghaeoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkciic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfacdqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lidilk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dghjkpck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fegjgkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onldqejb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oehicoom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbjpem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqmqcmdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogdhik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cojeomee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjbmll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoimecmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kckhdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldbjdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbbnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ladgkmlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqjgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlboca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnbjpqoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnnfkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ainkcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmqihg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Figocipe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjlep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcmkhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caenkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajjhkgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heqimm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdeee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakaaepk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bihgmdih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dglpdomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gedbfimc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nakikpin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooofcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfkgdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abdbflnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjembh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicmadmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boeoek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpnkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjckelfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpcfcddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiecgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpkhoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhincn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeajo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcmcebkc.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjnignob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gpogiglp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aljjjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnfpjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agcmideg.dll" Bknfeege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdhbci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igmepdbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhmldfdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abnopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhibakgh.dll" Cnflae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngoleb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnimpcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfjildbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bflpbe32.dll" Pfnoegaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcacil32.dll" Cjhckg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafmhm32.dll" Djafaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbjpem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfagemej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmlfmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klmbjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pimkbbpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pajeanhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbflbd32.dll" Bfpmog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aebobgmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pagmgi32.dll" Hpcpdfhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgpfpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpppjikm.dll" Qgfkchmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cenmfbml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcmdjgbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlahdkjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djpjjl32.dll" Fhbbcail.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgkpck32.dll" Pdnkanfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abgaeddg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkjgclg.dll" Kijmbnpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhjjcdeh.dll" Ijimli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qmcclolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abjeejep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdgmbhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alkjpb32.dll" Ngoleb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfehem32.dll" Chmibmlo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klmbjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lijiaabk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocpfkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnppaill.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpqjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpccle32.dll" Abfoll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgdgpfnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afqhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhfljfho.dll" Fnmjpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nokalbod.dll" Mpqjmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbjhhm32.dll" Ooofcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhfnqbdc.dll" Pimkbbpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdeoccgn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcleiclo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkmbap32.dll" Kapaaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pigklmqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckiiiine.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bikjmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejapnc32.dll" Moenkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anecfgdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgpcof32.dll" Jmgfgham.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moafnqhk.dll" Hkmjjn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1884 wrote to memory of 2700 1884 6fb2dbf2bd6baf41265daa4b68e0ed4303a82b3018ff83bdb28cdf4fa98e2867N.exe 30 PID 1884 wrote to memory of 2700 1884 6fb2dbf2bd6baf41265daa4b68e0ed4303a82b3018ff83bdb28cdf4fa98e2867N.exe 30 PID 1884 wrote to memory of 2700 1884 6fb2dbf2bd6baf41265daa4b68e0ed4303a82b3018ff83bdb28cdf4fa98e2867N.exe 30 PID 1884 wrote to memory of 2700 1884 6fb2dbf2bd6baf41265daa4b68e0ed4303a82b3018ff83bdb28cdf4fa98e2867N.exe 30 PID 2700 wrote to memory of 2828 2700 Qigebglj.exe 31 PID 2700 wrote to memory of 2828 2700 Qigebglj.exe 31 PID 2700 wrote to memory of 2828 2700 Qigebglj.exe 31 PID 2700 wrote to memory of 2828 2700 Qigebglj.exe 31 PID 2828 wrote to memory of 3044 2828 Qpamoa32.exe 32 PID 2828 wrote to memory of 3044 2828 Qpamoa32.exe 32 PID 2828 wrote to memory of 3044 2828 Qpamoa32.exe 32 PID 2828 wrote to memory of 3044 2828 Qpamoa32.exe 32 PID 3044 wrote to memory of 2552 3044 Qfkelkkd.exe 33 PID 3044 wrote to memory of 2552 3044 Qfkelkkd.exe 33 PID 3044 wrote to memory of 2552 3044 Qfkelkkd.exe 33 PID 3044 wrote to memory of 2552 3044 Qfkelkkd.exe 33 PID 2552 wrote to memory of 2604 2552 Qdofep32.exe 34 PID 2552 wrote to memory of 2604 2552 Qdofep32.exe 34 PID 2552 wrote to memory of 2604 2552 Qdofep32.exe 34 PID 2552 wrote to memory of 2604 2552 Qdofep32.exe 34 PID 2604 wrote to memory of 1128 2604 Afmbak32.exe 35 PID 2604 wrote to memory of 1128 2604 Afmbak32.exe 35 PID 2604 wrote to memory of 1128 2604 Afmbak32.exe 35 PID 2604 wrote to memory of 1128 2604 Afmbak32.exe 35 PID 1128 wrote to memory of 1980 1128 Afmbak32.exe 36 PID 1128 wrote to memory of 1980 1128 Afmbak32.exe 36 PID 1128 wrote to memory of 1980 1128 Afmbak32.exe 36 PID 1128 wrote to memory of 1980 1128 Afmbak32.exe 36 PID 1980 wrote to memory of 2172 1980 Aepbmhpl.exe 37 PID 1980 wrote to memory of 2172 1980 Aepbmhpl.exe 37 PID 1980 wrote to memory of 2172 1980 Aepbmhpl.exe 37 PID 1980 wrote to memory of 2172 1980 Aepbmhpl.exe 37 PID 2172 wrote to memory of 2252 2172 Aiknnf32.exe 38 PID 2172 wrote to memory of 2252 2172 Aiknnf32.exe 38 PID 2172 wrote to memory of 2252 2172 Aiknnf32.exe 38 PID 2172 wrote to memory of 2252 2172 Aiknnf32.exe 38 PID 2252 wrote to memory of 2264 2252 Aljjjb32.exe 39 PID 2252 wrote to memory of 2264 2252 Aljjjb32.exe 39 PID 2252 wrote to memory of 2264 2252 Aljjjb32.exe 39 PID 2252 wrote to memory of 2264 2252 Aljjjb32.exe 39 PID 2264 wrote to memory of 2100 2264 Apefjqob.exe 40 PID 2264 wrote to memory of 2100 2264 Apefjqob.exe 40 PID 2264 wrote to memory of 2100 2264 Apefjqob.exe 40 PID 2264 wrote to memory of 2100 2264 Apefjqob.exe 40 PID 2100 wrote to memory of 1200 2100 Abdbflnf.exe 41 PID 2100 wrote to memory of 1200 2100 Abdbflnf.exe 41 PID 2100 wrote to memory of 1200 2100 Abdbflnf.exe 41 PID 2100 wrote to memory of 1200 2100 Abdbflnf.exe 41 PID 1200 wrote to memory of 2132 1200 Aebobgmi.exe 42 PID 1200 wrote to memory of 2132 1200 Aebobgmi.exe 42 PID 1200 wrote to memory of 2132 1200 Aebobgmi.exe 42 PID 1200 wrote to memory of 2132 1200 Aebobgmi.exe 42 PID 2132 wrote to memory of 1872 2132 Ainkcf32.exe 43 PID 2132 wrote to memory of 1872 2132 Ainkcf32.exe 43 PID 2132 wrote to memory of 1872 2132 Ainkcf32.exe 43 PID 2132 wrote to memory of 1872 2132 Ainkcf32.exe 43 PID 1872 wrote to memory of 2336 1872 Abfoll32.exe 44 PID 1872 wrote to memory of 2336 1872 Abfoll32.exe 44 PID 1872 wrote to memory of 2336 1872 Abfoll32.exe 44 PID 1872 wrote to memory of 2336 1872 Abfoll32.exe 44 PID 2336 wrote to memory of 2232 2336 Aedlhg32.exe 45 PID 2336 wrote to memory of 2232 2336 Aedlhg32.exe 45 PID 2336 wrote to memory of 2232 2336 Aedlhg32.exe 45 PID 2336 wrote to memory of 2232 2336 Aedlhg32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\6fb2dbf2bd6baf41265daa4b68e0ed4303a82b3018ff83bdb28cdf4fa98e2867N.exe"C:\Users\Admin\AppData\Local\Temp\6fb2dbf2bd6baf41265daa4b68e0ed4303a82b3018ff83bdb28cdf4fa98e2867N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Qigebglj.exeC:\Windows\system32\Qigebglj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Qpamoa32.exeC:\Windows\system32\Qpamoa32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Qfkelkkd.exeC:\Windows\system32\Qfkelkkd.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Qdofep32.exeC:\Windows\system32\Qdofep32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Afmbak32.exeC:\Windows\system32\Afmbak32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Afmbak32.exeC:\Windows\system32\Afmbak32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1128 -
C:\Windows\SysWOW64\Aepbmhpl.exeC:\Windows\system32\Aepbmhpl.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Aiknnf32.exeC:\Windows\system32\Aiknnf32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2172 -
C:\Windows\SysWOW64\Aljjjb32.exeC:\Windows\system32\Aljjjb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2252 -
C:\Windows\SysWOW64\Apefjqob.exeC:\Windows\system32\Apefjqob.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Abdbflnf.exeC:\Windows\system32\Abdbflnf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Aebobgmi.exeC:\Windows\system32\Aebobgmi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Ainkcf32.exeC:\Windows\system32\Ainkcf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Abfoll32.exeC:\Windows\system32\Abfoll32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1872 -
C:\Windows\SysWOW64\Aedlhg32.exeC:\Windows\system32\Aedlhg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Ahedjb32.exeC:\Windows\system32\Ahedjb32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Aoomflpd.exeC:\Windows\system32\Aoomflpd.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Anbmbi32.exeC:\Windows\system32\Anbmbi32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780 -
C:\Windows\SysWOW64\Aeiecfga.exeC:\Windows\system32\Aeiecfga.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Adleoc32.exeC:\Windows\system32\Adleoc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2980 -
C:\Windows\SysWOW64\Agkako32.exeC:\Windows\system32\Agkako32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:340 -
C:\Windows\SysWOW64\Andjgidl.exeC:\Windows\system32\Andjgidl.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Bpcfcddp.exeC:\Windows\system32\Bpcfcddp.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2308 -
C:\Windows\SysWOW64\Bikjmj32.exeC:\Windows\system32\Bikjmj32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Babbng32.exeC:\Windows\system32\Babbng32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Bpebidam.exeC:\Windows\system32\Bpebidam.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Bkkgfm32.exeC:\Windows\system32\Bkkgfm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Bdckobhd.exeC:\Windows\system32\Bdckobhd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1064 -
C:\Windows\SysWOW64\Bgahkngh.exeC:\Windows\system32\Bgahkngh.exe30⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Bchhqo32.exeC:\Windows\system32\Bchhqo32.exe31⤵
- Loads dropped DLL
PID:2600 -
C:\Windows\SysWOW64\Bgddam32.exeC:\Windows\system32\Bgddam32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Booiep32.exeC:\Windows\system32\Booiep32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Bjembh32.exeC:\Windows\system32\Bjembh32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Ccmblnif.exeC:\Windows\system32\Ccmblnif.exe35⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Cfknhi32.exeC:\Windows\system32\Cfknhi32.exe36⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Cdnncfoe.exeC:\Windows\system32\Cdnncfoe.exe37⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Codbqonk.exeC:\Windows\system32\Codbqonk.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Chlgid32.exeC:\Windows\system32\Chlgid32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Cgogealf.exeC:\Windows\system32\Cgogealf.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2380 -
C:\Windows\SysWOW64\Cofofolh.exeC:\Windows\system32\Cofofolh.exe41⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Cqglng32.exeC:\Windows\system32\Cqglng32.exe42⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Ckmpkpbl.exeC:\Windows\system32\Ckmpkpbl.exe43⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Cnklgkap.exeC:\Windows\system32\Cnklgkap.exe44⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Cchdpbog.exeC:\Windows\system32\Cchdpbog.exe45⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Ckomqopi.exeC:\Windows\system32\Ckomqopi.exe46⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Cjbmll32.exeC:\Windows\system32\Cjbmll32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\Cmqihg32.exeC:\Windows\system32\Cmqihg32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Dgfmep32.exeC:\Windows\system32\Dgfmep32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Djdjalea.exeC:\Windows\system32\Djdjalea.exe50⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Dnpebj32.exeC:\Windows\system32\Dnpebj32.exe51⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Dmcfngde.exeC:\Windows\system32\Dmcfngde.exe52⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Dqobnf32.exeC:\Windows\system32\Dqobnf32.exe53⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Doabjbci.exeC:\Windows\system32\Doabjbci.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Dghjkpck.exeC:\Windows\system32\Dghjkpck.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:844 -
C:\Windows\SysWOW64\Djgfgkbo.exeC:\Windows\system32\Djgfgkbo.exe56⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Dmebcgbb.exeC:\Windows\system32\Dmebcgbb.exe57⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Docopbaf.exeC:\Windows\system32\Docopbaf.exe58⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Dbbklnpj.exeC:\Windows\system32\Dbbklnpj.exe59⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Djicmk32.exeC:\Windows\system32\Djicmk32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:792 -
C:\Windows\SysWOW64\Dilchhgg.exeC:\Windows\system32\Dilchhgg.exe61⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Dmgoif32.exeC:\Windows\system32\Dmgoif32.exe62⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Dpfkeb32.exeC:\Windows\system32\Dpfkeb32.exe63⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Dbdham32.exeC:\Windows\system32\Dbdham32.exe64⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Decdmi32.exeC:\Windows\system32\Decdmi32.exe65⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Dmjlof32.exeC:\Windows\system32\Dmjlof32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Dkmljcdh.exeC:\Windows\system32\Dkmljcdh.exe67⤵
- Drops file in System32 directory
PID:920 -
C:\Windows\SysWOW64\Dnkhfnck.exeC:\Windows\system32\Dnkhfnck.exe68⤵PID:616
-
C:\Windows\SysWOW64\Deeqch32.exeC:\Windows\system32\Deeqch32.exe69⤵PID:1816
-
C:\Windows\SysWOW64\Diqmcgca.exeC:\Windows\system32\Diqmcgca.exe70⤵PID:1648
-
C:\Windows\SysWOW64\Dgcmod32.exeC:\Windows\system32\Dgcmod32.exe71⤵PID:2680
-
C:\Windows\SysWOW64\Epkepakn.exeC:\Windows\system32\Epkepakn.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2732 -
C:\Windows\SysWOW64\Ebialmjb.exeC:\Windows\system32\Ebialmjb.exe73⤵PID:2564
-
C:\Windows\SysWOW64\Eegmhhie.exeC:\Windows\system32\Eegmhhie.exe74⤵PID:2176
-
C:\Windows\SysWOW64\Eiciig32.exeC:\Windows\system32\Eiciig32.exe75⤵PID:3068
-
C:\Windows\SysWOW64\Ejdfqogm.exeC:\Windows\system32\Ejdfqogm.exe76⤵PID:1432
-
C:\Windows\SysWOW64\Enpban32.exeC:\Windows\system32\Enpban32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2652 -
C:\Windows\SysWOW64\Eannmi32.exeC:\Windows\system32\Eannmi32.exe78⤵
- Drops file in System32 directory
PID:1220 -
C:\Windows\SysWOW64\Eejjnhgc.exeC:\Windows\system32\Eejjnhgc.exe79⤵PID:2364
-
C:\Windows\SysWOW64\Eldbkbop.exeC:\Windows\system32\Eldbkbop.exe80⤵PID:1920
-
C:\Windows\SysWOW64\Ejfbfo32.exeC:\Windows\system32\Ejfbfo32.exe81⤵
- Drops file in System32 directory
PID:348 -
C:\Windows\SysWOW64\Eaqkcimg.exeC:\Windows\system32\Eaqkcimg.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2912 -
C:\Windows\SysWOW64\Eelgcg32.exeC:\Windows\system32\Eelgcg32.exe83⤵PID:1916
-
C:\Windows\SysWOW64\Ecogodlk.exeC:\Windows\system32\Ecogodlk.exe84⤵PID:2512
-
C:\Windows\SysWOW64\Efmckpko.exeC:\Windows\system32\Efmckpko.exe85⤵PID:2144
-
C:\Windows\SysWOW64\Endklmlq.exeC:\Windows\system32\Endklmlq.exe86⤵PID:2928
-
C:\Windows\SysWOW64\Eacghhkd.exeC:\Windows\system32\Eacghhkd.exe87⤵PID:1620
-
C:\Windows\SysWOW64\Ecadddjh.exeC:\Windows\system32\Ecadddjh.exe88⤵PID:2056
-
C:\Windows\SysWOW64\Efppqoil.exeC:\Windows\system32\Efppqoil.exe89⤵PID:2352
-
C:\Windows\SysWOW64\Einlmkhp.exeC:\Windows\system32\Einlmkhp.exe90⤵PID:872
-
C:\Windows\SysWOW64\Ephdjeol.exeC:\Windows\system32\Ephdjeol.exe91⤵PID:2824
-
C:\Windows\SysWOW64\Edcqjc32.exeC:\Windows\system32\Edcqjc32.exe92⤵PID:1664
-
C:\Windows\SysWOW64\Ebfqfpop.exeC:\Windows\system32\Ebfqfpop.exe93⤵PID:1060
-
C:\Windows\SysWOW64\Fjnignob.exeC:\Windows\system32\Fjnignob.exe94⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Fiqibj32.exeC:\Windows\system32\Fiqibj32.exe95⤵PID:1900
-
C:\Windows\SysWOW64\Fpjaodmj.exeC:\Windows\system32\Fpjaodmj.exe96⤵
- Drops file in System32 directory
PID:2348 -
C:\Windows\SysWOW64\Fbimkpmm.exeC:\Windows\system32\Fbimkpmm.exe97⤵PID:1560
-
C:\Windows\SysWOW64\Fegjgkla.exeC:\Windows\system32\Fegjgkla.exe98⤵
- System Location Discovery: System Language Discovery
PID:1984 -
C:\Windows\SysWOW64\Flabdecn.exeC:\Windows\system32\Flabdecn.exe99⤵PID:2940
-
C:\Windows\SysWOW64\Fpmned32.exeC:\Windows\system32\Fpmned32.exe100⤵PID:2744
-
C:\Windows\SysWOW64\Fopnpaba.exeC:\Windows\system32\Fopnpaba.exe101⤵PID:2576
-
C:\Windows\SysWOW64\Ffgfancd.exeC:\Windows\system32\Ffgfancd.exe102⤵PID:2664
-
C:\Windows\SysWOW64\Fiebnjbg.exeC:\Windows\system32\Fiebnjbg.exe103⤵PID:1100
-
C:\Windows\SysWOW64\Fhhbif32.exeC:\Windows\system32\Fhhbif32.exe104⤵
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Fpokjd32.exeC:\Windows\system32\Fpokjd32.exe105⤵PID:2220
-
C:\Windows\SysWOW64\Fbngfo32.exeC:\Windows\system32\Fbngfo32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1500 -
C:\Windows\SysWOW64\Felcbk32.exeC:\Windows\system32\Felcbk32.exe107⤵PID:2024
-
C:\Windows\SysWOW64\Figocipe.exeC:\Windows\system32\Figocipe.exe108⤵
- System Location Discovery: System Language Discovery
PID:1876 -
C:\Windows\SysWOW64\Fhjoof32.exeC:\Windows\system32\Fhjoof32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2936 -
C:\Windows\SysWOW64\Fbpclofe.exeC:\Windows\system32\Fbpclofe.exe110⤵PID:2020
-
C:\Windows\SysWOW64\Facdgl32.exeC:\Windows\system32\Facdgl32.exe111⤵
- Drops file in System32 directory
PID:2468 -
C:\Windows\SysWOW64\Fhmldfdm.exeC:\Windows\system32\Fhmldfdm.exe112⤵
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Flhhed32.exeC:\Windows\system32\Flhhed32.exe113⤵PID:2720
-
C:\Windows\SysWOW64\Gmidlmcd.exeC:\Windows\system32\Gmidlmcd.exe114⤵PID:2532
-
C:\Windows\SysWOW64\Gaeqmk32.exeC:\Windows\system32\Gaeqmk32.exe115⤵PID:1752
-
C:\Windows\SysWOW64\Gdcmig32.exeC:\Windows\system32\Gdcmig32.exe116⤵PID:1888
-
C:\Windows\SysWOW64\Ggbieb32.exeC:\Windows\system32\Ggbieb32.exe117⤵PID:2204
-
C:\Windows\SysWOW64\Goiafp32.exeC:\Windows\system32\Goiafp32.exe118⤵PID:2448
-
C:\Windows\SysWOW64\Gagmbkik.exeC:\Windows\system32\Gagmbkik.exe119⤵PID:2124
-
C:\Windows\SysWOW64\Gdfiofhn.exeC:\Windows\system32\Gdfiofhn.exe120⤵
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Ghaeoe32.exeC:\Windows\system32\Ghaeoe32.exe121⤵
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Gkpakq32.exeC:\Windows\system32\Gkpakq32.exe122⤵PID:2804
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-