Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
85s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22/12/2024, 11:38
Behavioral task
behavioral1
Sample
5b2722763e0aaaf33e0b56031d071a9a59aca3716daa79adc24fe7fef8439e71N.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
5b2722763e0aaaf33e0b56031d071a9a59aca3716daa79adc24fe7fef8439e71N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
5b2722763e0aaaf33e0b56031d071a9a59aca3716daa79adc24fe7fef8439e71N.exe
-
Size
465KB
-
MD5
de9b00a151f3147a3657bc8211542d30
-
SHA1
2d551b3143952090468766fb4bd894f1c1e62fca
-
SHA256
5b2722763e0aaaf33e0b56031d071a9a59aca3716daa79adc24fe7fef8439e71
-
SHA512
e41a46ad9d6013fad8aa166182f09e1ddd12e00ab3ad1eb38bac48d9077825cdbbe9ab73ad4a2f5e0bf84536d645ef6216d2b5a773187e690988d2d13979efbd
-
SSDEEP
6144:+lwLuTjIqOOVF5V4lKjIbvBhRJfzSf9x7N/I7b9M:+aLiO8LKlUmpRe94a
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oldooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jilmkffb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpogjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckpoih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfdfdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcbofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgmofbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pknakhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijhkembk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahlnmjkf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbgnil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojkhjabc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bneancnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbfobllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmbagf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pldnge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnaihhgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpegka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcdpacgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nloedjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opfdim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfbmgcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pahjgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oenmkngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdlialfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahoodqi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjnlikic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmhdph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebofcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcnhcdkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Moqgiopk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iplnpq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oimpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaheqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpgdaqmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdbhcfjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfamko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nccmng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elndpnnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcingdbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefchacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdbhcfjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnaihhgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnimpcke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Codeih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehaolpke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Codeih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gapoob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbfcbdce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afdjmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gllnnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncfmjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkaane32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqdjge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogekbchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpinagbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmpdoffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqkpmaif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijcgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fimedaoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpmgao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkmncl32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2824 Lmcilp32.exe 2628 Lglmefcg.exe 1824 Mpkhoj32.exe 2652 Mneaacno.exe 2344 Ndfpnl32.exe 1648 Nggipg32.exe 2200 Oqkpmaif.exe 1416 Ockinl32.exe 2956 Ppipdl32.exe 1816 Qhincn32.exe 1308 Addhcn32.exe 684 Bfjkphjd.exe 2368 Bdfahaaa.exe 2112 Cncolfcl.exe 1396 Dhdfmbjc.exe 1384 Dnckki32.exe 972 Enmnahnm.exe 1056 Embkbdce.exe 1972 Eikimeff.exe 1684 Ebcmfj32.exe 2212 Fipbhd32.exe 1496 Fbhfajia.exe 1976 Fmddgg32.exe 304 Ffmipmjn.exe 880 Gllnnc32.exe 2748 Gedbfimc.exe 2896 Goocenaa.exe 1548 Gidhbgag.exe 2900 Hhlaiccm.exe 1936 Hpgfmeag.exe 2888 Hnkffi32.exe 2236 Hlbpme32.exe 3036 Icoepohq.exe 2936 Ihlnhffh.exe 1776 Ilifndlo.exe 2716 Idekbgji.exe 1964 Idghhf32.exe 852 Jdidmf32.exe 752 Jndflk32.exe 2444 Jcandb32.exe 2260 Jcckibfg.exe 820 Jojloc32.exe 2504 Kmnlhg32.exe 2168 Keiqlihp.exe 1336 Kigibh32.exe 2016 Kcajceke.exe 2532 Kccgheib.exe 1748 Kpjhnfof.exe 1316 Lchqcd32.exe 2292 Lepclldc.exe 2844 Mhalngad.exe 2848 Mdgmbhgh.exe 688 Mkdbea32.exe 2740 Mcofid32.exe 1820 Nikkkn32.exe 3024 Ncdpdcfh.exe 2304 Ncfmjc32.exe 2796 Nkaane32.exe 1868 Nhebhipj.exe 1956 Nhhominh.exe 264 Oapcfo32.exe 2468 Ojkhjabc.exe 1616 Ojndpqpq.exe 1768 Ocfiif32.exe -
Loads dropped DLL 64 IoCs
pid Process 2472 5b2722763e0aaaf33e0b56031d071a9a59aca3716daa79adc24fe7fef8439e71N.exe 2472 5b2722763e0aaaf33e0b56031d071a9a59aca3716daa79adc24fe7fef8439e71N.exe 2824 Lmcilp32.exe 2824 Lmcilp32.exe 2628 Lglmefcg.exe 2628 Lglmefcg.exe 1824 Mpkhoj32.exe 1824 Mpkhoj32.exe 2652 Mneaacno.exe 2652 Mneaacno.exe 2344 Ndfpnl32.exe 2344 Ndfpnl32.exe 1648 Nggipg32.exe 1648 Nggipg32.exe 2200 Oqkpmaif.exe 2200 Oqkpmaif.exe 1416 Ockinl32.exe 1416 Ockinl32.exe 2956 Ppipdl32.exe 2956 Ppipdl32.exe 1816 Qhincn32.exe 1816 Qhincn32.exe 1308 Addhcn32.exe 1308 Addhcn32.exe 684 Bfjkphjd.exe 684 Bfjkphjd.exe 2368 Bdfahaaa.exe 2368 Bdfahaaa.exe 2112 Cncolfcl.exe 2112 Cncolfcl.exe 1396 Dhdfmbjc.exe 1396 Dhdfmbjc.exe 1384 Dnckki32.exe 1384 Dnckki32.exe 972 Enmnahnm.exe 972 Enmnahnm.exe 1056 Embkbdce.exe 1056 Embkbdce.exe 1972 Eikimeff.exe 1972 Eikimeff.exe 1684 Ebcmfj32.exe 1684 Ebcmfj32.exe 2212 Fipbhd32.exe 2212 Fipbhd32.exe 1496 Fbhfajia.exe 1496 Fbhfajia.exe 1976 Fmddgg32.exe 1976 Fmddgg32.exe 304 Ffmipmjn.exe 304 Ffmipmjn.exe 880 Gllnnc32.exe 880 Gllnnc32.exe 2748 Gedbfimc.exe 2748 Gedbfimc.exe 2896 Goocenaa.exe 2896 Goocenaa.exe 1548 Gidhbgag.exe 1548 Gidhbgag.exe 2900 Hhlaiccm.exe 2900 Hhlaiccm.exe 1936 Hpgfmeag.exe 1936 Hpgfmeag.exe 2888 Hnkffi32.exe 2888 Hnkffi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Enmnahnm.exe Dnckki32.exe File opened for modification C:\Windows\SysWOW64\Iabhdefo.exe Ioaobjin.exe File created C:\Windows\SysWOW64\Fdakeeob.dll Hfajhblm.exe File opened for modification C:\Windows\SysWOW64\Lgehpk32.exe Lfckhc32.exe File opened for modification C:\Windows\SysWOW64\Kokppd32.exe Jgpklb32.exe File created C:\Windows\SysWOW64\Cncolfcl.exe Bdfahaaa.exe File created C:\Windows\SysWOW64\Fofekp32.exe Epqhjdhc.exe File opened for modification C:\Windows\SysWOW64\Mcknjidn.exe Mchadifq.exe File created C:\Windows\SysWOW64\Bdmhcp32.exe Akbgdkgm.exe File created C:\Windows\SysWOW64\Cmbiap32.exe Ckamihfm.exe File created C:\Windows\SysWOW64\Mpmfdi32.dll Mkkbcpbl.exe File opened for modification C:\Windows\SysWOW64\Pkojoghl.exe Pnkiebib.exe File created C:\Windows\SysWOW64\Lfceqc32.dll Ckajqo32.exe File opened for modification C:\Windows\SysWOW64\Gmjbchnq.exe Gofajcog.exe File opened for modification C:\Windows\SysWOW64\Llainlje.exe Lnlmmo32.exe File created C:\Windows\SysWOW64\Hnahndjj.dll Dnbbjf32.exe File created C:\Windows\SysWOW64\Hnkffi32.exe Hpgfmeag.exe File created C:\Windows\SysWOW64\Hfgjcq32.dll Aiqjao32.exe File created C:\Windows\SysWOW64\Phgjeonp.dll Dpmgao32.exe File created C:\Windows\SysWOW64\Lncgollm.exe Lnqkjl32.exe File created C:\Windows\SysWOW64\Bbfgiabg.exe Bbcjca32.exe File opened for modification C:\Windows\SysWOW64\Dooqceid.exe Dchpnd32.exe File created C:\Windows\SysWOW64\Cbdejenb.dll Lndqbk32.exe File created C:\Windows\SysWOW64\Aijfihip.exe Qgiibp32.exe File created C:\Windows\SysWOW64\Dggbgadf.exe Dmomnlne.exe File created C:\Windows\SysWOW64\Chofhm32.exe Ckkenikc.exe File created C:\Windows\SysWOW64\Goplnb32.dll Ghbhhnhk.exe File created C:\Windows\SysWOW64\Plhfoe32.dll Kppohf32.exe File opened for modification C:\Windows\SysWOW64\Cmbiap32.exe Ckamihfm.exe File created C:\Windows\SysWOW64\Jcjgfp32.dll Dogpfc32.exe File opened for modification C:\Windows\SysWOW64\Hfajhblm.exe Hfnmbbnp.exe File created C:\Windows\SysWOW64\Lncjhd32.exe Lqpiopdh.exe File opened for modification C:\Windows\SysWOW64\Gbfklolh.exe Gmjbchnq.exe File created C:\Windows\SysWOW64\Jfkloj32.dll Kccgheib.exe File opened for modification C:\Windows\SysWOW64\Gjbqjiem.exe Gdihmo32.exe File opened for modification C:\Windows\SysWOW64\Nggkipci.exe Nkqjdo32.exe File created C:\Windows\SysWOW64\Eamqahed.dll Jkeialfp.exe File created C:\Windows\SysWOW64\Nnidchqp.exe Nabcog32.exe File created C:\Windows\SysWOW64\Oaeken32.dll Ngahmngp.exe File created C:\Windows\SysWOW64\Hgfqkokb.dll Pccelqeb.exe File created C:\Windows\SysWOW64\Ncdpdcfh.exe Nikkkn32.exe File created C:\Windows\SysWOW64\Nkaane32.exe Ncfmjc32.exe File created C:\Windows\SysWOW64\Lbjqik32.dll Jndhddaf.exe File created C:\Windows\SysWOW64\Ijmdql32.exe Imidgh32.exe File opened for modification C:\Windows\SysWOW64\Miphjf32.exe Mpgdaqmh.exe File opened for modification C:\Windows\SysWOW64\Gedbfimc.exe Gllnnc32.exe File created C:\Windows\SysWOW64\Fgfien32.dll Chofhm32.exe File created C:\Windows\SysWOW64\Lmpdoffo.exe Ldgpea32.exe File created C:\Windows\SysWOW64\Fnjfjc32.dll Mpkhoj32.exe File created C:\Windows\SysWOW64\Aegkfpah.exe Aiqjao32.exe File opened for modification C:\Windows\SysWOW64\Lmcdkbao.exe Lbkchj32.exe File created C:\Windows\SysWOW64\Djbfepid.dll Dmcgik32.exe File opened for modification C:\Windows\SysWOW64\Nccmng32.exe Njjieace.exe File created C:\Windows\SysWOW64\Apglgfde.exe Amfcfk32.exe File created C:\Windows\SysWOW64\Bdpgai32.exe Bhiglh32.exe File opened for modification C:\Windows\SysWOW64\Cldolj32.exe Cbokoa32.exe File created C:\Windows\SysWOW64\Dkmncl32.exe Dofnnkfg.exe File created C:\Windows\SysWOW64\Fichqckn.exe Fpkchm32.exe File created C:\Windows\SysWOW64\Ccadla32.dll Lmhdph32.exe File created C:\Windows\SysWOW64\Fnelmb32.exe Fopole32.exe File created C:\Windows\SysWOW64\Occcgm32.dll Qhdfdb32.exe File created C:\Windows\SysWOW64\Lbkdpgdb.dll Opfdim32.exe File opened for modification C:\Windows\SysWOW64\Aflkiapg.exe Aamekk32.exe File created C:\Windows\SysWOW64\Kgjelg32.exe Kldaon32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqljdclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dplbpaim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgjpcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbgnil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmcilp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojpaeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjdnne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qoonqmqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabcog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhdfmbjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpohhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qakppa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gocpcfeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdgdlnop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojbnkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lefikg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohkdfhge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihgpkinf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkpnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Figoefkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inffdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhominh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amglgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlmaad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmcdkbao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmgnan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfceom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkqjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fakhhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnbhmlkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edpoeoea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cilfka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabkla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apglgfde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpkbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccmanjch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijegeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcooo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dggbgadf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpinagbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npneeocq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdidmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkaane32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiqjao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfdfdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cllmdcej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cldolj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dooqceid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmneebeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicipgqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkkilfjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjljpjjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdeehe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oenmkngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbgkhoml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mneaacno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdmjfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmfca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iilocklc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmdbkbpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmpdoffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdcom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acggbffj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egeecf32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbhfajia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hogcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpimnjhm.dll" Dhibakmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nobjghoh.dll" Kiqdmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbepplkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obffpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahlnmjkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdodbj32.dll" Ooaflp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fokofpif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hadged32.dll" Hgjdcghp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffmipmjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhbqqlfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkngbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlkqopoi.dll" Lkcehkeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkdnmc32.dll" Nnidchqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fipdqmje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnfnahkp.dll" Ceickb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Habkeacd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fagqed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nikkkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clpeajjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kidjfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jalolemm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjlqcppm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfphmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfnfjmgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keiqlihp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqplqile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbjqik32.dll" Jndhddaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bghfacem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adijdihh.dll" Ekpmad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdnipekj.dll" Ojdjqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgdiff32.dll" Dhlogjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npneeocq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hancef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fianpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cldolj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Momqbm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdihmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fafeln32.dll" Opebpdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqfifnoj.dll" Iefchacp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anngkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anngkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lncgollm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcjgfp32.dll" Dogpfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgeikbfd.dll" Likbpceb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpkhoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdeehe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlecmkel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Likbpceb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bobleeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjdnne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qckalamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdfop32.dll" Iiekkdjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckkenikc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hogcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkfomk32.dll" Bfphmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnoaan32.dll" Klgpmgod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppipdl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkmcni32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmeffp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcnllf32.dll" Dmfhqmge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amljgema.dll" Cpohhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgkiih32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2472 wrote to memory of 2824 2472 5b2722763e0aaaf33e0b56031d071a9a59aca3716daa79adc24fe7fef8439e71N.exe 30 PID 2472 wrote to memory of 2824 2472 5b2722763e0aaaf33e0b56031d071a9a59aca3716daa79adc24fe7fef8439e71N.exe 30 PID 2472 wrote to memory of 2824 2472 5b2722763e0aaaf33e0b56031d071a9a59aca3716daa79adc24fe7fef8439e71N.exe 30 PID 2472 wrote to memory of 2824 2472 5b2722763e0aaaf33e0b56031d071a9a59aca3716daa79adc24fe7fef8439e71N.exe 30 PID 2824 wrote to memory of 2628 2824 Lmcilp32.exe 31 PID 2824 wrote to memory of 2628 2824 Lmcilp32.exe 31 PID 2824 wrote to memory of 2628 2824 Lmcilp32.exe 31 PID 2824 wrote to memory of 2628 2824 Lmcilp32.exe 31 PID 2628 wrote to memory of 1824 2628 Lglmefcg.exe 32 PID 2628 wrote to memory of 1824 2628 Lglmefcg.exe 32 PID 2628 wrote to memory of 1824 2628 Lglmefcg.exe 32 PID 2628 wrote to memory of 1824 2628 Lglmefcg.exe 32 PID 1824 wrote to memory of 2652 1824 Mpkhoj32.exe 33 PID 1824 wrote to memory of 2652 1824 Mpkhoj32.exe 33 PID 1824 wrote to memory of 2652 1824 Mpkhoj32.exe 33 PID 1824 wrote to memory of 2652 1824 Mpkhoj32.exe 33 PID 2652 wrote to memory of 2344 2652 Mneaacno.exe 34 PID 2652 wrote to memory of 2344 2652 Mneaacno.exe 34 PID 2652 wrote to memory of 2344 2652 Mneaacno.exe 34 PID 2652 wrote to memory of 2344 2652 Mneaacno.exe 34 PID 2344 wrote to memory of 1648 2344 Ndfpnl32.exe 35 PID 2344 wrote to memory of 1648 2344 Ndfpnl32.exe 35 PID 2344 wrote to memory of 1648 2344 Ndfpnl32.exe 35 PID 2344 wrote to memory of 1648 2344 Ndfpnl32.exe 35 PID 1648 wrote to memory of 2200 1648 Nggipg32.exe 36 PID 1648 wrote to memory of 2200 1648 Nggipg32.exe 36 PID 1648 wrote to memory of 2200 1648 Nggipg32.exe 36 PID 1648 wrote to memory of 2200 1648 Nggipg32.exe 36 PID 2200 wrote to memory of 1416 2200 Oqkpmaif.exe 37 PID 2200 wrote to memory of 1416 2200 Oqkpmaif.exe 37 PID 2200 wrote to memory of 1416 2200 Oqkpmaif.exe 37 PID 2200 wrote to memory of 1416 2200 Oqkpmaif.exe 37 PID 1416 wrote to memory of 2956 1416 Ockinl32.exe 38 PID 1416 wrote to memory of 2956 1416 Ockinl32.exe 38 PID 1416 wrote to memory of 2956 1416 Ockinl32.exe 38 PID 1416 wrote to memory of 2956 1416 Ockinl32.exe 38 PID 2956 wrote to memory of 1816 2956 Ppipdl32.exe 39 PID 2956 wrote to memory of 1816 2956 Ppipdl32.exe 39 PID 2956 wrote to memory of 1816 2956 Ppipdl32.exe 39 PID 2956 wrote to memory of 1816 2956 Ppipdl32.exe 39 PID 1816 wrote to memory of 1308 1816 Qhincn32.exe 40 PID 1816 wrote to memory of 1308 1816 Qhincn32.exe 40 PID 1816 wrote to memory of 1308 1816 Qhincn32.exe 40 PID 1816 wrote to memory of 1308 1816 Qhincn32.exe 40 PID 1308 wrote to memory of 684 1308 Addhcn32.exe 41 PID 1308 wrote to memory of 684 1308 Addhcn32.exe 41 PID 1308 wrote to memory of 684 1308 Addhcn32.exe 41 PID 1308 wrote to memory of 684 1308 Addhcn32.exe 41 PID 684 wrote to memory of 2368 684 Bfjkphjd.exe 42 PID 684 wrote to memory of 2368 684 Bfjkphjd.exe 42 PID 684 wrote to memory of 2368 684 Bfjkphjd.exe 42 PID 684 wrote to memory of 2368 684 Bfjkphjd.exe 42 PID 2368 wrote to memory of 2112 2368 Bdfahaaa.exe 43 PID 2368 wrote to memory of 2112 2368 Bdfahaaa.exe 43 PID 2368 wrote to memory of 2112 2368 Bdfahaaa.exe 43 PID 2368 wrote to memory of 2112 2368 Bdfahaaa.exe 43 PID 2112 wrote to memory of 1396 2112 Cncolfcl.exe 44 PID 2112 wrote to memory of 1396 2112 Cncolfcl.exe 44 PID 2112 wrote to memory of 1396 2112 Cncolfcl.exe 44 PID 2112 wrote to memory of 1396 2112 Cncolfcl.exe 44 PID 1396 wrote to memory of 1384 1396 Dhdfmbjc.exe 45 PID 1396 wrote to memory of 1384 1396 Dhdfmbjc.exe 45 PID 1396 wrote to memory of 1384 1396 Dhdfmbjc.exe 45 PID 1396 wrote to memory of 1384 1396 Dhdfmbjc.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\5b2722763e0aaaf33e0b56031d071a9a59aca3716daa79adc24fe7fef8439e71N.exe"C:\Users\Admin\AppData\Local\Temp\5b2722763e0aaaf33e0b56031d071a9a59aca3716daa79adc24fe7fef8439e71N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Lmcilp32.exeC:\Windows\system32\Lmcilp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Lglmefcg.exeC:\Windows\system32\Lglmefcg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Mpkhoj32.exeC:\Windows\system32\Mpkhoj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Mneaacno.exeC:\Windows\system32\Mneaacno.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Ndfpnl32.exeC:\Windows\system32\Ndfpnl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Nggipg32.exeC:\Windows\system32\Nggipg32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Oqkpmaif.exeC:\Windows\system32\Oqkpmaif.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Ockinl32.exeC:\Windows\system32\Ockinl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Ppipdl32.exeC:\Windows\system32\Ppipdl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Qhincn32.exeC:\Windows\system32\Qhincn32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Addhcn32.exeC:\Windows\system32\Addhcn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1308 -
C:\Windows\SysWOW64\Bfjkphjd.exeC:\Windows\system32\Bfjkphjd.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\Bdfahaaa.exeC:\Windows\system32\Bdfahaaa.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2368 -
C:\Windows\SysWOW64\Cncolfcl.exeC:\Windows\system32\Cncolfcl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Dhdfmbjc.exeC:\Windows\system32\Dhdfmbjc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1396 -
C:\Windows\SysWOW64\Dnckki32.exeC:\Windows\system32\Dnckki32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1384 -
C:\Windows\SysWOW64\Enmnahnm.exeC:\Windows\system32\Enmnahnm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:972 -
C:\Windows\SysWOW64\Embkbdce.exeC:\Windows\system32\Embkbdce.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1056 -
C:\Windows\SysWOW64\Eikimeff.exeC:\Windows\system32\Eikimeff.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Ebcmfj32.exeC:\Windows\system32\Ebcmfj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Fipbhd32.exeC:\Windows\system32\Fipbhd32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Fbhfajia.exeC:\Windows\system32\Fbhfajia.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Fmddgg32.exeC:\Windows\system32\Fmddgg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Ffmipmjn.exeC:\Windows\system32\Ffmipmjn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:304 -
C:\Windows\SysWOW64\Gllnnc32.exeC:\Windows\system32\Gllnnc32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:880 -
C:\Windows\SysWOW64\Gedbfimc.exeC:\Windows\system32\Gedbfimc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Goocenaa.exeC:\Windows\system32\Goocenaa.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Gidhbgag.exeC:\Windows\system32\Gidhbgag.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Hhlaiccm.exeC:\Windows\system32\Hhlaiccm.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Hpgfmeag.exeC:\Windows\system32\Hpgfmeag.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1936 -
C:\Windows\SysWOW64\Hnkffi32.exeC:\Windows\system32\Hnkffi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Hlbpme32.exeC:\Windows\system32\Hlbpme32.exe33⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Icoepohq.exeC:\Windows\system32\Icoepohq.exe34⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Ihlnhffh.exeC:\Windows\system32\Ihlnhffh.exe35⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Ilifndlo.exeC:\Windows\system32\Ilifndlo.exe36⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Idekbgji.exeC:\Windows\system32\Idekbgji.exe37⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Idghhf32.exeC:\Windows\system32\Idghhf32.exe38⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Jdidmf32.exeC:\Windows\system32\Jdidmf32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:852 -
C:\Windows\SysWOW64\Jndflk32.exeC:\Windows\system32\Jndflk32.exe40⤵
- Executes dropped EXE
PID:752 -
C:\Windows\SysWOW64\Jcandb32.exeC:\Windows\system32\Jcandb32.exe41⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Jcckibfg.exeC:\Windows\system32\Jcckibfg.exe42⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Jojloc32.exeC:\Windows\system32\Jojloc32.exe43⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Kmnlhg32.exeC:\Windows\system32\Kmnlhg32.exe44⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Keiqlihp.exeC:\Windows\system32\Keiqlihp.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Kigibh32.exeC:\Windows\system32\Kigibh32.exe46⤵
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Kcajceke.exeC:\Windows\system32\Kcajceke.exe47⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Kccgheib.exeC:\Windows\system32\Kccgheib.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2532 -
C:\Windows\SysWOW64\Kpjhnfof.exeC:\Windows\system32\Kpjhnfof.exe49⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Lchqcd32.exeC:\Windows\system32\Lchqcd32.exe50⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Lepclldc.exeC:\Windows\system32\Lepclldc.exe51⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Mhalngad.exeC:\Windows\system32\Mhalngad.exe52⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Mdgmbhgh.exeC:\Windows\system32\Mdgmbhgh.exe53⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Mkdbea32.exeC:\Windows\system32\Mkdbea32.exe54⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Mcofid32.exeC:\Windows\system32\Mcofid32.exe55⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Nikkkn32.exeC:\Windows\system32\Nikkkn32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1820 -
C:\Windows\SysWOW64\Ncdpdcfh.exeC:\Windows\system32\Ncdpdcfh.exe57⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Ncfmjc32.exeC:\Windows\system32\Ncfmjc32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Nkaane32.exeC:\Windows\system32\Nkaane32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Nhebhipj.exeC:\Windows\system32\Nhebhipj.exe60⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Nhhominh.exeC:\Windows\system32\Nhhominh.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1956 -
C:\Windows\SysWOW64\Oapcfo32.exeC:\Windows\system32\Oapcfo32.exe62⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Ojkhjabc.exeC:\Windows\system32\Ojkhjabc.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Ojndpqpq.exeC:\Windows\system32\Ojndpqpq.exe64⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Ocfiif32.exeC:\Windows\system32\Ocfiif32.exe65⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Ojpaeq32.exeC:\Windows\system32\Ojpaeq32.exe66⤵
- System Location Discovery: System Language Discovery
PID:552 -
C:\Windows\SysWOW64\Ojbnkp32.exeC:\Windows\system32\Ojbnkp32.exe67⤵
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Ooofcg32.exeC:\Windows\system32\Ooofcg32.exe68⤵PID:1656
-
C:\Windows\SysWOW64\Ojdjqp32.exeC:\Windows\system32\Ojdjqp32.exe69⤵
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Pbpoebgc.exeC:\Windows\system32\Pbpoebgc.exe70⤵PID:2400
-
C:\Windows\SysWOW64\Pnfpjc32.exeC:\Windows\system32\Pnfpjc32.exe71⤵PID:3020
-
C:\Windows\SysWOW64\Pnimpcke.exeC:\Windows\system32\Pnimpcke.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2868 -
C:\Windows\SysWOW64\Pnkiebib.exeC:\Windows\system32\Pnkiebib.exe73⤵
- Drops file in System32 directory
PID:2932 -
C:\Windows\SysWOW64\Pkojoghl.exeC:\Windows\system32\Pkojoghl.exe74⤵PID:2732
-
C:\Windows\SysWOW64\Pegnglnm.exeC:\Windows\system32\Pegnglnm.exe75⤵PID:756
-
C:\Windows\SysWOW64\Qfkgdd32.exeC:\Windows\system32\Qfkgdd32.exe76⤵PID:1240
-
C:\Windows\SysWOW64\Apclnj32.exeC:\Windows\system32\Apclnj32.exe77⤵PID:2148
-
C:\Windows\SysWOW64\Amglgn32.exeC:\Windows\system32\Amglgn32.exe78⤵
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\Amjiln32.exeC:\Windows\system32\Amjiln32.exe79⤵PID:1452
-
C:\Windows\SysWOW64\Aiqjao32.exeC:\Windows\system32\Aiqjao32.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Aegkfpah.exeC:\Windows\system32\Aegkfpah.exe81⤵PID:1912
-
C:\Windows\SysWOW64\Admgglep.exeC:\Windows\system32\Admgglep.exe82⤵PID:768
-
C:\Windows\SysWOW64\Bobleeef.exeC:\Windows\system32\Bobleeef.exe83⤵
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Bodhjdcc.exeC:\Windows\system32\Bodhjdcc.exe84⤵PID:1952
-
C:\Windows\SysWOW64\Bhmmcjjd.exeC:\Windows\system32\Bhmmcjjd.exe85⤵PID:1464
-
C:\Windows\SysWOW64\Biqfpb32.exeC:\Windows\system32\Biqfpb32.exe86⤵PID:1588
-
C:\Windows\SysWOW64\Bbikig32.exeC:\Windows\system32\Bbikig32.exe87⤵PID:3048
-
C:\Windows\SysWOW64\Ceickb32.exeC:\Windows\system32\Ceickb32.exe88⤵
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Cpohhk32.exeC:\Windows\system32\Cpohhk32.exe89⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Codeih32.exeC:\Windows\system32\Codeih32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2780 -
C:\Windows\SysWOW64\Ckkenikc.exeC:\Windows\system32\Ckkenikc.exe91⤵
- Drops file in System32 directory
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Chofhm32.exeC:\Windows\system32\Chofhm32.exe92⤵
- Drops file in System32 directory
PID:2600 -
C:\Windows\SysWOW64\Cdfgmnpa.exeC:\Windows\system32\Cdfgmnpa.exe93⤵PID:2328
-
C:\Windows\SysWOW64\Ckpoih32.exeC:\Windows\system32\Ckpoih32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Dpmgao32.exeC:\Windows\system32\Dpmgao32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1048 -
C:\Windows\SysWOW64\Dlchfp32.exeC:\Windows\system32\Dlchfp32.exe96⤵PID:2108
-
C:\Windows\SysWOW64\Dflmpebj.exeC:\Windows\system32\Dflmpebj.exe97⤵PID:2356
-
C:\Windows\SysWOW64\Dgkiih32.exeC:\Windows\system32\Dgkiih32.exe98⤵
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Dofnnkfg.exeC:\Windows\system32\Dofnnkfg.exe99⤵
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Dkmncl32.exeC:\Windows\system32\Dkmncl32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Ehaolpke.exeC:\Windows\system32\Ehaolpke.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2540 -
C:\Windows\SysWOW64\Enenef32.exeC:\Windows\system32\Enenef32.exe102⤵PID:1724
-
C:\Windows\SysWOW64\Efpbih32.exeC:\Windows\system32\Efpbih32.exe103⤵PID:2880
-
C:\Windows\SysWOW64\Ffboohnm.exeC:\Windows\system32\Ffboohnm.exe104⤵PID:1544
-
C:\Windows\SysWOW64\Fpkchm32.exeC:\Windows\system32\Fpkchm32.exe105⤵
- Drops file in System32 directory
PID:3060 -
C:\Windows\SysWOW64\Fichqckn.exeC:\Windows\system32\Fichqckn.exe106⤵PID:1040
-
C:\Windows\SysWOW64\Fejifdab.exeC:\Windows\system32\Fejifdab.exe107⤵PID:1104
-
C:\Windows\SysWOW64\Fnbmoi32.exeC:\Windows\system32\Fnbmoi32.exe108⤵PID:948
-
C:\Windows\SysWOW64\Fnejdiep.exeC:\Windows\system32\Fnejdiep.exe109⤵PID:572
-
C:\Windows\SysWOW64\Ghmnmo32.exeC:\Windows\system32\Ghmnmo32.exe110⤵PID:2192
-
C:\Windows\SysWOW64\Ghpkbn32.exeC:\Windows\system32\Ghpkbn32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Ghbhhnhk.exeC:\Windows\system32\Ghbhhnhk.exe112⤵
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Gdihmo32.exeC:\Windows\system32\Gdihmo32.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:516 -
C:\Windows\SysWOW64\Gjbqjiem.exeC:\Windows\system32\Gjbqjiem.exe114⤵PID:2528
-
C:\Windows\SysWOW64\Gbnenk32.exeC:\Windows\system32\Gbnenk32.exe115⤵PID:2384
-
C:\Windows\SysWOW64\Gdmbhnjj.exeC:\Windows\system32\Gdmbhnjj.exe116⤵PID:2908
-
C:\Windows\SysWOW64\Hogcil32.exeC:\Windows\system32\Hogcil32.exe117⤵
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Hpfoboml.exeC:\Windows\system32\Hpfoboml.exe118⤵PID:2688
-
C:\Windows\SysWOW64\Hiockd32.exeC:\Windows\system32\Hiockd32.exe119⤵PID:2104
-
C:\Windows\SysWOW64\Hkbmil32.exeC:\Windows\system32\Hkbmil32.exe120⤵PID:2928
-
C:\Windows\SysWOW64\Hginnmml.exeC:\Windows\system32\Hginnmml.exe121⤵PID:1840
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-