Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24/12/2024, 21:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4d87cfe16eb1b8b224c7f4821a400bb7ab7ef920456a0105322dfe806cdbd4a9.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
4d87cfe16eb1b8b224c7f4821a400bb7ab7ef920456a0105322dfe806cdbd4a9.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
4d87cfe16eb1b8b224c7f4821a400bb7ab7ef920456a0105322dfe806cdbd4a9.exe
-
Size
344KB
-
MD5
33daac3e2c5183e39460d5fd2482c6a2
-
SHA1
8db66af9c7e4520a3dd5194755252ce91811d398
-
SHA256
4d87cfe16eb1b8b224c7f4821a400bb7ab7ef920456a0105322dfe806cdbd4a9
-
SHA512
37ed1638e3521665ee346e9372daef635af9b0baeb6b6e1b4080e1e6a8a80f5bc3c33eec180a135e4930f634aed31fbfd49e36ba241c150c9fc3d417809521ea
-
SSDEEP
6144:tjXVl/+CpX2/mnbzvdLaD6OkPgl6bmIjlQFn:tjXVlWCpXImbzQD6OkPgl6bmIjKn
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blkmdodf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgckoofa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onipqp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bodhjdcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbnpbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibibfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgklp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnbpqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjahakgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfqlkfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jibpghbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfkfkopk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmelpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acohnhab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klmbjh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hememgdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcandb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnpcpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckomqopi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albjnplq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcjldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aebakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blniinac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omnmal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epqgopbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Beldao32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmnngl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lffmpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkfghh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqojhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbmlkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfkfkopk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkohjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aphcppmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Figocipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkbnap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdcdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obecld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anecfgdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igcgnbim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dphhka32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmqkml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdjcjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nflfad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdnkanfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiknnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghaeoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Appbcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdnkanfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhmmcjjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgcmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbkjap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pidaba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apkihofl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epnkip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gedbfimc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gidhbgag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbagpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmlecinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lehdhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blipno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjoilfek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fappgflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgjmoace.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2788 Peeoidik.exe 2116 Pdhpdq32.exe 2592 Pjahakgb.exe 2564 Pmpdmfff.exe 3012 Phehko32.exe 444 Qigebglj.exe 2948 Qanmcdlm.exe 1964 Qdlipplq.exe 1584 Qfkelkkd.exe 1932 Qmenhe32.exe 1972 Qpcjeaad.exe 1500 Afmbak32.exe 1036 Aiknnf32.exe 1256 Apefjqob.exe 1412 Afpogk32.exe 1912 Ahqkocmm.exe 912 Aphcppmo.exe 1236 Aaipghcn.exe 1564 Alodeacc.exe 2744 Abhlak32.exe 2984 Ckfjjqhd.exe 704 Cdnncfoe.exe 1916 Clefdcog.exe 2676 Ckhfpp32.exe 2812 Cfnkmi32.exe 2716 Cgogealf.exe 2768 Cnipak32.exe 2672 Cgadja32.exe 1344 Ckmpkpbl.exe 2568 Cchdpbog.exe 592 Ckomqopi.exe 2032 Dcjaeamd.exe 2148 Dgfmep32.exe 2044 Doabjbci.exe 2956 Dghjkpck.exe 1060 Dqaode32.exe 1508 Docopbaf.exe 848 Dfngll32.exe 1052 Dmgoif32.exe 2184 Dcageqgm.exe 1684 Dfpcblfp.exe 572 Dmjlof32.exe 2436 Dphhka32.exe 2028 Dfbqgldn.exe 1108 Deeqch32.exe 1012 Dgcmod32.exe 900 Epkepakn.exe 2784 Ealahi32.exe 2596 Eiciig32.exe 2892 Ejdfqogm.exe 2492 Ebknblho.exe 2240 Eannmi32.exe 2464 Ehhfjcff.exe 2280 Ejfbfo32.exe 1160 Emeobj32.exe 1976 Eelgcg32.exe 1720 Ecogodlk.exe 1800 Efmckpko.exe 1560 Endklmlq.exe 2608 Ecadddjh.exe 1956 Ejklan32.exe 2400 Ephdjeol.exe 1620 Ebfqfpop.exe 1628 Fjnignob.exe -
Loads dropped DLL 64 IoCs
pid Process 2336 4d87cfe16eb1b8b224c7f4821a400bb7ab7ef920456a0105322dfe806cdbd4a9.exe 2336 4d87cfe16eb1b8b224c7f4821a400bb7ab7ef920456a0105322dfe806cdbd4a9.exe 2788 Peeoidik.exe 2788 Peeoidik.exe 2116 Pdhpdq32.exe 2116 Pdhpdq32.exe 2592 Pjahakgb.exe 2592 Pjahakgb.exe 2564 Pmpdmfff.exe 2564 Pmpdmfff.exe 3012 Phehko32.exe 3012 Phehko32.exe 444 Qigebglj.exe 444 Qigebglj.exe 2948 Qanmcdlm.exe 2948 Qanmcdlm.exe 1964 Qdlipplq.exe 1964 Qdlipplq.exe 1584 Qfkelkkd.exe 1584 Qfkelkkd.exe 1932 Qmenhe32.exe 1932 Qmenhe32.exe 1972 Qpcjeaad.exe 1972 Qpcjeaad.exe 1500 Afmbak32.exe 1500 Afmbak32.exe 1036 Aiknnf32.exe 1036 Aiknnf32.exe 1256 Apefjqob.exe 1256 Apefjqob.exe 1412 Afpogk32.exe 1412 Afpogk32.exe 1912 Ahqkocmm.exe 1912 Ahqkocmm.exe 912 Aphcppmo.exe 912 Aphcppmo.exe 1236 Aaipghcn.exe 1236 Aaipghcn.exe 1564 Alodeacc.exe 1564 Alodeacc.exe 2744 Abhlak32.exe 2744 Abhlak32.exe 2984 Ckfjjqhd.exe 2984 Ckfjjqhd.exe 704 Cdnncfoe.exe 704 Cdnncfoe.exe 1916 Clefdcog.exe 1916 Clefdcog.exe 2676 Ckhfpp32.exe 2676 Ckhfpp32.exe 2812 Cfnkmi32.exe 2812 Cfnkmi32.exe 2716 Cgogealf.exe 2716 Cgogealf.exe 2768 Cnipak32.exe 2768 Cnipak32.exe 2672 Cgadja32.exe 2672 Cgadja32.exe 1344 Ckmpkpbl.exe 1344 Ckmpkpbl.exe 2568 Cchdpbog.exe 2568 Cchdpbog.exe 592 Ckomqopi.exe 592 Ckomqopi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ailqfooi.exe Acohnhab.exe File created C:\Windows\SysWOW64\Eonkgg32.dll Bmelpa32.exe File created C:\Windows\SysWOW64\Onldqejb.exe Oknhdjko.exe File opened for modification C:\Windows\SysWOW64\Jqpebg32.exe Jnbifl32.exe File created C:\Windows\SysWOW64\Knfopnkk.exe Klhbdclg.exe File opened for modification C:\Windows\SysWOW64\Ghaeoe32.exe Gpjmnh32.exe File opened for modification C:\Windows\SysWOW64\Jjmcfl32.exe Jfagemej.exe File created C:\Windows\SysWOW64\Beegbq32.dll Peqhgmdd.exe File opened for modification C:\Windows\SysWOW64\Ecadddjh.exe Endklmlq.exe File created C:\Windows\SysWOW64\Jjejnabb.dll Hpgfmeag.exe File created C:\Windows\SysWOW64\Gnnfllod.dll Kjhfjpdd.exe File created C:\Windows\SysWOW64\Inkcem32.exe Iklfia32.exe File created C:\Windows\SysWOW64\Omnmal32.exe Ofdeeb32.exe File created C:\Windows\SysWOW64\Ejgicl32.dll Cnipak32.exe File created C:\Windows\SysWOW64\Enkcccnb.dll Apilcoho.exe File opened for modification C:\Windows\SysWOW64\Clnehado.exe Cjoilfek.exe File created C:\Windows\SysWOW64\Idcoaaei.dll Bafhff32.exe File created C:\Windows\SysWOW64\Hclhjpjc.exe Hlbpme32.exe File opened for modification C:\Windows\SysWOW64\Hkmjjn32.exe Hpgfmeag.exe File opened for modification C:\Windows\SysWOW64\Jfagemej.exe Johoic32.exe File opened for modification C:\Windows\SysWOW64\Aicmadmm.exe Afeaei32.exe File created C:\Windows\SysWOW64\Jmdaehpn.dll Afgnkilf.exe File created C:\Windows\SysWOW64\Ifhfbgmj.dll Cceapl32.exe File opened for modification C:\Windows\SysWOW64\Nfglfdeb.exe Ncipjieo.exe File created C:\Windows\SysWOW64\Omhkcnfg.exe Obcffefa.exe File opened for modification C:\Windows\SysWOW64\Gibkmgcj.exe Gfcopl32.exe File created C:\Windows\SysWOW64\Dmddik32.dll Mmpakm32.exe File created C:\Windows\SysWOW64\Mfhdke32.dll Palbgn32.exe File created C:\Windows\SysWOW64\Aphcppmo.exe Ahqkocmm.exe File opened for modification C:\Windows\SysWOW64\Johoic32.exe Jqeomfgc.exe File opened for modification C:\Windows\SysWOW64\Ljbipolj.exe Lffmpp32.exe File created C:\Windows\SysWOW64\Lcdjpfgh.exe Lpfnckhe.exe File created C:\Windows\SysWOW64\Abnopj32.exe Appbcn32.exe File opened for modification C:\Windows\SysWOW64\Ijimli32.exe Iaaekl32.exe File created C:\Windows\SysWOW64\Efmckpko.exe Ecogodlk.exe File created C:\Windows\SysWOW64\Fdibkoon.dll Jgbjjf32.exe File created C:\Windows\SysWOW64\Bdohpb32.dll Cgjgol32.exe File created C:\Windows\SysWOW64\Jjmcfl32.exe Jfagemej.exe File created C:\Windows\SysWOW64\Eejanc32.dll Qpaohjkk.exe File opened for modification C:\Windows\SysWOW64\Albjnplq.exe Aicmadmm.exe File created C:\Windows\SysWOW64\Pjibmbqj.dll Pkhdnh32.exe File created C:\Windows\SysWOW64\Gmqkml32.exe Gkbnap32.exe File created C:\Windows\SysWOW64\Obckefai.dll Nopaoj32.exe File opened for modification C:\Windows\SysWOW64\Piadma32.exe Pbglpg32.exe File opened for modification C:\Windows\SysWOW64\Afmbak32.exe Qpcjeaad.exe File created C:\Windows\SysWOW64\Ifijkq32.dll Obcffefa.exe File created C:\Windows\SysWOW64\Ogdaod32.exe Oqjibkek.exe File created C:\Windows\SysWOW64\Fkjjjgij.dll Ckhfpp32.exe File created C:\Windows\SysWOW64\Fjnignob.exe Ebfqfpop.exe File created C:\Windows\SysWOW64\Noagjc32.exe Nhhominh.exe File created C:\Windows\SysWOW64\Igcgnbim.exe Iafofkkf.exe File opened for modification C:\Windows\SysWOW64\Coindgbi.exe Chofhm32.exe File opened for modification C:\Windows\SysWOW64\Fkkhpadq.exe Fhmldfdm.exe File created C:\Windows\SysWOW64\Igmepdbc.exe Idohdhbo.exe File created C:\Windows\SysWOW64\Dochelmj.exe Dglpdomh.exe File created C:\Windows\SysWOW64\Mcidkf32.exe Mpkhoj32.exe File opened for modification C:\Windows\SysWOW64\Nopaoj32.exe Nnodgbed.exe File created C:\Windows\SysWOW64\Cceapl32.exe Cojeomee.exe File opened for modification C:\Windows\SysWOW64\Einebddd.exe Eebibf32.exe File created C:\Windows\SysWOW64\Hememgdi.exe Hmfmkjdf.exe File created C:\Windows\SysWOW64\Lceeqk32.dll Fapgblob.exe File opened for modification C:\Windows\SysWOW64\Hnnjfo32.exe Hokjkbkp.exe File opened for modification C:\Windows\SysWOW64\Hdjoii32.exe Hqochjnk.exe File created C:\Windows\SysWOW64\Djcnme32.dll Ankedf32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lajkbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padccpal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemomb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afqhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihnjmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alodeacc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfnkmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hijhhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhcndhap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbglpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaekljjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bacefpbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahhchk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdcjgnbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeokba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befnbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhgccbhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fheoiqgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ankedf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afmbak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhpejbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgnminke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pofldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmbjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgckoofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjmoace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Johoic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npechhgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhqhmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdjqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfkelkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejdfqogm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnahilc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmaed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadfah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onldqejb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hclhjpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhapocoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gibkmgcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keango32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpddmia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blniinac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doqkpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epnkip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlbaqfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apefjqob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmmbge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgmoob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onipqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjiljf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fegjgkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfqlkfoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkmjlca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekghcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibpghbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4d87cfe16eb1b8b224c7f4821a400bb7ab7ef920456a0105322dfe806cdbd4a9.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkimpfmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfkkeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpdankjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objmgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llebnfpe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikagogco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcichb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmdkfmjc.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gckfpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Meljbqna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqpmimbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Migbpocm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjnignob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjhiaadn.dll" Ggiofa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhoeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epeajo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndjfgkha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiecgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Miocmq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afpfqffb.dll" Anecfgdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Deeqch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkbhkj32.dll" Bceeqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qpaohjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lficmm32.dll" Amglgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eonkgg32.dll" Bmelpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjoolbcg.dll" Qpcjeaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Figocipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flmogqde.dll" Pidaba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjpmdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnfdm32.dll" Ipqicdim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqaode32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fenphjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgfhapbi.dll" Dcjjkkji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imcplf32.dll" Bhkghqpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Befnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikggmnae.dll" Dfhgggim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgkbjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmlbaqfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqochjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Moenkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfglfdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgnminke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfcopl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akjfgh32.dll" Nhqhmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fehokjjf.dll" Ioiidfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbmccel.dll" Mkdioh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eenfifcn.dll" Apkihofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcmfjeap.dll" Efffpjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjfpdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aphehidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noingpnc.dll" Dfbqgldn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppkmjlca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idghhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiihig32.dll" Kgjjndeq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjfpdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogaceogh.dll" Ajldkhjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cccdjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgjmoace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cedhlopf.dll" Kihpmnbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkimpfmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eiilge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmqkml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chhpgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdnlcakk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfnhec32.dll" Hghdjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neibanod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdkcbpni.dll" Qcmkhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkkioeig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmkedj32.dll" Dfpcblfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkdcdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmkdhq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cniajdkg.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2336 wrote to memory of 2788 2336 4d87cfe16eb1b8b224c7f4821a400bb7ab7ef920456a0105322dfe806cdbd4a9.exe 30 PID 2336 wrote to memory of 2788 2336 4d87cfe16eb1b8b224c7f4821a400bb7ab7ef920456a0105322dfe806cdbd4a9.exe 30 PID 2336 wrote to memory of 2788 2336 4d87cfe16eb1b8b224c7f4821a400bb7ab7ef920456a0105322dfe806cdbd4a9.exe 30 PID 2336 wrote to memory of 2788 2336 4d87cfe16eb1b8b224c7f4821a400bb7ab7ef920456a0105322dfe806cdbd4a9.exe 30 PID 2788 wrote to memory of 2116 2788 Peeoidik.exe 31 PID 2788 wrote to memory of 2116 2788 Peeoidik.exe 31 PID 2788 wrote to memory of 2116 2788 Peeoidik.exe 31 PID 2788 wrote to memory of 2116 2788 Peeoidik.exe 31 PID 2116 wrote to memory of 2592 2116 Pdhpdq32.exe 32 PID 2116 wrote to memory of 2592 2116 Pdhpdq32.exe 32 PID 2116 wrote to memory of 2592 2116 Pdhpdq32.exe 32 PID 2116 wrote to memory of 2592 2116 Pdhpdq32.exe 32 PID 2592 wrote to memory of 2564 2592 Pjahakgb.exe 33 PID 2592 wrote to memory of 2564 2592 Pjahakgb.exe 33 PID 2592 wrote to memory of 2564 2592 Pjahakgb.exe 33 PID 2592 wrote to memory of 2564 2592 Pjahakgb.exe 33 PID 2564 wrote to memory of 3012 2564 Pmpdmfff.exe 34 PID 2564 wrote to memory of 3012 2564 Pmpdmfff.exe 34 PID 2564 wrote to memory of 3012 2564 Pmpdmfff.exe 34 PID 2564 wrote to memory of 3012 2564 Pmpdmfff.exe 34 PID 3012 wrote to memory of 444 3012 Phehko32.exe 35 PID 3012 wrote to memory of 444 3012 Phehko32.exe 35 PID 3012 wrote to memory of 444 3012 Phehko32.exe 35 PID 3012 wrote to memory of 444 3012 Phehko32.exe 35 PID 444 wrote to memory of 2948 444 Qigebglj.exe 36 PID 444 wrote to memory of 2948 444 Qigebglj.exe 36 PID 444 wrote to memory of 2948 444 Qigebglj.exe 36 PID 444 wrote to memory of 2948 444 Qigebglj.exe 36 PID 2948 wrote to memory of 1964 2948 Qanmcdlm.exe 37 PID 2948 wrote to memory of 1964 2948 Qanmcdlm.exe 37 PID 2948 wrote to memory of 1964 2948 Qanmcdlm.exe 37 PID 2948 wrote to memory of 1964 2948 Qanmcdlm.exe 37 PID 1964 wrote to memory of 1584 1964 Qdlipplq.exe 38 PID 1964 wrote to memory of 1584 1964 Qdlipplq.exe 38 PID 1964 wrote to memory of 1584 1964 Qdlipplq.exe 38 PID 1964 wrote to memory of 1584 1964 Qdlipplq.exe 38 PID 1584 wrote to memory of 1932 1584 Qfkelkkd.exe 39 PID 1584 wrote to memory of 1932 1584 Qfkelkkd.exe 39 PID 1584 wrote to memory of 1932 1584 Qfkelkkd.exe 39 PID 1584 wrote to memory of 1932 1584 Qfkelkkd.exe 39 PID 1932 wrote to memory of 1972 1932 Qmenhe32.exe 40 PID 1932 wrote to memory of 1972 1932 Qmenhe32.exe 40 PID 1932 wrote to memory of 1972 1932 Qmenhe32.exe 40 PID 1932 wrote to memory of 1972 1932 Qmenhe32.exe 40 PID 1972 wrote to memory of 1500 1972 Qpcjeaad.exe 41 PID 1972 wrote to memory of 1500 1972 Qpcjeaad.exe 41 PID 1972 wrote to memory of 1500 1972 Qpcjeaad.exe 41 PID 1972 wrote to memory of 1500 1972 Qpcjeaad.exe 41 PID 1500 wrote to memory of 1036 1500 Afmbak32.exe 42 PID 1500 wrote to memory of 1036 1500 Afmbak32.exe 42 PID 1500 wrote to memory of 1036 1500 Afmbak32.exe 42 PID 1500 wrote to memory of 1036 1500 Afmbak32.exe 42 PID 1036 wrote to memory of 1256 1036 Aiknnf32.exe 43 PID 1036 wrote to memory of 1256 1036 Aiknnf32.exe 43 PID 1036 wrote to memory of 1256 1036 Aiknnf32.exe 43 PID 1036 wrote to memory of 1256 1036 Aiknnf32.exe 43 PID 1256 wrote to memory of 1412 1256 Apefjqob.exe 44 PID 1256 wrote to memory of 1412 1256 Apefjqob.exe 44 PID 1256 wrote to memory of 1412 1256 Apefjqob.exe 44 PID 1256 wrote to memory of 1412 1256 Apefjqob.exe 44 PID 1412 wrote to memory of 1912 1412 Afpogk32.exe 45 PID 1412 wrote to memory of 1912 1412 Afpogk32.exe 45 PID 1412 wrote to memory of 1912 1412 Afpogk32.exe 45 PID 1412 wrote to memory of 1912 1412 Afpogk32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4d87cfe16eb1b8b224c7f4821a400bb7ab7ef920456a0105322dfe806cdbd4a9.exe"C:\Users\Admin\AppData\Local\Temp\4d87cfe16eb1b8b224c7f4821a400bb7ab7ef920456a0105322dfe806cdbd4a9.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Peeoidik.exeC:\Windows\system32\Peeoidik.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Pdhpdq32.exeC:\Windows\system32\Pdhpdq32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Pjahakgb.exeC:\Windows\system32\Pjahakgb.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Pmpdmfff.exeC:\Windows\system32\Pmpdmfff.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Phehko32.exeC:\Windows\system32\Phehko32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Qigebglj.exeC:\Windows\system32\Qigebglj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Windows\SysWOW64\Qanmcdlm.exeC:\Windows\system32\Qanmcdlm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Qdlipplq.exeC:\Windows\system32\Qdlipplq.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Qfkelkkd.exeC:\Windows\system32\Qfkelkkd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1584 -
C:\Windows\SysWOW64\Qmenhe32.exeC:\Windows\system32\Qmenhe32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1932 -
C:\Windows\SysWOW64\Qpcjeaad.exeC:\Windows\system32\Qpcjeaad.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Afmbak32.exeC:\Windows\system32\Afmbak32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Aiknnf32.exeC:\Windows\system32\Aiknnf32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1036 -
C:\Windows\SysWOW64\Apefjqob.exeC:\Windows\system32\Apefjqob.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Afpogk32.exeC:\Windows\system32\Afpogk32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Ahqkocmm.exeC:\Windows\system32\Ahqkocmm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Aphcppmo.exeC:\Windows\system32\Aphcppmo.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:912 -
C:\Windows\SysWOW64\Aaipghcn.exeC:\Windows\system32\Aaipghcn.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1236 -
C:\Windows\SysWOW64\Alodeacc.exeC:\Windows\system32\Alodeacc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1564 -
C:\Windows\SysWOW64\Abhlak32.exeC:\Windows\system32\Abhlak32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Ckfjjqhd.exeC:\Windows\system32\Ckfjjqhd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2984 -
C:\Windows\SysWOW64\Cdnncfoe.exeC:\Windows\system32\Cdnncfoe.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:704 -
C:\Windows\SysWOW64\Clefdcog.exeC:\Windows\system32\Clefdcog.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1916 -
C:\Windows\SysWOW64\Ckhfpp32.exeC:\Windows\system32\Ckhfpp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Cfnkmi32.exeC:\Windows\system32\Cfnkmi32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2812 -
C:\Windows\SysWOW64\Cgogealf.exeC:\Windows\system32\Cgogealf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Cnipak32.exeC:\Windows\system32\Cnipak32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Cgadja32.exeC:\Windows\system32\Cgadja32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Ckmpkpbl.exeC:\Windows\system32\Ckmpkpbl.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1344 -
C:\Windows\SysWOW64\Cchdpbog.exeC:\Windows\system32\Cchdpbog.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Ckomqopi.exeC:\Windows\system32\Ckomqopi.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:592 -
C:\Windows\SysWOW64\Dcjaeamd.exeC:\Windows\system32\Dcjaeamd.exe33⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Dgfmep32.exeC:\Windows\system32\Dgfmep32.exe34⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Doabjbci.exeC:\Windows\system32\Doabjbci.exe35⤵
- Executes dropped EXE
PID:2044 -
C:\Windows\SysWOW64\Dghjkpck.exeC:\Windows\system32\Dghjkpck.exe36⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Dqaode32.exeC:\Windows\system32\Dqaode32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1060 -
C:\Windows\SysWOW64\Docopbaf.exeC:\Windows\system32\Docopbaf.exe38⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Dfngll32.exeC:\Windows\system32\Dfngll32.exe39⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Dmgoif32.exeC:\Windows\system32\Dmgoif32.exe40⤵
- Executes dropped EXE
PID:1052 -
C:\Windows\SysWOW64\Dcageqgm.exeC:\Windows\system32\Dcageqgm.exe41⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Dfpcblfp.exeC:\Windows\system32\Dfpcblfp.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Dmjlof32.exeC:\Windows\system32\Dmjlof32.exe43⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Dphhka32.exeC:\Windows\system32\Dphhka32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Dfbqgldn.exeC:\Windows\system32\Dfbqgldn.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2028 -
C:\Windows\SysWOW64\Deeqch32.exeC:\Windows\system32\Deeqch32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1108 -
C:\Windows\SysWOW64\Dgcmod32.exeC:\Windows\system32\Dgcmod32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1012 -
C:\Windows\SysWOW64\Epkepakn.exeC:\Windows\system32\Epkepakn.exe48⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Ealahi32.exeC:\Windows\system32\Ealahi32.exe49⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Eiciig32.exeC:\Windows\system32\Eiciig32.exe50⤵
- Executes dropped EXE
PID:2596 -
C:\Windows\SysWOW64\Ejdfqogm.exeC:\Windows\system32\Ejdfqogm.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892 -
C:\Windows\SysWOW64\Ebknblho.exeC:\Windows\system32\Ebknblho.exe52⤵
- Executes dropped EXE
PID:2492 -
C:\Windows\SysWOW64\Eannmi32.exeC:\Windows\system32\Eannmi32.exe53⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Ehhfjcff.exeC:\Windows\system32\Ehhfjcff.exe54⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Ejfbfo32.exeC:\Windows\system32\Ejfbfo32.exe55⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Emeobj32.exeC:\Windows\system32\Emeobj32.exe56⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Eelgcg32.exeC:\Windows\system32\Eelgcg32.exe57⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Ecogodlk.exeC:\Windows\system32\Ecogodlk.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Efmckpko.exeC:\Windows\system32\Efmckpko.exe59⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Endklmlq.exeC:\Windows\system32\Endklmlq.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Ecadddjh.exeC:\Windows\system32\Ecadddjh.exe61⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Ejklan32.exeC:\Windows\system32\Ejklan32.exe62⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Ephdjeol.exeC:\Windows\system32\Ephdjeol.exe63⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Ebfqfpop.exeC:\Windows\system32\Ebfqfpop.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Fjnignob.exeC:\Windows\system32\Fjnignob.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Fmlecinf.exeC:\Windows\system32\Fmlecinf.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1968 -
C:\Windows\SysWOW64\Fegjgkla.exeC:\Windows\system32\Fegjgkla.exe67⤵
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Fmnahilc.exeC:\Windows\system32\Fmnahilc.exe68⤵
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Fpmned32.exeC:\Windows\system32\Fpmned32.exe69⤵PID:2688
-
C:\Windows\SysWOW64\Fbkjap32.exeC:\Windows\system32\Fbkjap32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:524 -
C:\Windows\SysWOW64\Ffgfancd.exeC:\Windows\system32\Ffgfancd.exe71⤵PID:1240
-
C:\Windows\SysWOW64\Fiebnjbg.exeC:\Windows\system32\Fiebnjbg.exe72⤵PID:2824
-
C:\Windows\SysWOW64\Flcojeak.exeC:\Windows\system32\Flcojeak.exe73⤵PID:1768
-
C:\Windows\SysWOW64\Fobkfqpo.exeC:\Windows\system32\Fobkfqpo.exe74⤵PID:1020
-
C:\Windows\SysWOW64\Fapgblob.exeC:\Windows\system32\Fapgblob.exe75⤵
- Drops file in System32 directory
PID:1520 -
C:\Windows\SysWOW64\Figocipe.exeC:\Windows\system32\Figocipe.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1888 -
C:\Windows\SysWOW64\Fenphjei.exeC:\Windows\system32\Fenphjei.exe77⤵
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Fhmldfdm.exeC:\Windows\system32\Fhmldfdm.exe78⤵
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Fkkhpadq.exeC:\Windows\system32\Fkkhpadq.exe79⤵PID:1908
-
C:\Windows\SysWOW64\Gmidlmcd.exeC:\Windows\system32\Gmidlmcd.exe80⤵PID:2348
-
C:\Windows\SysWOW64\Gdcmig32.exeC:\Windows\system32\Gdcmig32.exe81⤵PID:1896
-
C:\Windows\SysWOW64\Ggbieb32.exeC:\Windows\system32\Ggbieb32.exe82⤵PID:2488
-
C:\Windows\SysWOW64\Goiafp32.exeC:\Windows\system32\Goiafp32.exe83⤵PID:1920
-
C:\Windows\SysWOW64\Gagmbkik.exeC:\Windows\system32\Gagmbkik.exe84⤵PID:2712
-
C:\Windows\SysWOW64\Gpjmnh32.exeC:\Windows\system32\Gpjmnh32.exe85⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Ghaeoe32.exeC:\Windows\system32\Ghaeoe32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3008 -
C:\Windows\SysWOW64\Ggdekbgb.exeC:\Windows\system32\Ggdekbgb.exe87⤵PID:2188
-
C:\Windows\SysWOW64\Gmnngl32.exeC:\Windows\system32\Gmnngl32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Gpmjcg32.exeC:\Windows\system32\Gpmjcg32.exe89⤵PID:2616
-
C:\Windows\SysWOW64\Gckfpc32.exeC:\Windows\system32\Gckfpc32.exe90⤵
- Modifies registry class
PID:316 -
C:\Windows\SysWOW64\Gkbnap32.exeC:\Windows\system32\Gkbnap32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:764 -
C:\Windows\SysWOW64\Gmqkml32.exeC:\Windows\system32\Gmqkml32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Gdjcjf32.exeC:\Windows\system32\Gdjcjf32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1884 -
C:\Windows\SysWOW64\Ggiofa32.exeC:\Windows\system32\Ggiofa32.exe94⤵
- Modifies registry class
PID:1416 -
C:\Windows\SysWOW64\Gigkbm32.exeC:\Windows\system32\Gigkbm32.exe95⤵PID:856
-
C:\Windows\SysWOW64\Gpacogjm.exeC:\Windows\system32\Gpacogjm.exe96⤵PID:1260
-
C:\Windows\SysWOW64\Hijhhl32.exeC:\Windows\system32\Hijhhl32.exe97⤵
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Hlhddh32.exeC:\Windows\system32\Hlhddh32.exe98⤵PID:2836
-
C:\Windows\SysWOW64\Hpcpdfhj.exeC:\Windows\system32\Hpcpdfhj.exe99⤵PID:2684
-
C:\Windows\SysWOW64\Hcblqb32.exeC:\Windows\system32\Hcblqb32.exe100⤵PID:1164
-
C:\Windows\SysWOW64\Hhoeii32.exeC:\Windows\system32\Hhoeii32.exe101⤵
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Hkmaed32.exeC:\Windows\system32\Hkmaed32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2528 -
C:\Windows\SysWOW64\Hagianlf.exeC:\Windows\system32\Hagianlf.exe103⤵PID:1980
-
C:\Windows\SysWOW64\Hdefnjkj.exeC:\Windows\system32\Hdefnjkj.exe104⤵PID:956
-
C:\Windows\SysWOW64\Hkpnjd32.exeC:\Windows\system32\Hkpnjd32.exe105⤵PID:2012
-
C:\Windows\SysWOW64\Hokjkbkp.exeC:\Windows\system32\Hokjkbkp.exe106⤵
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Hnnjfo32.exeC:\Windows\system32\Hnnjfo32.exe107⤵PID:1752
-
C:\Windows\SysWOW64\Hfebhmbm.exeC:\Windows\system32\Hfebhmbm.exe108⤵PID:3004
-
C:\Windows\SysWOW64\Hhcndhap.exeC:\Windows\system32\Hhcndhap.exe109⤵
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\Hkbkpcpd.exeC:\Windows\system32\Hkbkpcpd.exe110⤵PID:2360
-
C:\Windows\SysWOW64\Halcmn32.exeC:\Windows\system32\Halcmn32.exe111⤵PID:1608
-
C:\Windows\SysWOW64\Hqochjnk.exeC:\Windows\system32\Hqochjnk.exe112⤵
- Drops file in System32 directory
- Modifies registry class
PID:3024 -
C:\Windows\SysWOW64\Hdjoii32.exeC:\Windows\system32\Hdjoii32.exe113⤵PID:2964
-
C:\Windows\SysWOW64\Hgiked32.exeC:\Windows\system32\Hgiked32.exe114⤵PID:2384
-
C:\Windows\SysWOW64\Hjggap32.exeC:\Windows\system32\Hjggap32.exe115⤵PID:1636
-
C:\Windows\SysWOW64\Hnbcaome.exeC:\Windows\system32\Hnbcaome.exe116⤵PID:1680
-
C:\Windows\SysWOW64\Hbnpbm32.exeC:\Windows\system32\Hbnpbm32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2252 -
C:\Windows\SysWOW64\Icplje32.exeC:\Windows\system32\Icplje32.exe118⤵PID:600
-
C:\Windows\SysWOW64\Igkhjdde.exeC:\Windows\system32\Igkhjdde.exe119⤵PID:2364
-
C:\Windows\SysWOW64\Inepgn32.exeC:\Windows\system32\Inepgn32.exe120⤵PID:2944
-
C:\Windows\SysWOW64\Idohdhbo.exeC:\Windows\system32\Idohdhbo.exe121⤵
- Drops file in System32 directory
PID:2764
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-