Analysis
max time kernel: 149s
max time network: 16s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 05/03/2025, 21:27
Static task: static1
Behavioral task: behavioral1
  Sample: 1e766f4fe180d63dfeaeb091475b2ab09faae8b1abc9b40e894699874490e006.exe
  Resource: win7-20240729-en
Behavioral task: behavioral2
  Sample: 1e766f4fe180d63dfeaeb091475b2ab09faae8b1abc9b40e894699874490e006.exe
  Resource: win10v2004-20250217-en
General
Target: 1e766f4fe180d63dfeaeb091475b2ab09faae8b1abc9b40e894699874490e006.exe
Size: 219KB
MD5: a32a928a42dee135f9cc10235b63537f
SHA1: f391e81fcaec75a4e93364967a8fe64c91319827
SHA256: 1e766f4fe180d63dfeaeb091475b2ab09faae8b1abc9b40e894699874490e006
SHA512: b8174e9f62c3dd45dae8073df7d9c0b1c7139c1e23ab533fa7a905c6801af24991a17682eaff44eed7230a258bffc77cf0ef8d6cf77210eb10a2e9a56210ec73
SSDEEP: 3072:qc9Z1oMNSlXWmcPzwuZkO0aDb/IBPCOQvU6z314EXrjvwSfYrwBt:qc9bIlXW1zDOO0aDD4PCxdXXwSfYrwB
Malware Config
Extracted family: berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbfnchfb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fdqiiaih.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lljkif32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Naimepkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Noagjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oomjng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ahfgbkpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ceqjla32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Goocenaa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmlobg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nommodjj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gedbfimc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lmnhgjmp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpanne32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oapcfo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckkenikc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jkcmjpma.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Llhocfnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lbagpp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fnjnkkbk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Icoepohq.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhlbbg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbgefa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fappgflg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gibkmgcj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hkjnenbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pbblkaea.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bacefpbg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Beggec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ckkenikc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gminbfoh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mkfojakp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oqepgk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oomjng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fllaopcg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jbhhkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lfkfkopk.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Opccallb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oabplobe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qgfkchmp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abinjdad.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jcfgoadd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fnogfk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igcgnbim.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gedbfimc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ankedf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Biqfpb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Codeih32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iemalkgd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kglfcd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nljhhi32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pigklmqc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Almihjlj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bjiljf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhmmcjjd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Joebccpp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogohdeam.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pildgl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmqffonj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bopknhjd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hkjnenbp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jqpebg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ncdpdcfh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmlbaqfh.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid | Process
2452 | Fllaopcg.exe
2700 | Fnjnkkbk.exe
3020 | Fefcmehe.exe
2784 | Fnogfk32.exe
2960 | Fdlpnamm.exe
2716 | Fappgflg.exe
2552 | Fjhdpk32.exe
316 | Fdqiiaih.exe
1976 | Gminbfoh.exe
2516 | Gedbfimc.exe
2428 | Gpjfcali.exe
2468 | Gibkmgcj.exe
264 | Goocenaa.exe
2964 | Gampaipe.exe
2192 | Goapjnoo.exe
2404 | Ghidcceo.exe
2448 | Hememgdi.exe
1696 | Hkjnenbp.exe
2000 | Hmijajbd.exe
624 | Hdbbnd32.exe
2316 | Hnkffi32.exe
2920 | Hpicbe32.exe
1996 | Hkogpn32.exe
1072 | Hlpchfdi.exe
2504 | Hdgkicek.exe
2368 | Hgfheodo.exe
1608 | Hnppaill.exe
2720 | Hpnlndkp.exe
2128 | Hekefkig.exe
2832 | Ipqicdim.exe
2648 | Icoepohq.exe
1120 | Iemalkgd.exe
1044 | Ikjjda32.exe
2160 | Ihnjmf32.exe
2464 | Iklfia32.exe
2484 | Idekbgji.exe
2116 | Igcgnbim.exe
684 | Iqllghon.exe
2436 | Ihbdhepp.exe
2364 | Jdidmf32.exe
2204 | Jkcmjpma.exe
2176 | Jqpebg32.exe
1432 | Jdlacfca.exe
2348 | Jgjmoace.exe
1440 | Jjijkmbi.exe
780 | Joebccpp.exe
1988 | Jgmjdaqb.exe
464 | Jfojpn32.exe
2804 | Jinfli32.exe
2704 | Jcckibfg.exe
2860 | Jbfkeo32.exe
2732 | Jipcbidn.exe
2096 | Jmlobg32.exe
1944 | Jcfgoadd.exe
1360 | Jbhhkn32.exe
2080 | Jibpghbk.exe
2692 | Kkalcdao.exe
472 | Kolhdbjh.exe
3036 | Kffqqm32.exe
2216 | Kghmhegc.exe
632 | Kkciic32.exe
1452 | Kbmafngi.exe
2916 | Kapaaj32.exe
2064 | Kelmbifm.exe
Loads dropped DLL (64 IoCs)
pid | Process
1940 | 1e766f4fe180d63dfeaeb091475b2ab09faae8b1abc9b40e894699874490e006.exe
1940 | 1e766f4fe180d63dfeaeb091475b2ab09faae8b1abc9b40e894699874490e006.exe
2452 | Fllaopcg.exe
2452 | Fllaopcg.exe
2700 | Fnjnkkbk.exe
2700 | Fnjnkkbk.exe
3020 | Fefcmehe.exe
3020 | Fefcmehe.exe
2784 | Fnogfk32.exe
2784 | Fnogfk32.exe
2960 | Fdlpnamm.exe
2960 | Fdlpnamm.exe
2716 | Fappgflg.exe
2716 | Fappgflg.exe
2552 | Fjhdpk32.exe
2552 | Fjhdpk32.exe
316 | Fdqiiaih.exe
316 | Fdqiiaih.exe
1976 | Gminbfoh.exe
1976 | Gminbfoh.exe
2516 | Gedbfimc.exe
2516 | Gedbfimc.exe
2428 | Gpjfcali.exe
2428 | Gpjfcali.exe
2468 | Gibkmgcj.exe
2468 | Gibkmgcj.exe
264 | Goocenaa.exe
264 | Goocenaa.exe
2964 | Gampaipe.exe
2964 | Gampaipe.exe
2192 | Goapjnoo.exe
2192 | Goapjnoo.exe
2404 | Ghidcceo.exe
2404 | Ghidcceo.exe
2448 | Hememgdi.exe
2448 | Hememgdi.exe
1696 | Hkjnenbp.exe
1696 | Hkjnenbp.exe
2000 | Hmijajbd.exe
2000 | Hmijajbd.exe
624 | Hdbbnd32.exe
624 | Hdbbnd32.exe
2316 | Hnkffi32.exe
2316 | Hnkffi32.exe
2920 | Hpicbe32.exe
2920 | Hpicbe32.exe
1996 | Hkogpn32.exe
1996 | Hkogpn32.exe
1072 | Hlpchfdi.exe
1072 | Hlpchfdi.exe
2504 | Hdgkicek.exe
2504 | Hdgkicek.exe
2368 | Hgfheodo.exe
2368 | Hgfheodo.exe
1608 | Hnppaill.exe
1608 | Hnppaill.exe
2720 | Hpnlndkp.exe
2720 | Hpnlndkp.exe
2128 | Hekefkig.exe
2128 | Hekefkig.exe
2832 | Ipqicdim.exe
2832 | Ipqicdim.exe
2648 | Icoepohq.exe
2648 | Icoepohq.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Fdlpnamm.exe | Fnogfk32.exe
File created | C:\Windows\SysWOW64\Hnfncjmm.dll | Lfkfkopk.exe
File created | C:\Windows\SysWOW64\Lofkoamf.exe | Llhocfnb.exe
File created | C:\Windows\SysWOW64\Bmlbaqfh.exe | Biqfpb32.exe
File opened for modification | C:\Windows\SysWOW64\Biccfalm.exe | Beggec32.exe
File created | C:\Windows\SysWOW64\Hnppaill.exe | Hgfheodo.exe
File opened for modification | C:\Windows\SysWOW64\Kpjhnfof.exe | Kmklak32.exe
File created | C:\Windows\SysWOW64\Mdfolo32.dll | Ljplkonl.exe
File created | C:\Windows\SysWOW64\Ohjkcile.exe | Opccallb.exe
File created | C:\Windows\SysWOW64\Nckopjfk.dll | Pbgefa32.exe
File created | C:\Windows\SysWOW64\Clclhmin.exe | Chhpgn32.exe
File created | C:\Windows\SysWOW64\Oemmkpog.dll | Goocenaa.exe
File created | C:\Windows\SysWOW64\Goapjnoo.exe | Gampaipe.exe
File opened for modification | C:\Windows\SysWOW64\Iqllghon.exe | Igcgnbim.exe
File created | C:\Windows\SysWOW64\Hennhl32.dll | Ngoleb32.exe
File created | C:\Windows\SysWOW64\Oqlfhjch.exe | Ojbnkp32.exe
File created | C:\Windows\SysWOW64\Lfehem32.dll | Cdamao32.exe
File opened for modification | C:\Windows\SysWOW64\Idekbgji.exe | Iklfia32.exe
File created | C:\Windows\SysWOW64\Odjgna32.dll | Jibpghbk.exe
File opened for modification | C:\Windows\SysWOW64\Ckmbdh32.exe | Ceqjla32.exe
File created | C:\Windows\SysWOW64\Imlkdf32.dll | Lffmpp32.exe
File created | C:\Windows\SysWOW64\Odcimipf.exe | Oqgmmk32.exe
File created | C:\Windows\SysWOW64\Aegibbeb.dll | Ofdeeb32.exe
File created | C:\Windows\SysWOW64\Ahfgbkpl.exe | Aegkfpah.exe
File created | C:\Windows\SysWOW64\Gbmdoe32.dll | Lepclldc.exe
File opened for modification | C:\Windows\SysWOW64\Qghgigkn.exe | Qanolm32.exe
File created | C:\Windows\SysWOW64\Ahhchk32.exe | Aejglo32.exe
File created | C:\Windows\SysWOW64\Jqlidcln.dll | Codeih32.exe
File opened for modification | C:\Windows\SysWOW64\Lofkoamf.exe | Llhocfnb.exe
File created | C:\Windows\SysWOW64\Monmegdp.dll | Mkohjbah.exe
File created | C:\Windows\SysWOW64\Ngjoif32.exe | Ndlbmk32.exe
File created | C:\Windows\SysWOW64\Hoelacdp.dll | Onipqp32.exe
File created | C:\Windows\SysWOW64\Pmcgmkil.exe | Pigklmqc.exe
File created | C:\Windows\SysWOW64\Facqnfnm.dll | Pbpoebgc.exe
File created | C:\Windows\SysWOW64\Pildgl32.exe | Pfnhkq32.exe
File created | C:\Windows\SysWOW64\Gampaipe.exe | Goocenaa.exe
File created | C:\Windows\SysWOW64\Mmdkfmjc.exe | Mkfojakp.exe
File created | C:\Windows\SysWOW64\Ohodgb32.dll | Ckmbdh32.exe
File created | C:\Windows\SysWOW64\Lmmlbi32.dll | Jdidmf32.exe
File opened for modification | C:\Windows\SysWOW64\Ncdpdcfh.exe | Nljhhi32.exe
File opened for modification | C:\Windows\SysWOW64\Pmqffonj.exe | Pjbjjc32.exe
File opened for modification | C:\Windows\SysWOW64\Blaobmkq.exe | Biccfalm.exe
File opened for modification | C:\Windows\SysWOW64\Clclhmin.exe | Chhpgn32.exe
File opened for modification | C:\Windows\SysWOW64\Ochenfdn.exe | Oomjng32.exe
File created | C:\Windows\SysWOW64\Mlaecdec.dll | Pildgl32.exe
File opened for modification | C:\Windows\SysWOW64\Biqfpb32.exe | Bbfnchfb.exe
File created | C:\Windows\SysWOW64\Kbfefenn.dll | Gpjfcali.exe
File opened for modification | C:\Windows\SysWOW64\Kepgmh32.exe | Knfopnkk.exe
File created | C:\Windows\SysWOW64\Jmnpoagb.dll | Mohhea32.exe
File opened for modification | C:\Windows\SysWOW64\Nljhhi32.exe | Nepokogo.exe
File created | C:\Windows\SysWOW64\Ndlbmk32.exe | Nanfqo32.exe
File created | C:\Windows\SysWOW64\Mokegi32.dll | Capdpcge.exe
File opened for modification | C:\Windows\SysWOW64\Clhecl32.exe | Cdamao32.exe
File created | C:\Windows\SysWOW64\Kglfcd32.exe | Kbpnkm32.exe
File created | C:\Windows\SysWOW64\Hmmobd32.dll | Llhocfnb.exe
File created | C:\Windows\SysWOW64\Fmncgk32.dll | Gminbfoh.exe
File created | C:\Windows\SysWOW64\Kpijio32.dll | Bmlbaqfh.exe
File opened for modification | C:\Windows\SysWOW64\Iemalkgd.exe | Icoepohq.exe
File opened for modification | C:\Windows\SysWOW64\Lmnhgjmp.exe | Ljplkonl.exe
File created | C:\Windows\SysWOW64\Ikeaokpb.dll | Mdepmh32.exe
File created | C:\Windows\SysWOW64\Ibkhgp32.dll | Manjaldo.exe
File created | C:\Windows\SysWOW64\Cdamao32.exe | Cabaec32.exe
File opened for modification | C:\Windows\SysWOW64\Goapjnoo.exe | Gampaipe.exe
File opened for modification | C:\Windows\SysWOW64\Ihbdhepp.exe | Iqllghon.exe
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nakikpin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhebhipj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ceickb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jcfgoadd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qnpcpa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gampaipe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iemalkgd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jinfli32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Opccallb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obnbpb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ofiopaap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qgfkchmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bjfpdf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ikjjda32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbpnkm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lljkif32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Clclhmin.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Naimepkp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nanfqo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bopknhjd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fefcmehe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbhhkn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Malmllfb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Codeih32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkjnenbp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lfkfkopk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nljhhi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oabplobe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aljmbknm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Caenkc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hememgdi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jbfkeo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jmlobg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbmafngi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Knfopnkk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bmelpa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Joebccpp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lpoaheja.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Llhocfnb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nkfkidmk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Noagjc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hpicbe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jcckibfg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncfmjc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmqffonj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bdfjnkne.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cobhdhha.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mllhne32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mghfdcdi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Onipqp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ihnjmf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Igcgnbim.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mcofid32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Okhgod32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ooofcg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbblkaea.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnkffi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kffqqm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohjkcile.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oqepgk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pildgl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjpmdd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ahhchk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fnjnkkbk.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enjoliob.dll" | Fnjnkkbk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Jcckibfg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aebakp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bfpmog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cdamao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 1e766f4fe180d63dfeaeb091475b2ab09faae8b1abc9b40e894699874490e006.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mghfdcdi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Odcimipf.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pfnhkq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnoipg32.dll" | Qanolm32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hekefkig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkgmej32.dll" | Lmnhgjmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhnmei32.dll" | Nphpng32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjibmbqj.dll" | Pijgbl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hnppaill.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgkgm32.dll" | Noagjc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcigjjli.dll" | Alofnj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 1e766f4fe180d63dfeaeb091475b2ab09faae8b1abc9b40e894699874490e006.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Hpnlndkp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjlpei32.dll" | Hekefkig.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Mebpakbq.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ohjkcile.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gllnei32.dll" | Oqlfhjch.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbmamh32.dll" | Bdfjnkne.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncaean32.dll" | Fjhdpk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Hkjnenbp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Joildhiq.dll" | Ipqicdim.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqnocncd.dll" | Kglfcd32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Llcehg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhonm32.dll" | Okhgod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ooofcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pgcnnh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mmdkfmjc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nljhhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdkki32.dll" | Ajipkb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ankedf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Codeih32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jqpebg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jalolq32.dll" | Jgmjdaqb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lmnhgjmp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ogmkne32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bpjnmlel.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Clclhmin.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Goapjnoo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poajppaa.dll" | Jgjmoace.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfldmeci.dll" | Jcckibfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnoopd32.dll" | Kkalcdao.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfncjmm.dll" | Lfkfkopk.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nepokogo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pokkfdac.dll" | Nhebhipj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Odqlhjbi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jcfgoadd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kffqqm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmlepi32.dll" | Knfopnkk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmjec32.dll" | Knikfnih.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Opccallb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aljmbknm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Afbnec32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ihbdhepp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pcmoie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbejp32.dll" | Ahfgbkpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bjiljf32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bfpmog32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Ciglaa32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1940 wrote to memory of 2452 1940 1e766f4fe180d63dfeaeb091475b2ab09faae8b1abc9b40e894699874490e006.exe 30
PID 1940 wrote to memory of 2452 1940 1e766f4fe180d63dfeaeb091475b2ab09faae8b1abc9b40e894699874490e006.exe 30
PID 1940 wrote to memory of 2452 1940 1e766f4fe180d63dfeaeb091475b2ab09faae8b1abc9b40e894699874490e006.exe 30
PID 1940 wrote to memory of 2452 1940 1e766f4fe180d63dfeaeb091475b2ab09faae8b1abc9b40e894699874490e006.exe 30
PID 2452 wrote to memory of 2700 2452 Fllaopcg.exe 31
PID 2452 wrote to memory of 2700 2452 Fllaopcg.exe 31
PID 2452 wrote to memory of 2700 2452 Fllaopcg.exe 31
PID 2452 wrote to memory of 2700 2452 Fllaopcg.exe 31
PID 2700 wrote to memory of 3020 2700 Fnjnkkbk.exe 32
PID 2700 wrote to memory of 3020 2700 Fnjnkkbk.exe 32
PID 2700 wrote to memory of 3020 2700 Fnjnkkbk.exe 32
PID 2700 wrote to memory of 3020 2700 Fnjnkkbk.exe 32
PID 3020 wrote to memory of 2784 3020 Fefcmehe.exe 33
PID 3020 wrote to memory of 2784 3020 Fefcmehe.exe 33
PID 3020 wrote to memory of 2784 3020 Fefcmehe.exe 33
PID 3020 wrote to memory of 2784 3020 Fefcmehe.exe 33
PID 2784 wrote to memory of 2960 2784 Fnogfk32.exe 34
PID 2784 wrote to memory of 2960 2784 Fnogfk32.exe 34
PID 2784 wrote to memory of 2960 2784 Fnogfk32.exe 34
PID 2784 wrote to memory of 2960 2784 Fnogfk32.exe 34
PID 2960 wrote to memory of 2716 2960 Fdlpnamm.exe 35
PID 2960 wrote to memory of 2716 2960 Fdlpnamm.exe 35
PID 2960 wrote to memory of 2716 2960 Fdlpnamm.exe 35
PID 2960 wrote to memory of 2716 2960 Fdlpnamm.exe 35
PID 2716 wrote to memory of 2552 2716 Fappgflg.exe 36
PID 2716 wrote to memory of 2552 2716 Fappgflg.exe 36
PID 2716 wrote to memory of 2552 2716 Fappgflg.exe 36
PID 2716 wrote to memory of 2552 2716 Fappgflg.exe 36
PID 2552 wrote to memory of 316 2552 Fjhdpk32.exe 37
PID 2552 wrote to memory of 316 2552 Fjhdpk32.exe 37
PID 2552 wrote to memory of 316 2552 Fjhdpk32.exe 37
PID 2552 wrote to memory of 316 2552 Fjhdpk32.exe 37
PID 316 wrote to memory of 1976 316 Fdqiiaih.exe 38
PID 316 wrote to memory of 1976 316 Fdqiiaih.exe 38
PID 316 wrote to memory of 1976 316 Fdqiiaih.exe 38
PID 316 wrote to memory of 1976 316 Fdqiiaih.exe 38
PID 1976 wrote to memory of 2516 1976 Gminbfoh.exe 39
PID 1976 wrote to memory of 2516 1976 Gminbfoh.exe 39
PID 1976 wrote to memory of 2516 1976 Gminbfoh.exe 39
PID 1976 wrote to memory of 2516 1976 Gminbfoh.exe 39
PID 2516 wrote to memory of 2428 2516 Gedbfimc.exe 40
PID 2516 wrote to memory of 2428 2516 Gedbfimc.exe 40
PID 2516 wrote to memory of 2428 2516 Gedbfimc.exe 40
PID 2516 wrote to memory of 2428 2516 Gedbfimc.exe 40
PID 2428 wrote to memory of 2468 2428 Gpjfcali.exe 41
PID 2428 wrote to memory of 2468 2428 Gpjfcali.exe 41
PID 2428 wrote to memory of 2468 2428 Gpjfcali.exe 41
PID 2428 wrote to memory of 2468 2428 Gpjfcali.exe 41
PID 2468 wrote to memory of 264 2468 Gibkmgcj.exe 42
PID 2468 wrote to memory of 264 2468 Gibkmgcj.exe 42
PID 2468 wrote to memory of 264 2468 Gibkmgcj.exe 42
PID 2468 wrote to memory of 264 2468 Gibkmgcj.exe 42
PID 264 wrote to memory of 2964 264 Goocenaa.exe 43
PID 264 wrote to memory of 2964 264 Goocenaa.exe 43
PID 264 wrote to memory of 2964 264 Goocenaa.exe 43
PID 264 wrote to memory of 2964 264 Goocenaa.exe 43
PID 2964 wrote to memory of 2192 2964 Gampaipe.exe 44
PID 2964 wrote to memory of 2192 2964 Gampaipe.exe 44
PID 2964 wrote to memory of 2192 2964 Gampaipe.exe 44
PID 2964 wrote to memory of 2192 2964 Gampaipe.exe 44
PID 2192 wrote to memory of 2404 2192 Goapjnoo.exe 45
PID 2192 wrote to memory of 2404 2192 Goapjnoo.exe 45
PID 2192 wrote to memory of 2404 2192 Goapjnoo.exe 45
PID 2192 wrote to memory of 2404 2192 Goapjnoo.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1e766f4fe180d63dfeaeb091475b2ab09faae8b1abc9b40e894699874490e006.exe"C:\Users\Admin\AppData\Local\Temp\1e766f4fe180d63dfeaeb091475b2ab09faae8b1abc9b40e894699874490e006.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Fllaopcg.exeC:\Windows\system32\Fllaopcg.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Fnjnkkbk.exeC:\Windows\system32\Fnjnkkbk.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Fefcmehe.exeC:\Windows\system32\Fefcmehe.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Fnogfk32.exeC:\Windows\system32\Fnogfk32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Fdlpnamm.exeC:\Windows\system32\Fdlpnamm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Fappgflg.exeC:\Windows\system32\Fappgflg.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Fjhdpk32.exeC:\Windows\system32\Fjhdpk32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Fdqiiaih.exeC:\Windows\system32\Fdqiiaih.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Gminbfoh.exeC:\Windows\system32\Gminbfoh.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Gedbfimc.exeC:\Windows\system32\Gedbfimc.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Gpjfcali.exeC:\Windows\system32\Gpjfcali.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Gibkmgcj.exeC:\Windows\system32\Gibkmgcj.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Goocenaa.exeC:\Windows\system32\Goocenaa.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Gampaipe.exeC:\Windows\system32\Gampaipe.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Goapjnoo.exeC:\Windows\system32\Goapjnoo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Ghidcceo.exeC:\Windows\system32\Ghidcceo.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Hememgdi.exeC:\Windows\system32\Hememgdi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2448 -
C:\Windows\SysWOW64\Hkjnenbp.exeC:\Windows\system32\Hkjnenbp.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Hmijajbd.exeC:\Windows\system32\Hmijajbd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Hdbbnd32.exeC:\Windows\system32\Hdbbnd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:624 -
C:\Windows\SysWOW64\Hnkffi32.exeC:\Windows\system32\Hnkffi32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Hpicbe32.exeC:\Windows\system32\Hpicbe32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Hkogpn32.exeC:\Windows\system32\Hkogpn32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Hlpchfdi.exeC:\Windows\system32\Hlpchfdi.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1072 -
C:\Windows\SysWOW64\Hdgkicek.exeC:\Windows\system32\Hdgkicek.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2504 -
C:\Windows\SysWOW64\Hgfheodo.exeC:\Windows\system32\Hgfheodo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Hnppaill.exeC:\Windows\system32\Hnppaill.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Hpnlndkp.exeC:\Windows\system32\Hpnlndkp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Hekefkig.exeC:\Windows\system32\Hekefkig.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Ipqicdim.exeC:\Windows\system32\Ipqicdim.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Icoepohq.exeC:\Windows\system32\Icoepohq.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Iemalkgd.exeC:\Windows\system32\Iemalkgd.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1120 -
C:\Windows\SysWOW64\Ikjjda32.exeC:\Windows\system32\Ikjjda32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1044 -
C:\Windows\SysWOW64\Ihnjmf32.exeC:\Windows\system32\Ihnjmf32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2160 -
C:\Windows\SysWOW64\Iklfia32.exeC:\Windows\system32\Iklfia32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Idekbgji.exeC:\Windows\system32\Idekbgji.exe37⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Igcgnbim.exeC:\Windows\system32\Igcgnbim.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Iqllghon.exeC:\Windows\system32\Iqllghon.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Ihbdhepp.exeC:\Windows\system32\Ihbdhepp.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Jdidmf32.exeC:\Windows\system32\Jdidmf32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2364 -
C:\Windows\SysWOW64\Jkcmjpma.exeC:\Windows\system32\Jkcmjpma.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Jqpebg32.exeC:\Windows\system32\Jqpebg32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2176 -
C:\Windows\SysWOW64\Jdlacfca.exeC:\Windows\system32\Jdlacfca.exe44⤵
- Executes dropped EXE
PID:1432 -
C:\Windows\SysWOW64\Jgjmoace.exeC:\Windows\system32\Jgjmoace.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2348 -
C:\Windows\SysWOW64\Jjijkmbi.exeC:\Windows\system32\Jjijkmbi.exe46⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Joebccpp.exeC:\Windows\system32\Joebccpp.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:780 -
C:\Windows\SysWOW64\Jgmjdaqb.exeC:\Windows\system32\Jgmjdaqb.exe48⤵
- Executes dropped EXE
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Jfojpn32.exeC:\Windows\system32\Jfojpn32.exe49⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Jinfli32.exeC:\Windows\system32\Jinfli32.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2804 -
C:\Windows\SysWOW64\Jcckibfg.exeC:\Windows\system32\Jcckibfg.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Jbfkeo32.exeC:\Windows\system32\Jbfkeo32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Jipcbidn.exeC:\Windows\system32\Jipcbidn.exe53⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Jmlobg32.exeC:\Windows\system32\Jmlobg32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Jcfgoadd.exeC:\Windows\system32\Jcfgoadd.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1944 -
C:\Windows\SysWOW64\Jbhhkn32.exeC:\Windows\system32\Jbhhkn32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1360 -
C:\Windows\SysWOW64\Jibpghbk.exeC:\Windows\system32\Jibpghbk.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2080 -
C:\Windows\SysWOW64\Kkalcdao.exeC:\Windows\system32\Kkalcdao.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Kolhdbjh.exeC:\Windows\system32\Kolhdbjh.exe59⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Kffqqm32.exeC:\Windows\system32\Kffqqm32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3036 -
C:\Windows\SysWOW64\Kghmhegc.exeC:\Windows\system32\Kghmhegc.exe61⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Kkciic32.exeC:\Windows\system32\Kkciic32.exe62⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Kbmafngi.exeC:\Windows\system32\Kbmafngi.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1452 -
C:\Windows\SysWOW64\Kapaaj32.exeC:\Windows\system32\Kapaaj32.exe64⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Kelmbifm.exeC:\Windows\system32\Kelmbifm.exe65⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Kgjjndeq.exeC:\Windows\system32\Kgjjndeq.exe66⤵PID:2944
-
C:\Windows\SysWOW64\Kjhfjpdd.exeC:\Windows\system32\Kjhfjpdd.exe67⤵PID:2952
-
C:\Windows\SysWOW64\Kbpnkm32.exeC:\Windows\system32\Kbpnkm32.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:824 -
C:\Windows\SysWOW64\Kglfcd32.exeC:\Windows\system32\Kglfcd32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Klhbdclg.exeC:\Windows\system32\Klhbdclg.exe70⤵PID:2840
-
C:\Windows\SysWOW64\Knfopnkk.exeC:\Windows\system32\Knfopnkk.exe71⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Kepgmh32.exeC:\Windows\system32\Kepgmh32.exe72⤵PID:2612
-
C:\Windows\SysWOW64\Knikfnih.exeC:\Windows\system32\Knikfnih.exe73⤵
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Kmklak32.exeC:\Windows\system32\Kmklak32.exe74⤵
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Kpjhnfof.exeC:\Windows\system32\Kpjhnfof.exe75⤵PID:2292
-
C:\Windows\SysWOW64\Lhapocoi.exeC:\Windows\system32\Lhapocoi.exe76⤵PID:1860
-
C:\Windows\SysWOW64\Ljplkonl.exeC:\Windows\system32\Ljplkonl.exe77⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Lmnhgjmp.exeC:\Windows\system32\Lmnhgjmp.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Lbkaoalg.exeC:\Windows\system32\Lbkaoalg.exe79⤵PID:952
-
C:\Windows\SysWOW64\Lffmpp32.exeC:\Windows\system32\Lffmpp32.exe80⤵
- Drops file in System32 directory
PID:948 -
C:\Windows\SysWOW64\Ljbipolj.exeC:\Windows\system32\Ljbipolj.exe81⤵PID:2812
-
C:\Windows\SysWOW64\Llcehg32.exeC:\Windows\system32\Llcehg32.exe82⤵
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Lpoaheja.exeC:\Windows\system32\Lpoaheja.exe83⤵
- System Location Discovery: System Language Discovery
PID:868 -
C:\Windows\SysWOW64\Lbmnea32.exeC:\Windows\system32\Lbmnea32.exe84⤵PID:2884
-
C:\Windows\SysWOW64\Ligfakaa.exeC:\Windows\system32\Ligfakaa.exe85⤵PID:1428
-
C:\Windows\SysWOW64\Llebnfpe.exeC:\Windows\system32\Llebnfpe.exe86⤵PID:2748
-
C:\Windows\SysWOW64\Lpanne32.exeC:\Windows\system32\Lpanne32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2628 -
C:\Windows\SysWOW64\Lodnjboi.exeC:\Windows\system32\Lodnjboi.exe88⤵PID:452
-
C:\Windows\SysWOW64\Lfkfkopk.exeC:\Windows\system32\Lfkfkopk.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Lhlbbg32.exeC:\Windows\system32\Lhlbbg32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1728 -
C:\Windows\SysWOW64\Llhocfnb.exeC:\Windows\system32\Llhocfnb.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1632 -
C:\Windows\SysWOW64\Lofkoamf.exeC:\Windows\system32\Lofkoamf.exe92⤵PID:1912
-
C:\Windows\SysWOW64\Lbagpp32.exeC:\Windows\system32\Lbagpp32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2396 -
C:\Windows\SysWOW64\Lepclldc.exeC:\Windows\system32\Lepclldc.exe94⤵
- Drops file in System32 directory
PID:1460 -
C:\Windows\SysWOW64\Lljkif32.exeC:\Windows\system32\Lljkif32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\Mohhea32.exeC:\Windows\system32\Mohhea32.exe96⤵
- Drops file in System32 directory
PID:2904 -
C:\Windows\SysWOW64\Mebpakbq.exeC:\Windows\system32\Mebpakbq.exe97⤵
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Mdepmh32.exeC:\Windows\system32\Mdepmh32.exe98⤵
- Drops file in System32 directory
PID:1604 -
C:\Windows\SysWOW64\Mllhne32.exeC:\Windows\system32\Mllhne32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Mkohjbah.exeC:\Windows\system32\Mkohjbah.exe100⤵
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Mmndfnpl.exeC:\Windows\system32\Mmndfnpl.exe101⤵PID:2620
-
C:\Windows\SysWOW64\Mdgmbhgh.exeC:\Windows\system32\Mdgmbhgh.exe102⤵PID:2988
-
C:\Windows\SysWOW64\Momapqgn.exeC:\Windows\system32\Momapqgn.exe103⤵PID:2492
-
C:\Windows\SysWOW64\Malmllfb.exeC:\Windows\system32\Malmllfb.exe104⤵
- System Location Discovery: System Language Discovery
PID:1916 -
C:\Windows\SysWOW64\Mdjihgef.exeC:\Windows\system32\Mdjihgef.exe105⤵PID:1892
-
C:\Windows\SysWOW64\Mghfdcdi.exeC:\Windows\system32\Mghfdcdi.exe106⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1016 -
C:\Windows\SysWOW64\Mmbnam32.exeC:\Windows\system32\Mmbnam32.exe107⤵PID:1884
-
C:\Windows\SysWOW64\Manjaldo.exeC:\Windows\system32\Manjaldo.exe108⤵
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Mdlfngcc.exeC:\Windows\system32\Mdlfngcc.exe109⤵PID:1640
-
C:\Windows\SysWOW64\Mcofid32.exeC:\Windows\system32\Mcofid32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2740 -
C:\Windows\SysWOW64\Mkfojakp.exeC:\Windows\system32\Mkfojakp.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2068 -
C:\Windows\SysWOW64\Mmdkfmjc.exeC:\Windows\system32\Mmdkfmjc.exe112⤵
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Mlgkbi32.exeC:\Windows\system32\Mlgkbi32.exe113⤵PID:1840
-
C:\Windows\SysWOW64\Mcacochk.exeC:\Windows\system32\Mcacochk.exe114⤵PID:1952
-
C:\Windows\SysWOW64\Nepokogo.exeC:\Windows\system32\Nepokogo.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:544 -
C:\Windows\SysWOW64\Nljhhi32.exeC:\Windows\system32\Nljhhi32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Ncdpdcfh.exeC:\Windows\system32\Ncdpdcfh.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:892 -
C:\Windows\SysWOW64\Ngoleb32.exeC:\Windows\system32\Ngoleb32.exe118⤵
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Nphpng32.exeC:\Windows\system32\Nphpng32.exe119⤵
- Modifies registry class
PID:1896 -
C:\Windows\SysWOW64\Ncfmjc32.exeC:\Windows\system32\Ncfmjc32.exe120⤵
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Naimepkp.exeC:\Windows\system32\Naimepkp.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Nhcebj32.exeC:\Windows\system32\Nhcebj32.exe122⤵PID:2108