Analysis
max time kernel: 133s
max time network: 18s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 19/09/2024, 03:41

Static task: static1
Behavioral task: behavioral1
  Sample: fae012adbabfac75b1c322b30f3644ed041712f068078ce58b70a1058f05ec6c.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: fae012adbabfac75b1c322b30f3644ed041712f068078ce58b70a1058f05ec6c.exe
  Resource: win10v2004-20240802-en
General
Target: fae012adbabfac75b1c322b30f3644ed041712f068078ce58b70a1058f05ec6c.exe
Size: 315KB
MD5: b3495c41d3e75ee6fe97425bbc1f6808
SHA1: 829b510550caa0045da387d6689a19a8a2ddcffb
SHA256: fae012adbabfac75b1c322b30f3644ed041712f068078ce58b70a1058f05ec6c
SHA512: 1ace2a5b3234fd523cea362a7e9b8e4ec0c578f32ff11078058c6fe491fd0755f1cbaebb5fd6f2bc2b6d3df567776e6a19202a3ee39b276a6cabea1a0ffe6ba4
SSDEEP: 3072:x65wGfbS+Etq749+f4auvZ7LC4ZR4mqmnKBstqBiPXPAPePdfVQ:xdGbEtqI+stesMmG
Malware Config
Extracted
Family: berbew
C2 URLs (31 entries, 26 distinct hosts; several hosts appear once with index.php and once with index.htm):
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
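The extracted config is only useful if it is turned into a hunt. The following is an added example (not part of the sandbox output and not the malware's code) that builds a host set from the 31 URLs above and runs it over proxy log lines. Two details matter: match on the hostname, not the full URL, because the same host is contacted with both index.php and index.htm; and match a listed host or its subdomains only, never the parent of a listed subdomain, because devx.nm.ru, ldark.nm.ru, lovingod.host.sk, potleaf.chat.ru and xware.cjb.net live on shared free-hosting domains whose parents would produce noise. The log lines are constructed in Squid native access.log format and are not from the analysis.

```python
"""Hunt proxy logs for the Berbew C2 hosts from the extracted config.

Added example for this report (not sandbox output). The sample log lines
are constructed (Squid native access.log format) and are not from the report.
"""
from urllib.parse import urlsplit

# The 31 C2 URLs from the extracted config above, copied verbatim.
C2_URLS = [
    "http://crutop.nu/index.php", "http://crutop.ru/index.php",
    "http://mazafaka.ru/index.php", "http://color-bank.ru/index.php",
    "http://asechka.ru/index.php", "http://trojan.ru/index.php",
    "http://fuck.ru/index.php", "http://goldensand.ru/index.php",
    "http://filesearch.ru/index.php", "http://devx.nm.ru/index.php",
    "http://ros-neftbank.ru/index.php", "http://lovingod.host.sk/index.php",
    "http://www.redline.ru/index.php", "http://cvv.ru/index.php",
    "http://hackers.lv/index.php", "http://fethard.biz/index.php",
    "http://ldark.nm.ru/index.htm", "http://gaz-prom.ru/index.htm",
    "http://promo.ru/index.htm", "http://potleaf.chat.ru/index.htm",
    "http://kadet.ru/index.htm", "http://cvv.ru/index.htm",
    "http://crutop.nu/index.htm", "http://crutop.ru/index.htm",
    "http://mazafaka.ru/index.htm", "http://xware.cjb.net/index.htm",
    "http://konfiskat.org/index.htm", "http://parex-bank.ru/index.htm",
    "http://kidos-bank.ru/index.htm", "http://kavkaz.ru/index.htm",
    "http://fethard.biz/index.htm",
]


def normalize_host(host):
    """Lower-case, drop a trailing dot and a leading 'www.' so that
    redline.ru and www.redline.ru compare equal."""
    host = host.lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def c2_hosts(urls=C2_URLS):
    """Distinct normalized hostnames from the URL list; paths are ignored
    because the same host serves both index.php and index.htm."""
    hosts = set()
    for url in urls:
        host = urlsplit(url).hostname
        if host:
            hosts.add(normalize_host(host))
    return hosts


def is_c2_host(host, hosts):
    """Exact match or a subdomain of a listed host. Deliberately does NOT
    match the parent of a listed subdomain: devx.nm.ru is an IoC, the
    free-hosting parent nm.ru is not."""
    h = normalize_host(host)
    return h in hosts or any(h.endswith("." + c) for c in hosts)


def host_from_request(url):
    """Squid logs 'http://host/path' for GET and 'host:port' for CONNECT."""
    if "://" in url:
        return urlsplit(url).hostname
    return url.rsplit(":", 1)[0]


def find_hits(log_text, hosts):
    """Return (timestamp, client, matched_host) per matching line of a Squid
    native access.log: ts elapsed client code/status bytes method url ..."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 7:
            continue
        host = host_from_request(parts[6])
        if host and is_c2_host(host, hosts):
            hits.append((parts[0], parts[2], normalize_host(host)))
    return hits


# Constructed sample log (not from the report); 203.0.113.0/24 is documentation space.
SAMPLE_LOG = """\
1726717300.123    245 10.0.0.15 TCP_MISS/200 1834 GET http://crutop.nu/index.php - HIER_DIRECT/203.0.113.10 text/html
1726717301.456     12 10.0.0.15 TCP_MISS/200 512 GET http://www.redline.ru/index.php - HIER_DIRECT/203.0.113.11 text/html
1726717302.789    301 10.0.0.22 TCP_MISS/200 9821 GET http://example.com/ - HIER_DIRECT/203.0.113.9 text/html
1726717303.012     88 10.0.0.22 TCP_TUNNEL/200 4410 CONNECT fethard.biz:443 - HIER_DIRECT/203.0.113.12 -
1726717304.345     40 10.0.0.31 TCP_MISS/200 700 GET http://notcrutop.nu/index.php - HIER_DIRECT/203.0.113.13 text/html
"""

if __name__ == "__main__":
    for ts, client, host in find_hits(SAMPLE_LOG, c2_hosts()):
        print(f"{ts} {client} -> {host}")
```

On the sample above the first, second and fourth lines are reported (the CONNECT line is matched through its host:port form) and notcrutop.nu is not, since a suffix match without the leading dot would have flagged it. Treat any hit as a lead rather than a confirmed infection: these domains are long-standing IoCs for this family and some may since have been sinkholed, parked or re-registered, so confirm with the host-side registry and file artefacts listed under Signatures.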
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
All 64 events touch one key; it is abbreviated below as SSODL:
  SSODL = \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
  "Key created" rows create SSODL; "Set value (str)" rows write SSODL\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"
The value name "Web Event Logger" is a decoy; what Explorer.exe actually loads is the DLL registered under that CLSID's InProcServer32 key (see "Modifies registry class" below). Rows whose Process is "Process not Found" are events the sandbox could not attribute to a tracked process; the dropped executables in this chain are short-lived, so the writer had usually exited before the event was resolved.
description | Process
Key created | Process not Found
Set value (str) | Process not Found
Set value (str) | Process not Found
Key created | Process not Found
Set value (str) | Blodefdg.exe
Key created | Fhcjilcb.exe
Set value (str) | Mccaodgj.exe
Set value (str) | Jilmkffb.exe
Set value (str) | Process not Found
Key created | Dkekmp32.exe
Key created | Gcikfhed.exe
Key created | Qamjmh32.exe
Set value (str) | Nkfpefme.exe
Set value (str) | Process not Found
Set value (str) | Process not Found
Set value (str) | Ehjbaooe.exe
Key created | Process not Found
Set value (str) | Qgfmlp32.exe
Key created | Codgbqmc.exe
Set value (str) | Ampncd32.exe
Key created | Emnelbdi.exe
Set value (str) | Caccnllf.exe
Set value (str) | Process not Found
Set value (str) | Lhddjngm.exe
Set value (str) | Ilneef32.exe
Set value (str) | Oadnlc32.exe
Set value (str) | Process not Found
Set value (str) | Jinkkgeb.exe
Key created | Hiohob32.exe
Key created | Process not Found
Key created | Dcijmhdj.exe
Set value (str) | Pjdjbl32.exe
Key created | Mkcjlhdh.exe
Key created | Ainhln32.exe
Set value (str) | Process not Found
Key created | Mghjcq32.exe
Key created | Process not Found
Set value (str) | Pgbejj32.exe
Key created | Apdobg32.exe
Key created | Djhldahb.exe
Key created | Nbehjb32.exe
Set value (str) | Dmhcgd32.exe
Key created | Ilohnopg.exe
Set value (str) | Impdeg32.exe
Key created | Process not Found
Set value (str) | Hjieapck.exe
Key created | Iniidj32.exe
Set value (str) | Onipbl32.exe
Set value (str) | Gffmqq32.exe
Key created | Process not Found
Key created | Incfhh32.exe
Key created | Process not Found
Key created | Dmljnfll.exe
Key created | Ckijdm32.exe
Key created | Iiablido.exe
Set value (str) | Kqomai32.exe
Set value (str) | Process not Found
Set value (str) | Fhfgokap.exe
Set value (str) | Kjjnnbfj.exe
Set value (str) | Jomnpdjb.exe
Key created | Process not Found
Key created | Process not Found
Set value (str) | Process not Found
Set value (str) | Kommediq.exe
Executes dropped EXE 64 IoCs
The list is in execution order. Read together with "Drops file in System32 directory" below, it shows each dropped executable writing the next one (Pelnniga.exe writes Pngbcldl.exe, Bfblmofp.exe writes Blodefdg.exe, Ocfkaone.exe writes Onlooh32.exe), i.e. a chain of relaunches under fresh 8-character names in SysWOW64 rather than a single persistent process.
pid | Process
1936 | Idemkp32.exe
2908 | Ihcfan32.exe
2816 | Jkabmi32.exe
2852 | Jdjgfomh.exe
2840 | Jjgonf32.exe
1236 | Jcocgkbp.exe
1456 | Jcaqmkpn.exe
1652 | Jcdmbk32.exe
1436 | Jllakpdk.exe
3028 | Kbkgig32.exe
2736 | Kbncof32.exe
964 | Kkfhglen.exe
2168 | Kngaig32.exe
2388 | Kfbemi32.exe
1152 | Lojjfo32.exe
948 | Lqjfpbmm.exe
1824 | Lndqbk32.exe
2340 | Laeidfdn.exe
1992 | Mljnaocd.exe
1300 | Mecbjd32.exe
1592 | Mlmjgnaa.exe
2608 | Mhckloge.exe
2584 | Mmpcdfem.exe
1480 | Mfihml32.exe
2752 | Mpalfabn.exe
1664 | Miiaogio.exe
2676 | Nbbegl32.exe
2808 | Npffaq32.exe
1944 | Nphbfplf.exe
2404 | Nlocka32.exe
2596 | Nhfdqb32.exe
2656 | Okfmbm32.exe
2768 | Okijhmcm.exe
1684 | Ocdnloph.exe
2352 | Ocfkaone.exe
2620 | Onlooh32.exe
1204 | Oegdcj32.exe
968 | Olalpdbc.exe
1064 | Plcied32.exe
2204 | Pelnniga.exe
2524 | Pngbcldl.exe
2548 | Pgogla32.exe
2640 | Paekijkb.exe
2232 | Pgacaaij.exe
1452 | Pqjhjf32.exe
2156 | Qmahog32.exe
2572 | Qgfmlp32.exe
2672 | Akphfbbl.exe
2212 | Aehmoh32.exe
2032 | Anpahn32.exe
2684 | Bcmjpd32.exe
2716 | Bjgbmoda.exe
2872 | Bemfjgdg.exe
2272 | Bfncbp32.exe
1328 | Bacgohjk.exe
1084 | Bfppgohb.exe
1340 | Baecehhh.exe
928 | Bfblmofp.exe
2280 | Blodefdg.exe
2136 | Bfeibo32.exe
2720 | Cejfckie.exe
2312 | Cihojiok.exe
2748 | Codgbqmc.exe
2972 | Caccnllf.exe
Loads dropped DLL 64 IoCs
Every pid appears twice in the original list (two dropped-DLL loads per process); each is listed once here.
pid | Process
1620 | fae012adbabfac75b1c322b30f3644ed041712f068078ce58b70a1058f05ec6c.exe
1936 | Idemkp32.exe
2908 | Ihcfan32.exe
2816 | Jkabmi32.exe
2852 | Jdjgfomh.exe
2840 | Jjgonf32.exe
1236 | Jcocgkbp.exe
1456 | Jcaqmkpn.exe
1652 | Jcdmbk32.exe
1436 | Jllakpdk.exe
3028 | Kbkgig32.exe
2736 | Kbncof32.exe
964 | Kkfhglen.exe
2168 | Kngaig32.exe
2388 | Kfbemi32.exe
1152 | Lojjfo32.exe
948 | Lqjfpbmm.exe
1824 | Lndqbk32.exe
2340 | Laeidfdn.exe
1992 | Mljnaocd.exe
1300 | Mecbjd32.exe
1592 | Mlmjgnaa.exe
2608 | Mhckloge.exe
2584 | Mmpcdfem.exe
1480 | Mfihml32.exe
2752 | Mpalfabn.exe
1664 | Miiaogio.exe
2676 | Nbbegl32.exe
2808 | Npffaq32.exe
1944 | Nphbfplf.exe
2404 | Nlocka32.exe
2596 | Nhfdqb32.exe
Drops file in System32 directory 64 IoCs
Every dropped file is an 8-character name under C:\Windows\SysWOW64 (many with a "32" suffix that mimics legitimate system binaries), and every attributed writer is itself one of the dropped executables. The .dll drops are the payloads later registered as the CLSID's InProcServer32 (see "Modifies registry class").
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\Gdlplb32.exe | Gnahoh32.exe
File created | C:\Windows\SysWOW64\Imbakfcc.exe | Ifhinl32.exe
File opened for modification | C:\Windows\SysWOW64\Aekenl32.exe | Process not Found
File created | C:\Windows\SysWOW64\Dcjpjn32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Imokbhjf.exe | Iiablido.exe
File created | C:\Windows\SysWOW64\Clnmmlkm.exe | Cfaedeme.exe
File opened for modification | C:\Windows\SysWOW64\Cpcaeghc.exe | Cnbhcl32.exe
File created | C:\Windows\SysWOW64\Pobhfl32.exe | Pemdic32.exe
File created | C:\Windows\SysWOW64\Ddgnbl32.exe | Ddeammok.exe
File created | C:\Windows\SysWOW64\Kommediq.exe | Kaillp32.exe
File created | C:\Windows\SysWOW64\Jmdoefnl.dll | Cemebcnf.exe
File created | C:\Windows\SysWOW64\Goeoie32.dll | Ecodfogg.exe
File created | C:\Windows\SysWOW64\Acoegp32.exe | Process not Found
File created | C:\Windows\SysWOW64\Iacmakkb.exe | Ikiedq32.exe
File opened for modification | C:\Windows\SysWOW64\Iemoebmb.exe | Incfhh32.exe
File opened for modification | C:\Windows\SysWOW64\Mbicmfqe.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Jgnjof32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ogcddjpo.exe | Process not Found
File created | C:\Windows\SysWOW64\Meidib32.exe | Mkpppmko.exe
File opened for modification | C:\Windows\SysWOW64\Ndaaclac.exe | Neldbo32.exe
File opened for modification | C:\Windows\SysWOW64\Oigokj32.exe | Omqnfiip.exe
File opened for modification | C:\Windows\SysWOW64\Edgfpbcl.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Jjocoedg.exe | Iipgeb32.exe
File opened for modification | C:\Windows\SysWOW64\Odkkdqmd.exe | Onacgf32.exe
File created | C:\Windows\SysWOW64\Kbfajqai.dll | Lcgnmlkk.exe
File opened for modification | C:\Windows\SysWOW64\Dpnogmbl.exe | Dkafofde.exe
File opened for modification | C:\Windows\SysWOW64\Dkekmp32.exe | Dbnblb32.exe
File created | C:\Windows\SysWOW64\Kecpipck.exe | Jmhkdnfp.exe
File created | C:\Windows\SysWOW64\Flldei32.exe | Process not Found
File created | C:\Windows\SysWOW64\Gmoghklh.exe | Process not Found
File created | C:\Windows\SysWOW64\Hnocgnoc.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Agonig32.exe | Anfjpa32.exe
File created | C:\Windows\SysWOW64\Hdmdcc32.exe | Hehgbg32.exe
File opened for modification | C:\Windows\SysWOW64\Oohlaj32.exe | Ohncdp32.exe
File created | C:\Windows\SysWOW64\Cfocmhcq.exe | Process not Found
File created | C:\Windows\SysWOW64\Dkollo32.dll | Gfpkbbmo.exe
File opened for modification | C:\Windows\SysWOW64\Dhapfd32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Mlfgkleh.exe | Lhiodnob.exe
File opened for modification | C:\Windows\SysWOW64\Qddmbkoi.exe | Qhnlmjie.exe
File created | C:\Windows\SysWOW64\Mdbmkc32.exe | Mhklfbcj.exe
File opened for modification | C:\Windows\SysWOW64\Pngbcldl.exe | Pelnniga.exe
File opened for modification | C:\Windows\SysWOW64\Nnfbmgcj.exe | Nlgfqldf.exe
File created | C:\Windows\SysWOW64\Fmcbka32.dll | Fdcncg32.exe
File created | C:\Windows\SysWOW64\Pnngpaop.dll | Fcegdnna.exe
File created | C:\Windows\SysWOW64\Kafopn32.dll | Eoanij32.exe
File created | C:\Windows\SysWOW64\Ipmcno32.dll | Gglimm32.exe
File created | C:\Windows\SysWOW64\Bbilclhb.exe | Process not Found
File created | C:\Windows\SysWOW64\Llobhcnd.dll | Process not Found
File created | C:\Windows\SysWOW64\Jicigg32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Blodefdg.exe | Bfblmofp.exe
File opened for modification | C:\Windows\SysWOW64\Pjfdpckc.exe | Pegpamoo.exe
File created | C:\Windows\SysWOW64\Lmomfm32.exe | Process not Found
File created | C:\Windows\SysWOW64\Dhnafj32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Llfiemfj.exe | Process not Found
File created | C:\Windows\SysWOW64\Ojjalodg.dll | Phgfko32.exe
File opened for modification | C:\Windows\SysWOW64\Abmkjiqg.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Jfpcpmef.exe | Process not Found
File created | C:\Windows\SysWOW64\Ajcpgi32.exe | Qakkncmi.exe
File created | C:\Windows\SysWOW64\Lbaefjef.dll | Conpdm32.exe
File created | C:\Windows\SysWOW64\Kgibeklf.exe | Knqnmeff.exe
File created | C:\Windows\SysWOW64\Pnhhpaio.exe | Paagkq32.exe
File created | C:\Windows\SysWOW64\Koglbkdl.exe | Jbqkmj32.exe
File created | C:\Windows\SysWOW64\Logdoq32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Onlooh32.exe | Ocfkaone.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location.
All 64 events are "Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"; only the opening process differs. Processes in report order:
Mghjcq32.exe, Moqkgmol.exe, Process not Found, Difcpc32.exe, Ijeinphf.exe, Mkcjlhdh.exe, Eloimcca.exe, Ggppdpif.exe,
Jdplmflg.exe, Process not Found, Nnnbqeib.exe, Lpkkbcle.exe, Gdobqgpn.exe, Process not Found, Process not Found, Ifloeo32.exe,
Eeameodq.exe, Mmigdend.exe, Jddfbf32.exe, Cecnflpd.exe, Dlmcaijm.exe, Process not Found, Mecbjd32.exe, Ppjjcogn.exe,
Gafcahil.exe, Hnanceem.exe, Process not Found, Process not Found, Plcied32.exe, Lfingaaf.exe, Facjobce.exe, Process not Found,
Febjmj32.exe, Mpjqfpke.exe, Hanenoeh.exe, Lfpllg32.exe, Eggajb32.exe, Fpliec32.exe, Akfbjkdj.exe, Cmappn32.exe,
Hajkip32.exe, Khhpmbeb.exe, Nbddfe32.exe, Qamleagn.exe, Enlncdio.exe, Process not Found, Process not Found, Process not Found,
Klfndn32.exe, Apdobg32.exe, Fojnhlch.exe, Qkpnbdaf.exe, Process not Found, Oaiglnih.exe, Hmlmacfn.exe, Ckilmfke.exe,
Nffenj32.exe, Pobhfl32.exe, Bhiiepcl.exe, Cihqdoaa.exe, Lppkgi32.exe, Pmijgn32.exe, Meolcb32.exe, Jbpfpd32.exe
Modifies registry class 64 IoCs
All 64 events are under the InProcServer32 key of the CLSID that the SSODL entry above points to; it is abbreviated below as InProcServer32:
  InProcServer32 = \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32
  "ThreadingModel" rows write InProcServer32\ThreadingModel = "Apartment"
  "(Default) = X.dll" rows write InProcServer32\ = "C:\\Windows\\SysWow64\\X.dll"
This is the second half of the persistence mechanism: Explorer.exe resolves the SSODL CLSID through this InProcServer32 default value and loads the DLL it names. Each dropped executable re-points the default value to its own DLL, and since a registry value holds one string the last write wins, so on a live host the DLL currently named here, not any particular one from this list, is the one to pull.
description | ioc | Process
Set value (str) | ThreadingModel | Hcfceeff.exe
Set value (str) | ThreadingModel | Bhiglh32.exe
Set value (str) | (Default) = Nlgqod32.dll | Dcnchg32.exe
Key created | InProcServer32 | Aamekk32.exe
Key created | InProcServer32 | Process not Found
Set value (str) | (Default) = Pjaihpcj.dll | Jlddpkgh.exe
Key created | InProcServer32 | Nmbenc32.exe
Set value (str) | ThreadingModel | Higiih32.exe
Set value (str) | (Default) = Jjcfbigh.dll | Bbpffhnb.exe
Key created | InProcServer32 | Kbncof32.exe
Set value (str) | (Default) = Hgimkf32.dll | Oefmid32.exe
Set value (str) | ThreadingModel | Lkffohon.exe
Set value (str) | ThreadingModel | Mapjjdjb.exe
Set value (str) | ThreadingModel | Cnnohmog.exe
Set value (str) | (Default) = Cdiidfqe.dll | Epcomc32.exe
Set value (str) | (Default) = Qmancc32.dll | Holqbipe.exe
Key created | InProcServer32 | Process not Found
Set value (str) | ThreadingModel | Eajennij.exe
Key created | InProcServer32 | Kakdpb32.exe
Key created | InProcServer32 | Ldjmkq32.exe
Set value (str) | ThreadingModel | Process not Found
Set value (str) | (Default) = Mcjcpm32.dll | Napfihmn.exe
Key created | InProcServer32 | Amledj32.exe
Set value (str) | ThreadingModel | Jpkgggnh.exe
Key created | InProcServer32 | Khgglp32.exe
Set value (str) | (Default) = Mihdjh32.dll | Process not Found
Set value (str) | ThreadingModel | Bfblmofp.exe
Key created | InProcServer32 | Fgbnbcmd.exe
Set value (str) | (Default) = Hmmckh32.dll | Ijpjik32.exe
Set value (str) | (Default) = Emdikm32.dll | Process not Found
Key created | InProcServer32 | Iodlcnmf.exe
Set value (str) | (Default) = Ffbcooei.dll | Process not Found
Set value (str) | ThreadingModel | Process not Found
Set value (str) | ThreadingModel | Caccnllf.exe
Set value (str) | (Default) = Oedfefnk.dll | Egdjfo32.exe
Key created | InProcServer32 | Faljqcmk.exe
Set value (str) | ThreadingModel | Process not Found
Set value (str) | (Default) = Clllno32.dll | Icbldbgi.exe
Set value (str) | (Default) = Ghdjffln.dll | Cobkhe32.exe
Key created | InProcServer32 | Lpnlid32.exe
Set value (str) | (Default) = Gfcqoe32.dll | Jnogakma.exe
Set value (str) | (Default) = Jjdion32.dll | Pjkpckob.exe
Set value (str) | ThreadingModel | Ilneef32.exe
Key created | InProcServer32 | Process not Found
Key created | InProcServer32 | Ofcnmh32.exe
Set value (str) | ThreadingModel | Process not Found
Key created | InProcServer32 | Process not Found
Key created | InProcServer32 | Epcomc32.exe
Key created | InProcServer32 | Process not Found
Set value (str) | ThreadingModel | Mfchgflg.exe
Set value (str) | ThreadingModel | Gdgoll32.exe
Set value (str) | (Default) = Eepeng32.dll | Bebjdjal.exe
Set value (str) | ThreadingModel | Febjmj32.exe
Key created | InProcServer32 | Qajfmbna.exe
Set value (str) | (Default) = Faolhkaf.dll | Ojakdd32.exe
Key created | InProcServer32 | Hoegoqng.exe
Set value (str) | ThreadingModel | Aedghf32.exe
Set value (str) | ThreadingModel | Dbkffc32.exe
Set value (str) | ThreadingModel | Process not Found
Set value (str) | (Default) = Gchligab.dll | Kkiiom32.exe
Set value (str) | ThreadingModel | Process not Found
Key created | InProcServer32 | Process not Found
Set value (str) | (Default) = Cpacon32.dll | Anjjjn32.exe
Key created | InProcServer32 | Process not Found
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1620 wrote to memory of 1936 1620 fae012adbabfac75b1c322b30f3644ed041712f068078ce58b70a1058f05ec6c.exe 30 PID 1620 wrote to memory of 1936 1620 fae012adbabfac75b1c322b30f3644ed041712f068078ce58b70a1058f05ec6c.exe 30 PID 1620 wrote to memory of 1936 1620 fae012adbabfac75b1c322b30f3644ed041712f068078ce58b70a1058f05ec6c.exe 30 PID 1620 wrote to memory of 1936 1620 fae012adbabfac75b1c322b30f3644ed041712f068078ce58b70a1058f05ec6c.exe 30 PID 1936 wrote to memory of 2908 1936 Idemkp32.exe 31 PID 1936 wrote to memory of 2908 1936 Idemkp32.exe 31 PID 1936 wrote to memory of 2908 1936 Idemkp32.exe 31 PID 1936 wrote to memory of 2908 1936 Idemkp32.exe 31 PID 2908 wrote to memory of 2816 2908 Ihcfan32.exe 32 PID 2908 wrote to memory of 2816 2908 Ihcfan32.exe 32 PID 2908 wrote to memory of 2816 2908 Ihcfan32.exe 32 PID 2908 wrote to memory of 2816 2908 Ihcfan32.exe 32 PID 2816 wrote to memory of 2852 2816 Jkabmi32.exe 33 PID 2816 wrote to memory of 2852 2816 Jkabmi32.exe 33 PID 2816 wrote to memory of 2852 2816 Jkabmi32.exe 33 PID 2816 wrote to memory of 2852 2816 Jkabmi32.exe 33 PID 2852 wrote to memory of 2840 2852 Jdjgfomh.exe 34 PID 2852 wrote to memory of 2840 2852 Jdjgfomh.exe 34 PID 2852 wrote to memory of 2840 2852 Jdjgfomh.exe 34 PID 2852 wrote to memory of 2840 2852 Jdjgfomh.exe 34 PID 2840 wrote to memory of 1236 2840 Jjgonf32.exe 35 PID 2840 wrote to memory of 1236 2840 Jjgonf32.exe 35 PID 2840 wrote to memory of 1236 2840 Jjgonf32.exe 35 PID 2840 wrote to memory of 1236 2840 Jjgonf32.exe 35 PID 1236 wrote to memory of 1456 1236 Jcocgkbp.exe 36 PID 1236 wrote to memory of 1456 1236 Jcocgkbp.exe 36 PID 1236 wrote to memory of 1456 1236 Jcocgkbp.exe 36 PID 1236 wrote to memory of 1456 1236 Jcocgkbp.exe 36 PID 1456 wrote to memory of 1652 1456 Jcaqmkpn.exe 37 PID 1456 wrote to memory of 1652 1456 Jcaqmkpn.exe 37 PID 1456 wrote to memory of 1652 1456 Jcaqmkpn.exe 37 PID 1456 wrote to memory of 1652 1456 Jcaqmkpn.exe 37 PID 1652 
wrote to memory of 1436 1652 Jcdmbk32.exe 38 PID 1652 wrote to memory of 1436 1652 Jcdmbk32.exe 38 PID 1652 wrote to memory of 1436 1652 Jcdmbk32.exe 38 PID 1652 wrote to memory of 1436 1652 Jcdmbk32.exe 38 PID 1436 wrote to memory of 3028 1436 Jllakpdk.exe 39 PID 1436 wrote to memory of 3028 1436 Jllakpdk.exe 39 PID 1436 wrote to memory of 3028 1436 Jllakpdk.exe 39 PID 1436 wrote to memory of 3028 1436 Jllakpdk.exe 39 PID 3028 wrote to memory of 2736 3028 Kbkgig32.exe 40 PID 3028 wrote to memory of 2736 3028 Kbkgig32.exe 40 PID 3028 wrote to memory of 2736 3028 Kbkgig32.exe 40 PID 3028 wrote to memory of 2736 3028 Kbkgig32.exe 40 PID 2736 wrote to memory of 964 2736 Kbncof32.exe 41 PID 2736 wrote to memory of 964 2736 Kbncof32.exe 41 PID 2736 wrote to memory of 964 2736 Kbncof32.exe 41 PID 2736 wrote to memory of 964 2736 Kbncof32.exe 41 PID 964 wrote to memory of 2168 964 Kkfhglen.exe 42 PID 964 wrote to memory of 2168 964 Kkfhglen.exe 42 PID 964 wrote to memory of 2168 964 Kkfhglen.exe 42 PID 964 wrote to memory of 2168 964 Kkfhglen.exe 42 PID 2168 wrote to memory of 2388 2168 Kngaig32.exe 43 PID 2168 wrote to memory of 2388 2168 Kngaig32.exe 43 PID 2168 wrote to memory of 2388 2168 Kngaig32.exe 43 PID 2168 wrote to memory of 2388 2168 Kngaig32.exe 43 PID 2388 wrote to memory of 1152 2388 Kfbemi32.exe 44 PID 2388 wrote to memory of 1152 2388 Kfbemi32.exe 44 PID 2388 wrote to memory of 1152 2388 Kfbemi32.exe 44 PID 2388 wrote to memory of 1152 2388 Kfbemi32.exe 44 PID 1152 wrote to memory of 948 1152 Lojjfo32.exe 45 PID 1152 wrote to memory of 948 1152 Lojjfo32.exe 45 PID 1152 wrote to memory of 948 1152 Lojjfo32.exe 45 PID 1152 wrote to memory of 948 1152 Lojjfo32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\fae012adbabfac75b1c322b30f3644ed041712f068078ce58b70a1058f05ec6c.exe"C:\Users\Admin\AppData\Local\Temp\fae012adbabfac75b1c322b30f3644ed041712f068078ce58b70a1058f05ec6c.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Idemkp32.exeC:\Windows\system32\Idemkp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Ihcfan32.exeC:\Windows\system32\Ihcfan32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Jkabmi32.exeC:\Windows\system32\Jkabmi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Jdjgfomh.exeC:\Windows\system32\Jdjgfomh.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Jjgonf32.exeC:\Windows\system32\Jjgonf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Jcocgkbp.exeC:\Windows\system32\Jcocgkbp.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\Jcaqmkpn.exeC:\Windows\system32\Jcaqmkpn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Jcdmbk32.exeC:\Windows\system32\Jcdmbk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Jllakpdk.exeC:\Windows\system32\Jllakpdk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\SysWOW64\Kbkgig32.exeC:\Windows\system32\Kbkgig32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Kbncof32.exeC:\Windows\system32\Kbncof32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Kkfhglen.exeC:\Windows\system32\Kkfhglen.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Kngaig32.exeC:\Windows\system32\Kngaig32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Kfbemi32.exeC:\Windows\system32\Kfbemi32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Lojjfo32.exeC:\Windows\system32\Lojjfo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Lqjfpbmm.exeC:\Windows\system32\Lqjfpbmm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:948 -
C:\Windows\SysWOW64\Lndqbk32.exeC:\Windows\system32\Lndqbk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1824 -
C:\Windows\SysWOW64\Laeidfdn.exeC:\Windows\system32\Laeidfdn.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Mljnaocd.exeC:\Windows\system32\Mljnaocd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Mecbjd32.exeC:\Windows\system32\Mecbjd32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1300 -
C:\Windows\SysWOW64\Mlmjgnaa.exeC:\Windows\system32\Mlmjgnaa.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Mhckloge.exeC:\Windows\system32\Mhckloge.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Mmpcdfem.exeC:\Windows\system32\Mmpcdfem.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Mfihml32.exeC:\Windows\system32\Mfihml32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Mpalfabn.exeC:\Windows\system32\Mpalfabn.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Miiaogio.exeC:\Windows\system32\Miiaogio.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Nbbegl32.exeC:\Windows\system32\Nbbegl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Npffaq32.exeC:\Windows\system32\Npffaq32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2808 -
C:\Windows\SysWOW64\Nphbfplf.exeC:\Windows\system32\Nphbfplf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Windows\SysWOW64\Nlocka32.exeC:\Windows\system32\Nlocka32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Nhfdqb32.exeC:\Windows\system32\Nhfdqb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Okfmbm32.exeC:\Windows\system32\Okfmbm32.exe33⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Okijhmcm.exeC:\Windows\system32\Okijhmcm.exe34⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Ocdnloph.exeC:\Windows\system32\Ocdnloph.exe35⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Ocfkaone.exeC:\Windows\system32\Ocfkaone.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Onlooh32.exeC:\Windows\system32\Onlooh32.exe37⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Oegdcj32.exeC:\Windows\system32\Oegdcj32.exe38⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Olalpdbc.exeC:\Windows\system32\Olalpdbc.exe39⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Plcied32.exeC:\Windows\system32\Plcied32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1064 -
C:\Windows\SysWOW64\Pelnniga.exeC:\Windows\system32\Pelnniga.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Pngbcldl.exeC:\Windows\system32\Pngbcldl.exe42⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Pgogla32.exeC:\Windows\system32\Pgogla32.exe43⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Paekijkb.exeC:\Windows\system32\Paekijkb.exe44⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Pgacaaij.exeC:\Windows\system32\Pgacaaij.exe45⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Pqjhjf32.exeC:\Windows\system32\Pqjhjf32.exe46⤵
- Executes dropped EXE
PID:1452 -
C:\Windows\SysWOW64\Qmahog32.exeC:\Windows\system32\Qmahog32.exe47⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Qgfmlp32.exeC:\Windows\system32\Qgfmlp32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Akphfbbl.exeC:\Windows\system32\Akphfbbl.exe49⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Aehmoh32.exeC:\Windows\system32\Aehmoh32.exe50⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Anpahn32.exeC:\Windows\system32\Anpahn32.exe51⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Bcmjpd32.exeC:\Windows\system32\Bcmjpd32.exe52⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Bjgbmoda.exeC:\Windows\system32\Bjgbmoda.exe53⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Bemfjgdg.exeC:\Windows\system32\Bemfjgdg.exe54⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Bfncbp32.exeC:\Windows\system32\Bfncbp32.exe55⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Bacgohjk.exeC:\Windows\system32\Bacgohjk.exe56⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Bfppgohb.exeC:\Windows\system32\Bfppgohb.exe57⤵
- Executes dropped EXE
PID:1084 -
C:\Windows\SysWOW64\Baecehhh.exeC:\Windows\system32\Baecehhh.exe58⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Bfblmofp.exeC:\Windows\system32\Bfblmofp.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Blodefdg.exeC:\Windows\system32\Blodefdg.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Bfeibo32.exeC:\Windows\system32\Bfeibo32.exe61⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Cejfckie.exeC:\Windows\system32\Cejfckie.exe62⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Cihojiok.exeC:\Windows\system32\Cihojiok.exe63⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Codgbqmc.exeC:\Windows\system32\Codgbqmc.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Caccnllf.exeC:\Windows\system32\Caccnllf.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Ckkhga32.exeC:\Windows\system32\Ckkhga32.exe66⤵PID:3064
-
C:\Windows\SysWOW64\Chohqebq.exeC:\Windows\system32\Chohqebq.exe67⤵PID:2332
-
C:\Windows\SysWOW64\Cmlqimph.exeC:\Windows\system32\Cmlqimph.exe68⤵PID:1756
-
C:\Windows\SysWOW64\Dhaefepn.exeC:\Windows\system32\Dhaefepn.exe69⤵PID:2236
-
C:\Windows\SysWOW64\Dpmjjhmi.exeC:\Windows\system32\Dpmjjhmi.exe70⤵PID:2788
-
C:\Windows\SysWOW64\Dbkffc32.exeC:\Windows\system32\Dbkffc32.exe71⤵
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Dbnblb32.exeC:\Windows\system32\Dbnblb32.exe72⤵
- Drops file in System32 directory
PID:1144 -
C:\Windows\SysWOW64\Dkekmp32.exeC:\Windows\system32\Dkekmp32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:936 -
C:\Windows\SysWOW64\Denknngk.exeC:\Windows\system32\Denknngk.exe74⤵PID:2060
-
C:\Windows\SysWOW64\Dcblgbfe.exeC:\Windows\system32\Dcblgbfe.exe75⤵PID:2408
-
C:\Windows\SysWOW64\Dpflqfeo.exeC:\Windows\system32\Dpflqfeo.exe76⤵PID:1716
-
C:\Windows\SysWOW64\Eioaillo.exeC:\Windows\system32\Eioaillo.exe77⤵PID:1008
-
C:\Windows\SysWOW64\Eajennij.exeC:\Windows\system32\Eajennij.exe78⤵
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Eonfgbhc.exeC:\Windows\system32\Eonfgbhc.exe79⤵PID:900
-
C:\Windows\SysWOW64\Ehfkphnd.exeC:\Windows\system32\Ehfkphnd.exe80⤵PID:2764
-
C:\Windows\SysWOW64\Eaooin32.exeC:\Windows\system32\Eaooin32.exe81⤵PID:1720
-
C:\Windows\SysWOW64\Egkgad32.exeC:\Windows\system32\Egkgad32.exe82⤵PID:2692
-
C:\Windows\SysWOW64\Epdljjjm.exeC:\Windows\system32\Epdljjjm.exe83⤵PID:2188
-
C:\Windows\SysWOW64\Ekipgb32.exeC:\Windows\system32\Ekipgb32.exe84⤵PID:1988
-
C:\Windows\SysWOW64\Fqfipj32.exeC:\Windows\system32\Fqfipj32.exe85⤵PID:2704
-
C:\Windows\SysWOW64\Fjomhonj.exeC:\Windows\system32\Fjomhonj.exe86⤵PID:2832
-
C:\Windows\SysWOW64\Fgbnbcmd.exeC:\Windows\system32\Fgbnbcmd.exe87⤵
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Fhcjilcb.exeC:\Windows\system32\Fhcjilcb.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1748 -
C:\Windows\SysWOW64\Ffhkcpal.exeC:\Windows\system32\Ffhkcpal.exe89⤵PID:1228
-
C:\Windows\SysWOW64\Fhfgokap.exeC:\Windows\system32\Fhfgokap.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1680 -
C:\Windows\SysWOW64\Fbnkha32.exeC:\Windows\system32\Fbnkha32.exe91⤵PID:3060
-
C:\Windows\SysWOW64\Fbqhnqen.exeC:\Windows\system32\Fbqhnqen.exe92⤵PID:328
-
C:\Windows\SysWOW64\Godhgedg.exeC:\Windows\system32\Godhgedg.exe93⤵PID:2396
-
C:\Windows\SysWOW64\Gimmpj32.exeC:\Windows\system32\Gimmpj32.exe94⤵PID:2604
-
C:\Windows\SysWOW64\Gnjehaio.exeC:\Windows\system32\Gnjehaio.exe95⤵PID:2040
-
C:\Windows\SysWOW64\Gjqfmb32.exeC:\Windows\system32\Gjqfmb32.exe96⤵PID:2412
-
C:\Windows\SysWOW64\Gcikfhed.exeC:\Windows\system32\Gcikfhed.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1352 -
C:\Windows\SysWOW64\Gnoocq32.exeC:\Windows\system32\Gnoocq32.exe98⤵PID:2936
-
C:\Windows\SysWOW64\Gfjcgc32.exeC:\Windows\system32\Gfjcgc32.exe99⤵PID:420
-
C:\Windows\SysWOW64\Hmdldmja.exeC:\Windows\system32\Hmdldmja.exe100⤵PID:748
-
C:\Windows\SysWOW64\Hmfhjmho.exeC:\Windows\system32\Hmfhjmho.exe101⤵PID:1812
-
C:\Windows\SysWOW64\Hbcabc32.exeC:\Windows\system32\Hbcabc32.exe102⤵PID:2012
-
C:\Windows\SysWOW64\Hmheol32.exeC:\Windows\system32\Hmheol32.exe103⤵PID:1940
-
C:\Windows\SysWOW64\Hbengc32.exeC:\Windows\system32\Hbengc32.exe104⤵PID:1556
-
C:\Windows\SysWOW64\Hpinagbm.exeC:\Windows\system32\Hpinagbm.exe105⤵PID:2964
-
C:\Windows\SysWOW64\Hajkip32.exeC:\Windows\system32\Hajkip32.exe106⤵
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\Hhdcejph.exeC:\Windows\system32\Hhdcejph.exe107⤵PID:2732
-
C:\Windows\SysWOW64\Hnnkbd32.exeC:\Windows\system32\Hnnkbd32.exe108⤵PID:2628
-
C:\Windows\SysWOW64\Ihgpkinf.exeC:\Windows\system32\Ihgpkinf.exe109⤵PID:2892
-
C:\Windows\SysWOW64\Iaoddodf.exeC:\Windows\system32\Iaoddodf.exe110⤵PID:1448
-
C:\Windows\SysWOW64\Ijghmd32.exeC:\Windows\system32\Ijghmd32.exe111⤵PID:1932
-
C:\Windows\SysWOW64\Iocdmccp.exeC:\Windows\system32\Iocdmccp.exe112⤵PID:2124
-
C:\Windows\SysWOW64\Idpmejag.exeC:\Windows\system32\Idpmejag.exe113⤵PID:2500
-
C:\Windows\SysWOW64\Ifniaeqk.exeC:\Windows\system32\Ifniaeqk.exe114⤵PID:1468
-
C:\Windows\SysWOW64\Ipfnjkgk.exeC:\Windows\system32\Ipfnjkgk.exe115⤵PID:3004
-
C:\Windows\SysWOW64\Imkndofe.exeC:\Windows\system32\Imkndofe.exe116⤵PID:1660
-
C:\Windows\SysWOW64\Ipijpkei.exeC:\Windows\system32\Ipijpkei.exe117⤵PID:1304
-
C:\Windows\SysWOW64\Iiaoip32.exeC:\Windows\system32\Iiaoip32.exe118⤵PID:2612
-
C:\Windows\SysWOW64\Jaopcbga.exeC:\Windows\system32\Jaopcbga.exe119⤵PID:2144
-
C:\Windows\SysWOW64\Jlddpkgh.exeC:\Windows\system32\Jlddpkgh.exe120⤵
- Modifies registry class
PID:2772 -
C:\Windows\SysWOW64\Jaamhb32.exeC:\Windows\system32\Jaamhb32.exe121⤵PID:2224
-
C:\Windows\SysWOW64\Jdpidm32.exeC:\Windows\system32\Jdpidm32.exe122⤵PID:2976
-