Analysis
-
max time kernel
118s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
21-09-2024 06:19
Behavioral task
behavioral1
Sample
7bf40369e2d1a2272ca424fa0822eb56eaef8318b2ee6c6ce6ca2623457620feN.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
7bf40369e2d1a2272ca424fa0822eb56eaef8318b2ee6c6ce6ca2623457620feN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
7bf40369e2d1a2272ca424fa0822eb56eaef8318b2ee6c6ce6ca2623457620feN.exe
-
Size
194KB
-
MD5
a88c03f8a72c38a8416e4d95f3bca8c0
-
SHA1
28cc8c439304b6c6aa44089ee3f866b1f5c1b6d6
-
SHA256
7bf40369e2d1a2272ca424fa0822eb56eaef8318b2ee6c6ce6ca2623457620fe
-
SHA512
ad8b83e51ca2c6630f4da269d9287e9363ae118b35600428ff24fe4f2f808e9b5d8a06e8a7b350c1961aa64a19e161b0190ab9f7a967944a1ec1d4b3b84a91f7
-
SSDEEP
3072:4955o/tu6dCtREJ3mMIM/kEmMIGumMIc/1GV:as/tusCtyJ35/pbuh/UV
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldlghhde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iabcbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhbjmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfdpaqej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpblne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biikne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccceeqfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edohki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiaaaicm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljbmbpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Almjcobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdhnnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkffohon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plheil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fondonbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fehmlh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlbjcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oclpdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoakfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnogmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfppfcmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elkbipdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggbljogc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldkeoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qefihg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aokfpjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jblbpnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enqfco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibejfffo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkajkoml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfobmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkdlaplh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imqdcjkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilceog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gocnjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfeep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dodlfmlb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdjddf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnhqll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekeiel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpajdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncpgeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Popkeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koelibnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjcoaeol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oafhmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpajdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpfcohfk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biakbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncbkenba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieelnkpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqjehngm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nehjmppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iflmlfcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnlilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pahjgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alhaho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bblpae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddpndhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkocfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Necqbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acdfki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khpaidpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lohiob32.exe -
Executes dropped EXE 64 IoCs
pid Process 1652 Biahijec.exe 2376 Bpkqfdmp.exe 2916 Bmoaoikj.exe 2976 Cpmmkdkn.exe 2844 Cppjadhk.exe 2692 Caqfiloi.exe 280 Cjikaa32.exe 2068 Cbpcbo32.exe 584 Cligkdlm.exe 2232 Cmjdcm32.exe 2848 Cfbhlb32.exe 3040 Cmlqimph.exe 872 Dhaefepn.exe 940 Dajiok32.exe 2764 Diencmcj.exe 860 Dpofpg32.exe 892 Dmcgik32.exe 1000 Ddmofeam.exe 1648 Dijgnm32.exe 1516 Dcblgbfe.exe 2492 Deahcneh.exe 2324 Eoimlc32.exe 2588 Ehaaei32.exe 1932 Eajennij.exe 2756 Ehdnkh32.exe 2888 Ekbjgd32.exe 2092 Enqfco32.exe 2788 Ekdglcmh.exe 2688 Epaodjlo.exe 2716 Ehhgfgla.exe 2736 Enepnoji.exe 1356 Eaalom32.exe 2536 Edohki32.exe 2568 Ekipgb32.exe 1332 Fdaephpc.exe 2948 Fcdele32.exe 3016 Fjomhonj.exe 1992 Fokfqflb.exe 684 Ffenmp32.exe 2644 Fhcjilcb.exe 2200 Fonbff32.exe 2168 Fjcfco32.exe 532 Fmacpj32.exe 2468 Fclkldqe.exe 2336 Ffjghppi.exe 1008 Foblaefj.exe 1628 Fbqhnqen.exe 1492 Gdodjlda.exe 2544 Ggnqfgce.exe 2904 Godhgedg.exe 2876 Gngiba32.exe 2700 Gqfeom32.exe 2712 Geaaolbo.exe 2924 Gjnigb32.exe 2620 Gbeaip32.exe 2044 Gqhadmhc.exe 3004 Gcgnphgf.exe 2944 Gknfaehi.exe 1724 Gnlbnagl.exe 2640 Gqknjlfp.exe 268 Gcikfhed.exe 560 Gfggbcdg.exe 1860 Gnoocq32.exe 1780 Gamkol32.exe -
Loads dropped DLL 64 IoCs
pid Process 2024 7bf40369e2d1a2272ca424fa0822eb56eaef8318b2ee6c6ce6ca2623457620feN.exe 2024 7bf40369e2d1a2272ca424fa0822eb56eaef8318b2ee6c6ce6ca2623457620feN.exe 1652 Biahijec.exe 1652 Biahijec.exe 2376 Bpkqfdmp.exe 2376 Bpkqfdmp.exe 2916 Bmoaoikj.exe 2916 Bmoaoikj.exe 2976 Cpmmkdkn.exe 2976 Cpmmkdkn.exe 2844 Cppjadhk.exe 2844 Cppjadhk.exe 2692 Caqfiloi.exe 2692 Caqfiloi.exe 280 Cjikaa32.exe 280 Cjikaa32.exe 2068 Cbpcbo32.exe 2068 Cbpcbo32.exe 584 Cligkdlm.exe 584 Cligkdlm.exe 2232 Cmjdcm32.exe 2232 Cmjdcm32.exe 2848 Cfbhlb32.exe 2848 Cfbhlb32.exe 3040 Cmlqimph.exe 3040 Cmlqimph.exe 872 Dhaefepn.exe 872 Dhaefepn.exe 940 Dajiok32.exe 940 Dajiok32.exe 2764 Diencmcj.exe 2764 Diencmcj.exe 860 Dpofpg32.exe 860 Dpofpg32.exe 892 Dmcgik32.exe 892 Dmcgik32.exe 1000 Ddmofeam.exe 1000 Ddmofeam.exe 1648 Dijgnm32.exe 1648 Dijgnm32.exe 1516 Dcblgbfe.exe 1516 Dcblgbfe.exe 2492 Deahcneh.exe 2492 Deahcneh.exe 2324 Eoimlc32.exe 2324 Eoimlc32.exe 2588 Ehaaei32.exe 2588 Ehaaei32.exe 1932 Eajennij.exe 1932 Eajennij.exe 2756 Ehdnkh32.exe 2756 Ehdnkh32.exe 2888 Ekbjgd32.exe 2888 Ekbjgd32.exe 2092 Enqfco32.exe 2092 Enqfco32.exe 2788 Ekdglcmh.exe 2788 Ekdglcmh.exe 2688 Epaodjlo.exe 2688 Epaodjlo.exe 2716 Ehhgfgla.exe 2716 Ehhgfgla.exe 2736 Enepnoji.exe 2736 Enepnoji.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Damhmc32.exe Dmalmdcg.exe File opened for modification C:\Windows\SysWOW64\Ekblplgo.exe Elpldp32.exe File created C:\Windows\SysWOW64\Ljfckodo.exe Lghgocek.exe File opened for modification C:\Windows\SysWOW64\Fmacpj32.exe Fjcfco32.exe File opened for modification C:\Windows\SysWOW64\Iflmlfcn.exe Idnppjcj.exe File opened for modification C:\Windows\SysWOW64\Kgmkef32.exe Kdooij32.exe File created C:\Windows\SysWOW64\Jdjioh32.exe Jalmcl32.exe File created C:\Windows\SysWOW64\Pdffcn32.exe Pahjgb32.exe File opened for modification C:\Windows\SysWOW64\Gjcekj32.exe Ggeiooea.exe File created C:\Windows\SysWOW64\Jkeecd32.dll Mqgahh32.exe File created C:\Windows\SysWOW64\Jnjjcbiq.exe Jklnggjm.exe File created C:\Windows\SysWOW64\Kpbiempj.exe Khkadoog.exe File created C:\Windows\SysWOW64\Nnhobgag.exe Nljcflbd.exe File opened for modification C:\Windows\SysWOW64\Mnfhfmhc.exe Mglpjc32.exe File created C:\Windows\SysWOW64\Ngcbie32.exe Ncggifep.exe File created C:\Windows\SysWOW64\Agenobhd.dll Gdodjlda.exe File created C:\Windows\SysWOW64\Bgcbja32.exe Baiingae.exe File created C:\Windows\SysWOW64\Aiedgbnd.dll Dhjdjc32.exe File created C:\Windows\SysWOW64\Dcgdlpkc.dll Eekdmk32.exe File opened for modification C:\Windows\SysWOW64\Hkndiabh.exe Hgbhibio.exe File created C:\Windows\SysWOW64\Hijmin32.exe Hflpmb32.exe File opened for modification C:\Windows\SysWOW64\Kahciaog.exe Knmghb32.exe File created C:\Windows\SysWOW64\Noddcolo.dll Bfkobj32.exe File opened for modification C:\Windows\SysWOW64\Mqoocmcg.exe Mmcbbo32.exe File opened for modification C:\Windows\SysWOW64\Olobcm32.exe Omlahqeo.exe File created C:\Windows\SysWOW64\Maeljf32.dll Ehgmiq32.exe File created C:\Windows\SysWOW64\Mgomoboc.exe Mogene32.exe File created C:\Windows\SysWOW64\Kdbppi32.dll Kdgoelnk.exe File created C:\Windows\SysWOW64\Nebgoa32.exe Nmkpnd32.exe File opened for modification C:\Windows\SysWOW64\Infjfblm.exe Ipcjje32.exe File created C:\Windows\SysWOW64\Ofbikf32.exe Obgmjh32.exe File created C:\Windows\SysWOW64\Ahoamplo.exe Afqeaemk.exe File opened for modification C:\Windows\SysWOW64\Fefpfi32.exe Fcgdjmlo.exe File opened for modification C:\Windows\SysWOW64\Cmlqimph.exe Cfbhlb32.exe File created C:\Windows\SysWOW64\Hhdmgkhc.dll Kfjibdbf.exe File created C:\Windows\SysWOW64\Eimlafah.dll Ljjjmeie.exe File created C:\Windows\SysWOW64\Dgcdjk32.dll Mookod32.exe File created C:\Windows\SysWOW64\Hpofcajk.dll Kcqfahom.exe File created C:\Windows\SysWOW64\Bclnpegj.dll Pkholjam.exe File opened for modification C:\Windows\SysWOW64\Pahjgb32.exe Pmlngdhk.exe File created C:\Windows\SysWOW64\Ibmldh32.dll Djcpqidc.exe File opened for modification C:\Windows\SysWOW64\Iddfqi32.exe Ipijpkei.exe File opened for modification C:\Windows\SysWOW64\Ldnbeokn.exe Lmfjcajl.exe File created C:\Windows\SysWOW64\Nhffikob.exe Nehjmppo.exe File created C:\Windows\SysWOW64\Qaapab32.dll Ojgokflc.exe File created C:\Windows\SysWOW64\Ekppjmia.exe Elnonp32.exe File created C:\Windows\SysWOW64\Ijmdql32.exe Ifahpnfl.exe File created C:\Windows\SysWOW64\Liakqjpo.dll Lednal32.exe File created C:\Windows\SysWOW64\Odhgec32.dll Ceioieei.exe File created C:\Windows\SysWOW64\Cabldeik.exe Cikdbhhi.exe File opened for modification C:\Windows\SysWOW64\Nmjicn32.exe Necqbp32.exe File opened for modification C:\Windows\SysWOW64\Qhgbibgg.exe Qdkfic32.exe File created C:\Windows\SysWOW64\Ceioieei.exe Cmbghgdg.exe File created C:\Windows\SysWOW64\Cjkamk32.exe Cbcikn32.exe File created C:\Windows\SysWOW64\Gqkqbe32.exe Glpdbfek.exe File opened for modification C:\Windows\SysWOW64\Ikbndqnc.exe Iggbdb32.exe File created C:\Windows\SysWOW64\Hhbfpj32.exe Hiofdmkq.exe File opened for modification C:\Windows\SysWOW64\Kdgoelnk.exe Kahciaog.exe File opened for modification C:\Windows\SysWOW64\Niijdq32.exe Maabcc32.exe File created C:\Windows\SysWOW64\Mbginggd.dll Almjcobe.exe File opened for modification C:\Windows\SysWOW64\Fcjqpm32.exe Fondonbc.exe File created C:\Windows\SysWOW64\Hkpaoape.exe Hibebeqb.exe File opened for modification C:\Windows\SysWOW64\Hcndag32.exe Hmdldmja.exe File created C:\Windows\SysWOW64\Pkgoccel.dll Njipabhe.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9984 9920 Process not Found 1057 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acjfpokk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkmakbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbfeam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihaldgak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oelcho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cejhld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Immkiodb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akbgdkgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deajlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diencmcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljbmbpkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgpjin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nglmifca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdgoelnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhlgnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiamql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbeaip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlddpkgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pceqfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodlfmlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijelgemi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjkfglom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaillp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oclpdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcpqfgol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgmbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbckagm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcikfhed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgeopqfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aglhph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laknfmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbengc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jephgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkoidcaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldikbhfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqgngk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gggclfkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elgioe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbkdgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmiojla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edohki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajjeld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dihmae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqkqbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkndiabh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikbndqnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igioiacg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlegic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmocha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oppbjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnplgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhffikob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbnhfhoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkelcenm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfggbcdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqhhbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gklkdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbafel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdbhcfjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olehbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Polakmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qamjmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhjdjc32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcgjllbn.dll" Mogene32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiniaboi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpnji32.dll" Cjljpjjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqpjndio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mffgfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkoodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlqgob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqckgi32.dll" Kkigfdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfenjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hamgno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilblkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebiomefn.dll" Phabdmgq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmmiaknb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opbopn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fclmem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geaaolbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnjekdon.dll" Hliieioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfdngl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imekmp32.dll" Ekblplgo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbpmbndm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldchdjom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbpolb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Immbmp32.dll" Ggeiooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnimjoak.dll" Oojhfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idchbb32.dll" Ppiapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ooffmafi.dll" Hfbckagm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lphlck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jehpna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcolqccn.dll" Lmfjcajl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Empphi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kneacffj.dll" Indnqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgfnqkbe.dll" Ekipgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fonbff32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgeopqfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhbhdnio.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kekkkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhifmcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jajlng32.dll" Nfcdfiob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adncoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnknqpgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiclnpjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjnbmlmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkchooim.dll" Klimcf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmfjcajl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojnmbglh.dll" Mfchgflg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idmele32.dll" Lomidgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blfmgmin.dll" Ckdpinhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koelibnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ljhngfkh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fofekp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiblmldn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihdpml32.dll" Gqhadmhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijfkjba.dll" Gnenfjdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcljdpke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhgbibgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpkihl32.dll" Bnkmakbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkafib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hajkip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgeopqfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhopcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfppfcmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgjgepqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjikaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elfcoj32.dll" Gmjbchnq.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2024 wrote to memory of 1652 2024 7bf40369e2d1a2272ca424fa0822eb56eaef8318b2ee6c6ce6ca2623457620feN.exe 30 PID 2024 wrote to memory of 1652 2024 7bf40369e2d1a2272ca424fa0822eb56eaef8318b2ee6c6ce6ca2623457620feN.exe 30 PID 2024 wrote to memory of 1652 2024 7bf40369e2d1a2272ca424fa0822eb56eaef8318b2ee6c6ce6ca2623457620feN.exe 30 PID 2024 wrote to memory of 1652 2024 7bf40369e2d1a2272ca424fa0822eb56eaef8318b2ee6c6ce6ca2623457620feN.exe 30 PID 1652 wrote to memory of 2376 1652 Biahijec.exe 31 PID 1652 wrote to memory of 2376 1652 Biahijec.exe 31 PID 1652 wrote to memory of 2376 1652 Biahijec.exe 31 PID 1652 wrote to memory of 2376 1652 Biahijec.exe 31 PID 2376 wrote to memory of 2916 2376 Bpkqfdmp.exe 32 PID 2376 wrote to memory of 2916 2376 Bpkqfdmp.exe 32 PID 2376 wrote to memory of 2916 2376 Bpkqfdmp.exe 32 PID 2376 wrote to memory of 2916 2376 Bpkqfdmp.exe 32 PID 2916 wrote to memory of 2976 2916 Bmoaoikj.exe 33 PID 2916 wrote to memory of 2976 2916 Bmoaoikj.exe 33 PID 2916 wrote to memory of 2976 2916 Bmoaoikj.exe 33 PID 2916 wrote to memory of 2976 2916 Bmoaoikj.exe 33 PID 2976 wrote to memory of 2844 2976 Cpmmkdkn.exe 34 PID 2976 wrote to memory of 2844 2976 Cpmmkdkn.exe 34 PID 2976 wrote to memory of 2844 2976 Cpmmkdkn.exe 34 PID 2976 wrote to memory of 2844 2976 Cpmmkdkn.exe 34 PID 2844 wrote to memory of 2692 2844 Cppjadhk.exe 35 PID 2844 wrote to memory of 2692 2844 Cppjadhk.exe 35 PID 2844 wrote to memory of 2692 2844 Cppjadhk.exe 35 PID 2844 wrote to memory of 2692 2844 Cppjadhk.exe 35 PID 2692 wrote to memory of 280 2692 Caqfiloi.exe 36 PID 2692 wrote to memory of 280 2692 Caqfiloi.exe 36 PID 2692 wrote to memory of 280 2692 Caqfiloi.exe 36 PID 2692 wrote to memory of 280 2692 Caqfiloi.exe 36 PID 280 wrote to memory of 2068 280 Cjikaa32.exe 37 PID 280 wrote to memory of 2068 280 Cjikaa32.exe 37 PID 280 wrote to memory of 2068 280 Cjikaa32.exe 37 PID 280 wrote to memory of 2068 280 Cjikaa32.exe 37 PID 2068 wrote to memory of 584 2068 Cbpcbo32.exe 38 PID 2068 wrote to memory of 584 2068 Cbpcbo32.exe 38 PID 2068 wrote to memory of 584 2068 Cbpcbo32.exe 38 PID 2068 wrote to memory of 584 2068 Cbpcbo32.exe 38 PID 584 wrote to memory of 2232 584 Cligkdlm.exe 39 PID 584 wrote to memory of 2232 584 Cligkdlm.exe 39 PID 584 wrote to memory of 2232 584 Cligkdlm.exe 39 PID 584 wrote to memory of 2232 584 Cligkdlm.exe 39 PID 2232 wrote to memory of 2848 2232 Cmjdcm32.exe 40 PID 2232 wrote to memory of 2848 2232 Cmjdcm32.exe 40 PID 2232 wrote to memory of 2848 2232 Cmjdcm32.exe 40 PID 2232 wrote to memory of 2848 2232 Cmjdcm32.exe 40 PID 2848 wrote to memory of 3040 2848 Cfbhlb32.exe 41 PID 2848 wrote to memory of 3040 2848 Cfbhlb32.exe 41 PID 2848 wrote to memory of 3040 2848 Cfbhlb32.exe 41 PID 2848 wrote to memory of 3040 2848 Cfbhlb32.exe 41 PID 3040 wrote to memory of 872 3040 Cmlqimph.exe 42 PID 3040 wrote to memory of 872 3040 Cmlqimph.exe 42 PID 3040 wrote to memory of 872 3040 Cmlqimph.exe 42 PID 3040 wrote to memory of 872 3040 Cmlqimph.exe 42 PID 872 wrote to memory of 940 872 Dhaefepn.exe 43 PID 872 wrote to memory of 940 872 Dhaefepn.exe 43 PID 872 wrote to memory of 940 872 Dhaefepn.exe 43 PID 872 wrote to memory of 940 872 Dhaefepn.exe 43 PID 940 wrote to memory of 2764 940 Dajiok32.exe 44 PID 940 wrote to memory of 2764 940 Dajiok32.exe 44 PID 940 wrote to memory of 2764 940 Dajiok32.exe 44 PID 940 wrote to memory of 2764 940 Dajiok32.exe 44 PID 2764 wrote to memory of 860 2764 Diencmcj.exe 45 PID 2764 wrote to memory of 860 2764 Diencmcj.exe 45 PID 2764 wrote to memory of 860 2764 Diencmcj.exe 45 PID 2764 wrote to memory of 860 2764 Diencmcj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7bf40369e2d1a2272ca424fa0822eb56eaef8318b2ee6c6ce6ca2623457620feN.exe"C:\Users\Admin\AppData\Local\Temp\7bf40369e2d1a2272ca424fa0822eb56eaef8318b2ee6c6ce6ca2623457620feN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Biahijec.exeC:\Windows\system32\Biahijec.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\Bpkqfdmp.exeC:\Windows\system32\Bpkqfdmp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Bmoaoikj.exeC:\Windows\system32\Bmoaoikj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Cpmmkdkn.exeC:\Windows\system32\Cpmmkdkn.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Cppjadhk.exeC:\Windows\system32\Cppjadhk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Caqfiloi.exeC:\Windows\system32\Caqfiloi.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Cjikaa32.exeC:\Windows\system32\Cjikaa32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:280 -
C:\Windows\SysWOW64\Cbpcbo32.exeC:\Windows\system32\Cbpcbo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Cligkdlm.exeC:\Windows\system32\Cligkdlm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Cmjdcm32.exeC:\Windows\system32\Cmjdcm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Cfbhlb32.exeC:\Windows\system32\Cfbhlb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Cmlqimph.exeC:\Windows\system32\Cmlqimph.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Dhaefepn.exeC:\Windows\system32\Dhaefepn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:872 -
C:\Windows\SysWOW64\Dajiok32.exeC:\Windows\system32\Dajiok32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\SysWOW64\Diencmcj.exeC:\Windows\system32\Diencmcj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Dpofpg32.exeC:\Windows\system32\Dpofpg32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:860 -
C:\Windows\SysWOW64\Dmcgik32.exeC:\Windows\system32\Dmcgik32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Ddmofeam.exeC:\Windows\system32\Ddmofeam.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
C:\Windows\SysWOW64\Dijgnm32.exeC:\Windows\system32\Dijgnm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Dcblgbfe.exeC:\Windows\system32\Dcblgbfe.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Deahcneh.exeC:\Windows\system32\Deahcneh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Eoimlc32.exeC:\Windows\system32\Eoimlc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Ehaaei32.exeC:\Windows\system32\Ehaaei32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Eajennij.exeC:\Windows\system32\Eajennij.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1932 -
C:\Windows\SysWOW64\Ehdnkh32.exeC:\Windows\system32\Ehdnkh32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Ekbjgd32.exeC:\Windows\system32\Ekbjgd32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Enqfco32.exeC:\Windows\system32\Enqfco32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Ekdglcmh.exeC:\Windows\system32\Ekdglcmh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Epaodjlo.exeC:\Windows\system32\Epaodjlo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Ehhgfgla.exeC:\Windows\system32\Ehhgfgla.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Enepnoji.exeC:\Windows\system32\Enepnoji.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Eaalom32.exeC:\Windows\system32\Eaalom32.exe33⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Edohki32.exeC:\Windows\system32\Edohki32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2536 -
C:\Windows\SysWOW64\Ekipgb32.exeC:\Windows\system32\Ekipgb32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Fdaephpc.exeC:\Windows\system32\Fdaephpc.exe36⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Fcdele32.exeC:\Windows\system32\Fcdele32.exe37⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Fjomhonj.exeC:\Windows\system32\Fjomhonj.exe38⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Fokfqflb.exeC:\Windows\system32\Fokfqflb.exe39⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Ffenmp32.exeC:\Windows\system32\Ffenmp32.exe40⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Fhcjilcb.exeC:\Windows\system32\Fhcjilcb.exe41⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Fonbff32.exeC:\Windows\system32\Fonbff32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Fjcfco32.exeC:\Windows\system32\Fjcfco32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Fmacpj32.exeC:\Windows\system32\Fmacpj32.exe44⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Fclkldqe.exeC:\Windows\system32\Fclkldqe.exe45⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Ffjghppi.exeC:\Windows\system32\Ffjghppi.exe46⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Foblaefj.exeC:\Windows\system32\Foblaefj.exe47⤵
- Executes dropped EXE
PID:1008 -
C:\Windows\SysWOW64\Fbqhnqen.exeC:\Windows\system32\Fbqhnqen.exe48⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Gdodjlda.exeC:\Windows\system32\Gdodjlda.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1492 -
C:\Windows\SysWOW64\Ggnqfgce.exeC:\Windows\system32\Ggnqfgce.exe50⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Godhgedg.exeC:\Windows\system32\Godhgedg.exe51⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Gngiba32.exeC:\Windows\system32\Gngiba32.exe52⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Gqfeom32.exeC:\Windows\system32\Gqfeom32.exe53⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Geaaolbo.exeC:\Windows\system32\Geaaolbo.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Gjnigb32.exeC:\Windows\system32\Gjnigb32.exe55⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Gbeaip32.exeC:\Windows\system32\Gbeaip32.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\Gqhadmhc.exeC:\Windows\system32\Gqhadmhc.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2044 -
C:\Windows\SysWOW64\Gcgnphgf.exeC:\Windows\system32\Gcgnphgf.exe58⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Gknfaehi.exeC:\Windows\system32\Gknfaehi.exe59⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Gnlbnagl.exeC:\Windows\system32\Gnlbnagl.exe60⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Gqknjlfp.exeC:\Windows\system32\Gqknjlfp.exe61⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Gcikfhed.exeC:\Windows\system32\Gcikfhed.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:268 -
C:\Windows\SysWOW64\Gfggbcdg.exeC:\Windows\system32\Gfggbcdg.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:560 -
C:\Windows\SysWOW64\Gnoocq32.exeC:\Windows\system32\Gnoocq32.exe64⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Gamkol32.exeC:\Windows\system32\Gamkol32.exe65⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Gppkkikh.exeC:\Windows\system32\Gppkkikh.exe66⤵PID:328
-
C:\Windows\SysWOW64\Gggclfkj.exeC:\Windows\system32\Gggclfkj.exe67⤵
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\Gihpcn32.exeC:\Windows\system32\Gihpcn32.exe68⤵PID:404
-
C:\Windows\SysWOW64\Hmdldmja.exeC:\Windows\system32\Hmdldmja.exe69⤵
- Drops file in System32 directory
PID:1912 -
C:\Windows\SysWOW64\Hcndag32.exeC:\Windows\system32\Hcndag32.exe70⤵PID:2900
-
C:\Windows\SysWOW64\Hflpmb32.exeC:\Windows\system32\Hflpmb32.exe71⤵
- Drops file in System32 directory
PID:3012 -
C:\Windows\SysWOW64\Hijmin32.exeC:\Windows\system32\Hijmin32.exe72⤵PID:2836
-
C:\Windows\SysWOW64\Hliieioi.exeC:\Windows\system32\Hliieioi.exe73⤵
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Hcpqfgol.exeC:\Windows\system32\Hcpqfgol.exe74⤵
- System Location Discovery: System Language Discovery
PID:1696 -
C:\Windows\SysWOW64\Hfnmbbnp.exeC:\Windows\system32\Hfnmbbnp.exe75⤵PID:1476
-
C:\Windows\SysWOW64\Heamno32.exeC:\Windows\system32\Heamno32.exe76⤵PID:2960
-
C:\Windows\SysWOW64\Hmheol32.exeC:\Windows\system32\Hmheol32.exe77⤵PID:2180
-
C:\Windows\SysWOW64\Hlkekilg.exeC:\Windows\system32\Hlkekilg.exe78⤵PID:2556
-
C:\Windows\SysWOW64\Hbengc32.exeC:\Windows\system32\Hbengc32.exe79⤵
- System Location Discovery: System Language Discovery
PID:2116 -
C:\Windows\SysWOW64\Hiofdmkq.exeC:\Windows\system32\Hiofdmkq.exe80⤵
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Hhbfpj32.exeC:\Windows\system32\Hhbfpj32.exe81⤵PID:924
-
C:\Windows\SysWOW64\Hlnbqijd.exeC:\Windows\system32\Hlnbqijd.exe82⤵PID:1784
-
C:\Windows\SysWOW64\Hnlnmd32.exeC:\Windows\system32\Hnlnmd32.exe83⤵PID:1500
-
C:\Windows\SysWOW64\Hajkip32.exeC:\Windows\system32\Hajkip32.exe84⤵
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Hiabjm32.exeC:\Windows\system32\Hiabjm32.exe85⤵PID:1112
-
C:\Windows\SysWOW64\Hhdcejph.exeC:\Windows\system32\Hhdcejph.exe86⤵PID:2004
-
C:\Windows\SysWOW64\Hjcoaeol.exeC:\Windows\system32\Hjcoaeol.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2132 -
C:\Windows\SysWOW64\Hnnkbd32.exeC:\Windows\system32\Hnnkbd32.exe88⤵PID:2064
-
C:\Windows\SysWOW64\Hamgno32.exeC:\Windows\system32\Hamgno32.exe89⤵
- Modifies registry class
PID:476 -
C:\Windows\SysWOW64\Idkcjk32.exeC:\Windows\system32\Idkcjk32.exe90⤵PID:2384
-
C:\Windows\SysWOW64\Ilblkh32.exeC:\Windows\system32\Ilblkh32.exe91⤵
- Modifies registry class
PID:900 -
C:\Windows\SysWOW64\Ijelgemi.exeC:\Windows\system32\Ijelgemi.exe92⤵
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\Inqhhc32.exeC:\Windows\system32\Inqhhc32.exe93⤵PID:2380
-
C:\Windows\SysWOW64\Iaoddodf.exeC:\Windows\system32\Iaoddodf.exe94⤵PID:1956
-
C:\Windows\SysWOW64\Idnppjcj.exeC:\Windows\system32\Idnppjcj.exe95⤵
- Drops file in System32 directory
PID:1848 -
C:\Windows\SysWOW64\Iflmlfcn.exeC:\Windows\system32\Iflmlfcn.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2264 -
C:\Windows\SysWOW64\Iocdmccp.exeC:\Windows\system32\Iocdmccp.exe97⤵PID:2016
-
C:\Windows\SysWOW64\Ipdaek32.exeC:\Windows\system32\Ipdaek32.exe98⤵PID:2860
-
C:\Windows\SysWOW64\Idpmejag.exeC:\Windows\system32\Idpmejag.exe99⤵PID:2896
-
C:\Windows\SysWOW64\Ifniaeqk.exeC:\Windows\system32\Ifniaeqk.exe100⤵PID:2820
-
C:\Windows\SysWOW64\Ijjebd32.exeC:\Windows\system32\Ijjebd32.exe101⤵PID:1596
-
C:\Windows\SysWOW64\Imhanp32.exeC:\Windows\system32\Imhanp32.exe102⤵PID:2776
-
C:\Windows\SysWOW64\Iadnon32.exeC:\Windows\system32\Iadnon32.exe103⤵PID:2928
-
C:\Windows\SysWOW64\Idbjkj32.exeC:\Windows\system32\Idbjkj32.exe104⤵PID:2572
-
C:\Windows\SysWOW64\Ibejfffo.exeC:\Windows\system32\Ibejfffo.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:572 -
C:\Windows\SysWOW64\Iklbhdga.exeC:\Windows\system32\Iklbhdga.exe106⤵PID:3032
-
C:\Windows\SysWOW64\Imkndofe.exeC:\Windows\system32\Imkndofe.exe107⤵PID:1352
-
C:\Windows\SysWOW64\Ipijpkei.exeC:\Windows\system32\Ipijpkei.exe108⤵
- Drops file in System32 directory
PID:992 -
C:\Windows\SysWOW64\Iddfqi32.exeC:\Windows\system32\Iddfqi32.exe109⤵PID:1576
-
C:\Windows\SysWOW64\Ibgglfdl.exeC:\Windows\system32\Ibgglfdl.exe110⤵PID:2188
-
C:\Windows\SysWOW64\Iefchacp.exeC:\Windows\system32\Iefchacp.exe111⤵PID:2140
-
C:\Windows\SysWOW64\Immkiodb.exeC:\Windows\system32\Immkiodb.exe112⤵
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Ilpkel32.exeC:\Windows\system32\Ilpkel32.exe113⤵PID:1964
-
C:\Windows\SysWOW64\Jongag32.exeC:\Windows\system32\Jongag32.exe114⤵PID:1208
-
C:\Windows\SysWOW64\Jbjcaf32.exeC:\Windows\system32\Jbjcaf32.exe115⤵PID:2804
-
C:\Windows\SysWOW64\Jehpna32.exeC:\Windows\system32\Jehpna32.exe116⤵
- Modifies registry class
PID:2864 -
C:\Windows\SysWOW64\Jiclnpjg.exeC:\Windows\system32\Jiclnpjg.exe117⤵
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Jpndkj32.exeC:\Windows\system32\Jpndkj32.exe118⤵PID:2740
-
C:\Windows\SysWOW64\Jblpge32.exeC:\Windows\system32\Jblpge32.exe119⤵PID:1192
-
C:\Windows\SysWOW64\Jaopcbga.exeC:\Windows\system32\Jaopcbga.exe120⤵PID:2648
-
C:\Windows\SysWOW64\Jejlca32.exeC:\Windows\system32\Jejlca32.exe121⤵PID:876
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-