Analysis
-
max time kernel
114s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
27/09/2024, 21:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a0176fdfc672f109c8cf3fb6ea789eca5a55f1eef7ce6a509c461acfccad19f9N.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
a0176fdfc672f109c8cf3fb6ea789eca5a55f1eef7ce6a509c461acfccad19f9N.exe
Resource
win10v2004-20240910-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
a0176fdfc672f109c8cf3fb6ea789eca5a55f1eef7ce6a509c461acfccad19f9N.exe
-
Size
512KB
-
MD5
c2f557961214c4cd734f0ac10f5cba70
-
SHA1
29898b021870d3d4c434203f13f59e2d411e25bd
-
SHA256
a0176fdfc672f109c8cf3fb6ea789eca5a55f1eef7ce6a509c461acfccad19f9
-
SHA512
932a1f4da590eafa81bc511bc0dc4f56e4519bc25ea9a7b226f2fb196fe5bf78bf00652da11342701a6208eded1f64b80500d36a2be59d810cf550b8c0887910
-
SSDEEP
6144:kLToUfz853XBpnTfwNPbAvjDAcXxxXfY09cnEWPDZ:kPLQBpnchWcZ
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbjgbbpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhpkoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifkfap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohkpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjgdfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehdnkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edenjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goodpb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hiehbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pahjgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckgmon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gafcahil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdbhcfjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibejfffo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cngfqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfjaej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gklkdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhlapc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcknjidn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad a0176fdfc672f109c8cf3fb6ea789eca5a55f1eef7ce6a509c461acfccad19f9N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnhlcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fihcdkom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnffnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbobgfnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nebgoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdlqjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jepoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgkanomj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiphmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbkkepio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnknqpgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nffcebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anpahn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnjagdlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehiiop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cldnqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niilmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjbghkfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkhpfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjkfglom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hccfoehi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lobbpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahdkhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lllihf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leqeed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baajji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpbenpqh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjhgdqef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgjelg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elqcnfdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pelpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djcpqidc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gemfghek.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbbiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heamno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibhieo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnaokn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpndkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfkobj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eajhgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbhmfk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqgngk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnfcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epdncb32.exe -
Executes dropped EXE 64 IoCs
pid Process 2512 Hplbamdf.exe 2944 Heijidbn.exe 2144 Ihjcko32.exe 1636 Iencdc32.exe 2740 Iljifm32.exe 2476 Iainddpg.exe 948 Jakjjcnd.exe 1968 Jgkphj32.exe 568 Jjkiie32.exe 2412 Jafmngde.exe 2084 Jhqeka32.exe 2532 Kdlpkb32.exe 2300 Kjihci32.exe 1496 Lmlnjcgg.exe 2548 Lqjfpbmm.exe 2544 Lchclmla.exe 2072 Lenioenj.exe 1744 Lbbiii32.exe 1628 Laeidfdn.exe 264 Leqeed32.exe 1668 Mljnaocd.exe 2780 Magfjebk.exe 1944 Mcfbfaao.exe 2940 Mjpkbk32.exe 2848 Mjbghkfi.exe 2956 Mnncii32.exe 2736 Mhfhaoec.exe 2692 Mmcpjfcj.exe 2764 Mpalfabn.exe 2492 Npcika32.exe 1340 Nfmahkhh.exe 1416 Nbdbml32.exe 2756 Ninjjf32.exe 2460 Nbfobllj.exe 1264 Niqgof32.exe 2228 Nbilhkig.exe 2096 Neghdg32.exe 2408 Nkdpmn32.exe 716 Nmbmii32.exe 2884 Nhhqfb32.exe 2560 Ngkaaolf.exe 1732 Oaqeogll.exe 1592 Opcejd32.exe 2172 Oiljcj32.exe 2776 Omgfdhbq.exe 340 Oacbdg32.exe 2132 Ocdnloph.exe 1128 Ollcee32.exe 2888 Odckfb32.exe 2904 Oipcnieb.exe 3024 Opjlkc32.exe 2708 Ogddhmdl.exe 1852 Oibpdico.exe 2032 Olalpdbc.exe 344 Oophlpag.exe 2384 Panehkaj.exe 2684 Plcied32.exe 2056 Pelnniga.exe 1500 Pdonjf32.exe 2380 Podbgo32.exe 1864 Pabncj32.exe 1464 Pkkblp32.exe 2504 Pofomolo.exe 2652 Phocfd32.exe -
Loads dropped DLL 64 IoCs
pid Process 1364 a0176fdfc672f109c8cf3fb6ea789eca5a55f1eef7ce6a509c461acfccad19f9N.exe 1364 a0176fdfc672f109c8cf3fb6ea789eca5a55f1eef7ce6a509c461acfccad19f9N.exe 2512 Hplbamdf.exe 2512 Hplbamdf.exe 2944 Heijidbn.exe 2944 Heijidbn.exe 2144 Ihjcko32.exe 2144 Ihjcko32.exe 1636 Iencdc32.exe 1636 Iencdc32.exe 2740 Iljifm32.exe 2740 Iljifm32.exe 2476 Iainddpg.exe 2476 Iainddpg.exe 948 Jakjjcnd.exe 948 Jakjjcnd.exe 1968 Jgkphj32.exe 1968 Jgkphj32.exe 568 Jjkiie32.exe 568 Jjkiie32.exe 2412 Jafmngde.exe 2412 Jafmngde.exe 2084 Jhqeka32.exe 2084 Jhqeka32.exe 2532 Kdlpkb32.exe 2532 Kdlpkb32.exe 2300 Kjihci32.exe 2300 Kjihci32.exe 1496 Lmlnjcgg.exe 1496 Lmlnjcgg.exe 2548 Lqjfpbmm.exe 2548 Lqjfpbmm.exe 2544 Lchclmla.exe 2544 Lchclmla.exe 2072 Lenioenj.exe 2072 Lenioenj.exe 1744 Lbbiii32.exe 1744 Lbbiii32.exe 1628 Laeidfdn.exe 1628 Laeidfdn.exe 264 Leqeed32.exe 264 Leqeed32.exe 1668 Mljnaocd.exe 1668 Mljnaocd.exe 2780 Magfjebk.exe 2780 Magfjebk.exe 1944 Mcfbfaao.exe 1944 Mcfbfaao.exe 2940 Mjpkbk32.exe 2940 Mjpkbk32.exe 2848 Mjbghkfi.exe 2848 Mjbghkfi.exe 2956 Mnncii32.exe 2956 Mnncii32.exe 2736 Mhfhaoec.exe 2736 Mhfhaoec.exe 2692 Mmcpjfcj.exe 2692 Mmcpjfcj.exe 2764 Mpalfabn.exe 2764 Mpalfabn.exe 2492 Npcika32.exe 2492 Npcika32.exe 1340 Nfmahkhh.exe 1340 Nfmahkhh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gjnigb32.exe Ggpmkgab.exe File created C:\Windows\SysWOW64\Ghjajqph.dll Mfhabe32.exe File created C:\Windows\SysWOW64\Cnogmk32.exe Ckajqo32.exe File created C:\Windows\SysWOW64\Enbhgphd.dll Gjqfmb32.exe File created C:\Windows\SysWOW64\Kpbiempj.exe Klfndn32.exe File created C:\Windows\SysWOW64\Lolpah32.exe Lkqdajhc.exe File created C:\Windows\SysWOW64\Fhglil32.dll Hndaao32.exe File created C:\Windows\SysWOW64\Kpnbgh32.dll Khkdmh32.exe File created C:\Windows\SysWOW64\Nidoamch.exe Nffcebdd.exe File created C:\Windows\SysWOW64\Kkohkj32.dll Nidmhd32.exe File created C:\Windows\SysWOW64\Ofmgmhgh.exe Ooeolkff.exe File created C:\Windows\SysWOW64\Jkkkfi32.dll Deikhhhe.exe File created C:\Windows\SysWOW64\Gnhapl32.dll Nkdpmn32.exe File created C:\Windows\SysWOW64\Amebjgai.exe Ajgfnk32.exe File opened for modification C:\Windows\SysWOW64\Eeiggk32.exe Egfglocf.exe File opened for modification C:\Windows\SysWOW64\Hjmolp32.exe Hccfoehi.exe File created C:\Windows\SysWOW64\Cbnhfhoc.exe Ckdpinhf.exe File created C:\Windows\SysWOW64\Mjpkbk32.exe Mcfbfaao.exe File created C:\Windows\SysWOW64\Hnfgbfba.dll Nfmahkhh.exe File created C:\Windows\SysWOW64\Jgpbfh32.exe Jdbfjm32.exe File created C:\Windows\SysWOW64\Pppnia32.exe Pamnnemo.exe File created C:\Windows\SysWOW64\Okdpmh32.dll Ecodfogg.exe File opened for modification C:\Windows\SysWOW64\Ibdclp32.exe Iilocklc.exe File opened for modification C:\Windows\SysWOW64\Dmalmdcg.exe Djcpqidc.exe File created C:\Windows\SysWOW64\Kaieai32.exe Kkomepon.exe File created C:\Windows\SysWOW64\Lolbjahp.exe Lhbjmg32.exe File created C:\Windows\SysWOW64\Mcfbfaao.exe Magfjebk.exe File created C:\Windows\SysWOW64\Eagiho32.exe Dhodpidl.exe File created C:\Windows\SysWOW64\Pibbke32.dll Gfggbcdg.exe File created C:\Windows\SysWOW64\Doocln32.exe Dlqgob32.exe File created C:\Windows\SysWOW64\Obgmjh32.exe Oddmokoo.exe File opened for modification C:\Windows\SysWOW64\Ggeiooea.exe Gcimop32.exe File created C:\Windows\SysWOW64\Bcdpacgl.exe Bjlkhn32.exe File created C:\Windows\SysWOW64\Dijgnm32.exe Ddmofeam.exe File opened for modification C:\Windows\SysWOW64\Gjqfmb32.exe Gednek32.exe File created C:\Windows\SysWOW64\Iemdfn32.dll Qjbehfbo.exe File opened for modification C:\Windows\SysWOW64\Qicoleno.exe Phabdmgq.exe File opened for modification C:\Windows\SysWOW64\Qpocno32.exe Qkbkfh32.exe File created C:\Windows\SysWOW64\Flbehbqm.exe Fehmlh32.exe File created C:\Windows\SysWOW64\Lhjcendg.dll Kbokda32.exe File opened for modification C:\Windows\SysWOW64\Qnpeijla.exe Qdhqpe32.exe File created C:\Windows\SysWOW64\Plildb32.exe Pglclk32.exe File opened for modification C:\Windows\SysWOW64\Eiocbd32.exe Eecgafkj.exe File created C:\Windows\SysWOW64\Kkeacf32.dll Eokiabjf.exe File opened for modification C:\Windows\SysWOW64\Immkiodb.exe Iefchacp.exe File created C:\Windows\SysWOW64\Lijngqak.dll Fnplgl32.exe File created C:\Windows\SysWOW64\Ppicdhan.dll Bgkeol32.exe File created C:\Windows\SysWOW64\Jfidah32.dll Mnncii32.exe File created C:\Windows\SysWOW64\Inqhhc32.exe Ijelgemi.exe File created C:\Windows\SysWOW64\Anhdmh32.exe Ahllda32.exe File created C:\Windows\SysWOW64\Elefkiaj.dll Kiqdmm32.exe File opened for modification C:\Windows\SysWOW64\Kkfjpemb.exe Kdlbckee.exe File opened for modification C:\Windows\SysWOW64\Dpbenpqh.exe Dlfina32.exe File created C:\Windows\SysWOW64\Hleggpll.dll Ipecndab.exe File created C:\Windows\SysWOW64\Ngoinfao.exe Nccmng32.exe File opened for modification C:\Windows\SysWOW64\Mljnaocd.exe Leqeed32.exe File opened for modification C:\Windows\SysWOW64\Nmbmii32.exe Nkdpmn32.exe File created C:\Windows\SysWOW64\Aehmoh32.exe Aalaoipc.exe File opened for modification C:\Windows\SysWOW64\Agloko32.exe Adncoc32.exe File opened for modification C:\Windows\SysWOW64\Mbbkabdh.exe Lodoefed.exe File created C:\Windows\SysWOW64\Nicfnn32.exe Nalnmahf.exe File opened for modification C:\Windows\SysWOW64\Gqmmhdka.exe Gnoaliln.exe File created C:\Windows\SysWOW64\Pfiffp32.dll Nidoamch.exe File opened for modification C:\Windows\SysWOW64\Nmbenc32.exe Nblaajbd.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8028 7888 WerFault.exe 780 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deonff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogddhmdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipcjje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jocceo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhqfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aehmoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefchacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpajdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdlbckee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddinn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbbiii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flkmokoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plildb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gicpnhbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnpofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcpiombe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjkiie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkjaaglp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjfdcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bocckoom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fplknh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmgef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqhbcqmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfghagio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anpahn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Claake32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lglnajjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklaepbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qicoleno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkiooocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjbghkfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaooin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chkoef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hliieioi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijphqbpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kejahn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlnjcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmcpjfcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmejmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeblgodb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnaokn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmbmii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caepdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifkfap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpbenpqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjephakn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlkhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpjkgip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjgclcjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olobcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqffna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folhio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fondonbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baajji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cahmik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koelibnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcgaae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfhabe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollljo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfaaalep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipoqofjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpcfih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocdnloph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cejfckie.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjpknjgd.dll" Ealbcngg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihkifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnffnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgpjin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgnfpm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ankhmncb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjlkhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffenmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjbmkg32.dll" Mbobgfnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oedqcdim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pppnia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppegdapd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpgedepn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbbiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeanjk32.dll" Kobfqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agldbd32.dll" Ghmohcbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijphqbpo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oipcnieb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iagchmjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omlahqeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dogbkiop.dll" Odckfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmbnhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggeiooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcoimalh.dll" Afnfcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idnppjcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Doocln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ledcahkp.dll" Lllpclnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqidme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bejiehfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhlapc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbghmc32.dll" Iigehk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mchadifq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpkcam32.dll" Cjkamk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiabjm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmgpcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbhbpk32.dll" Ilmgef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pacqlcdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caepdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nadoiccn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmnppdb.dll" Ofmgmhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lijngqak.dll" Fnplgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndfqak32.dll" Kpeonkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aehmoh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdonjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgmbff32.dll" Ihkifi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pamnnemo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iilocklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpajdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ninjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccjfigpf.dll" Ankabh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joicje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkepdbkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlgfqldf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaffca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldkeoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhglil32.dll" Hndaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oldooi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hoegoqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pajicf32.dll" Mhbflj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lenioenj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnpnga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daplmimi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaliaphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmmmbg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1364 wrote to memory of 2512 1364 a0176fdfc672f109c8cf3fb6ea789eca5a55f1eef7ce6a509c461acfccad19f9N.exe 30 PID 1364 wrote to memory of 2512 1364 a0176fdfc672f109c8cf3fb6ea789eca5a55f1eef7ce6a509c461acfccad19f9N.exe 30 PID 1364 wrote to memory of 2512 1364 a0176fdfc672f109c8cf3fb6ea789eca5a55f1eef7ce6a509c461acfccad19f9N.exe 30 PID 1364 wrote to memory of 2512 1364 a0176fdfc672f109c8cf3fb6ea789eca5a55f1eef7ce6a509c461acfccad19f9N.exe 30 PID 2512 wrote to memory of 2944 2512 Hplbamdf.exe 31 PID 2512 wrote to memory of 2944 2512 Hplbamdf.exe 31 PID 2512 wrote to memory of 2944 2512 Hplbamdf.exe 31 PID 2512 wrote to memory of 2944 2512 Hplbamdf.exe 31 PID 2944 wrote to memory of 2144 2944 Heijidbn.exe 32 PID 2944 wrote to memory of 2144 2944 Heijidbn.exe 32 PID 2944 wrote to memory of 2144 2944 Heijidbn.exe 32 PID 2944 wrote to memory of 2144 2944 Heijidbn.exe 32 PID 2144 wrote to memory of 1636 2144 Ihjcko32.exe 33 PID 2144 wrote to memory of 1636 2144 Ihjcko32.exe 33 PID 2144 wrote to memory of 1636 2144 Ihjcko32.exe 33 PID 2144 wrote to memory of 1636 2144 Ihjcko32.exe 33 PID 1636 wrote to memory of 2740 1636 Iencdc32.exe 34 PID 1636 wrote to memory of 2740 1636 Iencdc32.exe 34 PID 1636 wrote to memory of 2740 1636 Iencdc32.exe 34 PID 1636 wrote to memory of 2740 1636 Iencdc32.exe 34 PID 2740 wrote to memory of 2476 2740 Iljifm32.exe 35 PID 2740 wrote to memory of 2476 2740 Iljifm32.exe 35 PID 2740 wrote to memory of 2476 2740 Iljifm32.exe 35 PID 2740 wrote to memory of 2476 2740 Iljifm32.exe 35 PID 2476 wrote to memory of 948 2476 Iainddpg.exe 36 PID 2476 wrote to memory of 948 2476 Iainddpg.exe 36 PID 2476 wrote to memory of 948 2476 Iainddpg.exe 36 PID 2476 wrote to memory of 948 2476 Iainddpg.exe 36 PID 948 wrote to memory of 1968 948 Jakjjcnd.exe 37 PID 948 wrote to memory of 1968 948 Jakjjcnd.exe 37 PID 948 wrote to memory of 1968 948 Jakjjcnd.exe 37 PID 948 wrote to memory of 1968 948 Jakjjcnd.exe 37 PID 1968 wrote to memory of 568 1968 Jgkphj32.exe 38 PID 1968 wrote to memory of 568 1968 Jgkphj32.exe 38 PID 1968 wrote to memory of 568 1968 Jgkphj32.exe 38 PID 1968 wrote to memory of 568 1968 Jgkphj32.exe 38 PID 568 wrote to memory of 2412 568 Jjkiie32.exe 39 PID 568 wrote to memory of 2412 568 Jjkiie32.exe 39 PID 568 wrote to memory of 2412 568 Jjkiie32.exe 39 PID 568 wrote to memory of 2412 568 Jjkiie32.exe 39 PID 2412 wrote to memory of 2084 2412 Jafmngde.exe 40 PID 2412 wrote to memory of 2084 2412 Jafmngde.exe 40 PID 2412 wrote to memory of 2084 2412 Jafmngde.exe 40 PID 2412 wrote to memory of 2084 2412 Jafmngde.exe 40 PID 2084 wrote to memory of 2532 2084 Jhqeka32.exe 41 PID 2084 wrote to memory of 2532 2084 Jhqeka32.exe 41 PID 2084 wrote to memory of 2532 2084 Jhqeka32.exe 41 PID 2084 wrote to memory of 2532 2084 Jhqeka32.exe 41 PID 2532 wrote to memory of 2300 2532 Kdlpkb32.exe 42 PID 2532 wrote to memory of 2300 2532 Kdlpkb32.exe 42 PID 2532 wrote to memory of 2300 2532 Kdlpkb32.exe 42 PID 2532 wrote to memory of 2300 2532 Kdlpkb32.exe 42 PID 2300 wrote to memory of 1496 2300 Kjihci32.exe 43 PID 2300 wrote to memory of 1496 2300 Kjihci32.exe 43 PID 2300 wrote to memory of 1496 2300 Kjihci32.exe 43 PID 2300 wrote to memory of 1496 2300 Kjihci32.exe 43 PID 1496 wrote to memory of 2548 1496 Lmlnjcgg.exe 44 PID 1496 wrote to memory of 2548 1496 Lmlnjcgg.exe 44 PID 1496 wrote to memory of 2548 1496 Lmlnjcgg.exe 44 PID 1496 wrote to memory of 2548 1496 Lmlnjcgg.exe 44 PID 2548 wrote to memory of 2544 2548 Lqjfpbmm.exe 45 PID 2548 wrote to memory of 2544 2548 Lqjfpbmm.exe 45 PID 2548 wrote to memory of 2544 2548 Lqjfpbmm.exe 45 PID 2548 wrote to memory of 2544 2548 Lqjfpbmm.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0176fdfc672f109c8cf3fb6ea789eca5a55f1eef7ce6a509c461acfccad19f9N.exe"C:\Users\Admin\AppData\Local\Temp\a0176fdfc672f109c8cf3fb6ea789eca5a55f1eef7ce6a509c461acfccad19f9N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1364 -
C:\Windows\SysWOW64\Hplbamdf.exeC:\Windows\system32\Hplbamdf.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Heijidbn.exeC:\Windows\system32\Heijidbn.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Ihjcko32.exeC:\Windows\system32\Ihjcko32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Iencdc32.exeC:\Windows\system32\Iencdc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Iljifm32.exeC:\Windows\system32\Iljifm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Iainddpg.exeC:\Windows\system32\Iainddpg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Jakjjcnd.exeC:\Windows\system32\Jakjjcnd.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Jgkphj32.exeC:\Windows\system32\Jgkphj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Jjkiie32.exeC:\Windows\system32\Jjkiie32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\Jafmngde.exeC:\Windows\system32\Jafmngde.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Jhqeka32.exeC:\Windows\system32\Jhqeka32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Kdlpkb32.exeC:\Windows\system32\Kdlpkb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Kjihci32.exeC:\Windows\system32\Kjihci32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Lmlnjcgg.exeC:\Windows\system32\Lmlnjcgg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Lqjfpbmm.exeC:\Windows\system32\Lqjfpbmm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Lchclmla.exeC:\Windows\system32\Lchclmla.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Lenioenj.exeC:\Windows\system32\Lenioenj.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2072 -
C:\Windows\SysWOW64\Lbbiii32.exeC:\Windows\system32\Lbbiii32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Laeidfdn.exeC:\Windows\system32\Laeidfdn.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Leqeed32.exeC:\Windows\system32\Leqeed32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Mljnaocd.exeC:\Windows\system32\Mljnaocd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Magfjebk.exeC:\Windows\system32\Magfjebk.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2780 -
C:\Windows\SysWOW64\Mcfbfaao.exeC:\Windows\system32\Mcfbfaao.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Mjpkbk32.exeC:\Windows\system32\Mjpkbk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Mjbghkfi.exeC:\Windows\system32\Mjbghkfi.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Mnncii32.exeC:\Windows\system32\Mnncii32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Mhfhaoec.exeC:\Windows\system32\Mhfhaoec.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Mmcpjfcj.exeC:\Windows\system32\Mmcpjfcj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Mpalfabn.exeC:\Windows\system32\Mpalfabn.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2764 -
C:\Windows\SysWOW64\Npcika32.exeC:\Windows\system32\Npcika32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Nfmahkhh.exeC:\Windows\system32\Nfmahkhh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1340 -
C:\Windows\SysWOW64\Nbdbml32.exeC:\Windows\system32\Nbdbml32.exe33⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Ninjjf32.exeC:\Windows\system32\Ninjjf32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Nbfobllj.exeC:\Windows\system32\Nbfobllj.exe35⤵
- Executes dropped EXE
PID:2460 -
C:\Windows\SysWOW64\Niqgof32.exeC:\Windows\system32\Niqgof32.exe36⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\Nbilhkig.exeC:\Windows\system32\Nbilhkig.exe37⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Neghdg32.exeC:\Windows\system32\Neghdg32.exe38⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Nkdpmn32.exeC:\Windows\system32\Nkdpmn32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2408 -
C:\Windows\SysWOW64\Nmbmii32.exeC:\Windows\system32\Nmbmii32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:716 -
C:\Windows\SysWOW64\Nhhqfb32.exeC:\Windows\system32\Nhhqfb32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Ngkaaolf.exeC:\Windows\system32\Ngkaaolf.exe42⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Oaqeogll.exeC:\Windows\system32\Oaqeogll.exe43⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Opcejd32.exeC:\Windows\system32\Opcejd32.exe44⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Oiljcj32.exeC:\Windows\system32\Oiljcj32.exe45⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Omgfdhbq.exeC:\Windows\system32\Omgfdhbq.exe46⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Oacbdg32.exeC:\Windows\system32\Oacbdg32.exe47⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Ocdnloph.exeC:\Windows\system32\Ocdnloph.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Ollcee32.exeC:\Windows\system32\Ollcee32.exe49⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Odckfb32.exeC:\Windows\system32\Odckfb32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Oipcnieb.exeC:\Windows\system32\Oipcnieb.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Opjlkc32.exeC:\Windows\system32\Opjlkc32.exe52⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Ogddhmdl.exeC:\Windows\system32\Ogddhmdl.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Oibpdico.exeC:\Windows\system32\Oibpdico.exe54⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Olalpdbc.exeC:\Windows\system32\Olalpdbc.exe55⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Oophlpag.exeC:\Windows\system32\Oophlpag.exe56⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Panehkaj.exeC:\Windows\system32\Panehkaj.exe57⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Plcied32.exeC:\Windows\system32\Plcied32.exe58⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Pelnniga.exeC:\Windows\system32\Pelnniga.exe59⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Pdonjf32.exeC:\Windows\system32\Pdonjf32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1500 -
C:\Windows\SysWOW64\Podbgo32.exeC:\Windows\system32\Podbgo32.exe61⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Pabncj32.exeC:\Windows\system32\Pabncj32.exe62⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Pkkblp32.exeC:\Windows\system32\Pkkblp32.exe63⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Pofomolo.exeC:\Windows\system32\Pofomolo.exe64⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Phocfd32.exeC:\Windows\system32\Phocfd32.exe65⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Pjppmlhm.exeC:\Windows\system32\Pjppmlhm.exe66⤵PID:1408
-
C:\Windows\SysWOW64\Pchdfb32.exeC:\Windows\system32\Pchdfb32.exe67⤵PID:2836
-
C:\Windows\SysWOW64\Pkplgoop.exeC:\Windows\system32\Pkplgoop.exe68⤵PID:1624
-
C:\Windows\SysWOW64\Qmahog32.exeC:\Windows\system32\Qmahog32.exe69⤵PID:2168
-
C:\Windows\SysWOW64\Qdhqpe32.exeC:\Windows\system32\Qdhqpe32.exe70⤵
- Drops file in System32 directory
PID:2800 -
C:\Windows\SysWOW64\Qnpeijla.exeC:\Windows\system32\Qnpeijla.exe71⤵PID:2720
-
C:\Windows\SysWOW64\Qqoaefke.exeC:\Windows\system32\Qqoaefke.exe72⤵PID:2752
-
C:\Windows\SysWOW64\Ajgfnk32.exeC:\Windows\system32\Ajgfnk32.exe73⤵
- Drops file in System32 directory
PID:2424 -
C:\Windows\SysWOW64\Amebjgai.exeC:\Windows\system32\Amebjgai.exe74⤵PID:924
-
C:\Windows\SysWOW64\Afnfcl32.exeC:\Windows\system32\Afnfcl32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Ajibckpc.exeC:\Windows\system32\Ajibckpc.exe76⤵PID:2872
-
C:\Windows\SysWOW64\Akkokc32.exeC:\Windows\system32\Akkokc32.exe77⤵PID:2468
-
C:\Windows\SysWOW64\Afpchl32.exeC:\Windows\system32\Afpchl32.exe78⤵PID:2972
-
C:\Windows\SysWOW64\Akmlacdn.exeC:\Windows\system32\Akmlacdn.exe79⤵PID:2428
-
C:\Windows\SysWOW64\Ankhmncb.exeC:\Windows\system32\Ankhmncb.exe80⤵
- Modifies registry class
PID:904 -
C:\Windows\SysWOW64\Aialjgbh.exeC:\Windows\system32\Aialjgbh.exe81⤵PID:1528
-
C:\Windows\SysWOW64\Agdlfd32.exeC:\Windows\system32\Agdlfd32.exe82⤵PID:2284
-
C:\Windows\SysWOW64\Aalaoipc.exeC:\Windows\system32\Aalaoipc.exe83⤵
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Aehmoh32.exeC:\Windows\system32\Aehmoh32.exe84⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Agfikc32.exeC:\Windows\system32\Agfikc32.exe85⤵PID:876
-
C:\Windows\SysWOW64\Anpahn32.exeC:\Windows\system32\Anpahn32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:964 -
C:\Windows\SysWOW64\Bejiehfi.exeC:\Windows\system32\Bejiehfi.exe87⤵
- Modifies registry class
PID:2820 -
C:\Windows\SysWOW64\Bghfacem.exeC:\Windows\system32\Bghfacem.exe88⤵PID:2868
-
C:\Windows\SysWOW64\Bjgbmoda.exeC:\Windows\system32\Bjgbmoda.exe89⤵PID:2264
-
C:\Windows\SysWOW64\Baajji32.exeC:\Windows\system32\Baajji32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1212 -
C:\Windows\SysWOW64\Bjiobnbn.exeC:\Windows\system32\Bjiobnbn.exe91⤵PID:1492
-
C:\Windows\SysWOW64\Bmhkojab.exeC:\Windows\system32\Bmhkojab.exe92⤵PID:1532
-
C:\Windows\SysWOW64\Bgmolb32.exeC:\Windows\system32\Bgmolb32.exe93⤵PID:1400
-
C:\Windows\SysWOW64\Bjlkhn32.exeC:\Windows\system32\Bjlkhn32.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:2208 -
C:\Windows\SysWOW64\Bcdpacgl.exeC:\Windows\system32\Bcdpacgl.exe95⤵PID:2668
-
C:\Windows\SysWOW64\Bbgplq32.exeC:\Windows\system32\Bbgplq32.exe96⤵PID:2020
-
C:\Windows\SysWOW64\Blodefdg.exeC:\Windows\system32\Blodefdg.exe97⤵PID:2664
-
C:\Windows\SysWOW64\Bcfmfc32.exeC:\Windows\system32\Bcfmfc32.exe98⤵PID:3052
-
C:\Windows\SysWOW64\Biceoj32.exeC:\Windows\system32\Biceoj32.exe99⤵PID:1708
-
C:\Windows\SysWOW64\Claake32.exeC:\Windows\system32\Claake32.exe100⤵
- System Location Discovery: System Language Discovery
PID:2828 -
C:\Windows\SysWOW64\Cnpnga32.exeC:\Windows\system32\Cnpnga32.exe101⤵
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Cejfckie.exeC:\Windows\system32\Cejfckie.exe102⤵
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Cldnqe32.exeC:\Windows\system32\Cldnqe32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2060 -
C:\Windows\SysWOW64\Cobjmq32.exeC:\Windows\system32\Cobjmq32.exe104⤵PID:2116
-
C:\Windows\SysWOW64\Celbik32.exeC:\Windows\system32\Celbik32.exe105⤵PID:652
-
C:\Windows\SysWOW64\Chkoef32.exeC:\Windows\system32\Chkoef32.exe106⤵
- System Location Discovery: System Language Discovery
PID:696 -
C:\Windows\SysWOW64\Caccnllf.exeC:\Windows\system32\Caccnllf.exe107⤵PID:2244
-
C:\Windows\SysWOW64\Ceoooj32.exeC:\Windows\system32\Ceoooj32.exe108⤵PID:2620
-
C:\Windows\SysWOW64\Cogdhpkp.exeC:\Windows\system32\Cogdhpkp.exe109⤵PID:972
-
C:\Windows\SysWOW64\Caepdk32.exeC:\Windows\system32\Caepdk32.exe110⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1012 -
C:\Windows\SysWOW64\Chohqebq.exeC:\Windows\system32\Chohqebq.exe111⤵PID:1020
-
C:\Windows\SysWOW64\Ckndmaad.exeC:\Windows\system32\Ckndmaad.exe112⤵PID:2932
-
C:\Windows\SysWOW64\Coiqmp32.exeC:\Windows\system32\Coiqmp32.exe113⤵PID:1964
-
C:\Windows\SysWOW64\Cahmik32.exeC:\Windows\system32\Cahmik32.exe114⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Cdfief32.exeC:\Windows\system32\Cdfief32.exe115⤵PID:1392
-
C:\Windows\SysWOW64\Dfdeab32.exeC:\Windows\system32\Dfdeab32.exe116⤵PID:2352
-
C:\Windows\SysWOW64\Dajiok32.exeC:\Windows\system32\Dajiok32.exe117⤵PID:1096
-
C:\Windows\SysWOW64\Ddhekfeb.exeC:\Windows\system32\Ddhekfeb.exe118⤵PID:2128
-
C:\Windows\SysWOW64\Dbkffc32.exeC:\Windows\system32\Dbkffc32.exe119⤵PID:104
-
C:\Windows\SysWOW64\Diencmcj.exeC:\Windows\system32\Diencmcj.exe120⤵PID:1648
-
C:\Windows\SysWOW64\Dalfdjdl.exeC:\Windows\system32\Dalfdjdl.exe121⤵PID:1576
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-