Analysis
-
max time kernel
120s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30/09/2024, 09:11
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1fe93ddfd587fac442405c693fbfec536ae600bb04bfda64d4d5954f27bc37e8N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
1fe93ddfd587fac442405c693fbfec536ae600bb04bfda64d4d5954f27bc37e8N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
1fe93ddfd587fac442405c693fbfec536ae600bb04bfda64d4d5954f27bc37e8N.exe
-
Size
67KB
-
MD5
a6a7f1d71bef5c87790a30695de4f2e0
-
SHA1
37ad9182ead50923ce42266515e7dde3cca4fb42
-
SHA256
1fe93ddfd587fac442405c693fbfec536ae600bb04bfda64d4d5954f27bc37e8
-
SHA512
49eb7373330c4507452a4b2289a40a1942d669ed40b2739fcd85a762173d98acf8da685eba8a86596f4a56e5d1b00c103cc8951be09ec71dc88167c78f9afc2e
-
SSDEEP
1536:xcjW5+KdFH30n4kKWAkPhIkTRsJifTduD4oTxw:yjW5+KdFX1+RsJibdMTxw
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icmkpibd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bljeke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcmfeldm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlckoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckpdej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diqabd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nipbpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbpncn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpldkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cocbbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbikokin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpijgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adcakdhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kncmknkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poapbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mggoli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cchdlb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcmdlgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfqbol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgklma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oceaql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eikmkbeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdockgqp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfpggjdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hafbid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afgmldhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jelbqg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nikide32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdockgqp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lblflgqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gadkmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghndjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpqoofhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ippkni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhebij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbefen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjbqei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhimaill.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfdjbcim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgqqcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mahinb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieepad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igaapiqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gekncjfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpnlid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfggccdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kphbmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jambpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfflal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Leqjcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaegaaah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fidmniqa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjomlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfgikgjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fknido32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbgnpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofcldoef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lblflgqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnoiqpqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfpagd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afngoand.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeffpn32.exe -
Executes dropped EXE 64 IoCs
pid Process 2208 Mhdcbjal.exe 2712 Mbmgkp32.exe 2836 Mkelcenm.exe 2844 Ndnplk32.exe 2800 Nnfeep32.exe 2620 Ndpmbjbk.exe 2132 Nnhakp32.exe 2488 Nmnoll32.exe 2156 Ombhgljn.exe 1704 Oiiilm32.exe 1044 Ofmiea32.exe 1724 Onhnjclg.exe 2288 Ollncgjq.exe 2148 Odgchjhl.exe 1716 Oakcan32.exe 2344 Ppqqbjkm.exe 2248 Pmdalo32.exe 1008 Pikaqppk.exe 848 Pbcfie32.exe 2372 Pojgnf32.exe 276 Phckglbq.exe 1584 Qomcdf32.exe 1736 Qibhao32.exe 888 Qeihfp32.exe 2700 Aekelo32.exe 2296 Aodjdede.exe 2920 Ahlnmjkf.exe 2708 Acfonhgd.exe 2904 Alncgn32.exe 2264 Ajbdpblo.exe 792 Bgfdjfkh.exe 956 Bapejd32.exe 896 Bkhjcing.exe 2944 Babbpc32.exe 2244 Bdpnlo32.exe 2564 Bkjfhile.exe 1496 Bdbkaoce.exe 2796 Bohoogbk.exe 3012 Bdehgnqc.exe 1864 Cjbpoeoj.exe 936 Ckamihfm.exe 864 Cnpieceq.exe 2504 Cdjabn32.exe 1612 Cfknjfbl.exe 1984 Cocbbk32.exe 1272 Cfmjoe32.exe 2000 Ccakij32.exe 2416 Cincaq32.exe 1624 Cklpml32.exe 2256 Cbfhjfdk.exe 2628 Dmllgo32.exe 804 Dpjhcj32.exe 2052 Dgemgm32.exe 2732 Eaegaaah.exe 2752 Ehopnk32.exe 2884 Ejpipf32.exe 2240 Epmahmcm.exe 2948 Eeijpdbd.exe 1796 Elcbmn32.exe 1640 Efifjg32.exe 1324 Eigbfb32.exe 2776 Epakcm32.exe 1032 Eenckc32.exe 1592 Fpcghl32.exe -
Loads dropped DLL 64 IoCs
pid Process 2980 1fe93ddfd587fac442405c693fbfec536ae600bb04bfda64d4d5954f27bc37e8N.exe 2980 1fe93ddfd587fac442405c693fbfec536ae600bb04bfda64d4d5954f27bc37e8N.exe 2208 Mhdcbjal.exe 2208 Mhdcbjal.exe 2712 Mbmgkp32.exe 2712 Mbmgkp32.exe 2836 Mkelcenm.exe 2836 Mkelcenm.exe 2844 Ndnplk32.exe 2844 Ndnplk32.exe 2800 Nnfeep32.exe 2800 Nnfeep32.exe 2620 Ndpmbjbk.exe 2620 Ndpmbjbk.exe 2132 Nnhakp32.exe 2132 Nnhakp32.exe 2488 Nmnoll32.exe 2488 Nmnoll32.exe 2156 Ombhgljn.exe 2156 Ombhgljn.exe 1704 Oiiilm32.exe 1704 Oiiilm32.exe 1044 Ofmiea32.exe 1044 Ofmiea32.exe 1724 Onhnjclg.exe 1724 Onhnjclg.exe 2288 Ollncgjq.exe 2288 Ollncgjq.exe 2148 Odgchjhl.exe 2148 Odgchjhl.exe 1716 Oakcan32.exe 1716 Oakcan32.exe 2344 Ppqqbjkm.exe 2344 Ppqqbjkm.exe 2248 Pmdalo32.exe 2248 Pmdalo32.exe 1008 Pikaqppk.exe 1008 Pikaqppk.exe 848 Pbcfie32.exe 848 Pbcfie32.exe 2372 Pojgnf32.exe 2372 Pojgnf32.exe 276 Phckglbq.exe 276 Phckglbq.exe 1584 Qomcdf32.exe 1584 Qomcdf32.exe 1736 Qibhao32.exe 1736 Qibhao32.exe 888 Qeihfp32.exe 888 Qeihfp32.exe 2700 Aekelo32.exe 2700 Aekelo32.exe 2296 Aodjdede.exe 2296 Aodjdede.exe 2920 Ahlnmjkf.exe 2920 Ahlnmjkf.exe 2708 Acfonhgd.exe 2708 Acfonhgd.exe 2904 Alncgn32.exe 2904 Alncgn32.exe 2264 Ajbdpblo.exe 2264 Ajbdpblo.exe 792 Bgfdjfkh.exe 792 Bgfdjfkh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kkngmm32.dll Cfknjfbl.exe File opened for modification C:\Windows\SysWOW64\Lblhep32.exe Lpnlid32.exe File opened for modification C:\Windows\SysWOW64\Hecedmaa.exe Hnimgcjd.exe File opened for modification C:\Windows\SysWOW64\Djjlmj32.exe Process not Found File created C:\Windows\SysWOW64\Jficbn32.exe Jhebij32.exe File created C:\Windows\SysWOW64\Njeijc32.dll Bhbdpf32.exe File created C:\Windows\SysWOW64\Oeianohn.dll Ndkoemji.exe File created C:\Windows\SysWOW64\Kgcbpemp.exe Kmnnblmj.exe File created C:\Windows\SysWOW64\Elhokg32.exe Eiibok32.exe File created C:\Windows\SysWOW64\Hqfige32.dll Nhjofbdk.exe File created C:\Windows\SysWOW64\Ngpoigdg.dll Fnkchahn.exe File created C:\Windows\SysWOW64\Hfkkmaol.exe Hoacqggo.exe File created C:\Windows\SysWOW64\Anoqcekc.dll Pnnlfd32.exe File created C:\Windows\SysWOW64\Pbnfgk32.dll Khmamhek.exe File opened for modification C:\Windows\SysWOW64\Pdpcgl32.exe Pldobjec.exe File opened for modification C:\Windows\SysWOW64\Bbpioa32.exe Bmcpfj32.exe File created C:\Windows\SysWOW64\Neabophn.exe Nngjbfpa.exe File opened for modification C:\Windows\SysWOW64\Kpbajggh.exe Process not Found File created C:\Windows\SysWOW64\Belcck32.exe Beignlig.exe File opened for modification C:\Windows\SysWOW64\Cfpinnfj.exe Clheeh32.exe File created C:\Windows\SysWOW64\Nphbhm32.exe Nmifla32.exe File created C:\Windows\SysWOW64\Fhmcllgo.dll Angklf32.exe File opened for modification C:\Windows\SysWOW64\Lkjolc32.exe Process not Found File created C:\Windows\SysWOW64\Oglgji32.exe Process not Found File created C:\Windows\SysWOW64\Cfmjoe32.exe Cocbbk32.exe File created C:\Windows\SysWOW64\Pidggp32.dll Bgqqcd32.exe File opened for modification C:\Windows\SysWOW64\Iilqnp32.exe Ipclej32.exe File opened for modification C:\Windows\SysWOW64\Flgdod32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ingmoj32.exe Ickoimie.exe File opened for modification C:\Windows\SysWOW64\Jjfplfll.exe Jiecdn32.exe File created C:\Windows\SysWOW64\Qhoegi32.dll Anhomg32.exe File created C:\Windows\SysWOW64\Ejnqkh32.exe Egpdom32.exe File created C:\Windows\SysWOW64\Mhklfbcj.exe Mnfhhicd.exe File created C:\Windows\SysWOW64\Eaodhk32.dll Fholmo32.exe File created C:\Windows\SysWOW64\Cnbndbhi.dll Nphbhm32.exe File opened for modification C:\Windows\SysWOW64\Fhpflblk.exe Fgojdj32.exe File created C:\Windows\SysWOW64\Dkminf32.dll Kgfannba.exe File opened for modification C:\Windows\SysWOW64\Hqdeciho.exe Process not Found File created C:\Windows\SysWOW64\Kmkodd32.exe Jbandfkj.exe File created C:\Windows\SysWOW64\Pkiikm32.exe Peoanckj.exe File opened for modification C:\Windows\SysWOW64\Ajibeg32.exe Aaqnmbdd.exe File opened for modification C:\Windows\SysWOW64\Pmamne32.exe Pjbqaj32.exe File opened for modification C:\Windows\SysWOW64\Gkqjlpmd.exe Process not Found File created C:\Windows\SysWOW64\Bohejibe.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gkaghf32.exe Gpkckneh.exe File opened for modification C:\Windows\SysWOW64\Jlleni32.exe Idqpjg32.exe File opened for modification C:\Windows\SysWOW64\Nphbhm32.exe Nmifla32.exe File opened for modification C:\Windows\SysWOW64\Bgjknijp.exe Bnagecdp.exe File created C:\Windows\SysWOW64\Gmlokdgp.exe Gccjbo32.exe File created C:\Windows\SysWOW64\Ofhefe32.dll Lcdmekne.exe File created C:\Windows\SysWOW64\Pnmaofkf.dll Cdkfco32.exe File created C:\Windows\SysWOW64\Maboal32.dll Cbpncn32.exe File created C:\Windows\SysWOW64\Elcmldoe.dll Imifpagp.exe File created C:\Windows\SysWOW64\Iapghlbe.exe Ippkni32.exe File created C:\Windows\SysWOW64\Injnfl32.exe Idaimfjf.exe File created C:\Windows\SysWOW64\Fhhbffkk.exe Fpqjeiji.exe File created C:\Windows\SysWOW64\Ccpjae32.dll Oamaan32.exe File created C:\Windows\SysWOW64\Adjoqjfc.exe Qaifoo32.exe File opened for modification C:\Windows\SysWOW64\Lljolodf.exe Kfmfchfo.exe File opened for modification C:\Windows\SysWOW64\Pamnpahp.exe Pcgqoech.exe File created C:\Windows\SysWOW64\Ahbqliap.exe Afngoand.exe File created C:\Windows\SysWOW64\Nbnhppoa.dll Kpqaanqd.exe File created C:\Windows\SysWOW64\Eqfjdnpo.dll Hmcimq32.exe File created C:\Windows\SysWOW64\Dgejkj32.dll Bigbmb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5648 2372 Process not Found 1147 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdohme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqjhkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iemoebmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcmdlgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgillijo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjlgna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dplbbndo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hchfff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogiegc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdjnge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfqbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkcnleom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnlpmiog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgemgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaheqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppelfbol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaknmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njnion32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbbacdfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efkfbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iianjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgbiggof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgklma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpgae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnfoho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lofafhck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahlnmjkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Immnlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fphgpnhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djaiho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfeep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pojgnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baakem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lanmde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpmcmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hchcmnlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Belhem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfdpbaeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjbncqkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bohoogbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nldgdpjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fobodn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcjamb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqapek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpicjend.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjbqaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbqbioeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phphgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjkneb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhkngcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmfeldm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmklikob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdjckfda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqhfoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nimaic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbjpmmij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djcbib32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjbcfc32.dll" Hohhfbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjbqei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Higkdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dflbbm32.dll" Ilaieljl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feeipfhl.dll" Qeihfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pidhjg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikaglgei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opkcpndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fcehpbdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkhdohnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpbfggdo.dll" Mfpdim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abghlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hneddmal.dll" Alncgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qogiamoa.dll" Dgcnihnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcflbpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjimafji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcboqhc.dll" 1fe93ddfd587fac442405c693fbfec536ae600bb04bfda64d4d5954f27bc37e8N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfnpgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjpodhfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaecne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmobpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olablfbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffaeneno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkegbc32.dll" Hacabgig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkeogn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohhmhk32.dll" Hafbid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eifgeike.dll" Cleaebna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elahkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdpepejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbnbpcde.dll" Jpdibapb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilfeidmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chimmcji.dll" Dkdjol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcojn32.dll" Cocbbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Babpgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nngjbfpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jofaoo32.dll" Neabophn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppqqbjkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okaclf32.dll" Hjqpcq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kncmknkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llefld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqebij32.dll" Ffghlcei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjnohc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkfqdkpa.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqmkflcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnbeacbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kekbip32.dll" Phphgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnhfjaph.dll" Ffaeneno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gigllafc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfkogno.dll" Jmjidneo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgoief32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pamnpahp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cocpjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeijpdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enblpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaeonhdm.dll" Qibhao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbnleo32.dll" Hlgodgnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhjnniic.dll" Mbiokdam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Haoggh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icamaenn.dll" Nihjfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcbee32.dll" Cbhejf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fcbcdfpo.dll" Ihehbpel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jllggbde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgfnfq32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2980 wrote to memory of 2208 2980 1fe93ddfd587fac442405c693fbfec536ae600bb04bfda64d4d5954f27bc37e8N.exe 29 PID 2980 wrote to memory of 2208 2980 1fe93ddfd587fac442405c693fbfec536ae600bb04bfda64d4d5954f27bc37e8N.exe 29 PID 2980 wrote to memory of 2208 2980 1fe93ddfd587fac442405c693fbfec536ae600bb04bfda64d4d5954f27bc37e8N.exe 29 PID 2980 wrote to memory of 2208 2980 1fe93ddfd587fac442405c693fbfec536ae600bb04bfda64d4d5954f27bc37e8N.exe 29 PID 2208 wrote to memory of 2712 2208 Mhdcbjal.exe 30 PID 2208 wrote to memory of 2712 2208 Mhdcbjal.exe 30 PID 2208 wrote to memory of 2712 2208 Mhdcbjal.exe 30 PID 2208 wrote to memory of 2712 2208 Mhdcbjal.exe 30 PID 2712 wrote to memory of 2836 2712 Mbmgkp32.exe 31 PID 2712 wrote to memory of 2836 2712 Mbmgkp32.exe 31 PID 2712 wrote to memory of 2836 2712 Mbmgkp32.exe 31 PID 2712 wrote to memory of 2836 2712 Mbmgkp32.exe 31 PID 2836 wrote to memory of 2844 2836 Mkelcenm.exe 32 PID 2836 wrote to memory of 2844 2836 Mkelcenm.exe 32 PID 2836 wrote to memory of 2844 2836 Mkelcenm.exe 32 PID 2836 wrote to memory of 2844 2836 Mkelcenm.exe 32 PID 2844 wrote to memory of 2800 2844 Ndnplk32.exe 33 PID 2844 wrote to memory of 2800 2844 Ndnplk32.exe 33 PID 2844 wrote to memory of 2800 2844 Ndnplk32.exe 33 PID 2844 wrote to memory of 2800 2844 Ndnplk32.exe 33 PID 2800 wrote to memory of 2620 2800 Nnfeep32.exe 34 PID 2800 wrote to memory of 2620 2800 Nnfeep32.exe 34 PID 2800 wrote to memory of 2620 2800 Nnfeep32.exe 34 PID 2800 wrote to memory of 2620 2800 Nnfeep32.exe 34 PID 2620 wrote to memory of 2132 2620 Ndpmbjbk.exe 35 PID 2620 wrote to memory of 2132 2620 Ndpmbjbk.exe 35 PID 2620 wrote to memory of 2132 2620 Ndpmbjbk.exe 35 PID 2620 wrote to memory of 2132 2620 Ndpmbjbk.exe 35 PID 2132 wrote to memory of 2488 2132 Nnhakp32.exe 36 PID 2132 wrote to memory of 2488 2132 Nnhakp32.exe 36 PID 2132 wrote to memory of 2488 2132 Nnhakp32.exe 36 PID 2132 wrote to memory of 2488 2132 Nnhakp32.exe 36 PID 2488 wrote to memory of 2156 2488 Nmnoll32.exe 37 PID 2488 wrote to memory of 2156 2488 Nmnoll32.exe 37 PID 2488 wrote to memory of 2156 2488 Nmnoll32.exe 37 PID 2488 wrote to memory of 2156 2488 Nmnoll32.exe 37 PID 2156 wrote to memory of 1704 2156 Ombhgljn.exe 38 PID 2156 wrote to memory of 1704 2156 Ombhgljn.exe 38 PID 2156 wrote to memory of 1704 2156 Ombhgljn.exe 38 PID 2156 wrote to memory of 1704 2156 Ombhgljn.exe 38 PID 1704 wrote to memory of 1044 1704 Oiiilm32.exe 39 PID 1704 wrote to memory of 1044 1704 Oiiilm32.exe 39 PID 1704 wrote to memory of 1044 1704 Oiiilm32.exe 39 PID 1704 wrote to memory of 1044 1704 Oiiilm32.exe 39 PID 1044 wrote to memory of 1724 1044 Ofmiea32.exe 40 PID 1044 wrote to memory of 1724 1044 Ofmiea32.exe 40 PID 1044 wrote to memory of 1724 1044 Ofmiea32.exe 40 PID 1044 wrote to memory of 1724 1044 Ofmiea32.exe 40 PID 1724 wrote to memory of 2288 1724 Onhnjclg.exe 41 PID 1724 wrote to memory of 2288 1724 Onhnjclg.exe 41 PID 1724 wrote to memory of 2288 1724 Onhnjclg.exe 41 PID 1724 wrote to memory of 2288 1724 Onhnjclg.exe 41 PID 2288 wrote to memory of 2148 2288 Ollncgjq.exe 42 PID 2288 wrote to memory of 2148 2288 Ollncgjq.exe 42 PID 2288 wrote to memory of 2148 2288 Ollncgjq.exe 42 PID 2288 wrote to memory of 2148 2288 Ollncgjq.exe 42 PID 2148 wrote to memory of 1716 2148 Odgchjhl.exe 43 PID 2148 wrote to memory of 1716 2148 Odgchjhl.exe 43 PID 2148 wrote to memory of 1716 2148 Odgchjhl.exe 43 PID 2148 wrote to memory of 1716 2148 Odgchjhl.exe 43 PID 1716 wrote to memory of 2344 1716 Oakcan32.exe 44 PID 1716 wrote to memory of 2344 1716 Oakcan32.exe 44 PID 1716 wrote to memory of 2344 1716 Oakcan32.exe 44 PID 1716 wrote to memory of 2344 1716 Oakcan32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\1fe93ddfd587fac442405c693fbfec536ae600bb04bfda64d4d5954f27bc37e8N.exe"C:\Users\Admin\AppData\Local\Temp\1fe93ddfd587fac442405c693fbfec536ae600bb04bfda64d4d5954f27bc37e8N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Mhdcbjal.exeC:\Windows\system32\Mhdcbjal.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Mbmgkp32.exeC:\Windows\system32\Mbmgkp32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Mkelcenm.exeC:\Windows\system32\Mkelcenm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Ndnplk32.exeC:\Windows\system32\Ndnplk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Nnfeep32.exeC:\Windows\system32\Nnfeep32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Ndpmbjbk.exeC:\Windows\system32\Ndpmbjbk.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Nnhakp32.exeC:\Windows\system32\Nnhakp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Nmnoll32.exeC:\Windows\system32\Nmnoll32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Ombhgljn.exeC:\Windows\system32\Ombhgljn.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Oiiilm32.exeC:\Windows\system32\Oiiilm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Ofmiea32.exeC:\Windows\system32\Ofmiea32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Onhnjclg.exeC:\Windows\system32\Onhnjclg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Ollncgjq.exeC:\Windows\system32\Ollncgjq.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Odgchjhl.exeC:\Windows\system32\Odgchjhl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Oakcan32.exeC:\Windows\system32\Oakcan32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Ppqqbjkm.exeC:\Windows\system32\Ppqqbjkm.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Pmdalo32.exeC:\Windows\system32\Pmdalo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Pikaqppk.exeC:\Windows\system32\Pikaqppk.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1008 -
C:\Windows\SysWOW64\Pbcfie32.exeC:\Windows\system32\Pbcfie32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:848 -
C:\Windows\SysWOW64\Pojgnf32.exeC:\Windows\system32\Pojgnf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\Phckglbq.exeC:\Windows\system32\Phckglbq.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Windows\SysWOW64\Qomcdf32.exeC:\Windows\system32\Qomcdf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Qibhao32.exeC:\Windows\system32\Qibhao32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Qeihfp32.exeC:\Windows\system32\Qeihfp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:888 -
C:\Windows\SysWOW64\Aekelo32.exeC:\Windows\system32\Aekelo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Aodjdede.exeC:\Windows\system32\Aodjdede.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Ahlnmjkf.exeC:\Windows\system32\Ahlnmjkf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Acfonhgd.exeC:\Windows\system32\Acfonhgd.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2708 -
C:\Windows\SysWOW64\Alncgn32.exeC:\Windows\system32\Alncgn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Ajbdpblo.exeC:\Windows\system32\Ajbdpblo.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Bgfdjfkh.exeC:\Windows\system32\Bgfdjfkh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:792 -
C:\Windows\SysWOW64\Bapejd32.exeC:\Windows\system32\Bapejd32.exe33⤵
- Executes dropped EXE
PID:956 -
C:\Windows\SysWOW64\Bkhjcing.exeC:\Windows\system32\Bkhjcing.exe34⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Babbpc32.exeC:\Windows\system32\Babbpc32.exe35⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Bdpnlo32.exeC:\Windows\system32\Bdpnlo32.exe36⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Bkjfhile.exeC:\Windows\system32\Bkjfhile.exe37⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Bdbkaoce.exeC:\Windows\system32\Bdbkaoce.exe38⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Bohoogbk.exeC:\Windows\system32\Bohoogbk.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Bdehgnqc.exeC:\Windows\system32\Bdehgnqc.exe40⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Cjbpoeoj.exeC:\Windows\system32\Cjbpoeoj.exe41⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Ckamihfm.exeC:\Windows\system32\Ckamihfm.exe42⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Cnpieceq.exeC:\Windows\system32\Cnpieceq.exe43⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Cdjabn32.exeC:\Windows\system32\Cdjabn32.exe44⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Cfknjfbl.exeC:\Windows\system32\Cfknjfbl.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Cocbbk32.exeC:\Windows\system32\Cocbbk32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Cfmjoe32.exeC:\Windows\system32\Cfmjoe32.exe47⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Ccakij32.exeC:\Windows\system32\Ccakij32.exe48⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Cincaq32.exeC:\Windows\system32\Cincaq32.exe49⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Cklpml32.exeC:\Windows\system32\Cklpml32.exe50⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Cbfhjfdk.exeC:\Windows\system32\Cbfhjfdk.exe51⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Dmllgo32.exeC:\Windows\system32\Dmllgo32.exe52⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Dpjhcj32.exeC:\Windows\system32\Dpjhcj32.exe53⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Dgemgm32.exeC:\Windows\system32\Dgemgm32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Eaegaaah.exeC:\Windows\system32\Eaegaaah.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Ehopnk32.exeC:\Windows\system32\Ehopnk32.exe56⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Ejpipf32.exeC:\Windows\system32\Ejpipf32.exe57⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Epmahmcm.exeC:\Windows\system32\Epmahmcm.exe58⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Eeijpdbd.exeC:\Windows\system32\Eeijpdbd.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2948 -
C:\Windows\SysWOW64\Elcbmn32.exeC:\Windows\system32\Elcbmn32.exe60⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Efifjg32.exeC:\Windows\system32\Efifjg32.exe61⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Eigbfb32.exeC:\Windows\system32\Eigbfb32.exe62⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Epakcm32.exeC:\Windows\system32\Epakcm32.exe63⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Eenckc32.exeC:\Windows\system32\Eenckc32.exe64⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Fpcghl32.exeC:\Windows\system32\Fpcghl32.exe65⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Faedpdcc.exeC:\Windows\system32\Faedpdcc.exe66⤵PID:1988
-
C:\Windows\SysWOW64\Fholmo32.exeC:\Windows\system32\Fholmo32.exe67⤵
- Drops file in System32 directory
PID:1500 -
C:\Windows\SysWOW64\Fdemap32.exeC:\Windows\system32\Fdemap32.exe68⤵PID:820
-
C:\Windows\SysWOW64\Fomndhng.exeC:\Windows\system32\Fomndhng.exe69⤵PID:2916
-
C:\Windows\SysWOW64\Fhfbmn32.exeC:\Windows\system32\Fhfbmn32.exe70⤵PID:1012
-
C:\Windows\SysWOW64\Gdmcbojl.exeC:\Windows\system32\Gdmcbojl.exe71⤵PID:2448
-
C:\Windows\SysWOW64\Gcapckod.exeC:\Windows\system32\Gcapckod.exe72⤵PID:2912
-
C:\Windows\SysWOW64\Ggphji32.exeC:\Windows\system32\Ggphji32.exe73⤵PID:2632
-
C:\Windows\SysWOW64\Gaiijgbi.exeC:\Windows\system32\Gaiijgbi.exe74⤵PID:2780
-
C:\Windows\SysWOW64\Gomjckqc.exeC:\Windows\system32\Gomjckqc.exe75⤵PID:2816
-
C:\Windows\SysWOW64\Gheola32.exeC:\Windows\system32\Gheola32.exe76⤵PID:2868
-
C:\Windows\SysWOW64\Hhjhgpcn.exeC:\Windows\system32\Hhjhgpcn.exe77⤵PID:364
-
C:\Windows\SysWOW64\Hgpeimhf.exeC:\Windows\system32\Hgpeimhf.exe78⤵PID:656
-
C:\Windows\SysWOW64\Hnimeg32.exeC:\Windows\system32\Hnimeg32.exe79⤵PID:644
-
C:\Windows\SysWOW64\Hjpnjheg.exeC:\Windows\system32\Hjpnjheg.exe80⤵PID:3000
-
C:\Windows\SysWOW64\Hchbcmlh.exeC:\Windows\system32\Hchbcmlh.exe81⤵PID:1828
-
C:\Windows\SysWOW64\Ickoimie.exeC:\Windows\system32\Ickoimie.exe82⤵
- Drops file in System32 directory
PID:680 -
C:\Windows\SysWOW64\Ingmoj32.exeC:\Windows\system32\Ingmoj32.exe83⤵PID:1268
-
C:\Windows\SysWOW64\Iaheqe32.exeC:\Windows\system32\Iaheqe32.exe84⤵
- System Location Discovery: System Language Discovery
PID:592 -
C:\Windows\SysWOW64\Ijpjik32.exeC:\Windows\system32\Ijpjik32.exe85⤵PID:1516
-
C:\Windows\SysWOW64\Jgdkbo32.exeC:\Windows\system32\Jgdkbo32.exe86⤵PID:2552
-
C:\Windows\SysWOW64\Jalolemm.exeC:\Windows\system32\Jalolemm.exe87⤵PID:952
-
C:\Windows\SysWOW64\Jpdibapb.exeC:\Windows\system32\Jpdibapb.exe88⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Jjimpj32.exeC:\Windows\system32\Jjimpj32.exe89⤵PID:2596
-
C:\Windows\SysWOW64\Jpfehq32.exeC:\Windows\system32\Jpfehq32.exe90⤵PID:2676
-
C:\Windows\SysWOW64\Kphbmp32.exeC:\Windows\system32\Kphbmp32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2992 -
C:\Windows\SysWOW64\Kbikokin.exeC:\Windows\system32\Kbikokin.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2684 -
C:\Windows\SysWOW64\Klapha32.exeC:\Windows\system32\Klapha32.exe93⤵PID:2060
-
C:\Windows\SysWOW64\Kdmdlc32.exeC:\Windows\system32\Kdmdlc32.exe94⤵PID:2964
-
C:\Windows\SysWOW64\Kkglim32.exeC:\Windows\system32\Kkglim32.exe95⤵PID:424
-
C:\Windows\SysWOW64\Lpfagd32.exeC:\Windows\system32\Lpfagd32.exe96⤵PID:1936
-
C:\Windows\SysWOW64\Lmjbphod.exeC:\Windows\system32\Lmjbphod.exe97⤵PID:2924
-
C:\Windows\SysWOW64\Lbgkhoml.exeC:\Windows\system32\Lbgkhoml.exe98⤵PID:1768
-
C:\Windows\SysWOW64\Lmlofhmb.exeC:\Windows\system32\Lmlofhmb.exe99⤵PID:1632
-
C:\Windows\SysWOW64\Lggpdmap.exeC:\Windows\system32\Lggpdmap.exe100⤵PID:1732
-
C:\Windows\SysWOW64\Lihifhoq.exeC:\Windows\system32\Lihifhoq.exe101⤵PID:1484
-
C:\Windows\SysWOW64\Mlhbgc32.exeC:\Windows\system32\Mlhbgc32.exe102⤵PID:2004
-
C:\Windows\SysWOW64\Maejpj32.exeC:\Windows\system32\Maejpj32.exe103⤵PID:2932
-
C:\Windows\SysWOW64\Mknohpqj.exeC:\Windows\system32\Mknohpqj.exe104⤵PID:2928
-
C:\Windows\SysWOW64\Nfqbol32.exeC:\Windows\system32\Nfqbol32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2252 -
C:\Windows\SysWOW64\Onqaonnc.exeC:\Windows\system32\Onqaonnc.exe106⤵PID:2304
-
C:\Windows\SysWOW64\Ogiegc32.exeC:\Windows\system32\Ogiegc32.exe107⤵
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Oqajqi32.exeC:\Windows\system32\Oqajqi32.exe108⤵PID:2860
-
C:\Windows\SysWOW64\Okgnna32.exeC:\Windows\system32\Okgnna32.exe109⤵PID:924
-
C:\Windows\SysWOW64\Oqcffi32.exeC:\Windows\system32\Oqcffi32.exe110⤵PID:2452
-
C:\Windows\SysWOW64\Ofqonp32.exeC:\Windows\system32\Ofqonp32.exe111⤵PID:2440
-
C:\Windows\SysWOW64\Ofcldoef.exeC:\Windows\system32\Ofcldoef.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2116 -
C:\Windows\SysWOW64\Ocglmcdp.exeC:\Windows\system32\Ocglmcdp.exe113⤵PID:1664
-
C:\Windows\SysWOW64\Pblinp32.exeC:\Windows\system32\Pblinp32.exe114⤵PID:2896
-
C:\Windows\SysWOW64\Pppihdha.exeC:\Windows\system32\Pppihdha.exe115⤵PID:1968
-
C:\Windows\SysWOW64\Pembpkfi.exeC:\Windows\system32\Pembpkfi.exe116⤵PID:368
-
C:\Windows\SysWOW64\Ppbfmdfo.exeC:\Windows\system32\Ppbfmdfo.exe117⤵PID:2748
-
C:\Windows\SysWOW64\Pbqbioeb.exeC:\Windows\system32\Pbqbioeb.exe118⤵
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Pjlgna32.exeC:\Windows\system32\Pjlgna32.exe119⤵
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Phphgf32.exeC:\Windows\system32\Phphgf32.exe120⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2908 -
C:\Windows\SysWOW64\Qfedhb32.exeC:\Windows\system32\Qfedhb32.exe121⤵PID:2788
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-