Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
04-10-2024 05:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe
-
Size
91KB
-
MD5
7fe56c98c4a61eb8dab7113aa76e8a40
-
SHA1
9d1e846abbf7e594e70edc76092ad1067cf63c22
-
SHA256
d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376
-
SHA512
33c28c045b32cff5f02e6e780f0a0a9f15fc9ebc0701a5b25475eba17671b8cec07a4d2408327d43b924321239ab60ec52d0ea73f9471a439496d9fc784305ff
-
SSDEEP
1536:C7MFKQtwzvcgz4weZZs1wQtkfnLyDXdi8pE4g5a3iZ8saqYko:SMhWEyeI1w9GDN3E4xSzWP
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eklqcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odgamdef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifgicg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdompf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbfook32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnkoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnjicjbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgblmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfoojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jagpdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppinkcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggkqmoma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kklkcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmedlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmjoqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhpgfeao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkifdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Diaaeepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecploipa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkbgckgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnjbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkcbnanl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pifbjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmqmod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lljpjchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phcpgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkbcbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfdddm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nenkqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bniajoic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfkfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgnbnpkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnqdhga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjdmjgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfjann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijnkifgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmccqbpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhjfgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajcipc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgnkci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kindeddf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njbfnjeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfljkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiqoeplo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oflpgnld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afliclij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khielcfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aklabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eaeipfei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jondnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pohhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cagienkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbnmienj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpojkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obbdml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbgjgomc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2232 Nijnln32.exe 2684 Npdfhhhe.exe 1032 Oiljam32.exe 2824 Opfbngfb.exe 2892 Obdojcef.exe 2884 Ohagbj32.exe 2620 Okpcoe32.exe 2460 Oajlkojn.exe 928 Odhhgkib.exe 1944 Ohcdhi32.exe 2784 Oonldcih.exe 2868 Oehdan32.exe 712 Odjdmjgo.exe 2952 Oopijc32.exe 1920 Opaebkmc.exe 2364 Ogknoe32.exe 2584 Oijjka32.exe 708 Ppcbgkka.exe 3068 Pdonhj32.exe 872 Pgnjde32.exe 1008 Pkifdd32.exe 1844 Pmgbao32.exe 3024 Ppfomk32.exe 1096 Pcdkif32.exe 572 Pecgea32.exe 2576 Pincfpoo.exe 2920 Pphkbj32.exe 2796 Pcghof32.exe 2756 Phcpgm32.exe 2832 Plolgk32.exe 2612 Palepb32.exe 2664 Phfmllbd.exe 2380 Panaeb32.exe 2688 Pdmnam32.exe 2864 Pldebkhj.exe 2128 Qnebjc32.exe 1876 Qfljkp32.exe 2964 Qhjfgl32.exe 2956 Qgmfchei.exe 2444 Qngopb32.exe 1268 Qackpado.exe 2076 Abegfa32.exe 1252 Aqhhanig.exe 1316 Aknlofim.exe 1532 Ajqljc32.exe 2524 Amohfo32.exe 2092 Adfqgl32.exe 1716 Agdmdg32.exe 2124 Ajcipc32.exe 2820 Amaelomh.exe 2192 Aqmamm32.exe 2648 Ackmih32.exe 2676 Aggiigmn.exe 1072 Afjjed32.exe 1616 Aihfap32.exe 1860 Amcbankf.exe 2828 Acnjnh32.exe 908 Aflfjc32.exe 2312 Ajgbkbjp.exe 1856 Amfognic.exe 448 Aodkci32.exe 1680 Bcpgdhpp.exe 1420 Bfncpcoc.exe 1780 Beackp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2000 d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe 2000 d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe 2232 Nijnln32.exe 2232 Nijnln32.exe 2684 Npdfhhhe.exe 2684 Npdfhhhe.exe 1032 Oiljam32.exe 1032 Oiljam32.exe 2824 Opfbngfb.exe 2824 Opfbngfb.exe 2892 Obdojcef.exe 2892 Obdojcef.exe 2884 Ohagbj32.exe 2884 Ohagbj32.exe 2620 Okpcoe32.exe 2620 Okpcoe32.exe 2460 Oajlkojn.exe 2460 Oajlkojn.exe 928 Odhhgkib.exe 928 Odhhgkib.exe 1944 Ohcdhi32.exe 1944 Ohcdhi32.exe 2784 Oonldcih.exe 2784 Oonldcih.exe 2868 Oehdan32.exe 2868 Oehdan32.exe 712 Odjdmjgo.exe 712 Odjdmjgo.exe 2952 Oopijc32.exe 2952 Oopijc32.exe 1920 Opaebkmc.exe 1920 Opaebkmc.exe 2364 Ogknoe32.exe 2364 Ogknoe32.exe 2584 Oijjka32.exe 2584 Oijjka32.exe 708 Ppcbgkka.exe 708 Ppcbgkka.exe 3068 Pdonhj32.exe 3068 Pdonhj32.exe 872 Pgnjde32.exe 872 Pgnjde32.exe 1008 Pkifdd32.exe 1008 Pkifdd32.exe 1844 Pmgbao32.exe 1844 Pmgbao32.exe 3024 Ppfomk32.exe 3024 Ppfomk32.exe 1096 Pcdkif32.exe 1096 Pcdkif32.exe 572 Pecgea32.exe 572 Pecgea32.exe 2576 Pincfpoo.exe 2576 Pincfpoo.exe 2920 Pphkbj32.exe 2920 Pphkbj32.exe 2796 Pcghof32.exe 2796 Pcghof32.exe 2756 Phcpgm32.exe 2756 Phcpgm32.exe 2832 Plolgk32.exe 2832 Plolgk32.exe 2612 Palepb32.exe 2612 Palepb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jpajbl32.exe Jlfnangf.exe File created C:\Windows\SysWOW64\Hhhamf32.dll Process not Found File created C:\Windows\SysWOW64\Dbncjf32.exe Dldkmlhl.exe File created C:\Windows\SysWOW64\Elcpbigl.exe Eeiheo32.exe File created C:\Windows\SysWOW64\Onlahm32.exe Olmela32.exe File created C:\Windows\SysWOW64\Lpmdgf32.dll Process not Found File created C:\Windows\SysWOW64\Kndkfpje.dll Process not Found File created C:\Windows\SysWOW64\Pkifdd32.exe Pgnjde32.exe File opened for modification C:\Windows\SysWOW64\Cjgoje32.exe Bflbigdb.exe File created C:\Windows\SysWOW64\Hbmmlqlp.dll Lgingm32.exe File created C:\Windows\SysWOW64\Dmlqdp32.dll Mdadjd32.exe File created C:\Windows\SysWOW64\Allefimb.exe Ajmijmnn.exe File created C:\Windows\SysWOW64\Ojbbmnhc.exe Ohdfqbio.exe File opened for modification C:\Windows\SysWOW64\Iogpag32.exe Process not Found File created C:\Windows\SysWOW64\Njmoipaq.dll Gfkmie32.exe File opened for modification C:\Windows\SysWOW64\Kmcjedcg.exe Kkdnhi32.exe File created C:\Windows\SysWOW64\Nfgjml32.exe Ncinap32.exe File created C:\Windows\SysWOW64\Ekliqn32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Gaagcpdl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jmfcop32.exe Process not Found File created C:\Windows\SysWOW64\Ajqljc32.exe Aknlofim.exe File created C:\Windows\SysWOW64\Ajgbkbjp.exe Aflfjc32.exe File created C:\Windows\SysWOW64\Fdpojm32.dll Npdhaq32.exe File created C:\Windows\SysWOW64\Ghdjfq32.dll Colpld32.exe File opened for modification C:\Windows\SysWOW64\Ehnfpifm.exe Eikfdl32.exe File opened for modification C:\Windows\SysWOW64\Dhpemm32.exe Dphmloih.exe File opened for modification C:\Windows\SysWOW64\Dlgjldnm.exe Dihmpinj.exe File opened for modification C:\Windows\SysWOW64\Elacliin.exe Eibgpnjk.exe File created C:\Windows\SysWOW64\Lonibk32.exe Lkbmbl32.exe File created C:\Windows\SysWOW64\Ammbof32.dll Ohdfqbio.exe File opened for modification C:\Windows\SysWOW64\Kgnbnpkp.exe Kdpfadlm.exe File created C:\Windows\SysWOW64\Fdakoaln.dll Pgfjhcge.exe File created C:\Windows\SysWOW64\Ciokijfd.exe Cjljnn32.exe File created C:\Windows\SysWOW64\Dldkmlhl.exe Dhiomn32.exe File created C:\Windows\SysWOW64\Pdkiofep.dll Bkjdndjo.exe File created C:\Windows\SysWOW64\Neniei32.dll Dcohghbk.exe File created C:\Windows\SysWOW64\Jlnfak32.dll Ldmopa32.exe File opened for modification C:\Windows\SysWOW64\Cdmepgce.exe Cqaiph32.exe File created C:\Windows\SysWOW64\Kcecbq32.exe Kdbbgdjj.exe File created C:\Windows\SysWOW64\Mggabaea.exe Mclebc32.exe File created C:\Windows\SysWOW64\Qgjccb32.exe Qdlggg32.exe File created C:\Windows\SysWOW64\Bmnnkl32.exe Bnknoogp.exe File created C:\Windows\SysWOW64\Iclnjd32.dll Eakooqih.exe File created C:\Windows\SysWOW64\Einjdb32.exe Ekkjheja.exe File created C:\Windows\SysWOW64\Nhpfip32.dll Process not Found File created C:\Windows\SysWOW64\Ohmaibil.dll Fhbnbpjc.exe File opened for modification C:\Windows\SysWOW64\Ijcngenj.exe Process not Found File opened for modification C:\Windows\SysWOW64\Njbfnjeg.exe Nfgjml32.exe File created C:\Windows\SysWOW64\Igceej32.exe Process not Found File created C:\Windows\SysWOW64\Ddpobo32.exe Dbncjf32.exe File opened for modification C:\Windows\SysWOW64\Ffaaoh32.exe Fgnadkic.exe File created C:\Windows\SysWOW64\Qiekgbjc.dll Difqji32.exe File created C:\Windows\SysWOW64\Fkhbgbkc.exe Process not Found File created C:\Windows\SysWOW64\Hffhec32.dll Process not Found File created C:\Windows\SysWOW64\Cnimiblo.exe Cpfmmf32.exe File opened for modification C:\Windows\SysWOW64\Fckhhgcf.exe Foolgh32.exe File created C:\Windows\SysWOW64\Ojeobm32.exe Ohfcfb32.exe File opened for modification C:\Windows\SysWOW64\Ppkjac32.exe Plpopddd.exe File created C:\Windows\SysWOW64\Cgidfcdk.exe Bdkhjgeh.exe File created C:\Windows\SysWOW64\Ahknna32.dll Jhdegn32.exe File created C:\Windows\SysWOW64\Lkfhfpel.dll Qlfdac32.exe File created C:\Windows\SysWOW64\Hgbfnngi.exe Hcgjmo32.exe File opened for modification C:\Windows\SysWOW64\Hlgimqhf.exe Hmdhad32.exe File created C:\Windows\SysWOW64\Omklkkpl.exe Oippjl32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11572 11548 Process not Found 1224 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piicpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfgebjnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeoijidl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmfchei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciohqa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiekpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lonibk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobdgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qackpado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iihiphln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojmpooah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caifjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpklkgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjmbaba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dncibp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjoco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jondnnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojomdoof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afffenbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daplkmbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfkmie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgclio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfmndn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmeeepjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difqji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnabb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjojef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jliaac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadfkhkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alageg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhjfgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncmglp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anogijnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cceogcfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feggob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjqmig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojabdlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgnadkic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olpilg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igoomk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edidqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimbkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akabgebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigkel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obbdml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjldf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqhhanig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgkocj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hidcef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjkhdacm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohfcfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfcgbb32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfofol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glehgdkn.dll" Ijibng32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfhdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbnphngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adaiee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkdmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdnmma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmicfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamajj32.dll" Flclam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kibemb32.dll" Fhjmfnok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnaiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hokhbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnpojnle.dll" Pdppqbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcjcme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnkdfakf.dll" Eopphehb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdmepgce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnacpffh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnjldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mffbkj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igejec32.dll" Alageg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epnhpglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghfcobil.dll" Ohiffh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmlael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hagojlib.dll" Qobdgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eickphoo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmlkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlnfak32.dll" Ldmopa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajpepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpflkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppinkcnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkaamgeg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhpondph.dll" Cfpldf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pikijafg.dll" Mobomnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlnpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bceibfgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbaice32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijnkifgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmbhcoif.dll" Aklabp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deakjjbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnpdcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Capocbbb.dll" Jhoklnkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddiakkl.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkifdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfigpahm.dll" Dmhdkdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcghbo32.dll" Iahkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hellqgnm.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqeqqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkicbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdadjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckpckece.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iacjjacb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgnjde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amfognic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qfekkflj.dll" Iedfqeka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjejkao.dll" Legaoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkklhjnk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2000 wrote to memory of 2232 2000 d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe 30 PID 2000 wrote to memory of 2232 2000 d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe 30 PID 2000 wrote to memory of 2232 2000 d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe 30 PID 2000 wrote to memory of 2232 2000 d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe 30 PID 2232 wrote to memory of 2684 2232 Nijnln32.exe 31 PID 2232 wrote to memory of 2684 2232 Nijnln32.exe 31 PID 2232 wrote to memory of 2684 2232 Nijnln32.exe 31 PID 2232 wrote to memory of 2684 2232 Nijnln32.exe 31 PID 2684 wrote to memory of 1032 2684 Npdfhhhe.exe 32 PID 2684 wrote to memory of 1032 2684 Npdfhhhe.exe 32 PID 2684 wrote to memory of 1032 2684 Npdfhhhe.exe 32 PID 2684 wrote to memory of 1032 2684 Npdfhhhe.exe 32 PID 1032 wrote to memory of 2824 1032 Oiljam32.exe 33 PID 1032 wrote to memory of 2824 1032 Oiljam32.exe 33 PID 1032 wrote to memory of 2824 1032 Oiljam32.exe 33 PID 1032 wrote to memory of 2824 1032 Oiljam32.exe 33 PID 2824 wrote to memory of 2892 2824 Opfbngfb.exe 34 PID 2824 wrote to memory of 2892 2824 Opfbngfb.exe 34 PID 2824 wrote to memory of 2892 2824 Opfbngfb.exe 34 PID 2824 wrote to memory of 2892 2824 Opfbngfb.exe 34 PID 2892 wrote to memory of 2884 2892 Obdojcef.exe 35 PID 2892 wrote to memory of 2884 2892 Obdojcef.exe 35 PID 2892 wrote to memory of 2884 2892 Obdojcef.exe 35 PID 2892 wrote to memory of 2884 2892 Obdojcef.exe 35 PID 2884 wrote to memory of 2620 2884 Ohagbj32.exe 36 PID 2884 wrote to memory of 2620 2884 Ohagbj32.exe 36 PID 2884 wrote to memory of 2620 2884 Ohagbj32.exe 36 PID 2884 wrote to memory of 2620 2884 Ohagbj32.exe 36 PID 2620 wrote to memory of 2460 2620 Okpcoe32.exe 37 PID 2620 wrote to memory of 2460 2620 Okpcoe32.exe 37 PID 2620 wrote to memory of 2460 2620 Okpcoe32.exe 37 PID 2620 wrote to memory of 2460 2620 Okpcoe32.exe 37 PID 2460 wrote to memory of 928 2460 Oajlkojn.exe 38 PID 2460 wrote to memory of 928 2460 Oajlkojn.exe 38 PID 2460 wrote to memory of 928 2460 Oajlkojn.exe 38 PID 2460 wrote to memory of 928 2460 Oajlkojn.exe 38 PID 928 wrote to memory of 1944 928 Odhhgkib.exe 39 PID 928 wrote to memory of 1944 928 Odhhgkib.exe 39 PID 928 wrote to memory of 1944 928 Odhhgkib.exe 39 PID 928 wrote to memory of 1944 928 Odhhgkib.exe 39 PID 1944 wrote to memory of 2784 1944 Ohcdhi32.exe 40 PID 1944 wrote to memory of 2784 1944 Ohcdhi32.exe 40 PID 1944 wrote to memory of 2784 1944 Ohcdhi32.exe 40 PID 1944 wrote to memory of 2784 1944 Ohcdhi32.exe 40 PID 2784 wrote to memory of 2868 2784 Oonldcih.exe 41 PID 2784 wrote to memory of 2868 2784 Oonldcih.exe 41 PID 2784 wrote to memory of 2868 2784 Oonldcih.exe 41 PID 2784 wrote to memory of 2868 2784 Oonldcih.exe 41 PID 2868 wrote to memory of 712 2868 Oehdan32.exe 42 PID 2868 wrote to memory of 712 2868 Oehdan32.exe 42 PID 2868 wrote to memory of 712 2868 Oehdan32.exe 42 PID 2868 wrote to memory of 712 2868 Oehdan32.exe 42 PID 712 wrote to memory of 2952 712 Odjdmjgo.exe 43 PID 712 wrote to memory of 2952 712 Odjdmjgo.exe 43 PID 712 wrote to memory of 2952 712 Odjdmjgo.exe 43 PID 712 wrote to memory of 2952 712 Odjdmjgo.exe 43 PID 2952 wrote to memory of 1920 2952 Oopijc32.exe 44 PID 2952 wrote to memory of 1920 2952 Oopijc32.exe 44 PID 2952 wrote to memory of 1920 2952 Oopijc32.exe 44 PID 2952 wrote to memory of 1920 2952 Oopijc32.exe 44 PID 1920 wrote to memory of 2364 1920 Opaebkmc.exe 45 PID 1920 wrote to memory of 2364 1920 Opaebkmc.exe 45 PID 1920 wrote to memory of 2364 1920 Opaebkmc.exe 45 PID 1920 wrote to memory of 2364 1920 Opaebkmc.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe"C:\Users\Admin\AppData\Local\Temp\d6728967178921014e21dfae07711dbfc0731a1eb88161004a2724bbabcf1376N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2684 -
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Ohcdhi32.exeC:\Windows\system32\Ohcdhi32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:712 -
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Ogknoe32.exeC:\Windows\system32\Ogknoe32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2364 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:708 -
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:872 -
C:\Windows\SysWOW64\Pkifdd32.exeC:\Windows\system32\Pkifdd32.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1008 -
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1844 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1096 -
C:\Windows\SysWOW64\Pecgea32.exeC:\Windows\system32\Pecgea32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:572 -
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2576 -
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2756 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe33⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe34⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe35⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe36⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe37⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Qngopb32.exeC:\Windows\system32\Qngopb32.exe41⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1268 -
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe43⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1252 -
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Ajqljc32.exeC:\Windows\system32\Ajqljc32.exe46⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe47⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe48⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Agdmdg32.exeC:\Windows\system32\Agdmdg32.exe49⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe51⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Aqmamm32.exeC:\Windows\system32\Aqmamm32.exe52⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe53⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe54⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe55⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe56⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe57⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe58⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:908 -
C:\Windows\SysWOW64\Ajgbkbjp.exeC:\Windows\system32\Ajgbkbjp.exe60⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Amfognic.exeC:\Windows\system32\Amfognic.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Aodkci32.exeC:\Windows\system32\Aodkci32.exe62⤵
- Executes dropped EXE
PID:448 -
C:\Windows\SysWOW64\Bcpgdhpp.exeC:\Windows\system32\Bcpgdhpp.exe63⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe64⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe65⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe66⤵PID:2924
-
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe67⤵
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe68⤵PID:380
-
C:\Windows\SysWOW64\Bfqpecma.exeC:\Windows\system32\Bfqpecma.exe69⤵PID:2876
-
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe70⤵PID:2624
-
C:\Windows\SysWOW64\Bgblmk32.exeC:\Windows\system32\Bgblmk32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2644 -
C:\Windows\SysWOW64\Boidnh32.exeC:\Windows\system32\Boidnh32.exe72⤵PID:1996
-
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe73⤵PID:2352
-
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe74⤵PID:1740
-
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe75⤵PID:1752
-
C:\Windows\SysWOW64\Bjbeofpp.exeC:\Windows\system32\Bjbeofpp.exe76⤵PID:1408
-
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe77⤵PID:2528
-
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe78⤵PID:876
-
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe79⤵PID:1332
-
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe80⤵PID:2268
-
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe81⤵PID:1880
-
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe82⤵PID:1744
-
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe83⤵PID:2320
-
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe84⤵PID:2816
-
C:\Windows\SysWOW64\Bejfao32.exeC:\Windows\system32\Bejfao32.exe85⤵PID:2060
-
C:\Windows\SysWOW64\Bgibnj32.exeC:\Windows\system32\Bgibnj32.exe86⤵PID:2712
-
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe87⤵
- Drops file in System32 directory
PID:1136 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe88⤵PID:2968
-
C:\Windows\SysWOW64\Cnckjddd.exeC:\Windows\system32\Cnckjddd.exe89⤵PID:2984
-
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2980 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe91⤵PID:2476
-
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe92⤵PID:1956
-
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe94⤵PID:2516
-
C:\Windows\SysWOW64\Cillkbac.exeC:\Windows\system32\Cillkbac.exe95⤵PID:1736
-
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe96⤵PID:2692
-
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe97⤵PID:2708
-
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe98⤵PID:3008
-
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe99⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Cjlheehe.exeC:\Windows\system32\Cjlheehe.exe100⤵PID:1620
-
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe101⤵
- System Location Discovery: System Language Discovery
PID:2700 -
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe102⤵PID:2160
-
C:\Windows\SysWOW64\Cpiqmlfm.exeC:\Windows\system32\Cpiqmlfm.exe103⤵PID:1064
-
C:\Windows\SysWOW64\Cbgmigeq.exeC:\Windows\system32\Cbgmigeq.exe104⤵PID:1604
-
C:\Windows\SysWOW64\Ceeieced.exeC:\Windows\system32\Ceeieced.exe105⤵PID:1724
-
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe106⤵PID:784
-
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe107⤵PID:1980
-
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe108⤵PID:3032
-
C:\Windows\SysWOW64\Cicalakk.exeC:\Windows\system32\Cicalakk.exe109⤵PID:2600
-
C:\Windows\SysWOW64\Clbnhmjo.exeC:\Windows\system32\Clbnhmjo.exe110⤵PID:2332
-
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe111⤵PID:1708
-
C:\Windows\SysWOW64\Copjdhib.exeC:\Windows\system32\Copjdhib.exe112⤵PID:1936
-
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe113⤵PID:1676
-
C:\Windows\SysWOW64\Daofpchf.exeC:\Windows\system32\Daofpchf.exe114⤵PID:1328
-
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe115⤵
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe116⤵
- Drops file in System32 directory
PID:2368 -
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe117⤵
- Drops file in System32 directory
PID:2360 -
C:\Windows\SysWOW64\Ddpobo32.exeC:\Windows\system32\Ddpobo32.exe118⤵PID:2740
-
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe119⤵PID:2652
-
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe120⤵PID:2292
-
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe121⤵
- Modifies registry class
PID:1972
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-