Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
96s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
04/10/2024, 18:39
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a2f6db599d1944424e68c80530ba3d4102b2e5f32f8046efd807b5f52cea0f07N.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
a2f6db599d1944424e68c80530ba3d4102b2e5f32f8046efd807b5f52cea0f07N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
a2f6db599d1944424e68c80530ba3d4102b2e5f32f8046efd807b5f52cea0f07N.exe
-
Size
448KB
-
MD5
c0088834ac2ab01975f5d9f1ece6fa80
-
SHA1
1725181989b5405745b7b02ab146a9537461aad8
-
SHA256
a2f6db599d1944424e68c80530ba3d4102b2e5f32f8046efd807b5f52cea0f07
-
SHA512
b387704b051e77cfce811ec4298b3ed3d67b50363b417d5ff78433aea9876043abb68523df7d0b0ed166be80543e097634f0a90e580c93ce77a277ebb8ae719a
-
SSDEEP
6144:hEuYHNlZD4PQ///NR5fLYG3eujPQ///NR5fqZo4tjS6Y:8H//NcZ7/NC64tm6Y
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bclang32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jglklggl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggjga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amjillkj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aphnnafb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gacjadad.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Micoed32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eifhdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmfnpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njinmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idbodn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqipio32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flngfn32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmigoagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moipoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hekgfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qfpbmfdf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efffmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkkeclfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmikeaap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiaael32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohlqcagj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmfclm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmabggdm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elgaeolp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkgiimng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emmdom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faenpf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbddfmgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Milidebi.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afinioip.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kckqbj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emehdh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qepkbpak.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Niakfbpa.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bahkih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlpaoaj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjlmclqa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjoiil32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgcihgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnmijq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcidmkpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Coegoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cihclh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icknfcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffqhcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dinmhkke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjneln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oifeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckpbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbeapmll.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhpfqcln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmcain32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcpjnjii.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgcamf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkegpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgiiiidd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eigonjcj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjmkoeqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkalplel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmlkhofd.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpcecb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfmcfp32.exe -
Executes dropped EXE 64 IoCs
pid Process 900 Neffpj32.exe 2340 Nookip32.exe 3564 Oidofh32.exe 4952 Ooagno32.exe 1136 Olehhc32.exe 4904 Ogklelna.exe 4532 Oofaiokl.exe 1516 Oepifi32.exe 4528 Oohnonij.exe 2672 Ophjiaql.exe 2084 Ploknb32.exe 2976 Pfgogh32.exe 2676 Ppmcdq32.exe 4940 Ppopjp32.exe 4536 Pgihfj32.exe 4020 Phjenbhp.exe 1452 Pfnegggi.exe 3488 Plhnda32.exe 2972 Qfpbmfdf.exe 2120 Qqffjo32.exe 1648 Qhakoa32.exe 2616 Acgolj32.exe 3240 Ahfdjanb.exe 716 Aggegh32.exe 3528 Aqoiqn32.exe 452 Aijnep32.exe 4160 Aglnbhal.exe 544 Bqdblmhl.exe 2336 Bjlgdc32.exe 3152 Bcelmhen.exe 4212 Bqilgmdg.exe 4056 Bjaqpbkh.exe 2964 Bgeaifia.exe 980 Bmbiamhi.exe 3016 Bclang32.exe 1716 Bfjnjcni.exe 1572 Cmdfgm32.exe 1356 Cpbbch32.exe 2584 Cflkpblf.exe 4288 Cmfclm32.exe 1792 Cglgjeci.exe 4900 Cjjcfabm.exe 1172 Cadlbk32.exe 1652 Cfadkb32.exe 3228 Cmklglpn.exe 2000 Caghhk32.exe 3980 Cgqqdeod.exe 4180 Cibmlmeb.exe 464 Ccgajfeh.exe 2728 Cffmfadl.exe 4128 Dakacjdb.exe 3300 Dgejpd32.exe 4412 Dfhjkabi.exe 3572 Dmbbhkjf.exe 5072 Dclkee32.exe 4332 Diicml32.exe 4432 Dpckjfgg.exe 652 Dfmcfp32.exe 880 Dikpbl32.exe 3496 Dabhdinj.exe 3968 Dhlpqc32.exe 924 Dinmhkke.exe 2784 Dpgeee32.exe 1684 Dhomfc32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bnhpfjhc.dll Obcceg32.exe File opened for modification C:\Windows\SysWOW64\Dlkbjqgm.exe Dimenegi.exe File opened for modification C:\Windows\SysWOW64\Inlihl32.exe Iknmla32.exe File created C:\Windows\SysWOW64\Cjgjmg32.dll Hibjli32.exe File created C:\Windows\SysWOW64\Caghhk32.exe Cmklglpn.exe File created C:\Windows\SysWOW64\Kamqij32.dll Diicml32.exe File opened for modification C:\Windows\SysWOW64\Dfmcfp32.exe Dpckjfgg.exe File created C:\Windows\SysWOW64\Cclnpmna.dll Kjkpoq32.exe File created C:\Windows\SysWOW64\Jkjpda32.dll Kngkqbgl.exe File created C:\Windows\SysWOW64\Aooold32.dll Lckiihok.exe File opened for modification C:\Windows\SysWOW64\Cbfgkffn.exe Cnkkjh32.exe File created C:\Windows\SysWOW64\Cadlbk32.exe Cjjcfabm.exe File created C:\Windows\SysWOW64\Lefekh32.dll Fpmggb32.exe File created C:\Windows\SysWOW64\Ljgpkonp.exe Lejgch32.exe File opened for modification C:\Windows\SysWOW64\Pcmeke32.exe Pkenjh32.exe File opened for modification C:\Windows\SysWOW64\Onkidm32.exe Nfcabp32.exe File opened for modification C:\Windows\SysWOW64\Bobabg32.exe Bhhiemoj.exe File created C:\Windows\SysWOW64\Cpbjkn32.exe Cncnob32.exe File opened for modification C:\Windows\SysWOW64\Nookip32.exe Neffpj32.exe File created C:\Windows\SysWOW64\Ipjedh32.exe Inlihl32.exe File opened for modification C:\Windows\SysWOW64\Mkhapk32.exe Lenicahg.exe File created C:\Windows\SysWOW64\Famkjfqd.dll Lopmii32.exe File created C:\Windows\SysWOW64\Igdgglfl.exe Iomoenej.exe File opened for modification C:\Windows\SysWOW64\Mmfkhmdi.exe Ljhnlb32.exe File created C:\Windows\SysWOW64\Podmed32.dll Fibojhim.exe File created C:\Windows\SysWOW64\Bhamkipi.exe Bjnmpl32.exe File opened for modification C:\Windows\SysWOW64\Gipdap32.exe Gbfldf32.exe File created C:\Windows\SysWOW64\Knchpiom.exe Kkeldnpi.exe File created C:\Windows\SysWOW64\Fdffbake.exe Fmlneg32.exe File created C:\Windows\SysWOW64\Ogacbllg.dll Pmlmkn32.exe File opened for modification C:\Windows\SysWOW64\Jjpode32.exe Jgbchj32.exe File created C:\Windows\SysWOW64\Amlogfel.exe Aoioli32.exe File created C:\Windows\SysWOW64\Kiejmi32.exe Kqnbkl32.exe File created C:\Windows\SysWOW64\Oblmdhdo.exe Ooqqdi32.exe File created C:\Windows\SysWOW64\Ckfphc32.exe Cihclh32.exe File created C:\Windows\SysWOW64\Iibjhgbi.dll Bahkih32.exe File created C:\Windows\SysWOW64\Fbqdpi32.dll Imkbnf32.exe File opened for modification C:\Windows\SysWOW64\Jlgepanl.exe Jiiicf32.exe File created C:\Windows\SysWOW64\Jchdqkfl.dll Nagiji32.exe File opened for modification C:\Windows\SysWOW64\Fkbkdkpp.exe Fpmggb32.exe File opened for modification C:\Windows\SysWOW64\Gahcmd32.exe Ggbook32.exe File created C:\Windows\SysWOW64\Lkeekk32.exe Lekmnajj.exe File opened for modification C:\Windows\SysWOW64\Nmlddqem.exe Nlkgmh32.exe File created C:\Windows\SysWOW64\Mejpje32.exe Mblcnj32.exe File created C:\Windows\SysWOW64\Nbnpcj32.exe Njghbl32.exe File opened for modification C:\Windows\SysWOW64\Lnmkfh32.exe Lgccinoe.exe File created C:\Windows\SysWOW64\Dgcihgaj.exe Dddllkbf.exe File created C:\Windows\SysWOW64\Ikcmbfcj.exe Idieem32.exe File created C:\Windows\SysWOW64\Gedobm32.dll Bkafmd32.exe File created C:\Windows\SysWOW64\Kmdlffhj.exe Kjepjkhf.exe File created C:\Windows\SysWOW64\Ebmenh32.dll Dbpjaeoc.exe File created C:\Windows\SysWOW64\Jebfng32.exe Jcdjbk32.exe File created C:\Windows\SysWOW64\Aonhghjl.exe Ahdpjn32.exe File created C:\Windows\SysWOW64\Jbecoe32.dll Qoelkp32.exe File created C:\Windows\SysWOW64\Pjldplpd.dll Bnfihkqm.exe File created C:\Windows\SysWOW64\Clgbmp32.exe Cfnjpfcl.exe File created C:\Windows\SysWOW64\Imkbnf32.exe Iedjmioj.exe File created C:\Windows\SysWOW64\Ppahmb32.exe Panhbfep.exe File created C:\Windows\SysWOW64\Poomegpf.exe Plpqil32.exe File created C:\Windows\SysWOW64\Eobkhf32.dll Ahdged32.exe File opened for modification C:\Windows\SysWOW64\Cohkokgj.exe Ckmonl32.exe File created C:\Windows\SysWOW64\Hfcnpn32.exe Holfoqcm.exe File opened for modification C:\Windows\SysWOW64\Lqikmc32.exe Ljobpiql.exe File created C:\Windows\SysWOW64\Akqfkp32.exe Ahbjoe32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1208 16940 WerFault.exe 966 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kilpmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhnbhok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bemqih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedjmioj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnmopk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkmioc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfcmhpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncccnol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cibmlmeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpofii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgeee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhfedm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Injmcmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdgged32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okgaijaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdpmbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkkjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Offnhpfo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhjqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjneln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqglkmlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glldgljg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqoiqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggbook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooagno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifhdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aednci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnegbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhcfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffceip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcanll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlggjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpdoqgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncabfkqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblbca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnaqgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbcmakpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anobgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnpfop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpmjejp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmipdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmblagmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aphnnafb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gahcmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlkbjqgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnoncim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaindh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckpbnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpcbhji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpjgaoqm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjdho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnoki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghmbno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knooej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgmeigd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkiaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljobpiql.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchppmij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjeljhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coadnlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koodbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpfjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdnoplhh.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiknlagg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgeakekd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Figmglee.dll" Ogekbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cggkemhh.dll" Qjfmkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgcihgaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehmok32.dll" Qpcecb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dikpbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debbhd32.dll" Eigonjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lejgch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddhmmpnk.dll" Mjellmbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkahilkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmpmnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhgbbckh.dll" Nfaemp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afbgkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bobabg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dabhdinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piiqdm32.dll" Dflmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgbchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njgigo32.dll" Kpjgaoqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abhemohm.dll" Kckqbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adnbpqkj.dll" Bmhocd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhbebj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lehagi32.dll" Fdffbake.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlmbfqoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdjbiheb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjgdg32.dll" Akepfpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbalhp32.dll" Bojomm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjpode32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blqhpg32.dll" Onkidm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnlonj32.dll" Jjmcnbdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plpqil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phganm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdgged32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coadnlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpefcn32.dll" Jghpbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjhjm32.dll" Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icdheded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnpnbg32.dll" Cfadkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbpkkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhnblp32.dll" Fmfnpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jihdpleo.dll" Glldgljg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbbpmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffceip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boldhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Najceeoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akepfpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlobem32.dll" Cdimqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plhnda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmophg32.dll" Iikmbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iebngial.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boldhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idjnmo32.dll" Pekbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghdief32.dll" Lkeekk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bebjdgmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enigke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmmmfj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hffken32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bphgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpkgc32.dll" Hlhccj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpbiip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddnnfbmk.dll" Ikqqlgem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbmiag32.dll" Oifeab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ceifibod.dll" Qkmdkgob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bohibc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1884 wrote to memory of 900 1884 a2f6db599d1944424e68c80530ba3d4102b2e5f32f8046efd807b5f52cea0f07N.exe 82 PID 1884 wrote to memory of 900 1884 a2f6db599d1944424e68c80530ba3d4102b2e5f32f8046efd807b5f52cea0f07N.exe 82 PID 1884 wrote to memory of 900 1884 a2f6db599d1944424e68c80530ba3d4102b2e5f32f8046efd807b5f52cea0f07N.exe 82 PID 900 wrote to memory of 2340 900 Neffpj32.exe 83 PID 900 wrote to memory of 2340 900 Neffpj32.exe 83 PID 900 wrote to memory of 2340 900 Neffpj32.exe 83 PID 2340 wrote to memory of 3564 2340 Nookip32.exe 84 PID 2340 wrote to memory of 3564 2340 Nookip32.exe 84 PID 2340 wrote to memory of 3564 2340 Nookip32.exe 84 PID 3564 wrote to memory of 4952 3564 Oidofh32.exe 85 PID 3564 wrote to memory of 4952 3564 Oidofh32.exe 85 PID 3564 wrote to memory of 4952 3564 Oidofh32.exe 85 PID 4952 wrote to memory of 1136 4952 Ooagno32.exe 86 PID 4952 wrote to memory of 1136 4952 Ooagno32.exe 86 PID 4952 wrote to memory of 1136 4952 Ooagno32.exe 86 PID 1136 wrote to memory of 4904 1136 Olehhc32.exe 87 PID 1136 wrote to memory of 4904 1136 Olehhc32.exe 87 PID 1136 wrote to memory of 4904 1136 Olehhc32.exe 87 PID 4904 wrote to memory of 4532 4904 Ogklelna.exe 88 PID 4904 wrote to memory of 4532 4904 Ogklelna.exe 88 PID 4904 wrote to memory of 4532 4904 Ogklelna.exe 88 PID 4532 wrote to memory of 1516 4532 Oofaiokl.exe 89 PID 4532 wrote to memory of 1516 4532 Oofaiokl.exe 89 PID 4532 wrote to memory of 1516 4532 Oofaiokl.exe 89 PID 1516 wrote to memory of 4528 1516 Oepifi32.exe 90 PID 1516 wrote to memory of 4528 1516 Oepifi32.exe 90 PID 1516 wrote to memory of 4528 1516 Oepifi32.exe 90 PID 4528 wrote to memory of 2672 4528 Oohnonij.exe 91 PID 4528 wrote to memory of 2672 4528 Oohnonij.exe 91 PID 4528 wrote to memory of 2672 4528 Oohnonij.exe 91 PID 2672 wrote to memory of 2084 2672 Ophjiaql.exe 92 PID 2672 wrote to memory of 2084 2672 Ophjiaql.exe 92 PID 2672 wrote to memory of 2084 2672 Ophjiaql.exe 92 PID 2084 wrote to memory of 2976 2084 Ploknb32.exe 93 PID 2084 wrote to memory of 2976 2084 Ploknb32.exe 93 PID 2084 wrote to memory of 2976 2084 Ploknb32.exe 93 PID 2976 wrote to memory of 2676 2976 Pfgogh32.exe 94 PID 2976 wrote to memory of 2676 2976 Pfgogh32.exe 94 PID 2976 wrote to memory of 2676 2976 Pfgogh32.exe 94 PID 2676 wrote to memory of 4940 2676 Ppmcdq32.exe 95 PID 2676 wrote to memory of 4940 2676 Ppmcdq32.exe 95 PID 2676 wrote to memory of 4940 2676 Ppmcdq32.exe 95 PID 4940 wrote to memory of 4536 4940 Ppopjp32.exe 96 PID 4940 wrote to memory of 4536 4940 Ppopjp32.exe 96 PID 4940 wrote to memory of 4536 4940 Ppopjp32.exe 96 PID 4536 wrote to memory of 4020 4536 Pgihfj32.exe 97 PID 4536 wrote to memory of 4020 4536 Pgihfj32.exe 97 PID 4536 wrote to memory of 4020 4536 Pgihfj32.exe 97 PID 4020 wrote to memory of 1452 4020 Phjenbhp.exe 98 PID 4020 wrote to memory of 1452 4020 Phjenbhp.exe 98 PID 4020 wrote to memory of 1452 4020 Phjenbhp.exe 98 PID 1452 wrote to memory of 3488 1452 Pfnegggi.exe 99 PID 1452 wrote to memory of 3488 1452 Pfnegggi.exe 99 PID 1452 wrote to memory of 3488 1452 Pfnegggi.exe 99 PID 3488 wrote to memory of 2972 3488 Plhnda32.exe 100 PID 3488 wrote to memory of 2972 3488 Plhnda32.exe 100 PID 3488 wrote to memory of 2972 3488 Plhnda32.exe 100 PID 2972 wrote to memory of 2120 2972 Qfpbmfdf.exe 101 PID 2972 wrote to memory of 2120 2972 Qfpbmfdf.exe 101 PID 2972 wrote to memory of 2120 2972 Qfpbmfdf.exe 101 PID 2120 wrote to memory of 1648 2120 Qqffjo32.exe 102 PID 2120 wrote to memory of 1648 2120 Qqffjo32.exe 102 PID 2120 wrote to memory of 1648 2120 Qqffjo32.exe 102 PID 1648 wrote to memory of 2616 1648 Qhakoa32.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\a2f6db599d1944424e68c80530ba3d4102b2e5f32f8046efd807b5f52cea0f07N.exe"C:\Users\Admin\AppData\Local\Temp\a2f6db599d1944424e68c80530ba3d4102b2e5f32f8046efd807b5f52cea0f07N.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1884 -
C:\Windows\SysWOW64\Neffpj32.exeC:\Windows\system32\Neffpj32.exe2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Windows\SysWOW64\Nookip32.exeC:\Windows\system32\Nookip32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Oidofh32.exeC:\Windows\system32\Oidofh32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3564 -
C:\Windows\SysWOW64\Ooagno32.exeC:\Windows\system32\Ooagno32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\Olehhc32.exeC:\Windows\system32\Olehhc32.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1136 -
C:\Windows\SysWOW64\Ogklelna.exeC:\Windows\system32\Ogklelna.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Oofaiokl.exeC:\Windows\system32\Oofaiokl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4532 -
C:\Windows\SysWOW64\Oepifi32.exeC:\Windows\system32\Oepifi32.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Oohnonij.exeC:\Windows\system32\Oohnonij.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4528 -
C:\Windows\SysWOW64\Ophjiaql.exeC:\Windows\system32\Ophjiaql.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Ploknb32.exeC:\Windows\system32\Ploknb32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Pfgogh32.exeC:\Windows\system32\Pfgogh32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Ppmcdq32.exeC:\Windows\system32\Ppmcdq32.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Ppopjp32.exeC:\Windows\system32\Ppopjp32.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\SysWOW64\Pgihfj32.exeC:\Windows\system32\Pgihfj32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536 -
C:\Windows\SysWOW64\Phjenbhp.exeC:\Windows\system32\Phjenbhp.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020 -
C:\Windows\SysWOW64\Pfnegggi.exeC:\Windows\system32\Pfnegggi.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1452 -
C:\Windows\SysWOW64\Plhnda32.exeC:\Windows\system32\Plhnda32.exe19⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3488 -
C:\Windows\SysWOW64\Qfpbmfdf.exeC:\Windows\system32\Qfpbmfdf.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Qqffjo32.exeC:\Windows\system32\Qqffjo32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Qhakoa32.exeC:\Windows\system32\Qhakoa32.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\Acgolj32.exeC:\Windows\system32\Acgolj32.exe23⤵
- Executes dropped EXE
PID:2616 -
C:\Windows\SysWOW64\Ahfdjanb.exeC:\Windows\system32\Ahfdjanb.exe24⤵
- Executes dropped EXE
PID:3240 -
C:\Windows\SysWOW64\Aggegh32.exeC:\Windows\system32\Aggegh32.exe25⤵
- Executes dropped EXE
PID:716 -
C:\Windows\SysWOW64\Aqoiqn32.exeC:\Windows\system32\Aqoiqn32.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3528 -
C:\Windows\SysWOW64\Aijnep32.exeC:\Windows\system32\Aijnep32.exe27⤵
- Executes dropped EXE
PID:452 -
C:\Windows\SysWOW64\Aglnbhal.exeC:\Windows\system32\Aglnbhal.exe28⤵
- Executes dropped EXE
PID:4160 -
C:\Windows\SysWOW64\Bqdblmhl.exeC:\Windows\system32\Bqdblmhl.exe29⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Bjlgdc32.exeC:\Windows\system32\Bjlgdc32.exe30⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Bcelmhen.exeC:\Windows\system32\Bcelmhen.exe31⤵
- Executes dropped EXE
PID:3152 -
C:\Windows\SysWOW64\Bqilgmdg.exeC:\Windows\system32\Bqilgmdg.exe32⤵
- Executes dropped EXE
PID:4212 -
C:\Windows\SysWOW64\Bjaqpbkh.exeC:\Windows\system32\Bjaqpbkh.exe33⤵
- Executes dropped EXE
PID:4056 -
C:\Windows\SysWOW64\Bgeaifia.exeC:\Windows\system32\Bgeaifia.exe34⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Bmbiamhi.exeC:\Windows\system32\Bmbiamhi.exe35⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Bclang32.exeC:\Windows\system32\Bclang32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Bfjnjcni.exeC:\Windows\system32\Bfjnjcni.exe37⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Cmdfgm32.exeC:\Windows\system32\Cmdfgm32.exe38⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Cpbbch32.exeC:\Windows\system32\Cpbbch32.exe39⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Cflkpblf.exeC:\Windows\system32\Cflkpblf.exe40⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Cmfclm32.exeC:\Windows\system32\Cmfclm32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4288 -
C:\Windows\SysWOW64\Cglgjeci.exeC:\Windows\system32\Cglgjeci.exe42⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Cjjcfabm.exeC:\Windows\system32\Cjjcfabm.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4900 -
C:\Windows\SysWOW64\Cadlbk32.exeC:\Windows\system32\Cadlbk32.exe44⤵
- Executes dropped EXE
PID:1172 -
C:\Windows\SysWOW64\Cfadkb32.exeC:\Windows\system32\Cfadkb32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Cmklglpn.exeC:\Windows\system32\Cmklglpn.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3228 -
C:\Windows\SysWOW64\Caghhk32.exeC:\Windows\system32\Caghhk32.exe47⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Cgqqdeod.exeC:\Windows\system32\Cgqqdeod.exe48⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\Cibmlmeb.exeC:\Windows\system32\Cibmlmeb.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4180 -
C:\Windows\SysWOW64\Ccgajfeh.exeC:\Windows\system32\Ccgajfeh.exe50⤵
- Executes dropped EXE
PID:464 -
C:\Windows\SysWOW64\Cffmfadl.exeC:\Windows\system32\Cffmfadl.exe51⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Dakacjdb.exeC:\Windows\system32\Dakacjdb.exe52⤵
- Executes dropped EXE
PID:4128 -
C:\Windows\SysWOW64\Dgejpd32.exeC:\Windows\system32\Dgejpd32.exe53⤵
- Executes dropped EXE
PID:3300 -
C:\Windows\SysWOW64\Dfhjkabi.exeC:\Windows\system32\Dfhjkabi.exe54⤵
- Executes dropped EXE
PID:4412 -
C:\Windows\SysWOW64\Dmbbhkjf.exeC:\Windows\system32\Dmbbhkjf.exe55⤵
- Executes dropped EXE
PID:3572 -
C:\Windows\SysWOW64\Dclkee32.exeC:\Windows\system32\Dclkee32.exe56⤵
- Executes dropped EXE
PID:5072 -
C:\Windows\SysWOW64\Diicml32.exeC:\Windows\system32\Diicml32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4332 -
C:\Windows\SysWOW64\Dpckjfgg.exeC:\Windows\system32\Dpckjfgg.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4432 -
C:\Windows\SysWOW64\Dfmcfp32.exeC:\Windows\system32\Dfmcfp32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:652 -
C:\Windows\SysWOW64\Dikpbl32.exeC:\Windows\system32\Dikpbl32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Dabhdinj.exeC:\Windows\system32\Dabhdinj.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:3496 -
C:\Windows\SysWOW64\Dhlpqc32.exeC:\Windows\system32\Dhlpqc32.exe62⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Dinmhkke.exeC:\Windows\system32\Dinmhkke.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:924 -
C:\Windows\SysWOW64\Dpgeee32.exeC:\Windows\system32\Dpgeee32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Dhomfc32.exeC:\Windows\system32\Dhomfc32.exe65⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Eipinkib.exeC:\Windows\system32\Eipinkib.exe66⤵PID:4356
-
C:\Windows\SysWOW64\Edemkd32.exeC:\Windows\system32\Edemkd32.exe67⤵PID:2536
-
C:\Windows\SysWOW64\Efdjgo32.exeC:\Windows\system32\Efdjgo32.exe68⤵PID:4408
-
C:\Windows\SysWOW64\Eaindh32.exeC:\Windows\system32\Eaindh32.exe69⤵
- System Location Discovery: System Language Discovery
PID:3092 -
C:\Windows\SysWOW64\Edhjqc32.exeC:\Windows\system32\Edhjqc32.exe70⤵
- System Location Discovery: System Language Discovery
PID:4052 -
C:\Windows\SysWOW64\Efffmo32.exeC:\Windows\system32\Efffmo32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:384 -
C:\Windows\SysWOW64\Ealkjh32.exeC:\Windows\system32\Ealkjh32.exe72⤵PID:4632
-
C:\Windows\SysWOW64\Ehfcfb32.exeC:\Windows\system32\Ehfcfb32.exe73⤵PID:4520
-
C:\Windows\SysWOW64\Eigonjcj.exeC:\Windows\system32\Eigonjcj.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4572 -
C:\Windows\SysWOW64\Epagkd32.exeC:\Windows\system32\Epagkd32.exe75⤵PID:1688
-
C:\Windows\SysWOW64\Ehhpla32.exeC:\Windows\system32\Ehhpla32.exe76⤵PID:3788
-
C:\Windows\SysWOW64\Emehdh32.exeC:\Windows\system32\Emehdh32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4040 -
C:\Windows\SysWOW64\Ehjlaaig.exeC:\Windows\system32\Ehjlaaig.exe78⤵PID:2632
-
C:\Windows\SysWOW64\Filiii32.exeC:\Windows\system32\Filiii32.exe79⤵PID:5060
-
C:\Windows\SysWOW64\Facqkg32.exeC:\Windows\system32\Facqkg32.exe80⤵PID:4804
-
C:\Windows\SysWOW64\Fkkeclfh.exeC:\Windows\system32\Fkkeclfh.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3640 -
C:\Windows\SysWOW64\Faenpf32.exeC:\Windows\system32\Faenpf32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2852 -
C:\Windows\SysWOW64\Fmlneg32.exeC:\Windows\system32\Fmlneg32.exe83⤵
- Drops file in System32 directory
PID:4156 -
C:\Windows\SysWOW64\Fdffbake.exeC:\Windows\system32\Fdffbake.exe84⤵
- Modifies registry class
PID:876 -
C:\Windows\SysWOW64\Fibojhim.exeC:\Windows\system32\Fibojhim.exe85⤵
- Drops file in System32 directory
PID:3136 -
C:\Windows\SysWOW64\Fpmggb32.exeC:\Windows\system32\Fpmggb32.exe86⤵
- Drops file in System32 directory
PID:1132 -
C:\Windows\SysWOW64\Fkbkdkpp.exeC:\Windows\system32\Fkbkdkpp.exe87⤵PID:1492
-
C:\Windows\SysWOW64\Fdkpma32.exeC:\Windows\system32\Fdkpma32.exe88⤵PID:3060
-
C:\Windows\SysWOW64\Gkdhjknm.exeC:\Windows\system32\Gkdhjknm.exe89⤵PID:2404
-
C:\Windows\SysWOW64\Gaopfe32.exeC:\Windows\system32\Gaopfe32.exe90⤵PID:4700
-
C:\Windows\SysWOW64\Gdmmbq32.exeC:\Windows\system32\Gdmmbq32.exe91⤵PID:1904
-
C:\Windows\SysWOW64\Ggkiol32.exeC:\Windows\system32\Ggkiol32.exe92⤵PID:216
-
C:\Windows\SysWOW64\Gmeakf32.exeC:\Windows\system32\Gmeakf32.exe93⤵PID:1908
-
C:\Windows\SysWOW64\Gdoihpbk.exeC:\Windows\system32\Gdoihpbk.exe94⤵PID:3596
-
C:\Windows\SysWOW64\Gkiaej32.exeC:\Windows\system32\Gkiaej32.exe95⤵
- System Location Discovery: System Language Discovery
PID:740 -
C:\Windows\SysWOW64\Gacjadad.exeC:\Windows\system32\Gacjadad.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:664 -
C:\Windows\SysWOW64\Ghmbno32.exeC:\Windows\system32\Ghmbno32.exe97⤵
- System Location Discovery: System Language Discovery
PID:4260 -
C:\Windows\SysWOW64\Ginnfgop.exeC:\Windows\system32\Ginnfgop.exe98⤵PID:2740
-
C:\Windows\SysWOW64\Gaefgd32.exeC:\Windows\system32\Gaefgd32.exe99⤵PID:2716
-
C:\Windows\SysWOW64\Gddbcp32.exeC:\Windows\system32\Gddbcp32.exe100⤵PID:1232
-
C:\Windows\SysWOW64\Ggbook32.exeC:\Windows\system32\Ggbook32.exe101⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5080 -
C:\Windows\SysWOW64\Gahcmd32.exeC:\Windows\system32\Gahcmd32.exe102⤵
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Hhbkinel.exeC:\Windows\system32\Hhbkinel.exe103⤵PID:348
-
C:\Windows\SysWOW64\Hkpheidp.exeC:\Windows\system32\Hkpheidp.exe104⤵PID:4460
-
C:\Windows\SysWOW64\Hjchaf32.exeC:\Windows\system32\Hjchaf32.exe105⤵PID:3516
-
C:\Windows\SysWOW64\Hajpbckl.exeC:\Windows\system32\Hajpbckl.exe106⤵PID:4836
-
C:\Windows\SysWOW64\Hgghjjid.exeC:\Windows\system32\Hgghjjid.exe107⤵PID:3412
-
C:\Windows\SysWOW64\Hnaqgd32.exeC:\Windows\system32\Hnaqgd32.exe108⤵
- System Location Discovery: System Language Discovery
PID:2032 -
C:\Windows\SysWOW64\Hpomcp32.exeC:\Windows\system32\Hpomcp32.exe109⤵PID:4928
-
C:\Windows\SysWOW64\Hhfedm32.exeC:\Windows\system32\Hhfedm32.exe110⤵
- System Location Discovery: System Language Discovery
PID:4568 -
C:\Windows\SysWOW64\Hkeaqi32.exeC:\Windows\system32\Hkeaqi32.exe111⤵PID:2480
-
C:\Windows\SysWOW64\Hjhalefe.exeC:\Windows\system32\Hjhalefe.exe112⤵PID:3108
-
C:\Windows\SysWOW64\Hpbiip32.exeC:\Windows\system32\Hpbiip32.exe113⤵
- Modifies registry class
PID:1840 -
C:\Windows\SysWOW64\Hkgnfhnh.exeC:\Windows\system32\Hkgnfhnh.exe114⤵PID:2252
-
C:\Windows\SysWOW64\Hnfjbdmk.exeC:\Windows\system32\Hnfjbdmk.exe115⤵PID:4484
-
C:\Windows\SysWOW64\Hpdfnolo.exeC:\Windows\system32\Hpdfnolo.exe116⤵PID:4896
-
C:\Windows\SysWOW64\Hgnoki32.exeC:\Windows\system32\Hgnoki32.exe117⤵
- System Location Discovery: System Language Discovery
PID:4920 -
C:\Windows\SysWOW64\Hjlkge32.exeC:\Windows\system32\Hjlkge32.exe118⤵PID:1540
-
C:\Windows\SysWOW64\Hacbhb32.exeC:\Windows\system32\Hacbhb32.exe119⤵PID:432
-
C:\Windows\SysWOW64\Idbodn32.exeC:\Windows\system32\Idbodn32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5136 -
C:\Windows\SysWOW64\Igqkqiai.exeC:\Windows\system32\Igqkqiai.exe121⤵PID:5180
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-