Analysis
-
max time kernel
70s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
10-10-2024 00:00
Behavioral task
behavioral1
Sample
589d66753d102553b3d9769c95e49320bd784558559a68e785669a83f35de12aN.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
120 seconds
General
-
Target
589d66753d102553b3d9769c95e49320bd784558559a68e785669a83f35de12aN.exe
-
Size
337KB
-
MD5
ae75c496c666dc609a76c50fbcfaf580
-
SHA1
ffc22475120ced1897465479d8c32bb813cae69e
-
SHA256
589d66753d102553b3d9769c95e49320bd784558559a68e785669a83f35de12a
-
SHA512
610c0d37af89a01cb1868e1f828e5d7728063683370e468c9d9bae154f83257cfea760214e5d5475ac7fe4cf5b437f7119375b546ba838916521b8c86745a2dd
-
SSDEEP
3072:3+M/MIESlCurSzB5HQrmIgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:LkbSlCMCTwr/1+fIyG5jZkCwi8r
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahlnmjkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Echoepmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmcibdad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Damhmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oebffm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haggijgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhpigk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbhlgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdmhcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlhbgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eamdlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ingmoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hminbkql.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dieiap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdnme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqgahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ginefe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elgioe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjpglfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfggbcdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Podbgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Danohi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbehgabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqkbkicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjdpgnee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnodjb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhpigk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkdgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhfihd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjqglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlfebcnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlqgob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pacqlcdi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 1724 Oheppe32.exe 2348 Piemih32.exe 2912 Plcied32.exe 2940 Podbgo32.exe 2344 Pgogla32.exe 2668 Pjppmlhm.exe 2384 Pkplgoop.exe 2340 Qfimhmlo.exe 2320 Qcmnaaji.exe 2892 Aodnfbpm.exe 944 Abbjbnoq.exe 1740 Akmlacdn.exe 2180 Aeepjh32.exe 1228 Akbelbpi.exe 1692 Bcmjpd32.exe 2552 Bemfjgdg.exe 1644 Bjiobnbn.exe 740 Bfppgohb.exe 536 Biolckgf.exe 1844 Bcdpacgl.exe 1988 Bjnhnn32.exe 1372 Bcfmfc32.exe 1632 Bbimbpld.exe 804 Behinlkh.exe 1612 Cnpnga32.exe 1748 Chhbpfhi.exe 2760 Cppjadhk.exe 580 Cihojiok.exe 2900 Cbpcbo32.exe 1756 Caccnllf.exe 2684 Ckkhga32.exe 2240 Cfbhlb32.exe 592 Coiqmp32.exe 2628 Dfdeab32.exe 2868 Dmomnlne.exe 1540 Dmajdl32.exe 2264 Dpofpg32.exe 2136 Dmcgik32.exe 2132 Dglkba32.exe 1048 Dlhdjh32.exe 2276 Dogpfc32.exe 2012 Dgnhhq32.exe 2080 Dlkqpg32.exe 1368 Eoimlc32.exe 332 Eagiho32.exe 2256 Ehaaei32.exe 380 Ekpmad32.exe 2984 Eajennij.exe 3060 Edhbjjhn.exe 2784 Eonfgbhc.exe 2932 Ealbcngg.exe 2816 Ehfkphnd.exe 1388 Eopcmb32.exe 2748 Edmkei32.exe 2888 Ekgcbcke.exe 1932 Ejjdmp32.exe 2752 Epdljjjm.exe 2176 Fnhlcn32.exe 292 Fqfipj32.exe 552 Fcdele32.exe 1492 Ffcahq32.exe 2064 Fqheei32.exe 2432 Fcgaae32.exe 2600 Fjajno32.exe -
Loads dropped DLL 64 IoCs
pid Process 2300 589d66753d102553b3d9769c95e49320bd784558559a68e785669a83f35de12aN.exe 2300 589d66753d102553b3d9769c95e49320bd784558559a68e785669a83f35de12aN.exe 1724 Oheppe32.exe 1724 Oheppe32.exe 2348 Piemih32.exe 2348 Piemih32.exe 2912 Plcied32.exe 2912 Plcied32.exe 2940 Podbgo32.exe 2940 Podbgo32.exe 2344 Pgogla32.exe 2344 Pgogla32.exe 2668 Pjppmlhm.exe 2668 Pjppmlhm.exe 2384 Pkplgoop.exe 2384 Pkplgoop.exe 2340 Qfimhmlo.exe 2340 Qfimhmlo.exe 2320 Qcmnaaji.exe 2320 Qcmnaaji.exe 2892 Aodnfbpm.exe 2892 Aodnfbpm.exe 944 Abbjbnoq.exe 944 Abbjbnoq.exe 1740 Akmlacdn.exe 1740 Akmlacdn.exe 2180 Aeepjh32.exe 2180 Aeepjh32.exe 1228 Akbelbpi.exe 1228 Akbelbpi.exe 1692 Bcmjpd32.exe 1692 Bcmjpd32.exe 2552 Bemfjgdg.exe 2552 Bemfjgdg.exe 1644 Bjiobnbn.exe 1644 Bjiobnbn.exe 740 Bfppgohb.exe 740 Bfppgohb.exe 536 Biolckgf.exe 536 Biolckgf.exe 1844 Bcdpacgl.exe 1844 Bcdpacgl.exe 1988 Bjnhnn32.exe 1988 Bjnhnn32.exe 1372 Bcfmfc32.exe 1372 Bcfmfc32.exe 1632 Bbimbpld.exe 1632 Bbimbpld.exe 804 Behinlkh.exe 804 Behinlkh.exe 1612 Cnpnga32.exe 1612 Cnpnga32.exe 1748 Chhbpfhi.exe 1748 Chhbpfhi.exe 2760 Cppjadhk.exe 2760 Cppjadhk.exe 580 Cihojiok.exe 580 Cihojiok.exe 2900 Cbpcbo32.exe 2900 Cbpcbo32.exe 1756 Caccnllf.exe 1756 Caccnllf.exe 2684 Ckkhga32.exe 2684 Ckkhga32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hancef32.exe Gheola32.exe File created C:\Windows\SysWOW64\Lafgagdb.dll Process not Found File created C:\Windows\SysWOW64\Kcfgobbh.dll Process not Found File opened for modification C:\Windows\SysWOW64\Idqpjg32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Lhpkoo32.exe Kccbgh32.exe File opened for modification C:\Windows\SysWOW64\Anfjpa32.exe Akhndf32.exe File created C:\Windows\SysWOW64\Blhhag32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Fkmhij32.exe Fofhdidp.exe File created C:\Windows\SysWOW64\Nipffb32.dll Process not Found File created C:\Windows\SysWOW64\Mhgpgjoj.exe Mbmgkp32.exe File opened for modification C:\Windows\SysWOW64\Hnljkf32.exe Hcfenn32.exe File created C:\Windows\SysWOW64\Elefkiaj.dll Khcdijac.exe File opened for modification C:\Windows\SysWOW64\Icnbic32.exe Iekbmfdc.exe File created C:\Windows\SysWOW64\Pembpkfi.exe Process not Found File opened for modification C:\Windows\SysWOW64\Gjnbmlmj.exe Gccjpb32.exe File created C:\Windows\SysWOW64\Gadllf32.dll Dfdqpdja.exe File opened for modification C:\Windows\SysWOW64\Oofpgolq.exe Process not Found File created C:\Windows\SysWOW64\Cpikne32.dll Mqgahh32.exe File opened for modification C:\Windows\SysWOW64\Pacbel32.exe Process not Found File created C:\Windows\SysWOW64\Fkmhij32.exe Fofhdidp.exe File opened for modification C:\Windows\SysWOW64\Jeenfd32.exe Ijpjik32.exe File created C:\Windows\SysWOW64\Dhoeadlm.dll Gjolpkhj.exe File created C:\Windows\SysWOW64\Kpiihgoh.exe Johlpoij.exe File created C:\Windows\SysWOW64\Pmnede32.dll Process not Found File created C:\Windows\SysWOW64\Fmnkma32.dll Oiahpkdj.exe File created C:\Windows\SysWOW64\Hkljljko.exe Process not Found File created C:\Windows\SysWOW64\Hahoodqi.exe Process not Found File created C:\Windows\SysWOW64\Lidafjlk.dll Process not Found File created C:\Windows\SysWOW64\Lmminemb.dll Ejjdmp32.exe File created C:\Windows\SysWOW64\Mkpppmko.exe Mibdcakk.exe File created C:\Windows\SysWOW64\Hnfdjdpm.dll Process not Found File created C:\Windows\SysWOW64\Nekbjf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Khhndi32.exe Knbjgq32.exe File created C:\Windows\SysWOW64\Onejjm32.exe Ogkbmcba.exe File created C:\Windows\SysWOW64\Kjdiigbm.exe Process not Found File created C:\Windows\SysWOW64\Jdocad32.dll Process not Found File created C:\Windows\SysWOW64\Giadfimp.dll Fokaoh32.exe File opened for modification C:\Windows\SysWOW64\Ikembicd.exe Process not Found File created C:\Windows\SysWOW64\Ikibkhla.exe Process not Found File created C:\Windows\SysWOW64\Mhmfgdch.exe Macnjk32.exe File created C:\Windows\SysWOW64\Lacnlhed.dll Process not Found File created C:\Windows\SysWOW64\Caidpcec.dll Process not Found File created C:\Windows\SysWOW64\Dkjcik32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Lohiob32.exe Klimcf32.exe File created C:\Windows\SysWOW64\Jecnpg32.exe Jfpndkel.exe File opened for modification C:\Windows\SysWOW64\Fhifmcfa.exe Faonqiod.exe File created C:\Windows\SysWOW64\Nnfeep32.exe Nkhhie32.exe File created C:\Windows\SysWOW64\Cgdadjhq.dll Aabfqp32.exe File opened for modification C:\Windows\SysWOW64\Nliqoofa.exe Process not Found File created C:\Windows\SysWOW64\Hmmjcc32.dll Lgehpk32.exe File opened for modification C:\Windows\SysWOW64\Dbhbfmkd.exe Domffn32.exe File opened for modification C:\Windows\SysWOW64\Oddmokoo.exe Oaeacppk.exe File created C:\Windows\SysWOW64\Pgbejj32.exe Paemac32.exe File created C:\Windows\SysWOW64\Mlfebcnd.exe Lelmei32.exe File opened for modification C:\Windows\SysWOW64\Ckjnfobi.exe Process not Found File created C:\Windows\SysWOW64\Fndfmljk.exe Process not Found File created C:\Windows\SysWOW64\Hpmdelbi.dll Kkqhbf32.exe File created C:\Windows\SysWOW64\Helmiiec.exe Hbnqln32.exe File created C:\Windows\SysWOW64\Qdkpomkb.exe Qnagbc32.exe File created C:\Windows\SysWOW64\Gjolpkhj.exe Ghmohcbl.exe File opened for modification C:\Windows\SysWOW64\Fhfbmn32.exe Fpojlp32.exe File created C:\Windows\SysWOW64\Hpkjfq32.dll Process not Found File created C:\Windows\SysWOW64\Mfgpckkm.dll Process not Found File created C:\Windows\SysWOW64\Piemih32.exe Oheppe32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7988 7496 Process not Found 1759 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cabldeik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajlabc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmgmhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcaahofh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiahpkdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkpieggc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pamnnemo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdhlih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joicje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gngiba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gghloe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imaglc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffhkcpal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlfbck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcapckod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omdbdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcagkmaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dedkbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gggclfkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khhndi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqajqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pedmbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bclcfnih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebekej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhpigk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjplao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfdjpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iilalc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkcjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqbdllld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgdkbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adbmjbif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Moflkfca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Majdkifd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehaaei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdldmja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmegkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmdldmja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldihjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijegmepm.dll" Mogcelgm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghjcmh32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haggijgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcdfbkkf.dll" Oiqegb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nllbaloh.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgphfbpi.dll" Lkqdajhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfncad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bdmhcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmpoce32.dll" Kifgllbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccmanjch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmgokcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coaipi32.dll" Effidg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gikpjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckopch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhfbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbeheeho.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dicildoo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Biebdbhl.dll" Ccloea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdgdlnop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhfbmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ginefe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jilmkffb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkmpgpcl.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgjelg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgamgken.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlqgob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lohiob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgfghodj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnchjai.dll" Fqheei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbjcaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncbdjhnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehhejkik.dll" Cjdmee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgbfin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fopole32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pimlmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhdcbjal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaiglnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lacnlhed.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmgbmq32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fapapi32.dll" 589d66753d102553b3d9769c95e49320bd784558559a68e785669a83f35de12aN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Conpdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmfkbeoc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahgdbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Infomg32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dglkba32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2300 wrote to memory of 1724 2300 589d66753d102553b3d9769c95e49320bd784558559a68e785669a83f35de12aN.exe 30 PID 2300 wrote to memory of 1724 2300 589d66753d102553b3d9769c95e49320bd784558559a68e785669a83f35de12aN.exe 30 PID 2300 wrote to memory of 1724 2300 589d66753d102553b3d9769c95e49320bd784558559a68e785669a83f35de12aN.exe 30 PID 2300 wrote to memory of 1724 2300 589d66753d102553b3d9769c95e49320bd784558559a68e785669a83f35de12aN.exe 30 PID 1724 wrote to memory of 2348 1724 Oheppe32.exe 31 PID 1724 wrote to memory of 2348 1724 Oheppe32.exe 31 PID 1724 wrote to memory of 2348 1724 Oheppe32.exe 31 PID 1724 wrote to memory of 2348 1724 Oheppe32.exe 31 PID 2348 wrote to memory of 2912 2348 Piemih32.exe 32 PID 2348 wrote to memory of 2912 2348 Piemih32.exe 32 PID 2348 wrote to memory of 2912 2348 Piemih32.exe 32 PID 2348 wrote to memory of 2912 2348 Piemih32.exe 32 PID 2912 wrote to memory of 2940 2912 Plcied32.exe 33 PID 2912 wrote to memory of 2940 2912 Plcied32.exe 33 PID 2912 wrote to memory of 2940 2912 Plcied32.exe 33 PID 2912 wrote to memory of 2940 2912 Plcied32.exe 33 PID 2940 wrote to memory of 2344 2940 Podbgo32.exe 34 PID 2940 wrote to memory of 2344 2940 Podbgo32.exe 34 PID 2940 wrote to memory of 2344 2940 Podbgo32.exe 34 PID 2940 wrote to memory of 2344 2940 Podbgo32.exe 34 PID 2344 wrote to memory of 2668 2344 Pgogla32.exe 35 PID 2344 wrote to memory of 2668 2344 Pgogla32.exe 35 PID 2344 wrote to memory of 2668 2344 Pgogla32.exe 35 PID 2344 wrote to memory of 2668 2344 Pgogla32.exe 35 PID 2668 wrote to memory of 2384 2668 Pjppmlhm.exe 36 PID 2668 wrote to memory of 2384 2668 Pjppmlhm.exe 36 PID 2668 wrote to memory of 2384 2668 Pjppmlhm.exe 36 PID 2668 wrote to memory of 2384 2668 Pjppmlhm.exe 36 PID 2384 wrote to memory of 2340 2384 Pkplgoop.exe 37 PID 2384 wrote to memory of 2340 2384 Pkplgoop.exe 37 PID 2384 wrote to memory of 2340 2384 Pkplgoop.exe 37 PID 2384 wrote to memory of 2340 2384 Pkplgoop.exe 37 PID 2340 wrote to memory of 2320 2340 Qfimhmlo.exe 38 PID 2340 wrote to memory of 2320 2340 Qfimhmlo.exe 38 PID 2340 wrote to memory of 2320 2340 Qfimhmlo.exe 38 PID 2340 wrote to memory of 2320 2340 Qfimhmlo.exe 38 PID 2320 wrote to memory of 2892 2320 Qcmnaaji.exe 39 PID 2320 wrote to memory of 2892 2320 Qcmnaaji.exe 39 PID 2320 wrote to memory of 2892 2320 Qcmnaaji.exe 39 PID 2320 wrote to memory of 2892 2320 Qcmnaaji.exe 39 PID 2892 wrote to memory of 944 2892 Aodnfbpm.exe 40 PID 2892 wrote to memory of 944 2892 Aodnfbpm.exe 40 PID 2892 wrote to memory of 944 2892 Aodnfbpm.exe 40 PID 2892 wrote to memory of 944 2892 Aodnfbpm.exe 40 PID 944 wrote to memory of 1740 944 Abbjbnoq.exe 41 PID 944 wrote to memory of 1740 944 Abbjbnoq.exe 41 PID 944 wrote to memory of 1740 944 Abbjbnoq.exe 41 PID 944 wrote to memory of 1740 944 Abbjbnoq.exe 41 PID 1740 wrote to memory of 2180 1740 Akmlacdn.exe 42 PID 1740 wrote to memory of 2180 1740 Akmlacdn.exe 42 PID 1740 wrote to memory of 2180 1740 Akmlacdn.exe 42 PID 1740 wrote to memory of 2180 1740 Akmlacdn.exe 42 PID 2180 wrote to memory of 1228 2180 Aeepjh32.exe 43 PID 2180 wrote to memory of 1228 2180 Aeepjh32.exe 43 PID 2180 wrote to memory of 1228 2180 Aeepjh32.exe 43 PID 2180 wrote to memory of 1228 2180 Aeepjh32.exe 43 PID 1228 wrote to memory of 1692 1228 Akbelbpi.exe 44 PID 1228 wrote to memory of 1692 1228 Akbelbpi.exe 44 PID 1228 wrote to memory of 1692 1228 Akbelbpi.exe 44 PID 1228 wrote to memory of 1692 1228 Akbelbpi.exe 44 PID 1692 wrote to memory of 2552 1692 Bcmjpd32.exe 45 PID 1692 wrote to memory of 2552 1692 Bcmjpd32.exe 45 PID 1692 wrote to memory of 2552 1692 Bcmjpd32.exe 45 PID 1692 wrote to memory of 2552 1692 Bcmjpd32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\589d66753d102553b3d9769c95e49320bd784558559a68e785669a83f35de12aN.exe"C:\Users\Admin\AppData\Local\Temp\589d66753d102553b3d9769c95e49320bd784558559a68e785669a83f35de12aN.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Oheppe32.exeC:\Windows\system32\Oheppe32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Piemih32.exeC:\Windows\system32\Piemih32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Plcied32.exeC:\Windows\system32\Plcied32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Podbgo32.exeC:\Windows\system32\Podbgo32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Pgogla32.exeC:\Windows\system32\Pgogla32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2344 -
C:\Windows\SysWOW64\Pjppmlhm.exeC:\Windows\system32\Pjppmlhm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Pkplgoop.exeC:\Windows\system32\Pkplgoop.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Qfimhmlo.exeC:\Windows\system32\Qfimhmlo.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Qcmnaaji.exeC:\Windows\system32\Qcmnaaji.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Aodnfbpm.exeC:\Windows\system32\Aodnfbpm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Abbjbnoq.exeC:\Windows\system32\Abbjbnoq.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:944 -
C:\Windows\SysWOW64\Akmlacdn.exeC:\Windows\system32\Akmlacdn.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Aeepjh32.exeC:\Windows\system32\Aeepjh32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Akbelbpi.exeC:\Windows\system32\Akbelbpi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Bcmjpd32.exeC:\Windows\system32\Bcmjpd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\Bemfjgdg.exeC:\Windows\system32\Bemfjgdg.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Bjiobnbn.exeC:\Windows\system32\Bjiobnbn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Bfppgohb.exeC:\Windows\system32\Bfppgohb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:740 -
C:\Windows\SysWOW64\Biolckgf.exeC:\Windows\system32\Biolckgf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:536 -
C:\Windows\SysWOW64\Bcdpacgl.exeC:\Windows\system32\Bcdpacgl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1844 -
C:\Windows\SysWOW64\Bjnhnn32.exeC:\Windows\system32\Bjnhnn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1988 -
C:\Windows\SysWOW64\Bcfmfc32.exeC:\Windows\system32\Bcfmfc32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Windows\SysWOW64\Bbimbpld.exeC:\Windows\system32\Bbimbpld.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1632 -
C:\Windows\SysWOW64\Behinlkh.exeC:\Windows\system32\Behinlkh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:804 -
C:\Windows\SysWOW64\Cnpnga32.exeC:\Windows\system32\Cnpnga32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Chhbpfhi.exeC:\Windows\system32\Chhbpfhi.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1748 -
C:\Windows\SysWOW64\Cppjadhk.exeC:\Windows\system32\Cppjadhk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Cihojiok.exeC:\Windows\system32\Cihojiok.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:580 -
C:\Windows\SysWOW64\Cbpcbo32.exeC:\Windows\system32\Cbpcbo32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Caccnllf.exeC:\Windows\system32\Caccnllf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1756 -
C:\Windows\SysWOW64\Ckkhga32.exeC:\Windows\system32\Ckkhga32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Cfbhlb32.exeC:\Windows\system32\Cfbhlb32.exe33⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Coiqmp32.exeC:\Windows\system32\Coiqmp32.exe34⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Dfdeab32.exeC:\Windows\system32\Dfdeab32.exe35⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Dmomnlne.exeC:\Windows\system32\Dmomnlne.exe36⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Dmajdl32.exeC:\Windows\system32\Dmajdl32.exe37⤵
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Dpofpg32.exeC:\Windows\system32\Dpofpg32.exe38⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Dmcgik32.exeC:\Windows\system32\Dmcgik32.exe39⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Dglkba32.exeC:\Windows\system32\Dglkba32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Dlhdjh32.exeC:\Windows\system32\Dlhdjh32.exe41⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Dogpfc32.exeC:\Windows\system32\Dogpfc32.exe42⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Dgnhhq32.exeC:\Windows\system32\Dgnhhq32.exe43⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Dlkqpg32.exeC:\Windows\system32\Dlkqpg32.exe44⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Eoimlc32.exeC:\Windows\system32\Eoimlc32.exe45⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Eagiho32.exeC:\Windows\system32\Eagiho32.exe46⤵
- Executes dropped EXE
PID:332 -
C:\Windows\SysWOW64\Ehaaei32.exeC:\Windows\system32\Ehaaei32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Windows\SysWOW64\Ekpmad32.exeC:\Windows\system32\Ekpmad32.exe48⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Eajennij.exeC:\Windows\system32\Eajennij.exe49⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Edhbjjhn.exeC:\Windows\system32\Edhbjjhn.exe50⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Eonfgbhc.exeC:\Windows\system32\Eonfgbhc.exe51⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Ealbcngg.exeC:\Windows\system32\Ealbcngg.exe52⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Ehfkphnd.exeC:\Windows\system32\Ehfkphnd.exe53⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Eopcmb32.exeC:\Windows\system32\Eopcmb32.exe54⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Edmkei32.exeC:\Windows\system32\Edmkei32.exe55⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Ekgcbcke.exeC:\Windows\system32\Ekgcbcke.exe56⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Ejjdmp32.exeC:\Windows\system32\Ejjdmp32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1932 -
C:\Windows\SysWOW64\Epdljjjm.exeC:\Windows\system32\Epdljjjm.exe58⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Fnhlcn32.exeC:\Windows\system32\Fnhlcn32.exe59⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Fqfipj32.exeC:\Windows\system32\Fqfipj32.exe60⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Fcdele32.exeC:\Windows\system32\Fcdele32.exe61⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Ffcahq32.exeC:\Windows\system32\Ffcahq32.exe62⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Fqheei32.exeC:\Windows\system32\Fqheei32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Fcgaae32.exeC:\Windows\system32\Fcgaae32.exe64⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Fjajno32.exeC:\Windows\system32\Fjajno32.exe65⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Fqkbkicd.exeC:\Windows\system32\Fqkbkicd.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2076 -
C:\Windows\SysWOW64\Fonbff32.exeC:\Windows\system32\Fonbff32.exe67⤵PID:1964
-
C:\Windows\SysWOW64\Ffhkcpal.exeC:\Windows\system32\Ffhkcpal.exe68⤵
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Fhfgokap.exeC:\Windows\system32\Fhfgokap.exe69⤵PID:2812
-
C:\Windows\SysWOW64\Fopole32.exeC:\Windows\system32\Fopole32.exe70⤵
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Ffjghppi.exeC:\Windows\system32\Ffjghppi.exe71⤵PID:2696
-
C:\Windows\SysWOW64\Fdmgdl32.exeC:\Windows\system32\Fdmgdl32.exe72⤵PID:2424
-
C:\Windows\SysWOW64\Fmdpejgf.exeC:\Windows\system32\Fmdpejgf.exe73⤵PID:1780
-
C:\Windows\SysWOW64\Fnelmb32.exeC:\Windows\system32\Fnelmb32.exe74⤵PID:1072
-
C:\Windows\SysWOW64\Gfldno32.exeC:\Windows\system32\Gfldno32.exe75⤵PID:1524
-
C:\Windows\SysWOW64\Gikpjk32.exeC:\Windows\system32\Gikpjk32.exe76⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Gngiba32.exeC:\Windows\system32\Gngiba32.exe77⤵
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Geaaolbo.exeC:\Windows\system32\Geaaolbo.exe78⤵PID:2216
-
C:\Windows\SysWOW64\Ggpmkgab.exeC:\Windows\system32\Ggpmkgab.exe79⤵PID:2500
-
C:\Windows\SysWOW64\Gjnigb32.exeC:\Windows\system32\Gjnigb32.exe80⤵PID:2288
-
C:\Windows\SysWOW64\Gbeaip32.exeC:\Windows\system32\Gbeaip32.exe81⤵PID:2312
-
C:\Windows\SysWOW64\Gednek32.exeC:\Windows\system32\Gednek32.exe82⤵PID:1952
-
C:\Windows\SysWOW64\Gknfaehi.exeC:\Windows\system32\Gknfaehi.exe83⤵PID:2280
-
C:\Windows\SysWOW64\Gqknjlfp.exeC:\Windows\system32\Gqknjlfp.exe84⤵PID:1592
-
C:\Windows\SysWOW64\Gcikfhed.exeC:\Windows\system32\Gcikfhed.exe85⤵PID:2800
-
C:\Windows\SysWOW64\Gfggbcdg.exeC:\Windows\system32\Gfggbcdg.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2936 -
C:\Windows\SysWOW64\Gmaoomld.exeC:\Windows\system32\Gmaoomld.exe87⤵PID:2352
-
C:\Windows\SysWOW64\Gppkkikh.exeC:\Windows\system32\Gppkkikh.exe88⤵PID:1624
-
C:\Windows\SysWOW64\Gggclfkj.exeC:\Windows\system32\Gggclfkj.exe89⤵
- System Location Discovery: System Language Discovery
PID:2636 -
C:\Windows\SysWOW64\Gihpcn32.exeC:\Windows\system32\Gihpcn32.exe90⤵PID:2864
-
C:\Windows\SysWOW64\Hmdldmja.exeC:\Windows\system32\Hmdldmja.exe91⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Hbqdldhi.exeC:\Windows\system32\Hbqdldhi.exe92⤵PID:1040
-
C:\Windows\SysWOW64\Hjhlnahk.exeC:\Windows\system32\Hjhlnahk.exe93⤵PID:1564
-
C:\Windows\SysWOW64\Hliieioi.exeC:\Windows\system32\Hliieioi.exe94⤵PID:1736
-
C:\Windows\SysWOW64\Hfnmbbnp.exeC:\Windows\system32\Hfnmbbnp.exe95⤵PID:1052
-
C:\Windows\SysWOW64\Himionmc.exeC:\Windows\system32\Himionmc.exe96⤵PID:2328
-
C:\Windows\SysWOW64\Hfajhblm.exeC:\Windows\system32\Hfajhblm.exe97⤵PID:1628
-
C:\Windows\SysWOW64\Hecjco32.exeC:\Windows\system32\Hecjco32.exe98⤵PID:2808
-
C:\Windows\SysWOW64\Hpinagbm.exeC:\Windows\system32\Hpinagbm.exe99⤵PID:2716
-
C:\Windows\SysWOW64\Hbgjmcba.exeC:\Windows\system32\Hbgjmcba.exe100⤵PID:2740
-
C:\Windows\SysWOW64\Hiabjm32.exeC:\Windows\system32\Hiabjm32.exe101⤵PID:1356
-
C:\Windows\SysWOW64\Hlpofh32.exeC:\Windows\system32\Hlpofh32.exe102⤵PID:1144
-
C:\Windows\SysWOW64\Hamgno32.exeC:\Windows\system32\Hamgno32.exe103⤵PID:2056
-
C:\Windows\SysWOW64\Idkcjk32.exeC:\Windows\system32\Idkcjk32.exe104⤵
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Ihgpkinf.exeC:\Windows\system32\Ihgpkinf.exe105⤵PID:2364
-
C:\Windows\SysWOW64\Inqhhc32.exeC:\Windows\system32\Inqhhc32.exe106⤵PID:2248
-
C:\Windows\SysWOW64\Imchcplm.exeC:\Windows\system32\Imchcplm.exe107⤵PID:2448
-
C:\Windows\SysWOW64\Idnppjcj.exeC:\Windows\system32\Idnppjcj.exe108⤵PID:1752
-
C:\Windows\SysWOW64\Iflmlfcn.exeC:\Windows\system32\Iflmlfcn.exe109⤵PID:352
-
C:\Windows\SysWOW64\Imfeip32.exeC:\Windows\system32\Imfeip32.exe110⤵PID:2228
-
C:\Windows\SysWOW64\Ihkifi32.exeC:\Windows\system32\Ihkifi32.exe111⤵PID:2700
-
C:\Windows\SysWOW64\Ijjebd32.exeC:\Windows\system32\Ijjebd32.exe112⤵PID:1336
-
C:\Windows\SysWOW64\Ipfnjkgk.exeC:\Windows\system32\Ipfnjkgk.exe113⤵PID:2880
-
C:\Windows\SysWOW64\Ipijpkei.exeC:\Windows\system32\Ipijpkei.exe114⤵PID:1452
-
C:\Windows\SysWOW64\Iiaoip32.exeC:\Windows\system32\Iiaoip32.exe115⤵PID:2608
-
C:\Windows\SysWOW64\Ilpkel32.exeC:\Windows\system32\Ilpkel32.exe116⤵PID:1192
-
C:\Windows\SysWOW64\Ipkgejcf.exeC:\Windows\system32\Ipkgejcf.exe117⤵PID:1712
-
C:\Windows\SysWOW64\Jbjcaf32.exeC:\Windows\system32\Jbjcaf32.exe118⤵
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Jiclnpjg.exeC:\Windows\system32\Jiclnpjg.exe119⤵PID:1580
-
C:\Windows\SysWOW64\Jlbhjkij.exeC:\Windows\system32\Jlbhjkij.exe120⤵PID:2036
-
C:\Windows\SysWOW64\Jaopcbga.exeC:\Windows\system32\Jaopcbga.exe121⤵PID:2108
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-