Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
14/10/2024, 00:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9d141dd90482e4e15a62380b97da07bd92886b1cf2d0716e1ec630e9f2cd180aN.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
9d141dd90482e4e15a62380b97da07bd92886b1cf2d0716e1ec630e9f2cd180aN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
9d141dd90482e4e15a62380b97da07bd92886b1cf2d0716e1ec630e9f2cd180aN.exe
-
Size
1.1MB
-
MD5
a2fd3d3e5cd19e28af71708d97d66d80
-
SHA1
0b66704e46dda2b2e105d4d502fc645ee8935515
-
SHA256
9d141dd90482e4e15a62380b97da07bd92886b1cf2d0716e1ec630e9f2cd180a
-
SHA512
ea77ed4f9f7ba083b8d3f108f17b62c738b9b3483f4b20ed7ad1de540cfc3f2a276b0f189fbe19109a90e908d87e2eb4f5c27f2cbbe15e42a422eb0d4a22fd58
-
SSDEEP
12288:CNHFHRFbeteBFHRFbeWFHRFbeteBFHRFbeN:CZBR7BRjBR7BRE
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhdmph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqnjek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkacfiga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goddjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmklak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhcfjnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omiand32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmiolk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afpapcnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chhpgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkolakkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpfbegei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijimli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecfnmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edidqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbbomjnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmddgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llebnfpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfmqigba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjedmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeojcmfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Faonom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoimecmb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oodjjign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhoeii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mehpga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmijajbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciokijfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Offpbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnkhfnck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anadojlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbepkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apnfno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmqffonj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kajiigba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onldqejb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bogljj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmlecinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpfbegei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omhkcnfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpniokan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eclcon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhcicf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfmjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfigck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mokilo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofaolcmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkdjglfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaogognm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfmqmgbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiofnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clnehado.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clfhml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkfocaki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ichmgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjohmbpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbojjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbhfajia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epeoaffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpaehl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdmepgce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qekbgbpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcichb32.exe -
Executes dropped EXE 64 IoCs
pid Process 1816 Mmdjkhdh.exe 2060 Mcnbhb32.exe 1952 Nmkplgnq.exe 3012 Nfdddm32.exe 2648 Ncnngfna.exe 2812 Nhlgmd32.exe 2212 Odchbe32.exe 2272 Ofadnq32.exe 1640 Oekjjl32.exe 1392 Olebgfao.exe 2872 Pkoicb32.exe 2976 Pmmeon32.exe 2384 Qkfocaki.exe 2492 Qcachc32.exe 1484 Aaimopli.exe 2336 Alnalh32.exe 1864 Abpcooea.exe 1728 Bgllgedi.exe 1892 Bccmmf32.exe 2252 Bkjdndjo.exe 752 Bniajoic.exe 2452 Bceibfgj.exe 1144 Boljgg32.exe 984 Bffbdadk.exe 2440 Bieopm32.exe 1600 Bjdkjpkb.exe 2304 Ccmpce32.exe 2216 Ciihklpj.exe 1992 Cbblda32.exe 2832 Cileqlmg.exe 2840 Cpfmmf32.exe 2556 Cinafkkd.exe 2096 Cchbgi32.exe 1340 Clojhf32.exe 2600 Cmpgpond.exe 2756 Cfhkhd32.exe 1848 Dhhhbg32.exe 1820 Daplkmbg.exe 1948 Dpcmgi32.exe 2964 Dmgmpnhl.exe 1428 Dljmlj32.exe 944 Ddaemh32.exe 3016 Dphfbiem.exe 568 Dbfbnddq.exe 1780 Deenjpcd.exe 1404 Dpjbgh32.exe 1252 Eheglk32.exe 868 Eopphehb.exe 1700 Eanldqgf.exe 824 Ehhdaj32.exe 2244 Eoblnd32.exe 2828 Eeldkonl.exe 2996 Emgioakg.exe 2576 Egonhf32.exe 1596 Ekkjheja.exe 2724 Ephbal32.exe 1592 Ecfnmh32.exe 2428 Fmlbjq32.exe 1644 Fchkbg32.exe 2124 Fmnopp32.exe 2980 Flapkmlj.exe 1696 Foolgh32.exe 736 Fhgppnan.exe 2040 Foahmh32.exe -
Loads dropped DLL 64 IoCs
pid Process 2412 9d141dd90482e4e15a62380b97da07bd92886b1cf2d0716e1ec630e9f2cd180aN.exe 2412 9d141dd90482e4e15a62380b97da07bd92886b1cf2d0716e1ec630e9f2cd180aN.exe 1816 Mmdjkhdh.exe 1816 Mmdjkhdh.exe 2060 Mcnbhb32.exe 2060 Mcnbhb32.exe 1952 Nmkplgnq.exe 1952 Nmkplgnq.exe 3012 Nfdddm32.exe 3012 Nfdddm32.exe 2648 Ncnngfna.exe 2648 Ncnngfna.exe 2812 Nhlgmd32.exe 2812 Nhlgmd32.exe 2212 Odchbe32.exe 2212 Odchbe32.exe 2272 Ofadnq32.exe 2272 Ofadnq32.exe 1640 Oekjjl32.exe 1640 Oekjjl32.exe 1392 Olebgfao.exe 1392 Olebgfao.exe 2872 Pkoicb32.exe 2872 Pkoicb32.exe 2976 Pmmeon32.exe 2976 Pmmeon32.exe 2384 Qkfocaki.exe 2384 Qkfocaki.exe 2492 Qcachc32.exe 2492 Qcachc32.exe 1484 Aaimopli.exe 1484 Aaimopli.exe 2336 Alnalh32.exe 2336 Alnalh32.exe 1864 Abpcooea.exe 1864 Abpcooea.exe 1728 Bgllgedi.exe 1728 Bgllgedi.exe 1892 Bccmmf32.exe 1892 Bccmmf32.exe 2252 Bkjdndjo.exe 2252 Bkjdndjo.exe 752 Bniajoic.exe 752 Bniajoic.exe 2452 Bceibfgj.exe 2452 Bceibfgj.exe 1144 Boljgg32.exe 1144 Boljgg32.exe 984 Bffbdadk.exe 984 Bffbdadk.exe 2440 Bieopm32.exe 2440 Bieopm32.exe 1600 Bjdkjpkb.exe 1600 Bjdkjpkb.exe 2304 Ccmpce32.exe 2304 Ccmpce32.exe 2216 Ciihklpj.exe 2216 Ciihklpj.exe 1992 Cbblda32.exe 1992 Cbblda32.exe 2832 Cileqlmg.exe 2832 Cileqlmg.exe 2840 Cpfmmf32.exe 2840 Cpfmmf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Nkclkl32.exe Nffccejb.exe File created C:\Windows\SysWOW64\Oddphp32.exe Ofaolcmh.exe File created C:\Windows\SysWOW64\Dbmkfh32.exe Dkbbinig.exe File created C:\Windows\SysWOW64\Ehpcehcj.exe Ebckmaec.exe File opened for modification C:\Windows\SysWOW64\Jpbcek32.exe Jmdgipkk.exe File created C:\Windows\SysWOW64\Apmcefmf.exe Anogijnb.exe File created C:\Windows\SysWOW64\Npneccok.dll Ijaaae32.exe File created C:\Windows\SysWOW64\Diodocki.dll Ikqnlh32.exe File created C:\Windows\SysWOW64\Cfleblle.dll Lpaehl32.exe File opened for modification C:\Windows\SysWOW64\Qcachc32.exe Qkfocaki.exe File created C:\Windows\SysWOW64\Gagkjbaf.exe Ggagmjbq.exe File opened for modification C:\Windows\SysWOW64\Dcghkf32.exe Dahkok32.exe File created C:\Windows\SysWOW64\Pehbqi32.dll Kenhopmf.exe File created C:\Windows\SysWOW64\Bimphc32.exe Bogljj32.exe File opened for modification C:\Windows\SysWOW64\Kjmoeo32.exe Kepgmh32.exe File opened for modification C:\Windows\SysWOW64\Aicfgn32.exe Anmbje32.exe File opened for modification C:\Windows\SysWOW64\Mloiec32.exe Mjqmig32.exe File created C:\Windows\SysWOW64\Mfgnnhkc.exe Mblbnj32.exe File opened for modification C:\Windows\SysWOW64\Cfknhi32.exe Ckfjjqhd.exe File opened for modification C:\Windows\SysWOW64\Fdqiiaih.exe Fpbqcb32.exe File created C:\Windows\SysWOW64\Ankedf32.exe Aebakp32.exe File created C:\Windows\SysWOW64\Onkckhkp.dll Lpqlemaj.exe File opened for modification C:\Windows\SysWOW64\Bjpdhifk.exe Bdckobhd.exe File created C:\Windows\SysWOW64\Goocenaa.exe Gplcia32.exe File created C:\Windows\SysWOW64\Nikkkn32.exe Mcacochk.exe File created C:\Windows\SysWOW64\Odcimipf.exe Oqgmmk32.exe File created C:\Windows\SysWOW64\Igpfoieh.dll Ofgbkacb.exe File created C:\Windows\SysWOW64\Gielfcfg.dll Lohelidp.exe File created C:\Windows\SysWOW64\Qncfphff.exe Qekbgbpf.exe File created C:\Windows\SysWOW64\Jnbpqb32.exe Imacijjb.exe File created C:\Windows\SysWOW64\Kecfmlgq.dll Cojeomee.exe File created C:\Windows\SysWOW64\Fappgflg.exe Fmddgg32.exe File opened for modification C:\Windows\SysWOW64\Ikjjda32.exe Ijimli32.exe File created C:\Windows\SysWOW64\Pnifdmnc.dll Nloachkf.exe File opened for modification C:\Windows\SysWOW64\Ofadnq32.exe Odchbe32.exe File opened for modification C:\Windows\SysWOW64\Mdendpbg.exe Lohelidp.exe File opened for modification C:\Windows\SysWOW64\Hjddaj32.exe Hcjldp32.exe File created C:\Windows\SysWOW64\Aeelon32.dll Baclaf32.exe File created C:\Windows\SysWOW64\Gkbokl32.dll Ecjgio32.exe File opened for modification C:\Windows\SysWOW64\Bimphc32.exe Bogljj32.exe File created C:\Windows\SysWOW64\Himocb32.dll Nakikpin.exe File created C:\Windows\SysWOW64\Lecaooal.dll Ankedf32.exe File created C:\Windows\SysWOW64\Okbapi32.exe Ockinl32.exe File created C:\Windows\SysWOW64\Lldpji32.dll Pcpbik32.exe File opened for modification C:\Windows\SysWOW64\Oekehomj.exe Okbapi32.exe File opened for modification C:\Windows\SysWOW64\Gaeqmk32.exe Fogdap32.exe File created C:\Windows\SysWOW64\Jailfk32.dll Jmlfmn32.exe File created C:\Windows\SysWOW64\Bjpdhifk.exe Bdckobhd.exe File opened for modification C:\Windows\SysWOW64\Dgqion32.exe Ddbmcb32.exe File created C:\Windows\SysWOW64\Hmmdin32.exe Hjohmbpd.exe File created C:\Windows\SysWOW64\Lpqlemaj.exe Llepen32.exe File created C:\Windows\SysWOW64\Qaacem32.dll Piliii32.exe File opened for modification C:\Windows\SysWOW64\Halcmn32.exe Hnpgloog.exe File created C:\Windows\SysWOW64\Eoeffhea.dll Hnbcaome.exe File opened for modification C:\Windows\SysWOW64\Gbmlkl32.exe Glbdnbpk.exe File created C:\Windows\SysWOW64\Kilgoe32.exe Keqkofno.exe File created C:\Windows\SysWOW64\Nflchkii.exe Npbklabl.exe File created C:\Windows\SysWOW64\Jdidmf32.exe Ijdppm32.exe File created C:\Windows\SysWOW64\Mcnbhb32.exe Mmdjkhdh.exe File created C:\Windows\SysWOW64\Cmbfdl32.dll Cbblda32.exe File opened for modification C:\Windows\SysWOW64\Bkknac32.exe Bacihmoo.exe File created C:\Windows\SysWOW64\Lpdankjg.exe Lmeebpkd.exe File opened for modification C:\Windows\SysWOW64\Oodjjign.exe Omfnnnhj.exe File created C:\Windows\SysWOW64\Blniinac.exe Bhbmip32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcdkef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpfbegei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpohhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbpekam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdaojbjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaflgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhklna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbblda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecfnmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnochnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omnkicen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnladjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpnkopeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njmfhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpicbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beggec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemldifo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nojnql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbqjqehd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ankedf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofafgipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmcefmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfnajed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chlgid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkjhjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okhgod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhimji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apnfno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clnehado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbfnjeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgdgpfnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imaapa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbbobkol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjhgbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmbgageq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hganjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfmjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofiopaap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlgmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikagogco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbqcb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igoomk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjnhhjjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdchneko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmeebpkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bggjjlnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onldqejb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pchbmigj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qaqlbmbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicfgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgocmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcggef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphaglgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chhpgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkifaen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igpaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nakikpin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebakp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alaccj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlbdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlifadkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcokpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfebhmbm.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddjmnoki.dll" Ingkdeak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eckfklnl.dll" Dppigchi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pndalkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckpmmabh.dll" Cdpdnpif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nchipb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olebgfao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kenoifpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iifmcp32.dll" Mhcfjnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckfjjqhd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cniajdkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faijggao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Colldggd.dll" Llebnfpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edidqf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qghgigkn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fadndbci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agpeaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngjlpmnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jckenobm.dll" Npkdnnfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Faonom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imogcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkhaooec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghldgj32.dll" Ihpgce32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpcgbhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pelnlcjj.dll" Gjdldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dilfgala.dll" Gfnjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plpqim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bemkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjmoeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqbnn32.dll" Fchkbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieibdnnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmjkjk32.dll" Nohaklfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Piimanjg.dll" Ifbkgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geoghd32.dll" Imgnjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnapnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ombddbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mffdnf32.dll" Jijacjnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqgmmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnklgkap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njohaaaf.dll" Aocbokia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpbnjjkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjcap32.dll" Hmpaom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kenhopmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aanibhoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keango32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcmoie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmobfna.dll" Gcmamj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjcjog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndfnecgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daagjapn.dll" Nggipg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahmefdcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahqkocmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pcieol32.dll" Cnklgkap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibibfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iaaekl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhaanh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofiopaap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqdhpbib.dll" Modlbmmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfigck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfigck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adfbpega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npepblac.dll" Cmhjdiap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qccnpi32.dll" Fopnpaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbcien32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gimkklpe.dll" Pkjqcg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2412 wrote to memory of 1816 2412 9d141dd90482e4e15a62380b97da07bd92886b1cf2d0716e1ec630e9f2cd180aN.exe 31 PID 2412 wrote to memory of 1816 2412 9d141dd90482e4e15a62380b97da07bd92886b1cf2d0716e1ec630e9f2cd180aN.exe 31 PID 2412 wrote to memory of 1816 2412 9d141dd90482e4e15a62380b97da07bd92886b1cf2d0716e1ec630e9f2cd180aN.exe 31 PID 2412 wrote to memory of 1816 2412 9d141dd90482e4e15a62380b97da07bd92886b1cf2d0716e1ec630e9f2cd180aN.exe 31 PID 1816 wrote to memory of 2060 1816 Mmdjkhdh.exe 32 PID 1816 wrote to memory of 2060 1816 Mmdjkhdh.exe 32 PID 1816 wrote to memory of 2060 1816 Mmdjkhdh.exe 32 PID 1816 wrote to memory of 2060 1816 Mmdjkhdh.exe 32 PID 2060 wrote to memory of 1952 2060 Mcnbhb32.exe 33 PID 2060 wrote to memory of 1952 2060 Mcnbhb32.exe 33 PID 2060 wrote to memory of 1952 2060 Mcnbhb32.exe 33 PID 2060 wrote to memory of 1952 2060 Mcnbhb32.exe 33 PID 1952 wrote to memory of 3012 1952 Nmkplgnq.exe 34 PID 1952 wrote to memory of 3012 1952 Nmkplgnq.exe 34 PID 1952 wrote to memory of 3012 1952 Nmkplgnq.exe 34 PID 1952 wrote to memory of 3012 1952 Nmkplgnq.exe 34 PID 3012 wrote to memory of 2648 3012 Nfdddm32.exe 35 PID 3012 wrote to memory of 2648 3012 Nfdddm32.exe 35 PID 3012 wrote to memory of 2648 3012 Nfdddm32.exe 35 PID 3012 wrote to memory of 2648 3012 Nfdddm32.exe 35 PID 2648 wrote to memory of 2812 2648 Ncnngfna.exe 36 PID 2648 wrote to memory of 2812 2648 Ncnngfna.exe 36 PID 2648 wrote to memory of 2812 2648 Ncnngfna.exe 36 PID 2648 wrote to memory of 2812 2648 Ncnngfna.exe 36 PID 2812 wrote to memory of 2212 2812 Nhlgmd32.exe 37 PID 2812 wrote to memory of 2212 2812 Nhlgmd32.exe 37 PID 2812 wrote to memory of 2212 2812 Nhlgmd32.exe 37 PID 2812 wrote to memory of 2212 2812 Nhlgmd32.exe 37 PID 2212 wrote to memory of 2272 2212 Odchbe32.exe 38 PID 2212 wrote to memory of 2272 2212 Odchbe32.exe 38 PID 2212 wrote to memory of 2272 2212 Odchbe32.exe 38 PID 2212 wrote to memory of 2272 2212 Odchbe32.exe 38 PID 2272 wrote to memory of 1640 2272 Ofadnq32.exe 39 PID 2272 wrote to memory of 1640 2272 Ofadnq32.exe 39 PID 2272 wrote to memory of 1640 2272 Ofadnq32.exe 39 PID 2272 wrote to memory of 1640 2272 Ofadnq32.exe 39 PID 1640 wrote to memory of 1392 1640 Oekjjl32.exe 40 PID 1640 wrote to memory of 1392 1640 Oekjjl32.exe 40 PID 1640 wrote to memory of 1392 1640 Oekjjl32.exe 40 PID 1640 wrote to memory of 1392 1640 Oekjjl32.exe 40 PID 1392 wrote to memory of 2872 1392 Olebgfao.exe 41 PID 1392 wrote to memory of 2872 1392 Olebgfao.exe 41 PID 1392 wrote to memory of 2872 1392 Olebgfao.exe 41 PID 1392 wrote to memory of 2872 1392 Olebgfao.exe 41 PID 2872 wrote to memory of 2976 2872 Pkoicb32.exe 42 PID 2872 wrote to memory of 2976 2872 Pkoicb32.exe 42 PID 2872 wrote to memory of 2976 2872 Pkoicb32.exe 42 PID 2872 wrote to memory of 2976 2872 Pkoicb32.exe 42 PID 2976 wrote to memory of 2384 2976 Pmmeon32.exe 43 PID 2976 wrote to memory of 2384 2976 Pmmeon32.exe 43 PID 2976 wrote to memory of 2384 2976 Pmmeon32.exe 43 PID 2976 wrote to memory of 2384 2976 Pmmeon32.exe 43 PID 2384 wrote to memory of 2492 2384 Qkfocaki.exe 44 PID 2384 wrote to memory of 2492 2384 Qkfocaki.exe 44 PID 2384 wrote to memory of 2492 2384 Qkfocaki.exe 44 PID 2384 wrote to memory of 2492 2384 Qkfocaki.exe 44 PID 2492 wrote to memory of 1484 2492 Qcachc32.exe 45 PID 2492 wrote to memory of 1484 2492 Qcachc32.exe 45 PID 2492 wrote to memory of 1484 2492 Qcachc32.exe 45 PID 2492 wrote to memory of 1484 2492 Qcachc32.exe 45 PID 1484 wrote to memory of 2336 1484 Aaimopli.exe 46 PID 1484 wrote to memory of 2336 1484 Aaimopli.exe 46 PID 1484 wrote to memory of 2336 1484 Aaimopli.exe 46 PID 1484 wrote to memory of 2336 1484 Aaimopli.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d141dd90482e4e15a62380b97da07bd92886b1cf2d0716e1ec630e9f2cd180aN.exe"C:\Users\Admin\AppData\Local\Temp\9d141dd90482e4e15a62380b97da07bd92886b1cf2d0716e1ec630e9f2cd180aN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2412 -
C:\Windows\SysWOW64\Mmdjkhdh.exeC:\Windows\system32\Mmdjkhdh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Mcnbhb32.exeC:\Windows\system32\Mcnbhb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Ncnngfna.exeC:\Windows\system32\Ncnngfna.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Nhlgmd32.exeC:\Windows\system32\Nhlgmd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Odchbe32.exeC:\Windows\system32\Odchbe32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Ofadnq32.exeC:\Windows\system32\Ofadnq32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Oekjjl32.exeC:\Windows\system32\Oekjjl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1640 -
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\Pkoicb32.exeC:\Windows\system32\Pkoicb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Pmmeon32.exeC:\Windows\system32\Pmmeon32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Qkfocaki.exeC:\Windows\system32\Qkfocaki.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Qcachc32.exeC:\Windows\system32\Qcachc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Aaimopli.exeC:\Windows\system32\Aaimopli.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Alnalh32.exeC:\Windows\system32\Alnalh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2336 -
C:\Windows\SysWOW64\Abpcooea.exeC:\Windows\system32\Abpcooea.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Bgllgedi.exeC:\Windows\system32\Bgllgedi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1728 -
C:\Windows\SysWOW64\Bccmmf32.exeC:\Windows\system32\Bccmmf32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1892 -
C:\Windows\SysWOW64\Bkjdndjo.exeC:\Windows\system32\Bkjdndjo.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Bniajoic.exeC:\Windows\system32\Bniajoic.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:752 -
C:\Windows\SysWOW64\Bceibfgj.exeC:\Windows\system32\Bceibfgj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Boljgg32.exeC:\Windows\system32\Boljgg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144 -
C:\Windows\SysWOW64\Bffbdadk.exeC:\Windows\system32\Bffbdadk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Bieopm32.exeC:\Windows\system32\Bieopm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Bjdkjpkb.exeC:\Windows\system32\Bjdkjpkb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Ccmpce32.exeC:\Windows\system32\Ccmpce32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Ciihklpj.exeC:\Windows\system32\Ciihklpj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Cbblda32.exeC:\Windows\system32\Cbblda32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\Cileqlmg.exeC:\Windows\system32\Cileqlmg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Cpfmmf32.exeC:\Windows\system32\Cpfmmf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Cinafkkd.exeC:\Windows\system32\Cinafkkd.exe33⤵
- Executes dropped EXE
PID:2556 -
C:\Windows\SysWOW64\Cchbgi32.exeC:\Windows\system32\Cchbgi32.exe34⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Clojhf32.exeC:\Windows\system32\Clojhf32.exe35⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Cmpgpond.exeC:\Windows\system32\Cmpgpond.exe36⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Cfhkhd32.exeC:\Windows\system32\Cfhkhd32.exe37⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Dhhhbg32.exeC:\Windows\system32\Dhhhbg32.exe38⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Daplkmbg.exeC:\Windows\system32\Daplkmbg.exe39⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Dpcmgi32.exeC:\Windows\system32\Dpcmgi32.exe40⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Dmgmpnhl.exeC:\Windows\system32\Dmgmpnhl.exe41⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Dljmlj32.exeC:\Windows\system32\Dljmlj32.exe42⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Ddaemh32.exeC:\Windows\system32\Ddaemh32.exe43⤵
- Executes dropped EXE
PID:944 -
C:\Windows\SysWOW64\Dphfbiem.exeC:\Windows\system32\Dphfbiem.exe44⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Dbfbnddq.exeC:\Windows\system32\Dbfbnddq.exe45⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Deenjpcd.exeC:\Windows\system32\Deenjpcd.exe46⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe47⤵
- Executes dropped EXE
PID:1404 -
C:\Windows\SysWOW64\Eheglk32.exeC:\Windows\system32\Eheglk32.exe48⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Eopphehb.exeC:\Windows\system32\Eopphehb.exe49⤵
- Executes dropped EXE
PID:868 -
C:\Windows\SysWOW64\Eanldqgf.exeC:\Windows\system32\Eanldqgf.exe50⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Ehhdaj32.exeC:\Windows\system32\Ehhdaj32.exe51⤵
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Eoblnd32.exeC:\Windows\system32\Eoblnd32.exe52⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Eeldkonl.exeC:\Windows\system32\Eeldkonl.exe53⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Emgioakg.exeC:\Windows\system32\Emgioakg.exe54⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Egonhf32.exeC:\Windows\system32\Egonhf32.exe55⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Ekkjheja.exeC:\Windows\system32\Ekkjheja.exe56⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Ephbal32.exeC:\Windows\system32\Ephbal32.exe57⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Ecfnmh32.exeC:\Windows\system32\Ecfnmh32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\Fmlbjq32.exeC:\Windows\system32\Fmlbjq32.exe59⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Fchkbg32.exeC:\Windows\system32\Fchkbg32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1644 -
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe61⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Flapkmlj.exeC:\Windows\system32\Flapkmlj.exe62⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe63⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Fhgppnan.exeC:\Windows\system32\Fhgppnan.exe64⤵
- Executes dropped EXE
PID:736 -
C:\Windows\SysWOW64\Foahmh32.exeC:\Windows\system32\Foahmh32.exe65⤵
- Executes dropped EXE
PID:2040 -
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe66⤵PID:2248
-
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe67⤵PID:2968
-
C:\Windows\SysWOW64\Fdqnkoep.exeC:\Windows\system32\Fdqnkoep.exe68⤵PID:3036
-
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe69⤵PID:1316
-
C:\Windows\SysWOW64\Fadndbci.exeC:\Windows\system32\Fadndbci.exe70⤵
- Modifies registry class
PID:1724 -
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe71⤵PID:2316
-
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe72⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Gagkjbaf.exeC:\Windows\system32\Gagkjbaf.exe73⤵PID:2688
-
C:\Windows\SysWOW64\Ggdcbi32.exeC:\Windows\system32\Ggdcbi32.exe74⤵PID:836
-
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe75⤵PID:1532
-
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe76⤵PID:976
-
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe77⤵PID:2068
-
C:\Windows\SysWOW64\Gjdldd32.exeC:\Windows\system32\Gjdldd32.exe78⤵
- Modifies registry class
PID:1336 -
C:\Windows\SysWOW64\Gqodqodl.exeC:\Windows\system32\Gqodqodl.exe79⤵PID:396
-
C:\Windows\SysWOW64\Gcmamj32.exeC:\Windows\system32\Gcmamj32.exe80⤵
- Modifies registry class
PID:2956 -
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe81⤵PID:1300
-
C:\Windows\SysWOW64\Gconbj32.exeC:\Windows\system32\Gconbj32.exe82⤵PID:2952
-
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe83⤵
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Gjifodii.exeC:\Windows\system32\Gjifodii.exe84⤵PID:2056
-
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe85⤵PID:1752
-
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe86⤵
- System Location Discovery: System Language Discovery
PID:1508 -
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe87⤵PID:2288
-
C:\Windows\SysWOW64\Hfbcidmk.exeC:\Windows\system32\Hfbcidmk.exe88⤵PID:2680
-
C:\Windows\SysWOW64\Hmlkfo32.exeC:\Windows\system32\Hmlkfo32.exe89⤵PID:2664
-
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2856 -
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe91⤵PID:2584
-
C:\Windows\SysWOW64\Hegpjaac.exeC:\Windows\system32\Hegpjaac.exe92⤵PID:1784
-
C:\Windows\SysWOW64\Hkahgk32.exeC:\Windows\system32\Hkahgk32.exe93⤵PID:1228
-
C:\Windows\SysWOW64\Hqnapb32.exeC:\Windows\system32\Hqnapb32.exe94⤵PID:1060
-
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe95⤵PID:2924
-
C:\Windows\SysWOW64\Hjgehgnh.exeC:\Windows\system32\Hjgehgnh.exe96⤵PID:1440
-
C:\Windows\SysWOW64\Heliepmn.exeC:\Windows\system32\Heliepmn.exe97⤵PID:680
-
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe98⤵PID:3032
-
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe99⤵
- Modifies registry class
PID:1536 -
C:\Windows\SysWOW64\Ifpcchai.exeC:\Windows\system32\Ifpcchai.exe100⤵PID:2208
-
C:\Windows\SysWOW64\Ijkocg32.exeC:\Windows\system32\Ijkocg32.exe101⤵PID:2128
-
C:\Windows\SysWOW64\Ingkdeak.exeC:\Windows\system32\Ingkdeak.exe102⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe103⤵PID:1496
-
C:\Windows\SysWOW64\Igoomk32.exeC:\Windows\system32\Igoomk32.exe104⤵
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Iiqldc32.exeC:\Windows\system32\Iiqldc32.exe105⤵PID:2736
-
C:\Windows\SysWOW64\Iahceq32.exeC:\Windows\system32\Iahceq32.exe106⤵PID:2580
-
C:\Windows\SysWOW64\Ibipmiek.exeC:\Windows\system32\Ibipmiek.exe107⤵PID:2880
-
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe108⤵PID:1264
-
C:\Windows\SysWOW64\Ipmqgmcd.exeC:\Windows\system32\Ipmqgmcd.exe109⤵PID:1052
-
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3068 -
C:\Windows\SysWOW64\Iieepbje.exeC:\Windows\system32\Iieepbje.exe111⤵PID:1244
-
C:\Windows\SysWOW64\Imaapa32.exeC:\Windows\system32\Imaapa32.exe112⤵
- System Location Discovery: System Language Discovery
PID:3028 -
C:\Windows\SysWOW64\Inbnhihl.exeC:\Windows\system32\Inbnhihl.exe113⤵PID:2432
-
C:\Windows\SysWOW64\Jbnjhh32.exeC:\Windows\system32\Jbnjhh32.exe114⤵PID:1912
-
C:\Windows\SysWOW64\Jpajbl32.exeC:\Windows\system32\Jpajbl32.exe115⤵PID:1584
-
C:\Windows\SysWOW64\Jbpfnh32.exeC:\Windows\system32\Jbpfnh32.exe116⤵
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Jenbjc32.exeC:\Windows\system32\Jenbjc32.exe117⤵PID:1572
-
C:\Windows\SysWOW64\Jijokbfp.exeC:\Windows\system32\Jijokbfp.exe118⤵PID:2788
-
C:\Windows\SysWOW64\Jjkkbjln.exeC:\Windows\system32\Jjkkbjln.exe119⤵PID:560
-
C:\Windows\SysWOW64\Jhoklnkg.exeC:\Windows\system32\Jhoklnkg.exe120⤵PID:2620
-
C:\Windows\SysWOW64\Jjnhhjjk.exeC:\Windows\system32\Jjnhhjjk.exe121⤵
- System Location Discovery: System Language Discovery
PID:2512
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-