Analysis
-
max time kernel
52s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
07/11/2024, 03:56
Static task
static1
Behavioral task
behavioral1
Sample
9bc789bb80cc97c04354d5624870ebc72141ded1bfb0bf3ef14aee5d536d113fN.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
9bc789bb80cc97c04354d5624870ebc72141ded1bfb0bf3ef14aee5d536d113fN.exe
Resource
win10v2004-20241007-en
General
-
Target
9bc789bb80cc97c04354d5624870ebc72141ded1bfb0bf3ef14aee5d536d113fN.exe
-
Size
45KB
-
MD5
643d934198bbee90214f79a4d6907890
-
SHA1
7ddf6b2392437f0081afccb51f989e540440f7df
-
SHA256
9bc789bb80cc97c04354d5624870ebc72141ded1bfb0bf3ef14aee5d536d113f
-
SHA512
65fd2db82fea0d7aa8be2548ed488abe6b08b14c6ef49c8ca8f4288c1f906057224eccc56a2473c4d975c0fb6ceb42712c4140924acbc39c97c1915c1ad2a8d2
-
SSDEEP
768:3/Y3uesKNTg6N6qADKPBWyDLB5cLHVkZvUphcf8Q/1H5o:Q3uesKxMDEBWy3BqjVWC7Wq
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idknoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khkpijma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pciddedl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdojgmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eogmcjef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gifclb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lngnfnji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngealejo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qndkpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Figmjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbnflo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iikifegp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjlgfaco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmqdpce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klbdgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemgplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biojif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aobnniji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieofkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imjkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnefapmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfjnla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqjdgmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjlioj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfkhndca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilnmdgkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnopldgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cllkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdpkbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmfqgbmm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acekjjmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcjqdmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohhmcinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcldhnkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpfeppop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgmahg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbgfkje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Felajbpg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbohehoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ippdgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edlhqlfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epeekmjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmjgcipg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjoofhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pckajebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcqombic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onfoin32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2960 Bpfeppop.exe 2828 Biojif32.exe 2840 Blmfea32.exe 2740 Bbgnak32.exe 320 Bjbcfn32.exe 1504 Balkchpi.exe 2908 Boplllob.exe 1676 Bdmddc32.exe 2340 Bfkpqn32.exe 2068 Baadng32.exe 1908 Ckiigmcd.exe 756 Cpfaocal.exe 1532 Cgpjlnhh.exe 1836 Cmjbhh32.exe 2416 Cddjebgb.exe 2296 Cgbfamff.exe 1788 Ccigfn32.exe 772 Cicpch32.exe 1776 Cckdlnjg.exe 2644 Cielhh32.exe 3060 Dkgippgb.exe 2036 Delmmigh.exe 1644 Dkiefp32.exe 884 Dodafoni.exe 1668 Ddajoelp.exe 2800 Dgpfkakd.exe 2352 Dnjngk32.exe 2832 Dphjcf32.exe 2668 Dnlkmkpn.exe 2696 Dpjgifpa.exe 1164 Dnnhbjnk.exe 1844 Ddhpod32.exe 568 Eckpkamb.exe 2880 Elcdcgcc.exe 2356 Epoqde32.exe 2060 Eflill32.exe 1692 Ecpjfq32.exe 1564 Elhnof32.exe 1276 Ecbfkpfk.exe 2180 Efqbglen.exe 2456 Ekpheb32.exe 2232 Fqmpni32.exe 1588 Fidhof32.exe 1864 Fjeefofk.exe 1752 Fblmglgm.exe 2004 Fjgalndh.exe 1632 Fncmmmma.exe 1712 Femeig32.exe 1896 Fcpfedki.exe 2932 Ffnbaojm.exe 1612 Fnejbmko.exe 2716 Fmhjni32.exe 2720 Fcbbjcif.exe 712 Ffqofohj.exe 2872 Fmjgcipg.exe 3068 Fcdopc32.exe 2432 Gjngmmnp.exe 1812 Glpdde32.exe 1852 Gpkpedmh.exe 2276 Gcglec32.exe 2224 Gehhmkko.exe 1808 Glbqje32.exe 2912 Gpnmjd32.exe 1592 Ghiaof32.exe -
Loads dropped DLL 64 IoCs
pid Process 2244 9bc789bb80cc97c04354d5624870ebc72141ded1bfb0bf3ef14aee5d536d113fN.exe 2244 9bc789bb80cc97c04354d5624870ebc72141ded1bfb0bf3ef14aee5d536d113fN.exe 2960 Bpfeppop.exe 2960 Bpfeppop.exe 2828 Biojif32.exe 2828 Biojif32.exe 2840 Blmfea32.exe 2840 Blmfea32.exe 2740 Bbgnak32.exe 2740 Bbgnak32.exe 320 Bjbcfn32.exe 320 Bjbcfn32.exe 1504 Balkchpi.exe 1504 Balkchpi.exe 2908 Boplllob.exe 2908 Boplllob.exe 1676 Bdmddc32.exe 1676 Bdmddc32.exe 2340 Bfkpqn32.exe 2340 Bfkpqn32.exe 2068 Baadng32.exe 2068 Baadng32.exe 1908 Ckiigmcd.exe 1908 Ckiigmcd.exe 756 Cpfaocal.exe 756 Cpfaocal.exe 1532 Cgpjlnhh.exe 1532 Cgpjlnhh.exe 1836 Cmjbhh32.exe 1836 Cmjbhh32.exe 2416 Cddjebgb.exe 2416 Cddjebgb.exe 2296 Cgbfamff.exe 2296 Cgbfamff.exe 1788 Ccigfn32.exe 1788 Ccigfn32.exe 772 Cicpch32.exe 772 Cicpch32.exe 1776 Cckdlnjg.exe 1776 Cckdlnjg.exe 2644 Cielhh32.exe 2644 Cielhh32.exe 3060 Dkgippgb.exe 3060 Dkgippgb.exe 2036 Delmmigh.exe 2036 Delmmigh.exe 1644 Dkiefp32.exe 1644 Dkiefp32.exe 884 Dodafoni.exe 884 Dodafoni.exe 1668 Ddajoelp.exe 1668 Ddajoelp.exe 2800 Dgpfkakd.exe 2800 Dgpfkakd.exe 2352 Dnjngk32.exe 2352 Dnjngk32.exe 2832 Dphjcf32.exe 2832 Dphjcf32.exe 2668 Dnlkmkpn.exe 2668 Dnlkmkpn.exe 2696 Dpjgifpa.exe 2696 Dpjgifpa.exe 1164 Dnnhbjnk.exe 1164 Dnnhbjnk.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cpiqmlfm.exe Ciohqa32.exe File created C:\Windows\SysWOW64\Njmokcbh.dll Process not Found File created C:\Windows\SysWOW64\Jamgla32.dll Process not Found File created C:\Windows\SysWOW64\Lpeqncja.dll Hcdnhoac.exe File opened for modification C:\Windows\SysWOW64\Pleofj32.exe Pnbojmmp.exe File created C:\Windows\SysWOW64\Pebncn32.dll Process not Found File created C:\Windows\SysWOW64\Acicla32.exe Process not Found File created C:\Windows\SysWOW64\Alqnah32.exe Afffenbp.exe File opened for modification C:\Windows\SysWOW64\Epeekmjk.exe Emgioakg.exe File opened for modification C:\Windows\SysWOW64\Fchkbg32.exe Flocfmnl.exe File opened for modification C:\Windows\SysWOW64\Ciagojda.exe Process not Found File created C:\Windows\SysWOW64\Ggapbcne.exe Process not Found File created C:\Windows\SysWOW64\Chdkak32.dll Ielclkhe.exe File opened for modification C:\Windows\SysWOW64\Opnbbe32.exe Oeindm32.exe File opened for modification C:\Windows\SysWOW64\Momfan32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bbjmpcab.exe Bjbeofpp.exe File opened for modification C:\Windows\SysWOW64\Ijaaae32.exe Process not Found File created C:\Windows\SysWOW64\Jjaimn32.exe Jcgapdeb.exe File created C:\Windows\SysWOW64\Apmhbiaf.dll Bbgqjdce.exe File created C:\Windows\SysWOW64\Phkckneq.dll Mcjhmcok.exe File created C:\Windows\SysWOW64\Ecinnn32.dll Pdbdqh32.exe File opened for modification C:\Windows\SysWOW64\Hdfhdfgl.exe Hahlhkhi.exe File opened for modification C:\Windows\SysWOW64\Imahkg32.exe Ijclol32.exe File created C:\Windows\SysWOW64\Lhfefgkg.exe Lgehno32.exe File created C:\Windows\SysWOW64\Fpkjkkdg.dll Qdojgmfe.exe File created C:\Windows\SysWOW64\Cmfmojcb.exe Process not Found File created C:\Windows\SysWOW64\Qiekgbjc.dll Process not Found File created C:\Windows\SysWOW64\Ooclji32.exe Oldpnn32.exe File opened for modification C:\Windows\SysWOW64\Pjcckf32.exe Phbgcnig.exe File created C:\Windows\SysWOW64\Flbkkpfc.dll Hmeolj32.exe File opened for modification C:\Windows\SysWOW64\Jedcpi32.exe Jbefcm32.exe File created C:\Windows\SysWOW64\Iggned32.exe Idiaii32.exe File opened for modification C:\Windows\SysWOW64\Pmgbao32.exe Pkifdd32.exe File created C:\Windows\SysWOW64\Hmkeke32.exe Hjlioj32.exe File created C:\Windows\SysWOW64\Fbonbipa.dll Dilapopb.exe File created C:\Windows\SysWOW64\Kbjbge32.exe Process not Found File created C:\Windows\SysWOW64\Nmoadk32.dll Fjbafi32.exe File created C:\Windows\SysWOW64\Nlhhkjkc.dll Agbpnh32.exe File opened for modification C:\Windows\SysWOW64\Bcmfmlen.exe Bnqned32.exe File created C:\Windows\SysWOW64\Kkfmcc32.dll Gneijien.exe File created C:\Windows\SysWOW64\Onfoin32.exe Nfoghakb.exe File created C:\Windows\SysWOW64\Ckmnbg32.exe Cebeem32.exe File created C:\Windows\SysWOW64\Aqjkda32.dll Igijkd32.exe File opened for modification C:\Windows\SysWOW64\Dbojdmcd.exe Cmbalfem.exe File opened for modification C:\Windows\SysWOW64\Gfmgelil.exe Gpcoib32.exe File created C:\Windows\SysWOW64\Fdakoaln.dll Pdgmlhha.exe File created C:\Windows\SysWOW64\Ljldnhid.exe Process not Found File opened for modification C:\Windows\SysWOW64\Picojhcm.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ebqngb32.exe Process not Found File created C:\Windows\SysWOW64\Nbjcqe32.exe Nlpkdkkd.exe File created C:\Windows\SysWOW64\Jbpdeogo.exe Jlelhe32.exe File opened for modification C:\Windows\SysWOW64\Palepb32.exe Pciddedl.exe File created C:\Windows\SysWOW64\Ghanagbo.dll Process not Found File opened for modification C:\Windows\SysWOW64\Pddjlb32.exe Process not Found File created C:\Windows\SysWOW64\Cpfaocal.exe Ckiigmcd.exe File opened for modification C:\Windows\SysWOW64\Eiekpd32.exe Eggndi32.exe File opened for modification C:\Windows\SysWOW64\Iikifegp.exe Ieomef32.exe File created C:\Windows\SysWOW64\Dllgcqbk.dll Fgohna32.exe File opened for modification C:\Windows\SysWOW64\Cblfdg32.exe Copjdhib.exe File opened for modification C:\Windows\SysWOW64\Cceogcfj.exe Process not Found File created C:\Windows\SysWOW64\Gcjmmdbf.exe Process not Found File created C:\Windows\SysWOW64\Iplkimih.dll Nbbbdcgi.exe File opened for modification C:\Windows\SysWOW64\Bkmhnjlh.exe Bgblmk32.exe File created C:\Windows\SysWOW64\Lcblan32.exe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 3160 4396 Process not Found 1378 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghiaof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogqaehak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifdbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjhmfekp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqeqqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjeefofk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfedqagp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqjmncna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfcijf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofngkga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqfemqod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klngkfge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cedpbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpabcbdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaeafklf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghfnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmeiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiakgcnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdgkco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmojnlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhgnaehm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpcmgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmdkcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnpeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaebeoan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Affdle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqncaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lghlndfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peanbblf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcoce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpjhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ippdgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leopgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhplhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elqaca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cielhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gehhmkko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iahhgnkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciifbchf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padhdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgnjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efqbglen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idebfofe.dll" Fkhgip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieomef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flclam32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Felajbpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmbnqfg.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijdbodng.dll" Cafgle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkmqdpce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpmhc32.dll" Danpemej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cohkpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Modcdaml.dll" Fdbhge32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Clojhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lghlndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liqbnn32.dll" Fgdgcfmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbleeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmdkcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnpkephg.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lahmbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbdhfp32.dll" Jnnnalph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hahmbk32.dll" Jdpgjhbm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlklnjoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjaimn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbnmienj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebfkilbo.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iigpli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diaaeepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbfcnc32.dll" Pghfnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqcngnae.dll" Ckiigmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpefpo32.dll" Qcachc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfmcc32.dll" Gneijien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfmndn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Domccejd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgpjlnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfiadlm.dll" Ooqpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihdjpd32.dll" Qhjfgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elqaca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pejmfqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghdgfbkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knekla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdhjoc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kedime32.dll" Eckpkamb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooqpdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcclhg32.dll" Ohhmcinf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acqnnndl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djdgic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgcdeo32.dll" Dbaice32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogqaehak.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kokjdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfihkoal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedamakn.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcgmoggn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocmbnbgf.dll" Qkibcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emagacdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjfgqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbepdhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idhdck32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdpeiada.dll" Llgjaeoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnopldgn.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2244 wrote to memory of 2960 2244 9bc789bb80cc97c04354d5624870ebc72141ded1bfb0bf3ef14aee5d536d113fN.exe 30 PID 2244 wrote to memory of 2960 2244 9bc789bb80cc97c04354d5624870ebc72141ded1bfb0bf3ef14aee5d536d113fN.exe 30 PID 2244 wrote to memory of 2960 2244 9bc789bb80cc97c04354d5624870ebc72141ded1bfb0bf3ef14aee5d536d113fN.exe 30 PID 2244 wrote to memory of 2960 2244 9bc789bb80cc97c04354d5624870ebc72141ded1bfb0bf3ef14aee5d536d113fN.exe 30 PID 2960 wrote to memory of 2828 2960 Bpfeppop.exe 31 PID 2960 wrote to memory of 2828 2960 Bpfeppop.exe 31 PID 2960 wrote to memory of 2828 2960 Bpfeppop.exe 31 PID 2960 wrote to memory of 2828 2960 Bpfeppop.exe 31 PID 2828 wrote to memory of 2840 2828 Biojif32.exe 32 PID 2828 wrote to memory of 2840 2828 Biojif32.exe 32 PID 2828 wrote to memory of 2840 2828 Biojif32.exe 32 PID 2828 wrote to memory of 2840 2828 Biojif32.exe 32 PID 2840 wrote to memory of 2740 2840 Blmfea32.exe 33 PID 2840 wrote to memory of 2740 2840 Blmfea32.exe 33 PID 2840 wrote to memory of 2740 2840 Blmfea32.exe 33 PID 2840 wrote to memory of 2740 2840 Blmfea32.exe 33 PID 2740 wrote to memory of 320 2740 Bbgnak32.exe 34 PID 2740 wrote to memory of 320 2740 Bbgnak32.exe 34 PID 2740 wrote to memory of 320 2740 Bbgnak32.exe 34 PID 2740 wrote to memory of 320 2740 Bbgnak32.exe 34 PID 320 wrote to memory of 1504 320 Bjbcfn32.exe 35 PID 320 wrote to memory of 1504 320 Bjbcfn32.exe 35 PID 320 wrote to memory of 1504 320 Bjbcfn32.exe 35 PID 320 wrote to memory of 1504 320 Bjbcfn32.exe 35 PID 1504 wrote to memory of 2908 1504 Balkchpi.exe 36 PID 1504 wrote to memory of 2908 1504 Balkchpi.exe 36 PID 1504 wrote to memory of 2908 1504 Balkchpi.exe 36 PID 1504 wrote to memory of 2908 1504 Balkchpi.exe 36 PID 2908 wrote to memory of 1676 2908 Boplllob.exe 37 PID 2908 wrote to memory of 1676 2908 Boplllob.exe 37 PID 2908 wrote to memory of 1676 2908 Boplllob.exe 37 PID 2908 wrote to memory of 1676 2908 Boplllob.exe 37 PID 1676 wrote to memory of 2340 1676 Bdmddc32.exe 38 PID 1676 wrote to memory of 2340 1676 Bdmddc32.exe 38 PID 1676 wrote to memory of 2340 1676 Bdmddc32.exe 38 PID 1676 wrote to memory of 2340 1676 Bdmddc32.exe 38 PID 2340 wrote to memory of 2068 2340 Bfkpqn32.exe 39 PID 2340 wrote to memory of 2068 2340 Bfkpqn32.exe 39 PID 2340 wrote to memory of 2068 2340 Bfkpqn32.exe 39 PID 2340 wrote to memory of 2068 2340 Bfkpqn32.exe 39 PID 2068 wrote to memory of 1908 2068 Baadng32.exe 40 PID 2068 wrote to memory of 1908 2068 Baadng32.exe 40 PID 2068 wrote to memory of 1908 2068 Baadng32.exe 40 PID 2068 wrote to memory of 1908 2068 Baadng32.exe 40 PID 1908 wrote to memory of 756 1908 Ckiigmcd.exe 41 PID 1908 wrote to memory of 756 1908 Ckiigmcd.exe 41 PID 1908 wrote to memory of 756 1908 Ckiigmcd.exe 41 PID 1908 wrote to memory of 756 1908 Ckiigmcd.exe 41 PID 756 wrote to memory of 1532 756 Cpfaocal.exe 42 PID 756 wrote to memory of 1532 756 Cpfaocal.exe 42 PID 756 wrote to memory of 1532 756 Cpfaocal.exe 42 PID 756 wrote to memory of 1532 756 Cpfaocal.exe 42 PID 1532 wrote to memory of 1836 1532 Cgpjlnhh.exe 43 PID 1532 wrote to memory of 1836 1532 Cgpjlnhh.exe 43 PID 1532 wrote to memory of 1836 1532 Cgpjlnhh.exe 43 PID 1532 wrote to memory of 1836 1532 Cgpjlnhh.exe 43 PID 1836 wrote to memory of 2416 1836 Cmjbhh32.exe 44 PID 1836 wrote to memory of 2416 1836 Cmjbhh32.exe 44 PID 1836 wrote to memory of 2416 1836 Cmjbhh32.exe 44 PID 1836 wrote to memory of 2416 1836 Cmjbhh32.exe 44 PID 2416 wrote to memory of 2296 2416 Cddjebgb.exe 45 PID 2416 wrote to memory of 2296 2416 Cddjebgb.exe 45 PID 2416 wrote to memory of 2296 2416 Cddjebgb.exe 45 PID 2416 wrote to memory of 2296 2416 Cddjebgb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\9bc789bb80cc97c04354d5624870ebc72141ded1bfb0bf3ef14aee5d536d113fN.exe"C:\Users\Admin\AppData\Local\Temp\9bc789bb80cc97c04354d5624870ebc72141ded1bfb0bf3ef14aee5d536d113fN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\SysWOW64\Bpfeppop.exeC:\Windows\system32\Bpfeppop.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Biojif32.exeC:\Windows\system32\Biojif32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Blmfea32.exeC:\Windows\system32\Blmfea32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Bbgnak32.exeC:\Windows\system32\Bbgnak32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Bjbcfn32.exeC:\Windows\system32\Bjbcfn32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:320 -
C:\Windows\SysWOW64\Balkchpi.exeC:\Windows\system32\Balkchpi.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Boplllob.exeC:\Windows\system32\Boplllob.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Bdmddc32.exeC:\Windows\system32\Bdmddc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Bfkpqn32.exeC:\Windows\system32\Bfkpqn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Baadng32.exeC:\Windows\system32\Baadng32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Ckiigmcd.exeC:\Windows\system32\Ckiigmcd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1908 -
C:\Windows\SysWOW64\Cpfaocal.exeC:\Windows\system32\Cpfaocal.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Cgpjlnhh.exeC:\Windows\system32\Cgpjlnhh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1532 -
C:\Windows\SysWOW64\Cmjbhh32.exeC:\Windows\system32\Cmjbhh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Cddjebgb.exeC:\Windows\system32\Cddjebgb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Ccigfn32.exeC:\Windows\system32\Ccigfn32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Cicpch32.exeC:\Windows\system32\Cicpch32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Cckdlnjg.exeC:\Windows\system32\Cckdlnjg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Cielhh32.exeC:\Windows\system32\Cielhh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Dkgippgb.exeC:\Windows\system32\Dkgippgb.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Delmmigh.exeC:\Windows\system32\Delmmigh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2036 -
C:\Windows\SysWOW64\Dkiefp32.exeC:\Windows\system32\Dkiefp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Dodafoni.exeC:\Windows\system32\Dodafoni.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:884 -
C:\Windows\SysWOW64\Ddajoelp.exeC:\Windows\system32\Ddajoelp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Dphjcf32.exeC:\Windows\system32\Dphjcf32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Dnlkmkpn.exeC:\Windows\system32\Dnlkmkpn.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Dpjgifpa.exeC:\Windows\system32\Dpjgifpa.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2696 -
C:\Windows\SysWOW64\Dnnhbjnk.exeC:\Windows\system32\Dnnhbjnk.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Ddhpod32.exeC:\Windows\system32\Ddhpod32.exe33⤵
- Executes dropped EXE
PID:1844 -
C:\Windows\SysWOW64\Eckpkamb.exeC:\Windows\system32\Eckpkamb.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Elcdcgcc.exeC:\Windows\system32\Elcdcgcc.exe35⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\Epoqde32.exeC:\Windows\system32\Epoqde32.exe36⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Eflill32.exeC:\Windows\system32\Eflill32.exe37⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Ecpjfq32.exeC:\Windows\system32\Ecpjfq32.exe38⤵
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe39⤵
- Executes dropped EXE
PID:1564 -
C:\Windows\SysWOW64\Ecbfkpfk.exeC:\Windows\system32\Ecbfkpfk.exe40⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Efqbglen.exeC:\Windows\system32\Efqbglen.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2180 -
C:\Windows\SysWOW64\Ekpheb32.exeC:\Windows\system32\Ekpheb32.exe42⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Fqmpni32.exeC:\Windows\system32\Fqmpni32.exe43⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Fidhof32.exeC:\Windows\system32\Fidhof32.exe44⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Fjeefofk.exeC:\Windows\system32\Fjeefofk.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1864 -
C:\Windows\SysWOW64\Fblmglgm.exeC:\Windows\system32\Fblmglgm.exe46⤵
- Executes dropped EXE
PID:1752 -
C:\Windows\SysWOW64\Fjgalndh.exeC:\Windows\system32\Fjgalndh.exe47⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe48⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Femeig32.exeC:\Windows\system32\Femeig32.exe49⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Fcpfedki.exeC:\Windows\system32\Fcpfedki.exe50⤵
- Executes dropped EXE
PID:1896 -
C:\Windows\SysWOW64\Ffnbaojm.exeC:\Windows\system32\Ffnbaojm.exe51⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Fnejbmko.exeC:\Windows\system32\Fnejbmko.exe52⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Fmhjni32.exeC:\Windows\system32\Fmhjni32.exe53⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe54⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe55⤵
- Executes dropped EXE
PID:712 -
C:\Windows\SysWOW64\Fmjgcipg.exeC:\Windows\system32\Fmjgcipg.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe57⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Gjngmmnp.exeC:\Windows\system32\Gjngmmnp.exe58⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Glpdde32.exeC:\Windows\system32\Glpdde32.exe59⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Gpkpedmh.exeC:\Windows\system32\Gpkpedmh.exe60⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Gcglec32.exeC:\Windows\system32\Gcglec32.exe61⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Gehhmkko.exeC:\Windows\system32\Gehhmkko.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2224 -
C:\Windows\SysWOW64\Glbqje32.exeC:\Windows\system32\Glbqje32.exe63⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Gpnmjd32.exeC:\Windows\system32\Gpnmjd32.exe64⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Ghiaof32.exeC:\Windows\system32\Ghiaof32.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\Gldmoepi.exeC:\Windows\system32\Gldmoepi.exe66⤵PID:2080
-
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1656 -
C:\Windows\SysWOW64\Gembhj32.exeC:\Windows\system32\Gembhj32.exe68⤵PID:2388
-
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe69⤵PID:2072
-
C:\Windows\SysWOW64\Gnefapmj.exeC:\Windows\system32\Gnefapmj.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2496 -
C:\Windows\SysWOW64\Gbqbaofc.exeC:\Windows\system32\Gbqbaofc.exe71⤵PID:2672
-
C:\Windows\SysWOW64\Gdboig32.exeC:\Windows\system32\Gdboig32.exe72⤵PID:2516
-
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:352 -
C:\Windows\SysWOW64\Heakcjcd.exeC:\Windows\system32\Heakcjcd.exe74⤵PID:808
-
C:\Windows\SysWOW64\Hddlof32.exeC:\Windows\system32\Hddlof32.exe75⤵PID:2864
-
C:\Windows\SysWOW64\Hjndlqal.exeC:\Windows\system32\Hjndlqal.exe76⤵PID:2568
-
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe77⤵PID:2032
-
C:\Windows\SysWOW64\Hahlhkhi.exeC:\Windows\system32\Hahlhkhi.exe78⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Hdfhdfgl.exeC:\Windows\system32\Hdfhdfgl.exe79⤵PID:3036
-
C:\Windows\SysWOW64\Hfedqagp.exeC:\Windows\system32\Hfedqagp.exe80⤵
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Hmomml32.exeC:\Windows\system32\Hmomml32.exe81⤵PID:656
-
C:\Windows\SysWOW64\Hajinjff.exeC:\Windows\system32\Hajinjff.exe82⤵PID:1700
-
C:\Windows\SysWOW64\Hbleeb32.exeC:\Windows\system32\Hbleeb32.exe83⤵
- Modifies registry class
PID:688 -
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe84⤵PID:2124
-
C:\Windows\SysWOW64\Hldjnhce.exeC:\Windows\system32\Hldjnhce.exe85⤵PID:2900
-
C:\Windows\SysWOW64\Hdkape32.exeC:\Windows\system32\Hdkape32.exe86⤵PID:3024
-
C:\Windows\SysWOW64\Hfjnla32.exeC:\Windows\system32\Hfjnla32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1728 -
C:\Windows\SysWOW64\Hihjhl32.exeC:\Windows\system32\Hihjhl32.exe88⤵PID:2788
-
C:\Windows\SysWOW64\Hlffdh32.exeC:\Windows\system32\Hlffdh32.exe89⤵PID:1496
-
C:\Windows\SysWOW64\Hoebpc32.exeC:\Windows\system32\Hoebpc32.exe90⤵PID:2884
-
C:\Windows\SysWOW64\Hflkaq32.exeC:\Windows\system32\Hflkaq32.exe91⤵PID:2020
-
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe92⤵PID:848
-
C:\Windows\SysWOW64\Ilicig32.exeC:\Windows\system32\Ilicig32.exe93⤵PID:2736
-
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe94⤵PID:2856
-
C:\Windows\SysWOW64\Iaelanmg.exeC:\Windows\system32\Iaelanmg.exe95⤵PID:2248
-
C:\Windows\SysWOW64\Iaelanmg.exeC:\Windows\system32\Iaelanmg.exe96⤵PID:1872
-
C:\Windows\SysWOW64\Iimcclni.exeC:\Windows\system32\Iimcclni.exe97⤵PID:2468
-
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe98⤵PID:1760
-
C:\Windows\SysWOW64\Iahhgnkd.exeC:\Windows\system32\Iahhgnkd.exe99⤵
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe100⤵PID:2600
-
C:\Windows\SysWOW64\Ihbqdh32.exeC:\Windows\system32\Ihbqdh32.exe101⤵PID:2784
-
C:\Windows\SysWOW64\Ilnmdgkj.exeC:\Windows\system32\Ilnmdgkj.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2096 -
C:\Windows\SysWOW64\Ioliqbjn.exeC:\Windows\system32\Ioliqbjn.exe103⤵PID:2404
-
C:\Windows\SysWOW64\Ioliqbjn.exeC:\Windows\system32\Ioliqbjn.exe104⤵PID:2780
-
C:\Windows\SysWOW64\Iajemnia.exeC:\Windows\system32\Iajemnia.exe105⤵PID:1784
-
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe106⤵PID:2200
-
C:\Windows\SysWOW64\Idiaii32.exeC:\Windows\system32\Idiaii32.exe107⤵
- Drops file in System32 directory
PID:1248 -
C:\Windows\SysWOW64\Iggned32.exeC:\Windows\system32\Iggned32.exe108⤵PID:620
-
C:\Windows\SysWOW64\Ikbifcpb.exeC:\Windows\system32\Ikbifcpb.exe109⤵PID:888
-
C:\Windows\SysWOW64\Ionefb32.exeC:\Windows\system32\Ionefb32.exe110⤵PID:2460
-
C:\Windows\SysWOW64\Ippbnjni.exeC:\Windows\system32\Ippbnjni.exe111⤵PID:1772
-
C:\Windows\SysWOW64\Idknoi32.exeC:\Windows\system32\Idknoi32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1156 -
C:\Windows\SysWOW64\Igijkd32.exeC:\Windows\system32\Igijkd32.exe113⤵
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Ikefkcmo.exeC:\Windows\system32\Ikefkcmo.exe114⤵PID:1616
-
C:\Windows\SysWOW64\Ipbocjlg.exeC:\Windows\system32\Ipbocjlg.exe115⤵PID:2952
-
C:\Windows\SysWOW64\Jglgpdcc.exeC:\Windows\system32\Jglgpdcc.exe116⤵PID:480
-
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe117⤵PID:2332
-
C:\Windows\SysWOW64\Jdpgjhbm.exeC:\Windows\system32\Jdpgjhbm.exe118⤵
- Modifies registry class
PID:1800 -
C:\Windows\SysWOW64\Jgncfcaa.exeC:\Windows\system32\Jgncfcaa.exe119⤵PID:304
-
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe120⤵
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe121⤵PID:2480
-
C:\Windows\SysWOW64\Jcedkd32.exeC:\Windows\system32\Jcedkd32.exe122⤵PID:2436
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-