Analysis
-
max time kernel
27s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/11/2024, 15:32
Static task
static1
Behavioral task
behavioral1
Sample
a0d58b14bd544a9878b8a67e7782d5dc34d68dc714e8337ebee012fa18f24e14N.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
a0d58b14bd544a9878b8a67e7782d5dc34d68dc714e8337ebee012fa18f24e14N.exe
Resource
win10v2004-20241007-en
General
-
Target
a0d58b14bd544a9878b8a67e7782d5dc34d68dc714e8337ebee012fa18f24e14N.exe
-
Size
113KB
-
MD5
fc6e336c77c428ff7571d41d733bd150
-
SHA1
f7091a50cf196a22556de6e35b94ebf0d15f8c53
-
SHA256
a0d58b14bd544a9878b8a67e7782d5dc34d68dc714e8337ebee012fa18f24e14
-
SHA512
8c895667bb9f8f12a2e8746a3fad4c97d07c3676cf95c49cd7ba4d4608754c2349631241d96111115207b4e9e47f86a5f5d903fc314e5637f4ac282fb3152412
-
SSDEEP
3072:nEMKnomLHg+dvZOuGkZFfFSebHWrH8wTW0:SnVBg7otSeWrP
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnpbjnpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mchoid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nagbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbepdhgc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqfemqod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paknelgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbfepmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhafhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqejbiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhonngce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfdkoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npdfhhhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajeeeblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biaign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahgofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbblda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhdlad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdnild32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciifbchf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fofpoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqiimfam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iabhah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okpcoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dldkmlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecbhdi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hakkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iflmjihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijqoilii.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfhmqhkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfpeeqig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dobgihgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnofjfhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neknki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjihalag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcahoqhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlelhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgmigeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hibjbgbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgkhdddo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggnmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcljmdmj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbpenco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibmgpoia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqklqhpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnngfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qobbofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnnnnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eejopecj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iimfld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqnifg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcokiaji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjahd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difnaqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hldlga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlkngc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlafnbal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Miehak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcbncfjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbcjnnpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pghfnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agolnbok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aciqcifh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbgqjdce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgclio32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 3012 Bgqcjlhp.exe 2964 Bmnlbcfg.exe 2712 Bcgdom32.exe 2980 Bmphhc32.exe 2640 Bcjqdmla.exe 2660 Bfhmqhkd.exe 2680 Bncaekhp.exe 2728 Ciifbchf.exe 1632 Clgbno32.exe 2672 Chnbcpmn.exe 1748 Cjmopkla.exe 2428 Cmmhaf32.exe 2516 Cdgpnqpo.exe 2084 Cffljlpc.exe 2208 Cheido32.exe 3000 Dpqnhadq.exe 984 Dgjfek32.exe 1356 Diibag32.exe 1732 Ddnfop32.exe 916 Depbfhpe.exe 2140 Dpegcq32.exe 1648 Dcccpl32.exe 2360 Dhplhc32.exe 564 Daipqhdg.exe 824 Dedlag32.exe 1608 Dlndnacm.exe 236 Degiggjm.exe 2752 Elqaca32.exe 2872 Eamilh32.exe 2724 Egjbdo32.exe 2628 Epbfmd32.exe 2636 Ekhkjm32.exe 1652 Epecbd32.exe 1488 Ekjgpm32.exe 2024 Eniclh32.exe 532 Efdhpjok.exe 2952 Eqjmncna.exe 1928 Fjbafi32.exe 392 Flqmbd32.exe 1808 Fcjeon32.exe 2204 Fhgnge32.exe 712 Ffkoai32.exe 2316 Fhikme32.exe 1700 Fkhgip32.exe 908 Fnfcel32.exe 1984 Ffmkfifa.exe 2076 Filgbdfd.exe 1280 Fofpoo32.exe 2544 Fnipkkdl.exe 2340 Fqglggcp.exe 3032 Fkmqdpce.exe 1028 Gnkmqkbi.exe 2844 Gqiimfam.exe 2780 Gcheib32.exe 2620 Gkomjo32.exe 1796 Gmpjagfa.exe 2708 Gqlebf32.exe 1612 Gcjbna32.exe 2784 Gfhnjm32.exe 2028 Gnpflj32.exe 576 Gqnbhf32.exe 2508 Gcmoda32.exe 680 Gfkkpmko.exe 1780 Giiglhjb.exe -
Loads dropped DLL 64 IoCs
pid Process 1860 a0d58b14bd544a9878b8a67e7782d5dc34d68dc714e8337ebee012fa18f24e14N.exe 1860 a0d58b14bd544a9878b8a67e7782d5dc34d68dc714e8337ebee012fa18f24e14N.exe 3012 Bgqcjlhp.exe 3012 Bgqcjlhp.exe 2964 Bmnlbcfg.exe 2964 Bmnlbcfg.exe 2712 Bcgdom32.exe 2712 Bcgdom32.exe 2980 Bmphhc32.exe 2980 Bmphhc32.exe 2640 Bcjqdmla.exe 2640 Bcjqdmla.exe 2660 Bfhmqhkd.exe 2660 Bfhmqhkd.exe 2680 Bncaekhp.exe 2680 Bncaekhp.exe 2728 Ciifbchf.exe 2728 Ciifbchf.exe 1632 Clgbno32.exe 1632 Clgbno32.exe 2672 Chnbcpmn.exe 2672 Chnbcpmn.exe 1748 Cjmopkla.exe 1748 Cjmopkla.exe 2428 Cmmhaf32.exe 2428 Cmmhaf32.exe 2516 Cdgpnqpo.exe 2516 Cdgpnqpo.exe 2084 Cffljlpc.exe 2084 Cffljlpc.exe 2208 Cheido32.exe 2208 Cheido32.exe 3000 Dpqnhadq.exe 3000 Dpqnhadq.exe 984 Dgjfek32.exe 984 Dgjfek32.exe 1356 Diibag32.exe 1356 Diibag32.exe 1732 Ddnfop32.exe 1732 Ddnfop32.exe 916 Depbfhpe.exe 916 Depbfhpe.exe 2140 Dpegcq32.exe 2140 Dpegcq32.exe 1648 Dcccpl32.exe 1648 Dcccpl32.exe 2360 Dhplhc32.exe 2360 Dhplhc32.exe 564 Daipqhdg.exe 564 Daipqhdg.exe 824 Dedlag32.exe 824 Dedlag32.exe 1608 Dlndnacm.exe 1608 Dlndnacm.exe 236 Degiggjm.exe 236 Degiggjm.exe 2752 Elqaca32.exe 2752 Elqaca32.exe 2872 Eamilh32.exe 2872 Eamilh32.exe 2724 Egjbdo32.exe 2724 Egjbdo32.exe 2628 Epbfmd32.exe 2628 Epbfmd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mfihkoal.exe Mbnljqic.exe File created C:\Windows\SysWOW64\Eoepnk32.exe Elfcbo32.exe File created C:\Windows\SysWOW64\Jfofol32.exe Jbcjnnpl.exe File created C:\Windows\SysWOW64\Dpegcq32.exe Depbfhpe.exe File created C:\Windows\SysWOW64\Calcpm32.exe Cnmfdb32.exe File opened for modification C:\Windows\SysWOW64\Mbhlek32.exe Mjaddn32.exe File created C:\Windows\SysWOW64\Nbngca32.dll Palepb32.exe File opened for modification C:\Windows\SysWOW64\Kpkpadnl.exe Klpdaf32.exe File created C:\Windows\SysWOW64\Gkclcjqj.dll Nlefhcnc.exe File created C:\Windows\SysWOW64\Meabakda.exe Mngjeamd.exe File created C:\Windows\SysWOW64\Ndmecgba.exe Nmcmgm32.exe File created C:\Windows\SysWOW64\Jfmacf32.dll Hnpbjnpo.exe File opened for modification C:\Windows\SysWOW64\Pmkhjncg.exe Pkmlmbcd.exe File opened for modification C:\Windows\SysWOW64\Pghfnc32.exe Pcljmdmj.exe File created C:\Windows\SysWOW64\Mfakaoam.dll Boogmgkl.exe File opened for modification C:\Windows\SysWOW64\Kjglkm32.exe Kfkpknkq.exe File created C:\Windows\SysWOW64\Ihniaa32.exe Ieomef32.exe File created C:\Windows\SysWOW64\Pfebhg32.dll Nhgnaehm.exe File created C:\Windows\SysWOW64\Klqahn32.dll Anlhkbhq.exe File opened for modification C:\Windows\SysWOW64\Gqdefddb.exe Gbadjg32.exe File created C:\Windows\SysWOW64\Fnddef32.dll Ifjlcmmj.exe File created C:\Windows\SysWOW64\Jedcpi32.exe Jbefcm32.exe File created C:\Windows\SysWOW64\Micklk32.exe Mfdopp32.exe File created C:\Windows\SysWOW64\Hemqpf32.exe Hfjpdjjo.exe File opened for modification C:\Windows\SysWOW64\Oabkom32.exe Obokcqhk.exe File created C:\Windows\SysWOW64\Cnkjnb32.exe Cjonncab.exe File created C:\Windows\SysWOW64\Pnjofo32.exe Pincfpoo.exe File created C:\Windows\SysWOW64\Iajfhi32.dll Gjjmijme.exe File created C:\Windows\SysWOW64\Hfegij32.exe Hgbfnngi.exe File created C:\Windows\SysWOW64\Chdndgcj.dll Lcofio32.exe File created C:\Windows\SysWOW64\Lkjjma32.exe Lhknaf32.exe File opened for modification C:\Windows\SysWOW64\Clojhf32.exe Cchbgi32.exe File created C:\Windows\SysWOW64\Cbpjfb32.dll Gcokiaji.exe File created C:\Windows\SysWOW64\Cpfmmf32.exe Cileqlmg.exe File created C:\Windows\SysWOW64\Dljdnm32.dll Kncaojfb.exe File opened for modification C:\Windows\SysWOW64\Ldjpbign.exe Lomgjb32.exe File opened for modification C:\Windows\SysWOW64\Lohjnf32.exe Lqejbiim.exe File opened for modification C:\Windows\SysWOW64\Hnpbjnpo.exe Hlafnbal.exe File created C:\Windows\SysWOW64\Khcomhbi.exe Kbigpn32.exe File created C:\Windows\SysWOW64\Mgjebg32.exe Mihdgkpp.exe File created C:\Windows\SysWOW64\Oajlkojn.exe Okpcoe32.exe File opened for modification C:\Windows\SysWOW64\Ihpfgalh.exe Iimfld32.exe File created C:\Windows\SysWOW64\Elqaca32.exe Degiggjm.exe File created C:\Windows\SysWOW64\Jpefpo32.dll Qlgkki32.exe File created C:\Windows\SysWOW64\Akkoig32.exe Qdaglmcb.exe File created C:\Windows\SysWOW64\Cpiqmlfm.exe Ciohqa32.exe File created C:\Windows\SysWOW64\Hgpjhn32.exe Hebnlb32.exe File opened for modification C:\Windows\SysWOW64\Plgolf32.exe Piicpk32.exe File created C:\Windows\SysWOW64\Dgkjaa32.dll Amcbankf.exe File opened for modification C:\Windows\SysWOW64\Bofgii32.exe Bimoloog.exe File opened for modification C:\Windows\SysWOW64\Hmalldcn.exe Hfhcoj32.exe File opened for modification C:\Windows\SysWOW64\Cffljlpc.exe Cdgpnqpo.exe File opened for modification C:\Windows\SysWOW64\Epmfgo32.exe Elajgpmj.exe File opened for modification C:\Windows\SysWOW64\Ehpalp32.exe Eaeipfei.exe File created C:\Windows\SysWOW64\Jbqmhnbo.exe Jdnmma32.exe File created C:\Windows\SysWOW64\Hlmgamof.dll Jbcjnnpl.exe File created C:\Windows\SysWOW64\Cacldi32.dll Mfmndn32.exe File created C:\Windows\SysWOW64\Gpelnb32.exe Gildahhp.exe File created C:\Windows\SysWOW64\Aplpbjee.dll Iimfld32.exe File created C:\Windows\SysWOW64\Hllmcc32.exe Hebdfind.exe File created C:\Windows\SysWOW64\Bfdmobkp.dll Mgmahg32.exe File created C:\Windows\SysWOW64\Ooahll32.dll Gaqomeke.exe File created C:\Windows\SysWOW64\Kbgjkn32.exe Kohnoc32.exe File opened for modification C:\Windows\SysWOW64\Miehak32.exe Mfglep32.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Djfdob32.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Djfdob32.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6676 6616 WerFault.exe 642 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iplnnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbjojh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omioekbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjmopkla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njdqka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cepipm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefdpjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffkoai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnmeen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdaglmcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnofjfhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoepnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggicgopd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcqombic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkplgnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbojmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebdfind.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaeegh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oalhqohl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbfnngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbeofpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmmmfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfkbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behilopf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecbhdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmpcgace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfofol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpegcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhnjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkpbdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biaign32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmnnkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdiefffn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbfagca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdlggg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aomnhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eniclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkpganf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkfocaki.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfqgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdjgoha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hemqpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcofio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqmbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcjbna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giiglhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfpifm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjaddn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcljmdmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjpdjjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iihiphln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhiakf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhelbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfglep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mihdgkpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgffhkoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegoqlof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhplhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcmoda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpelnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpapaj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aflfjc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnflke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdqdddf.dll" Jgfcja32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcamjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mndmoaog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oabkom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hbfepmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmglf32.dll" Mgjebg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajqljc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phqmgg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmbcen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcokiaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlafnbal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Miehak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffodjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqfkbadh.dll" Lnhgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkbfgoak.dll" Hnmeen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iaeegh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pckajebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bofgii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgigbp32.dll" Ffaaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piicpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} a0d58b14bd544a9878b8a67e7782d5dc34d68dc714e8337ebee012fa18f24e14N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoggnnm.dll" Ffmkfifa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmlael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdkgkcpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flnlpo32.dll" Jaoqqflp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmdjkhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfihkoal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifhckf32.dll" Mjcaimgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aohdmdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hapklimq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfdkoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdkehipd.dll" Fcbecl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmdjkhdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jiepeo32.dll" Hgpjhn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjahej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mklcadfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcojqm32.dll" Bjkhdacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahbj32.dll" Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfklboi.dll" Mhonngce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccbphk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Baojapfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqdiga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coacbfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccfbaelk.dll" Bcjqdmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfkkpmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdiogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpjfb32.dll" Gcokiaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qackpado.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbgjkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njdqka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfelmo32.dll" Gildahhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnbopmnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njoocijc.dll" Imiigiab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnofjfhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfmndn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbicoamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdlbfien.dll" Anjlebjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qdaglmcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dicnkdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfnin32.dll" Hgbfnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieljfpdl.dll" Cjmopkla.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1860 wrote to memory of 3012 1860 a0d58b14bd544a9878b8a67e7782d5dc34d68dc714e8337ebee012fa18f24e14N.exe 30 PID 1860 wrote to memory of 3012 1860 a0d58b14bd544a9878b8a67e7782d5dc34d68dc714e8337ebee012fa18f24e14N.exe 30 PID 1860 wrote to memory of 3012 1860 a0d58b14bd544a9878b8a67e7782d5dc34d68dc714e8337ebee012fa18f24e14N.exe 30 PID 1860 wrote to memory of 3012 1860 a0d58b14bd544a9878b8a67e7782d5dc34d68dc714e8337ebee012fa18f24e14N.exe 30 PID 3012 wrote to memory of 2964 3012 Bgqcjlhp.exe 31 PID 3012 wrote to memory of 2964 3012 Bgqcjlhp.exe 31 PID 3012 wrote to memory of 2964 3012 Bgqcjlhp.exe 31 PID 3012 wrote to memory of 2964 3012 Bgqcjlhp.exe 31 PID 2964 wrote to memory of 2712 2964 Bmnlbcfg.exe 32 PID 2964 wrote to memory of 2712 2964 Bmnlbcfg.exe 32 PID 2964 wrote to memory of 2712 2964 Bmnlbcfg.exe 32 PID 2964 wrote to memory of 2712 2964 Bmnlbcfg.exe 32 PID 2712 wrote to memory of 2980 2712 Bcgdom32.exe 33 PID 2712 wrote to memory of 2980 2712 Bcgdom32.exe 33 PID 2712 wrote to memory of 2980 2712 Bcgdom32.exe 33 PID 2712 wrote to memory of 2980 2712 Bcgdom32.exe 33 PID 2980 wrote to memory of 2640 2980 Bmphhc32.exe 34 PID 2980 wrote to memory of 2640 2980 Bmphhc32.exe 34 PID 2980 wrote to memory of 2640 2980 Bmphhc32.exe 34 PID 2980 wrote to memory of 2640 2980 Bmphhc32.exe 34 PID 2640 wrote to memory of 2660 2640 Bcjqdmla.exe 35 PID 2640 wrote to memory of 2660 2640 Bcjqdmla.exe 35 PID 2640 wrote to memory of 2660 2640 Bcjqdmla.exe 35 PID 2640 wrote to memory of 2660 2640 Bcjqdmla.exe 35 PID 2660 wrote to memory of 2680 2660 Bfhmqhkd.exe 36 PID 2660 wrote to memory of 2680 2660 Bfhmqhkd.exe 36 PID 2660 wrote to memory of 2680 2660 Bfhmqhkd.exe 36 PID 2660 wrote to memory of 2680 2660 Bfhmqhkd.exe 36 PID 2680 wrote to memory of 2728 2680 Bncaekhp.exe 37 PID 2680 wrote to memory of 2728 2680 Bncaekhp.exe 37 PID 2680 wrote to memory of 2728 2680 Bncaekhp.exe 37 PID 2680 wrote to memory of 2728 2680 Bncaekhp.exe 37 PID 2728 wrote to memory of 1632 2728 Ciifbchf.exe 38 PID 2728 wrote to memory of 1632 2728 Ciifbchf.exe 38 PID 2728 wrote to memory of 1632 2728 Ciifbchf.exe 38 PID 2728 wrote to memory of 1632 2728 Ciifbchf.exe 38 PID 1632 wrote to memory of 2672 1632 Clgbno32.exe 39 PID 1632 wrote to memory of 2672 1632 Clgbno32.exe 39 PID 1632 wrote to memory of 2672 1632 Clgbno32.exe 39 PID 1632 wrote to memory of 2672 1632 Clgbno32.exe 39 PID 2672 wrote to memory of 1748 2672 Chnbcpmn.exe 40 PID 2672 wrote to memory of 1748 2672 Chnbcpmn.exe 40 PID 2672 wrote to memory of 1748 2672 Chnbcpmn.exe 40 PID 2672 wrote to memory of 1748 2672 Chnbcpmn.exe 40 PID 1748 wrote to memory of 2428 1748 Cjmopkla.exe 41 PID 1748 wrote to memory of 2428 1748 Cjmopkla.exe 41 PID 1748 wrote to memory of 2428 1748 Cjmopkla.exe 41 PID 1748 wrote to memory of 2428 1748 Cjmopkla.exe 41 PID 2428 wrote to memory of 2516 2428 Cmmhaf32.exe 42 PID 2428 wrote to memory of 2516 2428 Cmmhaf32.exe 42 PID 2428 wrote to memory of 2516 2428 Cmmhaf32.exe 42 PID 2428 wrote to memory of 2516 2428 Cmmhaf32.exe 42 PID 2516 wrote to memory of 2084 2516 Cdgpnqpo.exe 43 PID 2516 wrote to memory of 2084 2516 Cdgpnqpo.exe 43 PID 2516 wrote to memory of 2084 2516 Cdgpnqpo.exe 43 PID 2516 wrote to memory of 2084 2516 Cdgpnqpo.exe 43 PID 2084 wrote to memory of 2208 2084 Cffljlpc.exe 44 PID 2084 wrote to memory of 2208 2084 Cffljlpc.exe 44 PID 2084 wrote to memory of 2208 2084 Cffljlpc.exe 44 PID 2084 wrote to memory of 2208 2084 Cffljlpc.exe 44 PID 2208 wrote to memory of 3000 2208 Cheido32.exe 45 PID 2208 wrote to memory of 3000 2208 Cheido32.exe 45 PID 2208 wrote to memory of 3000 2208 Cheido32.exe 45 PID 2208 wrote to memory of 3000 2208 Cheido32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a0d58b14bd544a9878b8a67e7782d5dc34d68dc714e8337ebee012fa18f24e14N.exe"C:\Users\Admin\AppData\Local\Temp\a0d58b14bd544a9878b8a67e7782d5dc34d68dc714e8337ebee012fa18f24e14N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Bmnlbcfg.exeC:\Windows\system32\Bmnlbcfg.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Bmphhc32.exeC:\Windows\system32\Bmphhc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Cmmhaf32.exeC:\Windows\system32\Cmmhaf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3000 -
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Ddnfop32.exeC:\Windows\system32\Ddnfop32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:916 -
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2140 -
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\Daipqhdg.exeC:\Windows\system32\Daipqhdg.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:564 -
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:824 -
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:236 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Eamilh32.exeC:\Windows\system32\Eamilh32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2724 -
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Ekhkjm32.exeC:\Windows\system32\Ekhkjm32.exe33⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe34⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe35⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe37⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Eqjmncna.exeC:\Windows\system32\Eqjmncna.exe38⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Fjbafi32.exeC:\Windows\system32\Fjbafi32.exe39⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Flqmbd32.exeC:\Windows\system32\Flqmbd32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:392 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe41⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Fhgnge32.exeC:\Windows\system32\Fhgnge32.exe42⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:712 -
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe44⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe45⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe46⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe48⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Fnipkkdl.exeC:\Windows\system32\Fnipkkdl.exe50⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe51⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Fkmqdpce.exeC:\Windows\system32\Fkmqdpce.exe52⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe53⤵
- Executes dropped EXE
PID:1028 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe55⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe56⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe57⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe58⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Gcjbna32.exeC:\Windows\system32\Gcjbna32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Gfhnjm32.exeC:\Windows\system32\Gfhnjm32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe61⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe62⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:680 -
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1780 -
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe66⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2524 -
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe68⤵PID:1876
-
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe69⤵
- Drops file in System32 directory
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe70⤵
- System Location Discovery: System Language Discovery
PID:2264 -
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2880 -
C:\Windows\SysWOW64\Hebdfind.exeC:\Windows\system32\Hebdfind.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Hllmcc32.exeC:\Windows\system32\Hllmcc32.exe73⤵PID:2776
-
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe74⤵PID:2216
-
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1316 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe76⤵PID:2704
-
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe77⤵PID:1332
-
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe78⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe79⤵PID:1636
-
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1156 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1564 -
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe83⤵PID:1788
-
C:\Windows\SysWOW64\Hhhgcc32.exeC:\Windows\system32\Hhhgcc32.exe84⤵PID:2156
-
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe85⤵
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe86⤵
- Modifies registry class
PID:1596 -
C:\Windows\SysWOW64\Hdoghdmd.exeC:\Windows\system32\Hdoghdmd.exe87⤵PID:2284
-
C:\Windows\SysWOW64\Hjipenda.exeC:\Windows\system32\Hjipenda.exe88⤵PID:2864
-
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2816 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe90⤵PID:2648
-
C:\Windows\SysWOW64\Ifoqjo32.exeC:\Windows\system32\Ifoqjo32.exe91⤵PID:1992
-
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe92⤵
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe93⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2692 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe94⤵PID:3004
-
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe95⤵PID:1088
-
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe96⤵PID:1844
-
C:\Windows\SysWOW64\Ipjahd32.exeC:\Windows\system32\Ipjahd32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2528 -
C:\Windows\SysWOW64\Ifdjeoep.exeC:\Windows\system32\Ifdjeoep.exe98⤵PID:1056
-
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe99⤵PID:2968
-
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe100⤵
- System Location Discovery: System Language Discovery
PID:2896 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe101⤵PID:2852
-
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe102⤵PID:2676
-
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe103⤵PID:1272
-
C:\Windows\SysWOW64\Ipokcdjn.exeC:\Windows\system32\Ipokcdjn.exe104⤵PID:2948
-
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1716 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1812 -
C:\Windows\SysWOW64\Jbpdeogo.exeC:\Windows\system32\Jbpdeogo.exe107⤵PID:1036
-
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe108⤵PID:2004
-
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe109⤵PID:584
-
C:\Windows\SysWOW64\Jniefm32.exeC:\Windows\system32\Jniefm32.exe110⤵PID:988
-
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe111⤵PID:1948
-
C:\Windows\SysWOW64\Jhoice32.exeC:\Windows\system32\Jhoice32.exe112⤵PID:3044
-
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe113⤵PID:2732
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe114⤵PID:1444
-
C:\Windows\SysWOW64\Jagnlkjd.exeC:\Windows\system32\Jagnlkjd.exe115⤵PID:3048
-
C:\Windows\SysWOW64\Jhafhe32.exeC:\Windows\system32\Jhafhe32.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2932 -
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe117⤵
- System Location Discovery: System Language Discovery
PID:764 -
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe118⤵PID:1428
-
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe119⤵PID:1364
-
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe120⤵
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe121⤵PID:1792
-
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe122⤵PID:2356
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-