Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 21:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
11b78e8f923e037f6150e8f73a505e4eaecf88c3deb3faae291135b9c452b7cbN.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
11b78e8f923e037f6150e8f73a505e4eaecf88c3deb3faae291135b9c452b7cbN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
11b78e8f923e037f6150e8f73a505e4eaecf88c3deb3faae291135b9c452b7cbN.exe
-
Size
91KB
-
MD5
af00f297635a7721a70b154ce5f49240
-
SHA1
4ee18c3c67f73c6ec0234a9ac972b0ea73d6e668
-
SHA256
11b78e8f923e037f6150e8f73a505e4eaecf88c3deb3faae291135b9c452b7cb
-
SHA512
6c761cf7f7f0505c9701fb051834cb32812265cc978a9cffeb7b98b63f4e6300b0a53349f68e396c263c962d6f171ba6f822974de797f407e862320c66490465
-
SSDEEP
1536:++cWNDaSZ08Zln7r2IsAFRKFBR9yfwu0hetSD9ZjVCiNXR00s5fZeZQLD0:++vNDaw087n7r2CRKTyfWhetSDLVCiV5
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlnmel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nqpmimbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkacfiga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbpbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epcddopf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ogmkne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peqhgmdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbgefa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fppaej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgmmfjip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqapnjli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafhff32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcqlkjae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njmfhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnokahip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chlgid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjfkmdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckhfpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnemfa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebialmjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpjaodmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbqkeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmbnam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdphjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aedlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akdafn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bapfhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebldo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibhicbao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgfjggll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqbaic32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmkfji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnpjkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knaeeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lepclldc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jelhmlgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chggdoee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdpehd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpebidam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eegmhhie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icoepohq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhkbmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnhbmpkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koaclfgl.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2724 Bkbdabog.exe 2568 Bnapnm32.exe 2748 Ckeqga32.exe 2560 Cmfmojcb.exe 2316 Cdmepgce.exe 1664 Cjjnhnbl.exe 2284 Cqdfehii.exe 2744 Cjljnn32.exe 2844 Cmkfji32.exe 1468 Cbgobp32.exe 2232 Cjogcm32.exe 1052 Colpld32.exe 2208 Cfehhn32.exe 3024 Ckbpqe32.exe 2956 Dnqlmq32.exe 2384 Dekdikhc.exe 672 Dgiaefgg.exe 888 Dncibp32.exe 1000 Daaenlng.exe 1532 Dgknkf32.exe 1720 Dlgjldnm.exe 1068 Dbabho32.exe 2388 Dadbdkld.exe 1936 Dcbnpgkh.exe 2440 Dlifadkk.exe 2716 Dnhbmpkn.exe 1584 Dcdkef32.exe 2620 Dnjoco32.exe 2616 Dahkok32.exe 1732 Dpklkgoj.exe 1416 Ejaphpnp.exe 2292 Eicpcm32.exe 2952 Edidqf32.exe 2856 Eldiehbk.exe 1316 Edlafebn.exe 2092 Eihjolae.exe 2204 Emdeok32.exe 2140 Ebqngb32.exe 2180 Eeojcmfi.exe 2488 Ehnfpifm.exe 1136 Eogolc32.exe 1708 Eimcjl32.exe 2300 Elkofg32.exe 1744 Eknpadcn.exe 2392 Fbegbacp.exe 1528 Folhgbid.exe 2264 Fmohco32.exe 1964 Fggmldfp.exe 2688 Fkcilc32.exe 2944 Fmaeho32.exe 2792 Fppaej32.exe 2640 Fhgifgnb.exe 1108 Fkefbcmf.exe 2304 Fihfnp32.exe 1580 Fmdbnnlj.exe 2852 Faonom32.exe 1628 Fpbnjjkm.exe 288 Fcqjfeja.exe 2120 Fglfgd32.exe 2132 Fkhbgbkc.exe 2404 Fliook32.exe 272 Fpdkpiik.exe 1612 Fccglehn.exe 2108 Feachqgb.exe -
Loads dropped DLL 64 IoCs
pid Process 1448 11b78e8f923e037f6150e8f73a505e4eaecf88c3deb3faae291135b9c452b7cbN.exe 1448 11b78e8f923e037f6150e8f73a505e4eaecf88c3deb3faae291135b9c452b7cbN.exe 2724 Bkbdabog.exe 2724 Bkbdabog.exe 2568 Bnapnm32.exe 2568 Bnapnm32.exe 2748 Ckeqga32.exe 2748 Ckeqga32.exe 2560 Cmfmojcb.exe 2560 Cmfmojcb.exe 2316 Cdmepgce.exe 2316 Cdmepgce.exe 1664 Cjjnhnbl.exe 1664 Cjjnhnbl.exe 2284 Cqdfehii.exe 2284 Cqdfehii.exe 2744 Cjljnn32.exe 2744 Cjljnn32.exe 2844 Cmkfji32.exe 2844 Cmkfji32.exe 1468 Cbgobp32.exe 1468 Cbgobp32.exe 2232 Cjogcm32.exe 2232 Cjogcm32.exe 1052 Colpld32.exe 1052 Colpld32.exe 2208 Cfehhn32.exe 2208 Cfehhn32.exe 3024 Ckbpqe32.exe 3024 Ckbpqe32.exe 2956 Dnqlmq32.exe 2956 Dnqlmq32.exe 2384 Dekdikhc.exe 2384 Dekdikhc.exe 672 Dgiaefgg.exe 672 Dgiaefgg.exe 888 Dncibp32.exe 888 Dncibp32.exe 1000 Daaenlng.exe 1000 Daaenlng.exe 1532 Dgknkf32.exe 1532 Dgknkf32.exe 1720 Dlgjldnm.exe 1720 Dlgjldnm.exe 1068 Dbabho32.exe 1068 Dbabho32.exe 2388 Dadbdkld.exe 2388 Dadbdkld.exe 1936 Dcbnpgkh.exe 1936 Dcbnpgkh.exe 2440 Dlifadkk.exe 2440 Dlifadkk.exe 2716 Dnhbmpkn.exe 2716 Dnhbmpkn.exe 1584 Dcdkef32.exe 1584 Dcdkef32.exe 2620 Dnjoco32.exe 2620 Dnjoco32.exe 2616 Dahkok32.exe 2616 Dahkok32.exe 1732 Dpklkgoj.exe 1732 Dpklkgoj.exe 1416 Ejaphpnp.exe 1416 Ejaphpnp.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lcpnpp32.dll Mpkhoj32.exe File created C:\Windows\SysWOW64\Noojdc32.exe Nlanhh32.exe File created C:\Windows\SysWOW64\Igceej32.exe Iediin32.exe File created C:\Windows\SysWOW64\Ngbpehpj.exe Nddcimag.exe File opened for modification C:\Windows\SysWOW64\Nknnnoph.exe Process not Found File created C:\Windows\SysWOW64\Lanmhmjq.dll Blqmid32.exe File created C:\Windows\SysWOW64\Dekqhpoi.dll Emeobj32.exe File created C:\Windows\SysWOW64\Fpemhb32.exe Fmfalg32.exe File opened for modification C:\Windows\SysWOW64\Dcpmijqc.exe Process not Found File created C:\Windows\SysWOW64\Adfifock.dll Deeqch32.exe File created C:\Windows\SysWOW64\Klndom32.dll Hkogpn32.exe File created C:\Windows\SysWOW64\Okfampdd.dll Jndflk32.exe File created C:\Windows\SysWOW64\Akfbdoha.dll Process not Found File created C:\Windows\SysWOW64\Imfopc32.dll Qjddgj32.exe File opened for modification C:\Windows\SysWOW64\Emeobj32.exe Eldbkbop.exe File opened for modification C:\Windows\SysWOW64\Meecaa32.exe Mcggef32.exe File created C:\Windows\SysWOW64\Ojkhjabc.exe Ogmkne32.exe File created C:\Windows\SysWOW64\Pphkcaig.dll Pbblkaea.exe File created C:\Windows\SysWOW64\Dfpnca32.dll Process not Found File created C:\Windows\SysWOW64\Cmojeo32.dll Jpepkk32.exe File created C:\Windows\SysWOW64\Akdafn32.exe Ahedjb32.exe File created C:\Windows\SysWOW64\Qanolm32.exe Qmcclolh.exe File created C:\Windows\SysWOW64\Ommbioja.dll Process not Found File created C:\Windows\SysWOW64\Fppfqpoe.dll Ncfjajma.exe File created C:\Windows\SysWOW64\Hjojpeec.dll Aanibhoh.exe File created C:\Windows\SysWOW64\Ghoijebj.exe Geqlnjcf.exe File created C:\Windows\SysWOW64\Eaflfbko.dll Anhpkg32.exe File opened for modification C:\Windows\SysWOW64\Nommodjj.exe Nloachkf.exe File opened for modification C:\Windows\SysWOW64\Bkhjamcf.exe Bhjneadb.exe File created C:\Windows\SysWOW64\Qlggjlep.exe Qdpohodn.exe File created C:\Windows\SysWOW64\Nelafe32.dll Boobki32.exe File created C:\Windows\SysWOW64\Dpmodqio.dll Mghfdcdi.exe File created C:\Windows\SysWOW64\Eejanc32.dll Qanolm32.exe File created C:\Windows\SysWOW64\Ccekdaeg.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ckomqopi.exe Cgdqpq32.exe File opened for modification C:\Windows\SysWOW64\Nloachkf.exe Nipefmkb.exe File opened for modification C:\Windows\SysWOW64\Bapfhg32.exe Aoaill32.exe File created C:\Windows\SysWOW64\Pkhmod32.dll Kjepaa32.exe File created C:\Windows\SysWOW64\Knaeeo32.exe Kpoejbhe.exe File opened for modification C:\Windows\SysWOW64\Gampaipe.exe Goocenaa.exe File created C:\Windows\SysWOW64\Hmijajbd.exe Hkjnenbp.exe File created C:\Windows\SysWOW64\Bceclhel.dll Idekbgji.exe File created C:\Windows\SysWOW64\Emdeok32.exe Eihjolae.exe File created C:\Windows\SysWOW64\Llpfjomf.exe Libjncnc.exe File created C:\Windows\SysWOW64\Abmgjf32.dll Mjkibehc.exe File created C:\Windows\SysWOW64\Ndlpdbnj.exe Nbmdhfog.exe File opened for modification C:\Windows\SysWOW64\Ndnmialh.exe Nqbaic32.exe File created C:\Windows\SysWOW64\Penihe32.exe Pbomli32.exe File opened for modification C:\Windows\SysWOW64\Pnnmeh32.exe Plpqim32.exe File created C:\Windows\SysWOW64\Kfeaomqq.dll Gehiioaj.exe File opened for modification C:\Windows\SysWOW64\Keioca32.exe Jnofgg32.exe File created C:\Windows\SysWOW64\Fiebnjbg.exe Fejfmk32.exe File created C:\Windows\SysWOW64\Aahimb32.exe Aiaqle32.exe File created C:\Windows\SysWOW64\Lgcciach.dll Lofkoamf.exe File created C:\Windows\SysWOW64\Mbdcepcm.exe Lkmldbcj.exe File created C:\Windows\SysWOW64\Ibaaeg32.dll Mkfojakp.exe File opened for modification C:\Windows\SysWOW64\Nkobpmlo.exe Nhpfdaml.exe File created C:\Windows\SysWOW64\Fhiiop32.dll Afmbak32.exe File created C:\Windows\SysWOW64\Nijjfj32.dll Jmdiahco.exe File created C:\Windows\SysWOW64\Jjqiok32.exe Process not Found File created C:\Windows\SysWOW64\Ckhfpp32.exe Chjjde32.exe File opened for modification C:\Windows\SysWOW64\Qldjdlgb.exe Qifnhaho.exe File created C:\Windows\SysWOW64\Nloachkf.exe Nipefmkb.exe File created C:\Windows\SysWOW64\Gibkmgcj.exe Gefolhja.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 972 3928 Process not Found 1333 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpklkgoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkcplien.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dinpnged.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncnmane.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbhkmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbimkpmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Embkbdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjpggkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imhqbkbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meljbqna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdngip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmlablaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijlaloaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imjmhkpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdmmhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdnfjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coafko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enneln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Figocipe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdoccg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlanhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhehpbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbmip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iogpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkobpmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjnhnbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jihdnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mokkegmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngeljh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkdcdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhcicf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gidhbgag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ailqfooi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbqjqehd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onamle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paafmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glnkcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibgkjee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnbjpqoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 11b78e8f923e037f6150e8f73a505e4eaecf88c3deb3faae291135b9c452b7cbN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbegbacp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffdilo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiofnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdeaelok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kihpmnbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chbihc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gleqdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qleikgfd.dll" Dbadagln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iediin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kapjen32.dll" Ofdclinq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofdclinq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oibohdmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnnkldn.dll" Hjlemlnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meecaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hellqgnm.dll" Goqnae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leikbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbphgpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lijiaabk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nhhehpbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Docopbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lekjal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfmden32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aegqok32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgdokbck.dll" Fhgifgnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efdmgc32.dll" Giaidnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdjnn32.dll" Jjfkmdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmgaio32.dll" Jcqlkjae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aaklmhak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmbnam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhenjmbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqmqcmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gehiioaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjilmejf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcichb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcedne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgcnahoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhfkhon.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bllcnega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfjfql32.dll" Fbngfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maldfbjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Onjgkf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aocbokia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eknjoj32.dll" Bbchkime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqcmmc32.dll" Afcdpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chggdoee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjojpeec.dll" Aanibhoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmeebpkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghemo32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fglfgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnpobefe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pljnkodm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdjljpnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boandf32.dll" Jbnlaqhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmpnop32.dll" Fbfjkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kihpmnbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkjnenbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klndom32.dll" Hkogpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpachc32.dll" Folhgbid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepbmk32.dll" Goiafp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqojhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Endbib32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfnihd32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnalcc32.dll" Hjaeba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bomlppdb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1448 wrote to memory of 2724 1448 11b78e8f923e037f6150e8f73a505e4eaecf88c3deb3faae291135b9c452b7cbN.exe 30 PID 1448 wrote to memory of 2724 1448 11b78e8f923e037f6150e8f73a505e4eaecf88c3deb3faae291135b9c452b7cbN.exe 30 PID 1448 wrote to memory of 2724 1448 11b78e8f923e037f6150e8f73a505e4eaecf88c3deb3faae291135b9c452b7cbN.exe 30 PID 1448 wrote to memory of 2724 1448 11b78e8f923e037f6150e8f73a505e4eaecf88c3deb3faae291135b9c452b7cbN.exe 30 PID 2724 wrote to memory of 2568 2724 Bkbdabog.exe 31 PID 2724 wrote to memory of 2568 2724 Bkbdabog.exe 31 PID 2724 wrote to memory of 2568 2724 Bkbdabog.exe 31 PID 2724 wrote to memory of 2568 2724 Bkbdabog.exe 31 PID 2568 wrote to memory of 2748 2568 Bnapnm32.exe 32 PID 2568 wrote to memory of 2748 2568 Bnapnm32.exe 32 PID 2568 wrote to memory of 2748 2568 Bnapnm32.exe 32 PID 2568 wrote to memory of 2748 2568 Bnapnm32.exe 32 PID 2748 wrote to memory of 2560 2748 Ckeqga32.exe 33 PID 2748 wrote to memory of 2560 2748 Ckeqga32.exe 33 PID 2748 wrote to memory of 2560 2748 Ckeqga32.exe 33 PID 2748 wrote to memory of 2560 2748 Ckeqga32.exe 33 PID 2560 wrote to memory of 2316 2560 Cmfmojcb.exe 34 PID 2560 wrote to memory of 2316 2560 Cmfmojcb.exe 34 PID 2560 wrote to memory of 2316 2560 Cmfmojcb.exe 34 PID 2560 wrote to memory of 2316 2560 Cmfmojcb.exe 34 PID 2316 wrote to memory of 1664 2316 Cdmepgce.exe 35 PID 2316 wrote to memory of 1664 2316 Cdmepgce.exe 35 PID 2316 wrote to memory of 1664 2316 Cdmepgce.exe 35 PID 2316 wrote to memory of 1664 2316 Cdmepgce.exe 35 PID 1664 wrote to memory of 2284 1664 Cjjnhnbl.exe 36 PID 1664 wrote to memory of 2284 1664 Cjjnhnbl.exe 36 PID 1664 wrote to memory of 2284 1664 Cjjnhnbl.exe 36 PID 1664 wrote to memory of 2284 1664 Cjjnhnbl.exe 36 PID 2284 wrote to memory of 2744 2284 Cqdfehii.exe 37 PID 2284 wrote to memory of 2744 2284 Cqdfehii.exe 37 PID 2284 wrote to memory of 2744 2284 Cqdfehii.exe 37 PID 2284 wrote to memory of 2744 2284 Cqdfehii.exe 37 PID 2744 wrote to memory of 2844 2744 Cjljnn32.exe 38 PID 2744 wrote to memory of 2844 2744 Cjljnn32.exe 38 PID 2744 wrote to memory of 2844 2744 Cjljnn32.exe 38 PID 2744 wrote to memory of 2844 2744 Cjljnn32.exe 38 PID 2844 wrote to memory of 1468 2844 Cmkfji32.exe 39 PID 2844 wrote to memory of 1468 2844 Cmkfji32.exe 39 PID 2844 wrote to memory of 1468 2844 Cmkfji32.exe 39 PID 2844 wrote to memory of 1468 2844 Cmkfji32.exe 39 PID 1468 wrote to memory of 2232 1468 Cbgobp32.exe 40 PID 1468 wrote to memory of 2232 1468 Cbgobp32.exe 40 PID 1468 wrote to memory of 2232 1468 Cbgobp32.exe 40 PID 1468 wrote to memory of 2232 1468 Cbgobp32.exe 40 PID 2232 wrote to memory of 1052 2232 Cjogcm32.exe 41 PID 2232 wrote to memory of 1052 2232 Cjogcm32.exe 41 PID 2232 wrote to memory of 1052 2232 Cjogcm32.exe 41 PID 2232 wrote to memory of 1052 2232 Cjogcm32.exe 41 PID 1052 wrote to memory of 2208 1052 Colpld32.exe 42 PID 1052 wrote to memory of 2208 1052 Colpld32.exe 42 PID 1052 wrote to memory of 2208 1052 Colpld32.exe 42 PID 1052 wrote to memory of 2208 1052 Colpld32.exe 42 PID 2208 wrote to memory of 3024 2208 Cfehhn32.exe 43 PID 2208 wrote to memory of 3024 2208 Cfehhn32.exe 43 PID 2208 wrote to memory of 3024 2208 Cfehhn32.exe 43 PID 2208 wrote to memory of 3024 2208 Cfehhn32.exe 43 PID 3024 wrote to memory of 2956 3024 Ckbpqe32.exe 44 PID 3024 wrote to memory of 2956 3024 Ckbpqe32.exe 44 PID 3024 wrote to memory of 2956 3024 Ckbpqe32.exe 44 PID 3024 wrote to memory of 2956 3024 Ckbpqe32.exe 44 PID 2956 wrote to memory of 2384 2956 Dnqlmq32.exe 45 PID 2956 wrote to memory of 2384 2956 Dnqlmq32.exe 45 PID 2956 wrote to memory of 2384 2956 Dnqlmq32.exe 45 PID 2956 wrote to memory of 2384 2956 Dnqlmq32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\11b78e8f923e037f6150e8f73a505e4eaecf88c3deb3faae291135b9c452b7cbN.exe"C:\Users\Admin\AppData\Local\Temp\11b78e8f923e037f6150e8f73a505e4eaecf88c3deb3faae291135b9c452b7cbN.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\SysWOW64\Bkbdabog.exeC:\Windows\system32\Bkbdabog.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Bnapnm32.exeC:\Windows\system32\Bnapnm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Ckeqga32.exeC:\Windows\system32\Ckeqga32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Cmfmojcb.exeC:\Windows\system32\Cmfmojcb.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Cdmepgce.exeC:\Windows\system32\Cdmepgce.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Cjjnhnbl.exeC:\Windows\system32\Cjjnhnbl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Cqdfehii.exeC:\Windows\system32\Cqdfehii.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Cjljnn32.exeC:\Windows\system32\Cjljnn32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Cmkfji32.exeC:\Windows\system32\Cmkfji32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Cbgobp32.exeC:\Windows\system32\Cbgobp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Windows\SysWOW64\Cjogcm32.exeC:\Windows\system32\Cjogcm32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Colpld32.exeC:\Windows\system32\Colpld32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\Cfehhn32.exeC:\Windows\system32\Cfehhn32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Windows\SysWOW64\Ckbpqe32.exeC:\Windows\system32\Ckbpqe32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Dnqlmq32.exeC:\Windows\system32\Dnqlmq32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Dekdikhc.exeC:\Windows\system32\Dekdikhc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384 -
C:\Windows\SysWOW64\Dgiaefgg.exeC:\Windows\system32\Dgiaefgg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:672 -
C:\Windows\SysWOW64\Dncibp32.exeC:\Windows\system32\Dncibp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Daaenlng.exeC:\Windows\system32\Daaenlng.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
C:\Windows\SysWOW64\Dgknkf32.exeC:\Windows\system32\Dgknkf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1532 -
C:\Windows\SysWOW64\Dlgjldnm.exeC:\Windows\system32\Dlgjldnm.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1720 -
C:\Windows\SysWOW64\Dbabho32.exeC:\Windows\system32\Dbabho32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1068 -
C:\Windows\SysWOW64\Dadbdkld.exeC:\Windows\system32\Dadbdkld.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Dcbnpgkh.exeC:\Windows\system32\Dcbnpgkh.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1936 -
C:\Windows\SysWOW64\Dlifadkk.exeC:\Windows\system32\Dlifadkk.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Dnhbmpkn.exeC:\Windows\system32\Dnhbmpkn.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Dcdkef32.exeC:\Windows\system32\Dcdkef32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Dnjoco32.exeC:\Windows\system32\Dnjoco32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Dahkok32.exeC:\Windows\system32\Dahkok32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Dpklkgoj.exeC:\Windows\system32\Dpklkgoj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Ejaphpnp.exeC:\Windows\system32\Ejaphpnp.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1416 -
C:\Windows\SysWOW64\Eicpcm32.exeC:\Windows\system32\Eicpcm32.exe33⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Edidqf32.exeC:\Windows\system32\Edidqf32.exe34⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Eldiehbk.exeC:\Windows\system32\Eldiehbk.exe35⤵
- Executes dropped EXE
PID:2856 -
C:\Windows\SysWOW64\Edlafebn.exeC:\Windows\system32\Edlafebn.exe36⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Eihjolae.exeC:\Windows\system32\Eihjolae.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2092 -
C:\Windows\SysWOW64\Emdeok32.exeC:\Windows\system32\Emdeok32.exe38⤵
- Executes dropped EXE
PID:2204 -
C:\Windows\SysWOW64\Ebqngb32.exeC:\Windows\system32\Ebqngb32.exe39⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Eeojcmfi.exeC:\Windows\system32\Eeojcmfi.exe40⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Ehnfpifm.exeC:\Windows\system32\Ehnfpifm.exe41⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Eogolc32.exeC:\Windows\system32\Eogolc32.exe42⤵
- Executes dropped EXE
PID:1136 -
C:\Windows\SysWOW64\Eimcjl32.exeC:\Windows\system32\Eimcjl32.exe43⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Elkofg32.exeC:\Windows\system32\Elkofg32.exe44⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Eknpadcn.exeC:\Windows\system32\Eknpadcn.exe45⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Fbegbacp.exeC:\Windows\system32\Fbegbacp.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Folhgbid.exeC:\Windows\system32\Folhgbid.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Fmohco32.exeC:\Windows\system32\Fmohco32.exe48⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Fggmldfp.exeC:\Windows\system32\Fggmldfp.exe49⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Fkcilc32.exeC:\Windows\system32\Fkcilc32.exe50⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Fmaeho32.exeC:\Windows\system32\Fmaeho32.exe51⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Fppaej32.exeC:\Windows\system32\Fppaej32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Fhgifgnb.exeC:\Windows\system32\Fhgifgnb.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2640 -
C:\Windows\SysWOW64\Fkefbcmf.exeC:\Windows\system32\Fkefbcmf.exe54⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Fihfnp32.exeC:\Windows\system32\Fihfnp32.exe55⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Fmdbnnlj.exeC:\Windows\system32\Fmdbnnlj.exe56⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Faonom32.exeC:\Windows\system32\Faonom32.exe57⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Fpbnjjkm.exeC:\Windows\system32\Fpbnjjkm.exe58⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Fcqjfeja.exeC:\Windows\system32\Fcqjfeja.exe59⤵
- Executes dropped EXE
PID:288 -
C:\Windows\SysWOW64\Fglfgd32.exeC:\Windows\system32\Fglfgd32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Fkhbgbkc.exeC:\Windows\system32\Fkhbgbkc.exe61⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Fliook32.exeC:\Windows\system32\Fliook32.exe62⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Fpdkpiik.exeC:\Windows\system32\Fpdkpiik.exe63⤵
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Fccglehn.exeC:\Windows\system32\Fccglehn.exe64⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Feachqgb.exeC:\Windows\system32\Feachqgb.exe65⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Gmhkin32.exeC:\Windows\system32\Gmhkin32.exe66⤵PID:636
-
C:\Windows\SysWOW64\Glklejoo.exeC:\Windows\system32\Glklejoo.exe67⤵PID:1856
-
C:\Windows\SysWOW64\Gojhafnb.exeC:\Windows\system32\Gojhafnb.exe68⤵PID:1192
-
C:\Windows\SysWOW64\Gcedad32.exeC:\Windows\system32\Gcedad32.exe69⤵PID:2680
-
C:\Windows\SysWOW64\Ggapbcne.exeC:\Windows\system32\Ggapbcne.exe70⤵PID:2868
-
C:\Windows\SysWOW64\Giolnomh.exeC:\Windows\system32\Giolnomh.exe71⤵PID:2592
-
C:\Windows\SysWOW64\Ghbljk32.exeC:\Windows\system32\Ghbljk32.exe72⤵PID:2824
-
C:\Windows\SysWOW64\Gpidki32.exeC:\Windows\system32\Gpidki32.exe73⤵PID:1900
-
C:\Windows\SysWOW64\Gcgqgd32.exeC:\Windows\system32\Gcgqgd32.exe74⤵PID:892
-
C:\Windows\SysWOW64\Gajqbakc.exeC:\Windows\system32\Gajqbakc.exe75⤵PID:2924
-
C:\Windows\SysWOW64\Giaidnkf.exeC:\Windows\system32\Giaidnkf.exe76⤵
- Modifies registry class
PID:480 -
C:\Windows\SysWOW64\Ghdiokbq.exeC:\Windows\system32\Ghdiokbq.exe77⤵PID:1864
-
C:\Windows\SysWOW64\Gkcekfad.exeC:\Windows\system32\Gkcekfad.exe78⤵PID:404
-
C:\Windows\SysWOW64\Gcjmmdbf.exeC:\Windows\system32\Gcjmmdbf.exe79⤵PID:3052
-
C:\Windows\SysWOW64\Gehiioaj.exeC:\Windows\system32\Gehiioaj.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:1080 -
C:\Windows\SysWOW64\Gdkjdl32.exeC:\Windows\system32\Gdkjdl32.exe81⤵PID:3060
-
C:\Windows\SysWOW64\Glbaei32.exeC:\Windows\system32\Glbaei32.exe82⤵PID:2700
-
C:\Windows\SysWOW64\Goqnae32.exeC:\Windows\system32\Goqnae32.exe83⤵
- Modifies registry class
PID:308 -
C:\Windows\SysWOW64\Gncnmane.exeC:\Windows\system32\Gncnmane.exe84⤵
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Gaojnq32.exeC:\Windows\system32\Gaojnq32.exe85⤵PID:1748
-
C:\Windows\SysWOW64\Gdnfjl32.exeC:\Windows\system32\Gdnfjl32.exe86⤵
- System Location Discovery: System Language Discovery
PID:2736 -
C:\Windows\SysWOW64\Ghibjjnk.exeC:\Windows\system32\Ghibjjnk.exe87⤵PID:532
-
C:\Windows\SysWOW64\Gkgoff32.exeC:\Windows\system32\Gkgoff32.exe88⤵PID:2064
-
C:\Windows\SysWOW64\Gaagcpdl.exeC:\Windows\system32\Gaagcpdl.exe89⤵PID:2840
-
C:\Windows\SysWOW64\Gqdgom32.exeC:\Windows\system32\Gqdgom32.exe90⤵PID:968
-
C:\Windows\SysWOW64\Hgnokgcc.exeC:\Windows\system32\Hgnokgcc.exe91⤵PID:2200
-
C:\Windows\SysWOW64\Hkjkle32.exeC:\Windows\system32\Hkjkle32.exe92⤵PID:860
-
C:\Windows\SysWOW64\Hnhgha32.exeC:\Windows\system32\Hnhgha32.exe93⤵PID:352
-
C:\Windows\SysWOW64\Hqgddm32.exeC:\Windows\system32\Hqgddm32.exe94⤵PID:2100
-
C:\Windows\SysWOW64\Hdbpekam.exeC:\Windows\system32\Hdbpekam.exe95⤵PID:1684
-
C:\Windows\SysWOW64\Hgqlafap.exeC:\Windows\system32\Hgqlafap.exe96⤵PID:1976
-
C:\Windows\SysWOW64\Hklhae32.exeC:\Windows\system32\Hklhae32.exe97⤵PID:748
-
C:\Windows\SysWOW64\Hnkdnqhm.exeC:\Windows\system32\Hnkdnqhm.exe98⤵PID:2888
-
C:\Windows\SysWOW64\Hqiqjlga.exeC:\Windows\system32\Hqiqjlga.exe99⤵PID:2576
-
C:\Windows\SysWOW64\Hddmjk32.exeC:\Windows\system32\Hddmjk32.exe100⤵PID:2848
-
C:\Windows\SysWOW64\Hgciff32.exeC:\Windows\system32\Hgciff32.exe101⤵PID:936
-
C:\Windows\SysWOW64\Hffibceh.exeC:\Windows\system32\Hffibceh.exe102⤵PID:2428
-
C:\Windows\SysWOW64\Hjaeba32.exeC:\Windows\system32\Hjaeba32.exe103⤵
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Hmpaom32.exeC:\Windows\system32\Hmpaom32.exe104⤵PID:1620
-
C:\Windows\SysWOW64\Honnki32.exeC:\Windows\system32\Honnki32.exe105⤵PID:1376
-
C:\Windows\SysWOW64\Hcjilgdb.exeC:\Windows\system32\Hcjilgdb.exe106⤵PID:1536
-
C:\Windows\SysWOW64\Hfhfhbce.exeC:\Windows\system32\Hfhfhbce.exe107⤵PID:1212
-
C:\Windows\SysWOW64\Hjcaha32.exeC:\Windows\system32\Hjcaha32.exe108⤵PID:2328
-
C:\Windows\SysWOW64\Hifbdnbi.exeC:\Windows\system32\Hifbdnbi.exe109⤵PID:2444
-
C:\Windows\SysWOW64\Hqnjek32.exeC:\Windows\system32\Hqnjek32.exe110⤵PID:2408
-
C:\Windows\SysWOW64\Hoqjqhjf.exeC:\Windows\system32\Hoqjqhjf.exe111⤵PID:2836
-
C:\Windows\SysWOW64\Hbofmcij.exeC:\Windows\system32\Hbofmcij.exe112⤵PID:2252
-
C:\Windows\SysWOW64\Hiioin32.exeC:\Windows\system32\Hiioin32.exe113⤵PID:2052
-
C:\Windows\SysWOW64\Iocgfhhc.exeC:\Windows\system32\Iocgfhhc.exe114⤵PID:2932
-
C:\Windows\SysWOW64\Icncgf32.exeC:\Windows\system32\Icncgf32.exe115⤵PID:2652
-
C:\Windows\SysWOW64\Ifmocb32.exeC:\Windows\system32\Ifmocb32.exe116⤵PID:2520
-
C:\Windows\SysWOW64\Iikkon32.exeC:\Windows\system32\Iikkon32.exe117⤵PID:2240
-
C:\Windows\SysWOW64\Imggplgm.exeC:\Windows\system32\Imggplgm.exe118⤵PID:1592
-
C:\Windows\SysWOW64\Inhdgdmk.exeC:\Windows\system32\Inhdgdmk.exe119⤵PID:2820
-
C:\Windows\SysWOW64\Ifolhann.exeC:\Windows\system32\Ifolhann.exe120⤵PID:2628
-
C:\Windows\SysWOW64\Iebldo32.exeC:\Windows\system32\Iebldo32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1452
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-