Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
07-12-2024 19:25
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4e1991b37ee6958085c6dc2a01487e987ba9432682f02234d3bdf70eb5ad9bc6N.exe
Resource
win7-20241010-en
windows7-x64
11 signatures
120 seconds
Behavioral task
behavioral2
Sample
4e1991b37ee6958085c6dc2a01487e987ba9432682f02234d3bdf70eb5ad9bc6N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
4e1991b37ee6958085c6dc2a01487e987ba9432682f02234d3bdf70eb5ad9bc6N.exe
-
Size
91KB
-
MD5
5ebe6d48f07ac9b8f870f135dabcdc70
-
SHA1
5dbbdcdc09f29b4169815b22c42a25d7b3c8eafc
-
SHA256
4e1991b37ee6958085c6dc2a01487e987ba9432682f02234d3bdf70eb5ad9bc6
-
SHA512
bd2398db5779726708685cd150f3d66b9fd0970d6cfad396a2c730887f4888c945fde565c07a4c3ddc83dab5639d26e332915b5bfb36b5ff158dbe26002dabff
-
SSDEEP
1536:OfuEhdGBS7JoHNKbBdU8hp0hetSD9ZjVCiNXR00s5fZeZQLD0:guiwcbBdUC6hetSDLVCiVR0d5fZeZwD0
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecnmpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnbdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elkmmodo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdnhoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgmdjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cheido32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjcmap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqnifg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imoilo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jofejpmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcdfnehp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Befmfpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olebgfao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggfnopfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpicle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glgjednf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcdfnehp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pejmfqan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnbojmmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lghlndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgffhkoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdlkiepd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qflhbhgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Achojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgkbeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghiaof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfgafadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdqlajbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdcifi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihfgp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjaimn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbhmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkdgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oionacqo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opfbngfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecploipa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnkjnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imoilo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdbpnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcgdom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fchijone.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omefkplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhkkbmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqbbagjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpceidcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddiibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekjgpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqjdgmgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Difnaqih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgehno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oeckfndj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqomci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hihjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjlheehe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpicle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cielhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdocl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgeaoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpphhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbokgpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgnpeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nefbga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pejmfqan.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2488 Ohhkjp32.exe 2872 Ojigbhlp.exe 2932 Pjldghjm.exe 1928 Pfbelipa.exe 700 Pgbafl32.exe 1720 Pomfkndo.exe 2108 Pkdgpo32.exe 3020 Pdlkiepd.exe 2920 Qflhbhgg.exe 2664 Qgmdjp32.exe 2508 Qqeicede.exe 1440 Qkkmqnck.exe 2144 Aganeoip.exe 1680 Achojp32.exe 668 Ajbggjfq.exe 1140 Afiglkle.exe 1240 Aigchgkh.exe 2652 Acmhepko.exe 672 Amelne32.exe 2388 Afnagk32.exe 1724 Bmhideol.exe 2448 Bpfeppop.exe 1056 Bajomhbl.exe 2616 Bbikgk32.exe 2792 Bhfcpb32.exe 2836 Bmclhi32.exe 2816 Bfkpqn32.exe 2688 Cpceidcn.exe 2080 Cilibi32.exe 2720 Cdanpb32.exe 2560 Cinfhigl.exe 2356 Cddjebgb.exe 2656 Cmlong32.exe 3060 Conkepdq.exe 3032 Cicpch32.exe 780 Cckdlnjg.exe 2104 Cielhh32.exe 1136 Daqamj32.exe 1988 Dkiefp32.exe 2060 Dhmfod32.exe 1308 Dnjngk32.exe 2324 Dgbcpq32.exe 1068 Dnlkmkpn.exe 1804 Dgdpfp32.exe 1992 Egglkp32.exe 1448 Eobapbbg.exe 880 Ecnmpa32.exe 2800 Ehjehh32.exe 2984 Eodnebpd.exe 2724 Ehmbng32.exe 2692 Ecbfkpfk.exe 2220 Efqbglen.exe 580 Eoigpa32.exe 2640 Efcomkcl.exe 2924 Egdlec32.exe 3052 Fbjpblip.exe 2780 Fidhof32.exe 2260 Fjeefofk.exe 2096 Fqomci32.exe 2152 Fgiepced.exe 552 Fjgalndh.exe 872 Femeig32.exe 2484 Fgkbeb32.exe 892 Fnejbmko.exe -
Loads dropped DLL 64 IoCs
pid Process 2956 4e1991b37ee6958085c6dc2a01487e987ba9432682f02234d3bdf70eb5ad9bc6N.exe 2956 4e1991b37ee6958085c6dc2a01487e987ba9432682f02234d3bdf70eb5ad9bc6N.exe 2488 Ohhkjp32.exe 2488 Ohhkjp32.exe 2872 Ojigbhlp.exe 2872 Ojigbhlp.exe 2932 Pjldghjm.exe 2932 Pjldghjm.exe 1928 Pfbelipa.exe 1928 Pfbelipa.exe 700 Pgbafl32.exe 700 Pgbafl32.exe 1720 Pomfkndo.exe 1720 Pomfkndo.exe 2108 Pkdgpo32.exe 2108 Pkdgpo32.exe 3020 Pdlkiepd.exe 3020 Pdlkiepd.exe 2920 Qflhbhgg.exe 2920 Qflhbhgg.exe 2664 Qgmdjp32.exe 2664 Qgmdjp32.exe 2508 Qqeicede.exe 2508 Qqeicede.exe 1440 Qkkmqnck.exe 1440 Qkkmqnck.exe 2144 Aganeoip.exe 2144 Aganeoip.exe 1680 Achojp32.exe 1680 Achojp32.exe 668 Ajbggjfq.exe 668 Ajbggjfq.exe 1140 Afiglkle.exe 1140 Afiglkle.exe 1240 Aigchgkh.exe 1240 Aigchgkh.exe 2652 Acmhepko.exe 2652 Acmhepko.exe 672 Amelne32.exe 672 Amelne32.exe 2388 Afnagk32.exe 2388 Afnagk32.exe 1724 Bmhideol.exe 1724 Bmhideol.exe 2448 Bpfeppop.exe 2448 Bpfeppop.exe 1056 Bajomhbl.exe 1056 Bajomhbl.exe 2616 Bbikgk32.exe 2616 Bbikgk32.exe 2792 Bhfcpb32.exe 2792 Bhfcpb32.exe 2836 Bmclhi32.exe 2836 Bmclhi32.exe 2816 Bfkpqn32.exe 2816 Bfkpqn32.exe 2688 Cpceidcn.exe 2688 Cpceidcn.exe 2080 Cilibi32.exe 2080 Cilibi32.exe 2720 Cdanpb32.exe 2720 Cdanpb32.exe 2560 Cinfhigl.exe 2560 Cinfhigl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kofaicon.exe Klhemhpk.exe File opened for modification C:\Windows\SysWOW64\Klbdgb32.exe Jbjpom32.exe File created C:\Windows\SysWOW64\Qgejemnf.dll Cbblda32.exe File created C:\Windows\SysWOW64\Gcenaf32.dll Giahhj32.exe File created C:\Windows\SysWOW64\Mjekfd32.exe Meicnm32.exe File created C:\Windows\SysWOW64\Dpegcq32.exe Dmgkgeah.exe File created C:\Windows\SysWOW64\Hbknkl32.exe Hibjbgbh.exe File created C:\Windows\SysWOW64\Kndoim32.dll Jkchmo32.exe File created C:\Windows\SysWOW64\Binlfn32.dll Gblifo32.exe File created C:\Windows\SysWOW64\Ddiibc32.exe Domqjm32.exe File opened for modification C:\Windows\SysWOW64\Jdhgnf32.exe Jnnnalph.exe File opened for modification C:\Windows\SysWOW64\Gneijien.exe Gkglnm32.exe File opened for modification C:\Windows\SysWOW64\Bchfhfeh.exe Bqijljfd.exe File opened for modification C:\Windows\SysWOW64\Dllhhaep.exe Dgoopkgh.exe File created C:\Windows\SysWOW64\Mkdfahce.dll Endjaief.exe File created C:\Windows\SysWOW64\Lcdgejhm.dll Ackmih32.exe File created C:\Windows\SysWOW64\Jliaac32.exe Jfliim32.exe File created C:\Windows\SysWOW64\Fkecij32.exe Fdkklp32.exe File opened for modification C:\Windows\SysWOW64\Ijclol32.exe Iakgefqe.exe File created C:\Windows\SysWOW64\Dafqii32.dll Oidiekdn.exe File opened for modification C:\Windows\SysWOW64\Bmhideol.exe Afnagk32.exe File created C:\Windows\SysWOW64\Cjeapkom.dll Ihfjognl.exe File created C:\Windows\SysWOW64\Mdbiji32.exe Mlkail32.exe File created C:\Windows\SysWOW64\Lpfhgcpi.dll Nkhdkgnj.exe File created C:\Windows\SysWOW64\Jabfljee.dll Dpegcq32.exe File created C:\Windows\SysWOW64\Jinafidh.dll Nfnneb32.exe File created C:\Windows\SysWOW64\Fqalaa32.exe Fkecij32.exe File opened for modification C:\Windows\SysWOW64\Poklngnf.exe Plmpblnb.exe File created C:\Windows\SysWOW64\Cheido32.exe Ckahkk32.exe File opened for modification C:\Windows\SysWOW64\Ndkhngdd.exe Nallalep.exe File opened for modification C:\Windows\SysWOW64\Npdfhhhe.exe Nijnln32.exe File created C:\Windows\SysWOW64\Pljcllqe.exe Pkifdd32.exe File created C:\Windows\SysWOW64\Dfocegkg.dll Eggndi32.exe File created C:\Windows\SysWOW64\Oggfcl32.dll Hakkgc32.exe File created C:\Windows\SysWOW64\Qflhbhgg.exe Pdlkiepd.exe File created C:\Windows\SysWOW64\Iamabm32.exe Idiaii32.exe File created C:\Windows\SysWOW64\Bbejeo32.dll Nlnnnk32.exe File opened for modification C:\Windows\SysWOW64\Nkjapglg.exe Ndpicm32.exe File opened for modification C:\Windows\SysWOW64\Aboaff32.exe Ajhiei32.exe File opened for modification C:\Windows\SysWOW64\Nijnln32.exe Ndmecgba.exe File opened for modification C:\Windows\SysWOW64\Oanefo32.exe Ohfqmi32.exe File created C:\Windows\SysWOW64\Ogknoe32.exe Oanefo32.exe File created C:\Windows\SysWOW64\Blkahecm.dll Pkdgpo32.exe File created C:\Windows\SysWOW64\Nkoielgg.dll Daqamj32.exe File created C:\Windows\SysWOW64\Hicqmmfc.exe Hhbdee32.exe File opened for modification C:\Windows\SysWOW64\Ledibnco.exe Lpgajgeg.exe File opened for modification C:\Windows\SysWOW64\Dmjqpdje.exe Dfphcj32.exe File opened for modification C:\Windows\SysWOW64\Mjaddn32.exe Lqipkhbj.exe File opened for modification C:\Windows\SysWOW64\Mggabaea.exe Mqnifg32.exe File created C:\Windows\SysWOW64\Dllhoqlh.dll Iamabm32.exe File created C:\Windows\SysWOW64\Kbaglpee.exe Khiccj32.exe File opened for modification C:\Windows\SysWOW64\Qgmdjp32.exe Qflhbhgg.exe File created C:\Windows\SysWOW64\Fagigd32.dll Ogqaehak.exe File created C:\Windows\SysWOW64\Opnbbe32.exe Oidiekdn.exe File opened for modification C:\Windows\SysWOW64\Nefdpjkl.exe Nnmlcp32.exe File opened for modification C:\Windows\SysWOW64\Nehomq32.exe Nplfdj32.exe File opened for modification C:\Windows\SysWOW64\Qogbdl32.exe Qinjgbpg.exe File created C:\Windows\SysWOW64\Ibfmbhnd.dll Jkmeoa32.exe File created C:\Windows\SysWOW64\Dfphcj32.exe Deollamj.exe File created C:\Windows\SysWOW64\Hfgafadm.exe Hpmiig32.exe File created C:\Windows\SysWOW64\Kalpeaik.dll Jlbboiip.exe File opened for modification C:\Windows\SysWOW64\Hbnbkbja.exe Hmaick32.exe File created C:\Windows\SysWOW64\Gapfdgmi.dll Hibjbgbh.exe File created C:\Windows\SysWOW64\Fhjboh32.dll Lnbdko32.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Dfkhndca.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Dfkhndca.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2616 2124 WerFault.exe 582 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlgmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbfiaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plaimk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iakgefqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achojp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlkail32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akncimmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlkjne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gihniioc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhmfod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgiepced.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnolfon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcjnnpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlbboiip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leammn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdnhoac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kglehp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcoqdoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkmmodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpicle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbknkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mklcadfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgbipf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjjdacik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmibgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgqcjlhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljnnko32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plmpblnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgclio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkcbnanl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehmbng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgodl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanefo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhdggom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bibpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfnneb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agljom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dedlag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcaiiejc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbicoamh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnifja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gneijien.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbjpblip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fafcdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnmlcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdeqfhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaompi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfahomfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjobffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmogmjmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biolanld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijnln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcifi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamabm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkddnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnckjddd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohncbdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhfcpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpfhoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphecepe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cehfkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dknajh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgdnnl32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipjahd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plmpblnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnldjekl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkigoimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqhdl32.dll" Hcdnhoac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oggfcl32.dll" Hakkgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffeganon.dll" Plgolf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogknoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Poklngnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkahecm.dll" Pkdgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndpicm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cofnjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nigafnck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gqdefddb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgbfnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjaddn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohncbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohncbdbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cegoqlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acfgoj32.dll" Dnlkmkpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jcbhee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lihobnap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ledibnco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npdfhhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dobgihgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eldglp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnheohcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhadao32.dll" Qjhmfekp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekomolag.dll" Pcdkif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pejmfqan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dknajh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afhgaocl.dll" Fkecij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpdaj32.dll" Fqalaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oibmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcogbdkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojigbhlp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpdkii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcaiiejc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baleem32.dll" Bbbgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnljlm32.dll" Jlnklcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbndia32.dll" Dnjngk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgbcpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmjqpdje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hahnac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnbojmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ioilkblq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgbipf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qqbecp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmqmci32.dll" Fheabelm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjndlebb.dll" Jofejpmc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbkpeake.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phcpgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkglnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njjcip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkfnfjpg.dll" Bjallg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blchcpko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddiibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipfeceln.dll" Eoompl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldkkdd32.dll" Afjjed32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klbdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmlong32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gchfle32.dll" Jeafjiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afiglkle.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2956 wrote to memory of 2488 2956 4e1991b37ee6958085c6dc2a01487e987ba9432682f02234d3bdf70eb5ad9bc6N.exe 30 PID 2956 wrote to memory of 2488 2956 4e1991b37ee6958085c6dc2a01487e987ba9432682f02234d3bdf70eb5ad9bc6N.exe 30 PID 2956 wrote to memory of 2488 2956 4e1991b37ee6958085c6dc2a01487e987ba9432682f02234d3bdf70eb5ad9bc6N.exe 30 PID 2956 wrote to memory of 2488 2956 4e1991b37ee6958085c6dc2a01487e987ba9432682f02234d3bdf70eb5ad9bc6N.exe 30 PID 2488 wrote to memory of 2872 2488 Ohhkjp32.exe 31 PID 2488 wrote to memory of 2872 2488 Ohhkjp32.exe 31 PID 2488 wrote to memory of 2872 2488 Ohhkjp32.exe 31 PID 2488 wrote to memory of 2872 2488 Ohhkjp32.exe 31 PID 2872 wrote to memory of 2932 2872 Ojigbhlp.exe 32 PID 2872 wrote to memory of 2932 2872 Ojigbhlp.exe 32 PID 2872 wrote to memory of 2932 2872 Ojigbhlp.exe 32 PID 2872 wrote to memory of 2932 2872 Ojigbhlp.exe 32 PID 2932 wrote to memory of 1928 2932 Pjldghjm.exe 33 PID 2932 wrote to memory of 1928 2932 Pjldghjm.exe 33 PID 2932 wrote to memory of 1928 2932 Pjldghjm.exe 33 PID 2932 wrote to memory of 1928 2932 Pjldghjm.exe 33 PID 1928 wrote to memory of 700 1928 Pfbelipa.exe 34 PID 1928 wrote to memory of 700 1928 Pfbelipa.exe 34 PID 1928 wrote to memory of 700 1928 Pfbelipa.exe 34 PID 1928 wrote to memory of 700 1928 Pfbelipa.exe 34 PID 700 wrote to memory of 1720 700 Pgbafl32.exe 35 PID 700 wrote to memory of 1720 700 Pgbafl32.exe 35 PID 700 wrote to memory of 1720 700 Pgbafl32.exe 35 PID 700 wrote to memory of 1720 700 Pgbafl32.exe 35 PID 1720 wrote to memory of 2108 1720 Pomfkndo.exe 36 PID 1720 wrote to memory of 2108 1720 Pomfkndo.exe 36 PID 1720 wrote to memory of 2108 1720 Pomfkndo.exe 36 PID 1720 wrote to memory of 2108 1720 Pomfkndo.exe 36 PID 2108 wrote to memory of 3020 2108 Pkdgpo32.exe 37 PID 2108 wrote to memory of 3020 2108 Pkdgpo32.exe 37 PID 2108 wrote to memory of 3020 2108 Pkdgpo32.exe 37 PID 2108 wrote to memory of 3020 2108 Pkdgpo32.exe 37 PID 3020 wrote to memory of 2920 3020 Pdlkiepd.exe 38 PID 3020 wrote to memory of 2920 3020 Pdlkiepd.exe 38 PID 3020 wrote to memory of 2920 3020 Pdlkiepd.exe 38 PID 3020 wrote to memory of 2920 3020 Pdlkiepd.exe 38 PID 2920 wrote to memory of 2664 2920 Qflhbhgg.exe 39 PID 2920 wrote to memory of 2664 2920 Qflhbhgg.exe 39 PID 2920 wrote to memory of 2664 2920 Qflhbhgg.exe 39 PID 2920 wrote to memory of 2664 2920 Qflhbhgg.exe 39 PID 2664 wrote to memory of 2508 2664 Qgmdjp32.exe 40 PID 2664 wrote to memory of 2508 2664 Qgmdjp32.exe 40 PID 2664 wrote to memory of 2508 2664 Qgmdjp32.exe 40 PID 2664 wrote to memory of 2508 2664 Qgmdjp32.exe 40 PID 2508 wrote to memory of 1440 2508 Qqeicede.exe 41 PID 2508 wrote to memory of 1440 2508 Qqeicede.exe 41 PID 2508 wrote to memory of 1440 2508 Qqeicede.exe 41 PID 2508 wrote to memory of 1440 2508 Qqeicede.exe 41 PID 1440 wrote to memory of 2144 1440 Qkkmqnck.exe 42 PID 1440 wrote to memory of 2144 1440 Qkkmqnck.exe 42 PID 1440 wrote to memory of 2144 1440 Qkkmqnck.exe 42 PID 1440 wrote to memory of 2144 1440 Qkkmqnck.exe 42 PID 2144 wrote to memory of 1680 2144 Aganeoip.exe 43 PID 2144 wrote to memory of 1680 2144 Aganeoip.exe 43 PID 2144 wrote to memory of 1680 2144 Aganeoip.exe 43 PID 2144 wrote to memory of 1680 2144 Aganeoip.exe 43 PID 1680 wrote to memory of 668 1680 Achojp32.exe 44 PID 1680 wrote to memory of 668 1680 Achojp32.exe 44 PID 1680 wrote to memory of 668 1680 Achojp32.exe 44 PID 1680 wrote to memory of 668 1680 Achojp32.exe 44 PID 668 wrote to memory of 1140 668 Ajbggjfq.exe 45 PID 668 wrote to memory of 1140 668 Ajbggjfq.exe 45 PID 668 wrote to memory of 1140 668 Ajbggjfq.exe 45 PID 668 wrote to memory of 1140 668 Ajbggjfq.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e1991b37ee6958085c6dc2a01487e987ba9432682f02234d3bdf70eb5ad9bc6N.exe"C:\Users\Admin\AppData\Local\Temp\4e1991b37ee6958085c6dc2a01487e987ba9432682f02234d3bdf70eb5ad9bc6N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Ohhkjp32.exeC:\Windows\system32\Ohhkjp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2488 -
C:\Windows\SysWOW64\Ojigbhlp.exeC:\Windows\system32\Ojigbhlp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\Pjldghjm.exeC:\Windows\system32\Pjldghjm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Pfbelipa.exeC:\Windows\system32\Pfbelipa.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Pgbafl32.exeC:\Windows\system32\Pgbafl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:700 -
C:\Windows\SysWOW64\Pomfkndo.exeC:\Windows\system32\Pomfkndo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Pkdgpo32.exeC:\Windows\system32\Pkdgpo32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Pdlkiepd.exeC:\Windows\system32\Pdlkiepd.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Qflhbhgg.exeC:\Windows\system32\Qflhbhgg.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Qgmdjp32.exeC:\Windows\system32\Qgmdjp32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508 -
C:\Windows\SysWOW64\Qkkmqnck.exeC:\Windows\system32\Qkkmqnck.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Aganeoip.exeC:\Windows\system32\Aganeoip.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Achojp32.exeC:\Windows\system32\Achojp32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Ajbggjfq.exeC:\Windows\system32\Ajbggjfq.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:668 -
C:\Windows\SysWOW64\Afiglkle.exeC:\Windows\system32\Afiglkle.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1140 -
C:\Windows\SysWOW64\Aigchgkh.exeC:\Windows\system32\Aigchgkh.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240 -
C:\Windows\SysWOW64\Acmhepko.exeC:\Windows\system32\Acmhepko.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Amelne32.exeC:\Windows\system32\Amelne32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:672 -
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Bmhideol.exeC:\Windows\system32\Bmhideol.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Bpfeppop.exeC:\Windows\system32\Bpfeppop.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2448 -
C:\Windows\SysWOW64\Bajomhbl.exeC:\Windows\system32\Bajomhbl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1056 -
C:\Windows\SysWOW64\Bbikgk32.exeC:\Windows\system32\Bbikgk32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2616 -
C:\Windows\SysWOW64\Bhfcpb32.exeC:\Windows\system32\Bhfcpb32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Bmclhi32.exeC:\Windows\system32\Bmclhi32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Bfkpqn32.exeC:\Windows\system32\Bfkpqn32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Cpceidcn.exeC:\Windows\system32\Cpceidcn.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2688 -
C:\Windows\SysWOW64\Cilibi32.exeC:\Windows\system32\Cilibi32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2080 -
C:\Windows\SysWOW64\Cdanpb32.exeC:\Windows\system32\Cdanpb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Cinfhigl.exeC:\Windows\system32\Cinfhigl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2560 -
C:\Windows\SysWOW64\Cddjebgb.exeC:\Windows\system32\Cddjebgb.exe33⤵
- Executes dropped EXE
PID:2356 -
C:\Windows\SysWOW64\Cmlong32.exeC:\Windows\system32\Cmlong32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Conkepdq.exeC:\Windows\system32\Conkepdq.exe35⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Cicpch32.exeC:\Windows\system32\Cicpch32.exe36⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Cckdlnjg.exeC:\Windows\system32\Cckdlnjg.exe37⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Cielhh32.exeC:\Windows\system32\Cielhh32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Daqamj32.exeC:\Windows\system32\Daqamj32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1136 -
C:\Windows\SysWOW64\Dkiefp32.exeC:\Windows\system32\Dkiefp32.exe40⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Dhmfod32.exeC:\Windows\system32\Dhmfod32.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2060 -
C:\Windows\SysWOW64\Dnjngk32.exeC:\Windows\system32\Dnjngk32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1308 -
C:\Windows\SysWOW64\Dgbcpq32.exeC:\Windows\system32\Dgbcpq32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Dnlkmkpn.exeC:\Windows\system32\Dnlkmkpn.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Dgdpfp32.exeC:\Windows\system32\Dgdpfp32.exe45⤵
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Egglkp32.exeC:\Windows\system32\Egglkp32.exe46⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Eobapbbg.exeC:\Windows\system32\Eobapbbg.exe47⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Ecnmpa32.exeC:\Windows\system32\Ecnmpa32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:880 -
C:\Windows\SysWOW64\Ehjehh32.exeC:\Windows\system32\Ehjehh32.exe49⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Eodnebpd.exeC:\Windows\system32\Eodnebpd.exe50⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Ehmbng32.exeC:\Windows\system32\Ehmbng32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2724 -
C:\Windows\SysWOW64\Ecbfkpfk.exeC:\Windows\system32\Ecbfkpfk.exe52⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Efqbglen.exeC:\Windows\system32\Efqbglen.exe53⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Eoigpa32.exeC:\Windows\system32\Eoigpa32.exe54⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Efcomkcl.exeC:\Windows\system32\Efcomkcl.exe55⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe56⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Fbjpblip.exeC:\Windows\system32\Fbjpblip.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Fidhof32.exeC:\Windows\system32\Fidhof32.exe58⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Fjeefofk.exeC:\Windows\system32\Fjeefofk.exe59⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Fqomci32.exeC:\Windows\system32\Fqomci32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Fgiepced.exeC:\Windows\system32\Fgiepced.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2152 -
C:\Windows\SysWOW64\Fjgalndh.exeC:\Windows\system32\Fjgalndh.exe62⤵
- Executes dropped EXE
PID:552 -
C:\Windows\SysWOW64\Femeig32.exeC:\Windows\system32\Femeig32.exe63⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Fgkbeb32.exeC:\Windows\system32\Fgkbeb32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Fnejbmko.exeC:\Windows\system32\Fnejbmko.exe65⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Ffqofohj.exeC:\Windows\system32\Ffqofohj.exe66⤵PID:748
-
C:\Windows\SysWOW64\Fmjgcipg.exeC:\Windows\system32\Fmjgcipg.exe67⤵PID:2684
-
C:\Windows\SysWOW64\Fafcdh32.exeC:\Windows\system32\Fafcdh32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Fbgpkpnn.exeC:\Windows\system32\Fbgpkpnn.exe69⤵PID:2748
-
C:\Windows\SysWOW64\Giahhj32.exeC:\Windows\system32\Giahhj32.exe70⤵
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Gehhmkko.exeC:\Windows\system32\Gehhmkko.exe71⤵PID:2912
-
C:\Windows\SysWOW64\Gblifo32.exeC:\Windows\system32\Gblifo32.exe72⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Ghiaof32.exeC:\Windows\system32\Ghiaof32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1268 -
C:\Windows\SysWOW64\Gnbjlpom.exeC:\Windows\system32\Gnbjlpom.exe74⤵PID:2520
-
C:\Windows\SysWOW64\Gihniioc.exeC:\Windows\system32\Gihniioc.exe75⤵
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2276 -
C:\Windows\SysWOW64\Gbqbaofc.exeC:\Windows\system32\Gbqbaofc.exe77⤵PID:2428
-
C:\Windows\SysWOW64\Geoonjeg.exeC:\Windows\system32\Geoonjeg.exe78⤵PID:2196
-
C:\Windows\SysWOW64\Ghmkjedk.exeC:\Windows\system32\Ghmkjedk.exe79⤵PID:2052
-
C:\Windows\SysWOW64\Gjlgfaco.exeC:\Windows\system32\Gjlgfaco.exe80⤵PID:1244
-
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe81⤵PID:1652
-
C:\Windows\SysWOW64\Hddlof32.exeC:\Windows\system32\Hddlof32.exe82⤵PID:1816
-
C:\Windows\SysWOW64\Hjndlqal.exeC:\Windows\system32\Hjndlqal.exe83⤵PID:1620
-
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe84⤵PID:2968
-
C:\Windows\SysWOW64\Hhbdee32.exeC:\Windows\system32\Hhbdee32.exe85⤵
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Hicqmmfc.exeC:\Windows\system32\Hicqmmfc.exe86⤵PID:2844
-
C:\Windows\SysWOW64\Hpmiig32.exeC:\Windows\system32\Hpmiig32.exe87⤵
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Hfgafadm.exeC:\Windows\system32\Hfgafadm.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1768 -
C:\Windows\SysWOW64\Hmaick32.exeC:\Windows\system32\Hmaick32.exe89⤵
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Hbnbkbja.exeC:\Windows\system32\Hbnbkbja.exe90⤵PID:1900
-
C:\Windows\SysWOW64\Hihjhl32.exeC:\Windows\system32\Hihjhl32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2476 -
C:\Windows\SysWOW64\Hoebpc32.exeC:\Windows\system32\Hoebpc32.exe92⤵PID:2432
-
C:\Windows\SysWOW64\Ihmgiiff.exeC:\Windows\system32\Ihmgiiff.exe93⤵PID:2312
-
C:\Windows\SysWOW64\Ipdojfgh.exeC:\Windows\system32\Ipdojfgh.exe94⤵PID:2264
-
C:\Windows\SysWOW64\Iaelanmg.exeC:\Windows\system32\Iaelanmg.exe95⤵PID:944
-
C:\Windows\SysWOW64\Iimcclni.exeC:\Windows\system32\Iimcclni.exe96⤵PID:2632
-
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe97⤵
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Iahhgnkd.exeC:\Windows\system32\Iahhgnkd.exe98⤵PID:1576
-
C:\Windows\SysWOW64\Ihbqdh32.exeC:\Windows\system32\Ihbqdh32.exe99⤵PID:2568
-
C:\Windows\SysWOW64\Imoilo32.exeC:\Windows\system32\Imoilo32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2120 -
C:\Windows\SysWOW64\Idiaii32.exeC:\Windows\system32\Idiaii32.exe101⤵
- Drops file in System32 directory
PID:2076 -
C:\Windows\SysWOW64\Iamabm32.exeC:\Windows\system32\Iamabm32.exe102⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1284 -
C:\Windows\SysWOW64\Ihfjognl.exeC:\Windows\system32\Ihfjognl.exe103⤵
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Iihfgp32.exeC:\Windows\system32\Iihfgp32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1040 -
C:\Windows\SysWOW64\Idmkdh32.exeC:\Windows\system32\Idmkdh32.exe105⤵PID:2292
-
C:\Windows\SysWOW64\Jglgpdcc.exeC:\Windows\system32\Jglgpdcc.exe106⤵PID:1848
-
C:\Windows\SysWOW64\Jpdkii32.exeC:\Windows\system32\Jpdkii32.exe107⤵
- Modifies registry class
PID:288 -
C:\Windows\SysWOW64\Jcbhee32.exeC:\Windows\system32\Jcbhee32.exe108⤵
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Jjmpbopd.exeC:\Windows\system32\Jjmpbopd.exe109⤵PID:2604
-
C:\Windows\SysWOW64\Jpfhoi32.exeC:\Windows\system32\Jpfhoi32.exe110⤵
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Jfcqgpfi.exeC:\Windows\system32\Jfcqgpfi.exe111⤵PID:2208
-
C:\Windows\SysWOW64\Jpiedieo.exeC:\Windows\system32\Jpiedieo.exe112⤵PID:2364
-
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe113⤵PID:2544
-
C:\Windows\SysWOW64\Jjaimn32.exeC:\Windows\system32\Jjaimn32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1248 -
C:\Windows\SysWOW64\Jcjnfdbp.exeC:\Windows\system32\Jcjnfdbp.exe115⤵PID:2552
-
C:\Windows\SysWOW64\Jlbboiip.exeC:\Windows\system32\Jlbboiip.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1376 -
C:\Windows\SysWOW64\Khiccj32.exeC:\Windows\system32\Khiccj32.exe118⤵
- Drops file in System32 directory
PID:2584 -
C:\Windows\SysWOW64\Kbaglpee.exeC:\Windows\system32\Kbaglpee.exe119⤵PID:2368
-
C:\Windows\SysWOW64\Kgnpeg32.exeC:\Windows\system32\Kgnpeg32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2056 -
C:\Windows\SysWOW64\Knhhaaki.exeC:\Windows\system32\Knhhaaki.exe121⤵PID:536
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-