Analysis
-
max time kernel
74s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
24/12/2024, 03:09
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fee755f202ef49d20a4ced625e26d60954247d09c1fe16136774c62f668ca681.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
fee755f202ef49d20a4ced625e26d60954247d09c1fe16136774c62f668ca681.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
fee755f202ef49d20a4ced625e26d60954247d09c1fe16136774c62f668ca681.exe
-
Size
45KB
-
MD5
5413edc335aee150e192dff77c7d0e7d
-
SHA1
a8edafb183c1500933545793bc4e7f3ca5f8420d
-
SHA256
fee755f202ef49d20a4ced625e26d60954247d09c1fe16136774c62f668ca681
-
SHA512
730741450e1136e72a4d4c4304f3baa5b71bdc80db95c8ec0ae1986cb5c954bdb703c57718a45387a5fa4034096fc21fa0c5f550f8706cff0d1303d43b1f73f2
-
SSDEEP
768:hEPI8jlvZcHt8cMr4TifNx/ep9QKr09ImIbB8ABEKfS8DVC/1H5wi:hOjlRcHt8zbdSmcB8ABEKq8DVIv
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amdmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omhjejai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbmdig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oimpnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofmiea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgbgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgeenb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkancm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmldji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bncboo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhbgkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmhljip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dajlhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opicgenj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hphljkfk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kefmnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocfkaone.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdbgia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiffbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbokkagk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmobin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enijcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eagdgaoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqoqlfkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggekhhle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okecak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjnllbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnffnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kefmnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eccdmmpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkgjge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hafdbmjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpaceg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dajlhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhfbmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdailaib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbhfcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gekncjfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhpeem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkgdbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Medligko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qkcbpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnkmakbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbqekhmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihcakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akmgoehg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiahpkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lneghd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pceqfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbmggp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hocmbjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afjplj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlkekilg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdkfic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhgaan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgclpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljhngfkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kacakgip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liqcei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kppmpmal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flcjjdpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eibgbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aodqok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnlqemal.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 928 Mfkebkjk.exe 1632 Miiaogio.exe 2760 Mlhmkbhb.exe 2736 Nilndfgl.exe 2792 Ninjjf32.exe 2832 Nokcbm32.exe 2688 Nlocka32.exe 2864 Neghdg32.exe 2972 Noplmlok.exe 236 Omjbihpn.exe 2240 Ocfkaone.exe 1992 Oibpdico.exe 560 Peiaij32.exe 1952 Papank32.exe 1628 Pdajpf32.exe 2088 Pgacaaij.exe 1736 Pqjhjf32.exe 588 Qckalamk.exe 1860 Ajgfnk32.exe 1556 Abbjbnoq.exe 2472 Acbglq32.exe 604 Aioodg32.exe 2584 Akphfbbl.exe 944 Abiqcm32.exe 2404 Akbelbpi.exe 1504 Ablmilgf.exe 2384 Bnbnnm32.exe 2940 Bacgohjk.exe 2712 Baecehhh.exe 1028 Bjnhnn32.exe 2892 Bmldji32.exe 2176 Biceoj32.exe 2768 Cejfckie.exe 2628 Cobjmq32.exe 2232 Cbpcbo32.exe 2944 Cligkdlm.exe 1800 Cogdhpkp.exe 308 Chohqebq.exe 2432 Cdfief32.exe 1776 Dfdeab32.exe 2700 Dggbgadf.exe 2420 Dmajdl32.exe 2172 Dpaceg32.exe 2380 Dmecokhm.exe 384 Eoimlc32.exe 2524 Elpjkgip.exe 2440 Edkopifk.exe 2288 Ekgcbcke.exe 860 Edohki32.exe 580 Fnhlcn32.exe 876 Fdaephpc.exe 2248 Fokfqflb.exe 2100 Fbloba32.exe 1608 Fhfgokap.exe 2852 Fbnkha32.exe 2788 Fdmgdl32.exe 2976 Fmdpejgf.exe 2664 Fnelmb32.exe 2968 Gfldno32.exe 2824 Gikpjk32.exe 2020 Gkimff32.exe 1912 Gbcecpck.exe 1944 Gimmpj32.exe 2344 Gkkilfjk.exe -
Loads dropped DLL 64 IoCs
pid Process 2220 fee755f202ef49d20a4ced625e26d60954247d09c1fe16136774c62f668ca681.exe 2220 fee755f202ef49d20a4ced625e26d60954247d09c1fe16136774c62f668ca681.exe 928 Mfkebkjk.exe 928 Mfkebkjk.exe 1632 Miiaogio.exe 1632 Miiaogio.exe 2760 Mlhmkbhb.exe 2760 Mlhmkbhb.exe 2736 Nilndfgl.exe 2736 Nilndfgl.exe 2792 Ninjjf32.exe 2792 Ninjjf32.exe 2832 Nokcbm32.exe 2832 Nokcbm32.exe 2688 Nlocka32.exe 2688 Nlocka32.exe 2864 Neghdg32.exe 2864 Neghdg32.exe 2972 Noplmlok.exe 2972 Noplmlok.exe 236 Omjbihpn.exe 236 Omjbihpn.exe 2240 Ocfkaone.exe 2240 Ocfkaone.exe 1992 Oibpdico.exe 1992 Oibpdico.exe 560 Peiaij32.exe 560 Peiaij32.exe 1952 Papank32.exe 1952 Papank32.exe 1628 Pdajpf32.exe 1628 Pdajpf32.exe 2088 Pgacaaij.exe 2088 Pgacaaij.exe 1736 Pqjhjf32.exe 1736 Pqjhjf32.exe 588 Qckalamk.exe 588 Qckalamk.exe 1860 Ajgfnk32.exe 1860 Ajgfnk32.exe 1556 Abbjbnoq.exe 1556 Abbjbnoq.exe 2472 Acbglq32.exe 2472 Acbglq32.exe 604 Aioodg32.exe 604 Aioodg32.exe 2584 Akphfbbl.exe 2584 Akphfbbl.exe 944 Abiqcm32.exe 944 Abiqcm32.exe 2404 Akbelbpi.exe 2404 Akbelbpi.exe 1504 Ablmilgf.exe 1504 Ablmilgf.exe 2384 Bnbnnm32.exe 2384 Bnbnnm32.exe 2940 Bacgohjk.exe 2940 Bacgohjk.exe 2712 Baecehhh.exe 2712 Baecehhh.exe 1028 Bjnhnn32.exe 1028 Bjnhnn32.exe 2892 Bmldji32.exe 2892 Bmldji32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Djfagjai.exe Dpnmoe32.exe File opened for modification C:\Windows\SysWOW64\Dhmchljg.exe Denglpkc.exe File created C:\Windows\SysWOW64\Fhfbmn32.exe Fgffck32.exe File created C:\Windows\SysWOW64\Pnminkof.exe Oeeeeehe.exe File opened for modification C:\Windows\SysWOW64\Egobfdpi.exe Engnno32.exe File created C:\Windows\SysWOW64\Pomcgf32.dll Flhnqf32.exe File created C:\Windows\SysWOW64\Infnmf32.dll Ffahgn32.exe File opened for modification C:\Windows\SysWOW64\Mbhlgg32.exe Mpipkl32.exe File opened for modification C:\Windows\SysWOW64\Nebgoa32.exe Nljcflbd.exe File created C:\Windows\SysWOW64\Blonkf32.dll Edmnnakm.exe File created C:\Windows\SysWOW64\Ofibcj32.exe Nnnmoh32.exe File opened for modification C:\Windows\SysWOW64\Dcijmhdj.exe Dddmkkpb.exe File created C:\Windows\SysWOW64\Bmigep32.dll Kplhfo32.exe File opened for modification C:\Windows\SysWOW64\Pgkqeo32.exe Pemdic32.exe File opened for modification C:\Windows\SysWOW64\Fimclh32.exe Emfbgg32.exe File created C:\Windows\SysWOW64\Anbicp32.dll Jmhpfl32.exe File opened for modification C:\Windows\SysWOW64\Lafekm32.exe Kikpgk32.exe File created C:\Windows\SysWOW64\Ghifhnnl.dll Qdlialfb.exe File created C:\Windows\SysWOW64\Onqaonnc.exe Ngfhbd32.exe File opened for modification C:\Windows\SysWOW64\Lohkhjcj.exe Likbpceb.exe File created C:\Windows\SysWOW64\Cbbfhncl.dll Lakqoe32.exe File opened for modification C:\Windows\SysWOW64\Bbmggp32.exe Bplofekp.exe File created C:\Windows\SysWOW64\Igomoadd.dll Dhggdcgh.exe File created C:\Windows\SysWOW64\Dabicikf.exe Dekhnh32.exe File created C:\Windows\SysWOW64\Kennjb32.dll Bhfhnofg.exe File created C:\Windows\SysWOW64\Pjkegjeg.dll Ofmiea32.exe File created C:\Windows\SysWOW64\Fjpggb32.exe Fhakkg32.exe File created C:\Windows\SysWOW64\Pedokpcm.exe Plljbkml.exe File created C:\Windows\SysWOW64\Dcecef32.dll Akjjifji.exe File created C:\Windows\SysWOW64\Jmmnpc32.dll Epmahmcm.exe File created C:\Windows\SysWOW64\Feppqc32.exe Fbbcdh32.exe File created C:\Windows\SysWOW64\Bnagimbb.dll Iklbhdga.exe File opened for modification C:\Windows\SysWOW64\Ljeabf32.exe Lkcqfifp.exe File created C:\Windows\SysWOW64\Ijegmepm.dll Mogcelgm.exe File opened for modification C:\Windows\SysWOW64\Omjeba32.exe Ohmljj32.exe File created C:\Windows\SysWOW64\Hdegpplg.dll Bdbfpafn.exe File opened for modification C:\Windows\SysWOW64\Ffokan32.exe Fmffhi32.exe File created C:\Windows\SysWOW64\Plnbai32.dll Jjbgok32.exe File created C:\Windows\SysWOW64\Ncbfcq32.exe Njjbjk32.exe File created C:\Windows\SysWOW64\Cblniaii.exe Blmikkle.exe File created C:\Windows\SysWOW64\Heedbbdb.exe Hphljkfk.exe File opened for modification C:\Windows\SysWOW64\Ibbioilj.exe Iflhjh32.exe File created C:\Windows\SysWOW64\Ocmbmnio.exe Ofibcj32.exe File opened for modification C:\Windows\SysWOW64\Heedbbdb.exe Hphljkfk.exe File opened for modification C:\Windows\SysWOW64\Nifjnd32.exe Nblaajbd.exe File opened for modification C:\Windows\SysWOW64\Adhohapp.exe Abjcleqm.exe File created C:\Windows\SysWOW64\Kebdmn32.dll Ldikbhfh.exe File created C:\Windows\SysWOW64\Djpmocdn.dll Lghgocek.exe File created C:\Windows\SysWOW64\Nkfpmm32.dll Fmffhi32.exe File created C:\Windows\SysWOW64\Adbbfabn.dll Jjbbmmih.exe File created C:\Windows\SysWOW64\Edljdb32.dll Neghdg32.exe File created C:\Windows\SysWOW64\Fnelmb32.exe Fmdpejgf.exe File opened for modification C:\Windows\SysWOW64\Khjkiikl.exe Kpcbhlki.exe File opened for modification C:\Windows\SysWOW64\Qfbahldf.exe Pllmkcdp.exe File created C:\Windows\SysWOW64\Hhjfod32.dll Necqbp32.exe File created C:\Windows\SysWOW64\Kiamql32.exe Jafilj32.exe File created C:\Windows\SysWOW64\Hbaeanda.dll Feppqc32.exe File opened for modification C:\Windows\SysWOW64\Kplhfo32.exe Kjopnh32.exe File opened for modification C:\Windows\SysWOW64\Mpcjfa32.exe Lkfbmj32.exe File opened for modification C:\Windows\SysWOW64\Fbebcp32.exe Fjnkac32.exe File created C:\Windows\SysWOW64\Apfamf32.dll Acbglq32.exe File created C:\Windows\SysWOW64\Bhimgpgk.dll Fdekigip.exe File created C:\Windows\SysWOW64\Qmabnhbo.dll Mgdmeh32.exe File created C:\Windows\SysWOW64\Meojkide.exe Macnjk32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4464 288 WerFault.exe 943 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njlopkmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cldolj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggekhhle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdjmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biceoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhfcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbokoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acbglq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gijncn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqijmkfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccaipaho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napfihmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oojhfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldikbhfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eccdmmpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Necqbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnjehaio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhdgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhenmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpphipbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipecndab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knldaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibpdico.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goodpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdiaqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eamgeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqjhjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcapckod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckdcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kofnbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abiqcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pclolakk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkiooocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjbbmmih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amdmkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foqadnpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnfeep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpcbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpbfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emfbgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koeeoljm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onacgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfldno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjifpdib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poddphee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aioppl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmoone32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioonfaed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joenaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dekhnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldkeoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okecak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eigpmjqg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcllmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiheok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Genkhidc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Biakbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnqcaffa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oakcan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjbihpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbdmljln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifkfap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opicgenj.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpkocpjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kehgkgha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cblniaii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikfffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmndafic.dll" Jdlcnkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogcobo32.dll" Epbamc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lghgocek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeoglnab.dll" Djffihmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfnfjblc.dll" Cidhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpnmoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkafoflh.dll" Gnfoao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idchbb32.dll" Ppiapp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biakbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iflhjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afdjmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbmgapgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imjhfl32.dll" Pkebgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deljfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnhfjaph.dll" Fmknko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijhemglp.dll" Ieiegf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lekjbf32.dll" Gebiefle.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Elbkbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnjlhomc.dll" Knqnmeff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bmahbhei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ablmilgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Midqiaih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maieqidm.dll" Ikembicd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjhdgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnjlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Choejien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmahbhei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofklpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pllmkcdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbbbld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmomag32.dll" Ghagjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbmbeehf.dll" Ijeinphf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apfamf32.dll" Acbglq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccpgdcke.dll" Cbqekhmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omjdmfaj.dll" Fgqcel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bepajh32.dll" Igpcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caldepec.dll" Adcobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blpibghg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idiphpjd.dll" Ngcebnen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Llloeb32.dll" Gdpfbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnbgdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnfdlmpf.dll" Hocmbjhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbebcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gekncjfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnelmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phgfko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ankabh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbokkagk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbbndk32.dll" Bclcfnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkocfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afjplj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncbfcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldljqpli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbdobc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjmphgbf.dll" Miekhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhbaboaj.dll" Jookedhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpaceg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfqkgc32.dll" Kjakhcne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qbhpddbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aednha32.dll" Boainhic.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2220 wrote to memory of 928 2220 fee755f202ef49d20a4ced625e26d60954247d09c1fe16136774c62f668ca681.exe 29 PID 2220 wrote to memory of 928 2220 fee755f202ef49d20a4ced625e26d60954247d09c1fe16136774c62f668ca681.exe 29 PID 2220 wrote to memory of 928 2220 fee755f202ef49d20a4ced625e26d60954247d09c1fe16136774c62f668ca681.exe 29 PID 2220 wrote to memory of 928 2220 fee755f202ef49d20a4ced625e26d60954247d09c1fe16136774c62f668ca681.exe 29 PID 928 wrote to memory of 1632 928 Mfkebkjk.exe 30 PID 928 wrote to memory of 1632 928 Mfkebkjk.exe 30 PID 928 wrote to memory of 1632 928 Mfkebkjk.exe 30 PID 928 wrote to memory of 1632 928 Mfkebkjk.exe 30 PID 1632 wrote to memory of 2760 1632 Miiaogio.exe 31 PID 1632 wrote to memory of 2760 1632 Miiaogio.exe 31 PID 1632 wrote to memory of 2760 1632 Miiaogio.exe 31 PID 1632 wrote to memory of 2760 1632 Miiaogio.exe 31 PID 2760 wrote to memory of 2736 2760 Mlhmkbhb.exe 32 PID 2760 wrote to memory of 2736 2760 Mlhmkbhb.exe 32 PID 2760 wrote to memory of 2736 2760 Mlhmkbhb.exe 32 PID 2760 wrote to memory of 2736 2760 Mlhmkbhb.exe 32 PID 2736 wrote to memory of 2792 2736 Nilndfgl.exe 33 PID 2736 wrote to memory of 2792 2736 Nilndfgl.exe 33 PID 2736 wrote to memory of 2792 2736 Nilndfgl.exe 33 PID 2736 wrote to memory of 2792 2736 Nilndfgl.exe 33 PID 2792 wrote to memory of 2832 2792 Ninjjf32.exe 34 PID 2792 wrote to memory of 2832 2792 Ninjjf32.exe 34 PID 2792 wrote to memory of 2832 2792 Ninjjf32.exe 34 PID 2792 wrote to memory of 2832 2792 Ninjjf32.exe 34 PID 2832 wrote to memory of 2688 2832 Nokcbm32.exe 35 PID 2832 wrote to memory of 2688 2832 Nokcbm32.exe 35 PID 2832 wrote to memory of 2688 2832 Nokcbm32.exe 35 PID 2832 wrote to memory of 2688 2832 Nokcbm32.exe 35 PID 2688 wrote to memory of 2864 2688 Nlocka32.exe 36 PID 2688 wrote to memory of 2864 2688 Nlocka32.exe 36 PID 2688 wrote to memory of 2864 2688 Nlocka32.exe 36 PID 2688 wrote to memory of 2864 2688 Nlocka32.exe 36 PID 2864 wrote to memory of 2972 2864 Neghdg32.exe 37 PID 2864 wrote to memory of 2972 2864 Neghdg32.exe 37 PID 2864 wrote to memory of 2972 2864 Neghdg32.exe 37 PID 2864 wrote to memory of 2972 2864 Neghdg32.exe 37 PID 2972 wrote to memory of 236 2972 Noplmlok.exe 38 PID 2972 wrote to memory of 236 2972 Noplmlok.exe 38 PID 2972 wrote to memory of 236 2972 Noplmlok.exe 38 PID 2972 wrote to memory of 236 2972 Noplmlok.exe 38 PID 236 wrote to memory of 2240 236 Omjbihpn.exe 39 PID 236 wrote to memory of 2240 236 Omjbihpn.exe 39 PID 236 wrote to memory of 2240 236 Omjbihpn.exe 39 PID 236 wrote to memory of 2240 236 Omjbihpn.exe 39 PID 2240 wrote to memory of 1992 2240 Ocfkaone.exe 40 PID 2240 wrote to memory of 1992 2240 Ocfkaone.exe 40 PID 2240 wrote to memory of 1992 2240 Ocfkaone.exe 40 PID 2240 wrote to memory of 1992 2240 Ocfkaone.exe 40 PID 1992 wrote to memory of 560 1992 Oibpdico.exe 41 PID 1992 wrote to memory of 560 1992 Oibpdico.exe 41 PID 1992 wrote to memory of 560 1992 Oibpdico.exe 41 PID 1992 wrote to memory of 560 1992 Oibpdico.exe 41 PID 560 wrote to memory of 1952 560 Peiaij32.exe 42 PID 560 wrote to memory of 1952 560 Peiaij32.exe 42 PID 560 wrote to memory of 1952 560 Peiaij32.exe 42 PID 560 wrote to memory of 1952 560 Peiaij32.exe 42 PID 1952 wrote to memory of 1628 1952 Papank32.exe 43 PID 1952 wrote to memory of 1628 1952 Papank32.exe 43 PID 1952 wrote to memory of 1628 1952 Papank32.exe 43 PID 1952 wrote to memory of 1628 1952 Papank32.exe 43 PID 1628 wrote to memory of 2088 1628 Pdajpf32.exe 44 PID 1628 wrote to memory of 2088 1628 Pdajpf32.exe 44 PID 1628 wrote to memory of 2088 1628 Pdajpf32.exe 44 PID 1628 wrote to memory of 2088 1628 Pdajpf32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\fee755f202ef49d20a4ced625e26d60954247d09c1fe16136774c62f668ca681.exe"C:\Users\Admin\AppData\Local\Temp\fee755f202ef49d20a4ced625e26d60954247d09c1fe16136774c62f668ca681.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Mfkebkjk.exeC:\Windows\system32\Mfkebkjk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Miiaogio.exeC:\Windows\system32\Miiaogio.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Mlhmkbhb.exeC:\Windows\system32\Mlhmkbhb.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Nilndfgl.exeC:\Windows\system32\Nilndfgl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Ninjjf32.exeC:\Windows\system32\Ninjjf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Nokcbm32.exeC:\Windows\system32\Nokcbm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Nlocka32.exeC:\Windows\system32\Nlocka32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Neghdg32.exeC:\Windows\system32\Neghdg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Noplmlok.exeC:\Windows\system32\Noplmlok.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Omjbihpn.exeC:\Windows\system32\Omjbihpn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:236 -
C:\Windows\SysWOW64\Ocfkaone.exeC:\Windows\system32\Ocfkaone.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Oibpdico.exeC:\Windows\system32\Oibpdico.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Peiaij32.exeC:\Windows\system32\Peiaij32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Papank32.exeC:\Windows\system32\Papank32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1952 -
C:\Windows\SysWOW64\Pdajpf32.exeC:\Windows\system32\Pdajpf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Pgacaaij.exeC:\Windows\system32\Pgacaaij.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Pqjhjf32.exeC:\Windows\system32\Pqjhjf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Qckalamk.exeC:\Windows\system32\Qckalamk.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:588 -
C:\Windows\SysWOW64\Ajgfnk32.exeC:\Windows\system32\Ajgfnk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Abbjbnoq.exeC:\Windows\system32\Abbjbnoq.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Acbglq32.exeC:\Windows\system32\Acbglq32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Aioodg32.exeC:\Windows\system32\Aioodg32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:604 -
C:\Windows\SysWOW64\Akphfbbl.exeC:\Windows\system32\Akphfbbl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2584 -
C:\Windows\SysWOW64\Abiqcm32.exeC:\Windows\system32\Abiqcm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:944 -
C:\Windows\SysWOW64\Akbelbpi.exeC:\Windows\system32\Akbelbpi.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Ablmilgf.exeC:\Windows\system32\Ablmilgf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1504 -
C:\Windows\SysWOW64\Bnbnnm32.exeC:\Windows\system32\Bnbnnm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384 -
C:\Windows\SysWOW64\Bacgohjk.exeC:\Windows\system32\Bacgohjk.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2940 -
C:\Windows\SysWOW64\Baecehhh.exeC:\Windows\system32\Baecehhh.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Bjnhnn32.exeC:\Windows\system32\Bjnhnn32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Bmldji32.exeC:\Windows\system32\Bmldji32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Biceoj32.exeC:\Windows\system32\Biceoj32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2176 -
C:\Windows\SysWOW64\Cejfckie.exeC:\Windows\system32\Cejfckie.exe34⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Cobjmq32.exeC:\Windows\system32\Cobjmq32.exe35⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Cbpcbo32.exeC:\Windows\system32\Cbpcbo32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Cligkdlm.exeC:\Windows\system32\Cligkdlm.exe37⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Cogdhpkp.exeC:\Windows\system32\Cogdhpkp.exe38⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Chohqebq.exeC:\Windows\system32\Chohqebq.exe39⤵
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Cdfief32.exeC:\Windows\system32\Cdfief32.exe40⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Dfdeab32.exeC:\Windows\system32\Dfdeab32.exe41⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Dggbgadf.exeC:\Windows\system32\Dggbgadf.exe42⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Dmajdl32.exeC:\Windows\system32\Dmajdl32.exe43⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Dpaceg32.exeC:\Windows\system32\Dpaceg32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Dmecokhm.exeC:\Windows\system32\Dmecokhm.exe45⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Eoimlc32.exeC:\Windows\system32\Eoimlc32.exe46⤵
- Executes dropped EXE
PID:384 -
C:\Windows\SysWOW64\Elpjkgip.exeC:\Windows\system32\Elpjkgip.exe47⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Edkopifk.exeC:\Windows\system32\Edkopifk.exe48⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Ekgcbcke.exeC:\Windows\system32\Ekgcbcke.exe49⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Edohki32.exeC:\Windows\system32\Edohki32.exe50⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Fnhlcn32.exeC:\Windows\system32\Fnhlcn32.exe51⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Fdaephpc.exeC:\Windows\system32\Fdaephpc.exe52⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Fokfqflb.exeC:\Windows\system32\Fokfqflb.exe53⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Fbloba32.exeC:\Windows\system32\Fbloba32.exe54⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Fhfgokap.exeC:\Windows\system32\Fhfgokap.exe55⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Fbnkha32.exeC:\Windows\system32\Fbnkha32.exe56⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Fdmgdl32.exeC:\Windows\system32\Fdmgdl32.exe57⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Fmdpejgf.exeC:\Windows\system32\Fmdpejgf.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Fnelmb32.exeC:\Windows\system32\Fnelmb32.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:2664 -
C:\Windows\SysWOW64\Gfldno32.exeC:\Windows\system32\Gfldno32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2968 -
C:\Windows\SysWOW64\Gikpjk32.exeC:\Windows\system32\Gikpjk32.exe61⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Gkimff32.exeC:\Windows\system32\Gkimff32.exe62⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Gbcecpck.exeC:\Windows\system32\Gbcecpck.exe63⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Gimmpj32.exeC:\Windows\system32\Gimmpj32.exe64⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Gkkilfjk.exeC:\Windows\system32\Gkkilfjk.exe65⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Gnjehaio.exeC:\Windows\system32\Gnjehaio.exe66⤵
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\Gqhadmhc.exeC:\Windows\system32\Gqhadmhc.exe67⤵PID:2084
-
C:\Windows\SysWOW64\Ggbjag32.exeC:\Windows\system32\Ggbjag32.exe68⤵PID:2312
-
C:\Windows\SysWOW64\Gknfaehi.exeC:\Windows\system32\Gknfaehi.exe69⤵PID:2068
-
C:\Windows\SysWOW64\Gmobin32.exeC:\Windows\system32\Gmobin32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1196 -
C:\Windows\SysWOW64\Gefjjk32.exeC:\Windows\system32\Gefjjk32.exe71⤵PID:2444
-
C:\Windows\SysWOW64\Ggdfff32.exeC:\Windows\system32\Ggdfff32.exe72⤵PID:1032
-
C:\Windows\SysWOW64\Gnoocq32.exeC:\Windows\system32\Gnoocq32.exe73⤵PID:2052
-
C:\Windows\SysWOW64\Gggclfkj.exeC:\Windows\system32\Gggclfkj.exe74⤵PID:2356
-
C:\Windows\SysWOW64\Gjephakn.exeC:\Windows\system32\Gjephakn.exe75⤵PID:2888
-
C:\Windows\SysWOW64\Hmdldmja.exeC:\Windows\system32\Hmdldmja.exe76⤵PID:2900
-
C:\Windows\SysWOW64\Hcndag32.exeC:\Windows\system32\Hcndag32.exe77⤵PID:2680
-
C:\Windows\SysWOW64\Hijmin32.exeC:\Windows\system32\Hijmin32.exe78⤵PID:2752
-
C:\Windows\SysWOW64\Hcpqfgol.exeC:\Windows\system32\Hcpqfgol.exe79⤵PID:2060
-
C:\Windows\SysWOW64\Hlkekilg.exeC:\Windows\system32\Hlkekilg.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1320 -
C:\Windows\SysWOW64\Hnjagdlj.exeC:\Windows\system32\Hnjagdlj.exe81⤵PID:1884
-
C:\Windows\SysWOW64\Hiofdmkq.exeC:\Windows\system32\Hiofdmkq.exe82⤵PID:520
-
C:\Windows\SysWOW64\Hefginae.exeC:\Windows\system32\Hefginae.exe83⤵PID:1980
-
C:\Windows\SysWOW64\Hjcoaeol.exeC:\Windows\system32\Hjcoaeol.exe84⤵PID:2452
-
C:\Windows\SysWOW64\Hbjgbbpn.exeC:\Windows\system32\Hbjgbbpn.exe85⤵PID:2516
-
C:\Windows\SysWOW64\Ihgpkinf.exeC:\Windows\system32\Ihgpkinf.exe86⤵PID:2144
-
C:\Windows\SysWOW64\Imchcplm.exeC:\Windows\system32\Imchcplm.exe87⤵PID:2040
-
C:\Windows\SysWOW64\Iflmlfcn.exeC:\Windows\system32\Iflmlfcn.exe88⤵PID:2184
-
C:\Windows\SysWOW64\Iaaaiobc.exeC:\Windows\system32\Iaaaiobc.exe89⤵PID:112
-
C:\Windows\SysWOW64\Imhanp32.exeC:\Windows\system32\Imhanp32.exe90⤵PID:2388
-
C:\Windows\SysWOW64\Idbjkj32.exeC:\Windows\system32\Idbjkj32.exe91⤵PID:556
-
C:\Windows\SysWOW64\Iklbhdga.exeC:\Windows\system32\Iklbhdga.exe92⤵
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Ilmool32.exeC:\Windows\system32\Ilmool32.exe93⤵PID:2920
-
C:\Windows\SysWOW64\Iddfqi32.exeC:\Windows\system32\Iddfqi32.exe94⤵PID:2224
-
C:\Windows\SysWOW64\Ifcbme32.exeC:\Windows\system32\Ifcbme32.exe95⤵PID:648
-
C:\Windows\SysWOW64\Immkiodb.exeC:\Windows\system32\Immkiodb.exe96⤵PID:3004
-
C:\Windows\SysWOW64\Ilpkel32.exeC:\Windows\system32\Ilpkel32.exe97⤵PID:1924
-
C:\Windows\SysWOW64\Jongag32.exeC:\Windows\system32\Jongag32.exe98⤵PID:1116
-
C:\Windows\SysWOW64\Jhfljm32.exeC:\Windows\system32\Jhfljm32.exe99⤵PID:1804
-
C:\Windows\SysWOW64\Jejlca32.exeC:\Windows\system32\Jejlca32.exe100⤵PID:1296
-
C:\Windows\SysWOW64\Jhihpl32.exeC:\Windows\system32\Jhihpl32.exe101⤵PID:2104
-
C:\Windows\SysWOW64\Jdpidm32.exeC:\Windows\system32\Jdpidm32.exe102⤵PID:2292
-
C:\Windows\SysWOW64\Joenaf32.exeC:\Windows\system32\Joenaf32.exe103⤵
- System Location Discovery: System Language Discovery
PID:948 -
C:\Windows\SysWOW64\Jeofnpke.exeC:\Windows\system32\Jeofnpke.exe104⤵PID:3016
-
C:\Windows\SysWOW64\Jgpbfh32.exeC:\Windows\system32\Jgpbfh32.exe105⤵
- System Location Discovery: System Language Discovery
PID:964 -
C:\Windows\SysWOW64\Jgbolhoa.exeC:\Windows\system32\Jgbolhoa.exe106⤵PID:2908
-
C:\Windows\SysWOW64\Kjakhcne.exeC:\Windows\system32\Kjakhcne.exe107⤵
- Modifies registry class
PID:2644 -
C:\Windows\SysWOW64\Kgelahmn.exeC:\Windows\system32\Kgelahmn.exe108⤵PID:2660
-
C:\Windows\SysWOW64\Klbdiokf.exeC:\Windows\system32\Klbdiokf.exe109⤵PID:564
-
C:\Windows\SysWOW64\Kjfdcc32.exeC:\Windows\system32\Kjfdcc32.exe110⤵PID:2684
-
C:\Windows\SysWOW64\Kppmpmal.exeC:\Windows\system32\Kppmpmal.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2732 -
C:\Windows\SysWOW64\Kfmehdpc.exeC:\Windows\system32\Kfmehdpc.exe112⤵PID:1756
-
C:\Windows\SysWOW64\Khkadoog.exeC:\Windows\system32\Khkadoog.exe113⤵PID:1964
-
C:\Windows\SysWOW64\Kbcfme32.exeC:\Windows\system32\Kbcfme32.exe114⤵PID:1764
-
C:\Windows\SysWOW64\Kfobmc32.exeC:\Windows\system32\Kfobmc32.exe115⤵PID:428
-
C:\Windows\SysWOW64\Klijjnen.exeC:\Windows\system32\Klijjnen.exe116⤵PID:1744
-
C:\Windows\SysWOW64\Kccbgh32.exeC:\Windows\system32\Kccbgh32.exe117⤵PID:1512
-
C:\Windows\SysWOW64\Lfaocc32.exeC:\Windows\system32\Lfaocc32.exe118⤵PID:2256
-
C:\Windows\SysWOW64\Llkgpmck.exeC:\Windows\system32\Llkgpmck.exe119⤵PID:924
-
C:\Windows\SysWOW64\Lgehpk32.exeC:\Windows\system32\Lgehpk32.exe120⤵PID:264
-
C:\Windows\SysWOW64\Lolpah32.exeC:\Windows\system32\Lolpah32.exe121⤵PID:2964
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-