Analysis
max time kernel: 100s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 18-02-2025 08:08
Behavioral task: behavioral1
Sample: f9421f0ad674713f6cbeaf2de39c0abaf65c6c3f6ce2a8f24397ebb417aa9a0e.exe
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: f9421f0ad674713f6cbeaf2de39c0abaf65c6c3f6ce2a8f24397ebb417aa9a0e.exe
Resource: win10v2004-20250217-en
General
Target: f9421f0ad674713f6cbeaf2de39c0abaf65c6c3f6ce2a8f24397ebb417aa9a0e.exe
Size: 422KB
MD5: fbfcdfe950554c44e71a8e50e130fc35
SHA1: 8deec8d8a34b529c7b02a29a53fd50a0c07600ee
SHA256: f9421f0ad674713f6cbeaf2de39c0abaf65c6c3f6ce2a8f24397ebb417aa9a0e
SHA512: 00460df009709c825a911d135587c8971d868b767ddacf949fe4f002ba339a3ec04a5a3454359a6df8079b76fd68c4eb170d4e43046e662c64d75cb260e7c395
SSDEEP: 6144:W5yGktpXUf83babO6FSPnvZU1AF+6FSPnvZhDYsKKo6FSPnvZU1AF+6FSPnvZq:W5PaNUEGaXgA4XfczXgA4XA
Malware Config
Extracted: berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Afdjmo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gbdobc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mihkoa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kqncnjan.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fmidimen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pogede32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ldgpea32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nndjhi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgqigohb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pfiafk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ijofbnlm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nlojcg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qimifn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bcnmdend.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kgqcam32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjbnmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjiiim32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kmedck32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aieihpgi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Oeqmek32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fpamnb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hfnjlj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Glhjpjok.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlqniihl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eakmdm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jbfalecf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kogehdqp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Epgabhdg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jgdmkhnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lneghd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ieeajmpo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dmqgmcba.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Aocdec32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mlndfa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bmmkao32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bnjipn32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hdjedk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lgnnicpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nifmqm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ohdmhhod.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gjjoob32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oheoaa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gadlio32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nkfaqkcq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bfjjbi32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mpiphmfg.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Igdpoa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhkeml32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dclikp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Gdchifik.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlfahgpf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kllodh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Qcdgei32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ecfednma.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nbnajcig.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Peclcc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dbgmglin.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nbfllc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cjkiaffj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Babdhlmh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jpmoki32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ocbnqfln.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lgnnicpe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jlcmhann.exe
Berbew family
Executes dropped EXE (64 IoCs)
pid | Process
1508 | Ocglmcdp.exe
2936 | Plbaafak.exe
2796 | Pnbjca32.exe
2704 | Aamekk32.exe
2668 | Aihjpman.exe
2272 | Aflkiapg.exe
2944 | Abehcbci.exe
2620 | Bdiaqj32.exe
2956 | Bhiglh32.exe
3032 | Bnhljnhm.exe
540 | Bnjipn32.exe
896 | Cjcfjoil.exe
1372 | Cbokoa32.exe
2112 | Cfmceomm.exe
1684 | Dklibf32.exe
1280 | Dknehe32.exe
2560 | Dqmkflcd.exe
2044 | Dqpgll32.exe
3064 | Djhldahb.exe
1688 | Epgabhdg.exe
1740 | Elnagijk.exe
1300 | Eheblj32.exe
2316 | Ehgoaiml.exe
1468 | Iolohhpc.exe
2408 | Kgqcam32.exe
2228 | Kbajci32.exe
2808 | Ldgpea32.exe
2464 | Legmpdga.exe
2876 | Liibigjq.exe
2716 | Mkhocj32.exe
2644 | Mmigdend.exe
2824 | Mlndfa32.exe
2136 | Mlqakaqi.exe
2032 | Nndjhi32.exe
1196 | Nkhkbmco.exe
2692 | Ndeifbfj.exe
2232 | Nlpmjdce.exe
2400 | Oqnfqcjk.exe
2224 | Okhgaqfj.exe
2412 | Okjdfq32.exe
1796 | Ogadkajl.exe
1520 | Pjbnmm32.exe
968 | Pkajgonp.exe
2984 | Pclolakk.exe
612 | Pmecdgbk.exe
2392 | Pfmgmm32.exe
2964 | Pjkpckob.exe
1876 | Qeeadi32.exe
2320 | Qbiamm32.exe
332 | Qpmbgaid.exe
2536 | Aanonj32.exe
2768 | Abmkhmfe.exe
2960 | Adohpe32.exe
2156 | Aendjh32.exe
1628 | Apheke32.exe
2452 | Ajmihn32.exe
1048 | Afdjmo32.exe
924 | Bffgbo32.exe
2424 | Blcokf32.exe
1872 | Bpahad32.exe
1820 | Babdhlmh.exe
2152 | Bhlmef32.exe
2040 | Baeanl32.exe
1800 | Bljeke32.exe
Loads dropped DLL (64 IoCs; each pid/Process pair below is listed twice in the original table)
pid | Process
1996 | f9421f0ad674713f6cbeaf2de39c0abaf65c6c3f6ce2a8f24397ebb417aa9a0e.exe
1508 | Ocglmcdp.exe
2936 | Plbaafak.exe
2796 | Pnbjca32.exe
2704 | Aamekk32.exe
2668 | Aihjpman.exe
2272 | Aflkiapg.exe
2944 | Abehcbci.exe
2620 | Bdiaqj32.exe
2956 | Bhiglh32.exe
3032 | Bnhljnhm.exe
540 | Bnjipn32.exe
896 | Cjcfjoil.exe
1372 | Cbokoa32.exe
2112 | Cfmceomm.exe
1684 | Dklibf32.exe
1280 | Dknehe32.exe
2560 | Dqmkflcd.exe
2044 | Dqpgll32.exe
3064 | Djhldahb.exe
1688 | Epgabhdg.exe
1740 | Elnagijk.exe
1300 | Eheblj32.exe
2316 | Ehgoaiml.exe
1468 | Iolohhpc.exe
2408 | Kgqcam32.exe
2228 | Kbajci32.exe
2808 | Ldgpea32.exe
2464 | Legmpdga.exe
2876 | Liibigjq.exe
2716 | Mkhocj32.exe
2644 | Mmigdend.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Fpgpjdnf.exe | Fglkeaqk.exe
File created | C:\Windows\SysWOW64\Igpkhjlc.dll | Ippkni32.exe
File opened for modification | C:\Windows\SysWOW64\Bgmjla32.exe | Bfdhdj32.exe
File created | C:\Windows\SysWOW64\Jmbhhl32.exe | Jpnhoh32.exe
File created | C:\Windows\SysWOW64\Ibgcqpkl.dll | Hhhmmfgf.exe
File created | C:\Windows\SysWOW64\Ehgoaiml.exe | Eheblj32.exe
File created | C:\Windows\SysWOW64\Ffccjk32.dll | Kgqcam32.exe
File created | C:\Windows\SysWOW64\Bicffk32.dll | Fagcnmie.exe
File opened for modification | C:\Windows\SysWOW64\Kbhckm32.exe | Khonbhch.exe
File opened for modification | C:\Windows\SysWOW64\Anbcio32.exe | Afgoem32.exe
File opened for modification | C:\Windows\SysWOW64\Mfmpifdf.exe | Mkgllndq.exe
File created | C:\Windows\SysWOW64\Dklibf32.exe | Cfmceomm.exe
File opened for modification | C:\Windows\SysWOW64\Pjbnmm32.exe | Ogadkajl.exe
File created | C:\Windows\SysWOW64\Hfilfc32.dll | Oikpbklj.exe
File opened for modification | C:\Windows\SysWOW64\Damjhhne.exe | Diaecf32.exe
File opened for modification | C:\Windows\SysWOW64\Jkbhjo32.exe | Jdfche32.exe
File opened for modification | C:\Windows\SysWOW64\Ikeldenf.exe | Ionlpdha.exe
File created | C:\Windows\SysWOW64\Meepac32.dll | Holcka32.exe
File created | C:\Windows\SysWOW64\Jijnlnha.dll | Mildlmma.exe
File created | C:\Windows\SysWOW64\Cionkp32.dll | Pggcdf32.exe
File created | C:\Windows\SysWOW64\Pmecdgbk.exe | Pclolakk.exe
File created | C:\Windows\SysWOW64\Hdcgdo32.dll | Lhicao32.exe
File created | C:\Windows\SysWOW64\Kcliqaid.dll | Fnhnnc32.exe
File created | C:\Windows\SysWOW64\Jflhlf32.dll | Damjhhne.exe
File created | C:\Windows\SysWOW64\Bgpjnkoe.dll | Iemank32.exe
File created | C:\Windows\SysWOW64\Jmjidneo.exe | Jpfikjfe.exe
File created | C:\Windows\SysWOW64\Kmfpjb32.exe | Jmdcecpp.exe
File opened for modification | C:\Windows\SysWOW64\Mdnfhldh.exe | Mkeapgng.exe
File created | C:\Windows\SysWOW64\Lmqbqb32.dll | Nbacqdem.exe
File created | C:\Windows\SysWOW64\Gnaffpoi.exe | Feiamj32.exe
File opened for modification | C:\Windows\SysWOW64\Onejljep.exe | Oihacbfh.exe
File opened for modification | C:\Windows\SysWOW64\Leeegj32.exe | Leciaj32.exe
File opened for modification | C:\Windows\SysWOW64\Fcfmacce.exe | Fmidimen.exe
File created | C:\Windows\SysWOW64\Qmohco32.exe | Qmlknocg.exe
File created | C:\Windows\SysWOW64\Bekobn32.exe | Bggohi32.exe
File created | C:\Windows\SysWOW64\Gelonn32.exe | Gdlbdken.exe
File created | C:\Windows\SysWOW64\Emjglkmo.dll | Jlofejig.exe
File opened for modification | C:\Windows\SysWOW64\Dgdoemdi.exe | Dmnkgddc.exe
File created | C:\Windows\SysWOW64\Lbffga32.exe | Lbdiabcg.exe
File created | C:\Windows\SysWOW64\Bpfaqm32.dll | Gaghcjhd.exe
File opened for modification | C:\Windows\SysWOW64\Kkcfbkfj.exe | Klniao32.exe
File created | C:\Windows\SysWOW64\Fdiijm32.dll | Mkgllndq.exe
File created | C:\Windows\SysWOW64\Ibncikac.dll | Qnkgnj32.exe
File created | C:\Windows\SysWOW64\Fdoknb32.dll | Ekndpa32.exe
File created | C:\Windows\SysWOW64\Bicogkal.dll | Pjbnmm32.exe
File opened for modification | C:\Windows\SysWOW64\Jboapc32.exe | Jmbhhl32.exe
File created | C:\Windows\SysWOW64\Hpdngh32.dll | Klnljghg.exe
File opened for modification | C:\Windows\SysWOW64\Ndeifbfj.exe | Nkhkbmco.exe
File opened for modification | C:\Windows\SysWOW64\Oqnfqcjk.exe | Nlpmjdce.exe
File opened for modification | C:\Windows\SysWOW64\Ebkpma32.exe | Eqjceidf.exe
File created | C:\Windows\SysWOW64\Phkohkkh.exe | Paagkq32.exe
File opened for modification | C:\Windows\SysWOW64\Olnnlpqd.exe | Nllafq32.exe
File created | C:\Windows\SysWOW64\Kbajci32.exe | Kgqcam32.exe
File created | C:\Windows\SysWOW64\Mafoal32.exe | Mgnjhfbq.exe
File created | C:\Windows\SysWOW64\Dgpafinh.dll | Ppjidkcm.exe
File created | C:\Windows\SysWOW64\Dbbmaf32.exe | Dbpplglj.exe
File created | C:\Windows\SysWOW64\Dmlnbd32.exe | Dgoejm32.exe
File created | C:\Windows\SysWOW64\Cjhhhnop.dll | Hegdkkje.exe
File created | C:\Windows\SysWOW64\Oqkbbi32.exe | Ogbnjd32.exe
File created | C:\Windows\SysWOW64\Pggcdf32.exe | Pjccjblp.exe
File created | C:\Windows\SysWOW64\Mjoekh32.dll | Liaenblm.exe
File opened for modification | C:\Windows\SysWOW64\Mhmhpm32.exe | Macpcccp.exe
File opened for modification | C:\Windows\SysWOW64\Kjbnlqld.exe | Kjpafanf.exe
File created | C:\Windows\SysWOW64\Nbhjnbgh.dll | Fpjmkhbo.exe
Program crash (1 IoC)
pid | pid_target | Process | procid_target
1548 | 2696 | WerFault.exe | 795
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdpadg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eenige32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dlkggn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nkhkbmco.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fglkeaqk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qmlknocg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Angmdoho.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Edpnfjap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pogede32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kjbnlqld.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdhdcnng.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gckknqkg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aogqihcm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pbkbff32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ecnbpcje.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nojljcjf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iiaddb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nbacqdem.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bljeke32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klmghfio.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Okoqdi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fmmjbk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fiiafg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mogqlgbi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Iccqedfa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pnedpl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nllafq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cgfdmf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fcfmacce.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Goojldgf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obllai32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hddgkj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dclikp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hkoikcaq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pdegnn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjapfamf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hckddoio.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fljcnl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghemnm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Floccbai.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Inbbfk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pkajgonp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lehfcc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gpledf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Phkohkkh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gcnjmi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oihacbfh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Elmjoo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jjqlbdog.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Blfnin32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohdmhhod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bgbemjqh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kbajci32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pjbnmm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lqiohh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nfogeamk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oeaoncjj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Klnljghg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ppjidkcm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pfmgmm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hbcdfq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Oehmamnn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jdkolm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gegecopf.exe
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlomnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhhkkbe.dll" Egbcne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihkkanlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhhbffkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodgeg32.dll" Ocbnqfln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeojob32.dll" Kbkgfgam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjillfhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqoamf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qeengo32.dll" Mpkjjofe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnnpdaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Achclf32.dll" Pogede32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iolohhpc.exe 
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cabnokkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kaigmoiq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adohpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebbdehmm.dll" Pdhflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmobll32.dll" Hedqke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqeqhlii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jajlck32.dll" Fbchfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djpnkhep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inbbfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kecpipck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmpjel32.dll" Mclghl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpgdealm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jboapc32.exe Key 
created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngonpgqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfmpifdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgdhakpb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmidimen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bedeee32.dll" Cjpble32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfbejg32.dll" Fokcjnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Glmckikf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hembfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hodpfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oelcjkgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Negffbdi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Alpokdmi.dll" Epkgkfmd.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebkpma32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdchifik.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khdhmg32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ainhln32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpahad32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coidpiac.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhbdce32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leciaj32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eafmng32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnnejo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnglkgkb.dll" Bddfhjma.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfncngco.dll" Ejmgjf32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obpncg32.dll" Bnjipn32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bddfhjma.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdilbl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Leciaj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Djhldahb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqdigd32.dll" Mlqakaqi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdfche32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aogqihcm.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igdpoa32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daghjj32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgllof32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ligldf32.dll" Jbfalecf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fohafo32.dll" Dmqgmcba.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afniif32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldhcjn32.exe
-
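The records above describe one persistence mechanism. The sample registers CLSID {79FEACFF-FFCE-815E-A900-316290B5B738} under ShellServiceObjectDelayLoad with the value name "Web Event Logger", so Explorer.exe instantiates it at startup, and sets that CLSID's InProcServer32 default value to a dropped DLL in C:\Windows\SysWow64 (Nnglkgkb.dll, Gfncngco.dll, Obpncg32.dll, Dqdigd32.dll, Ligldf32.dll, Fohafo32.dll, each written by a different stage), with ThreadingModel "Apartment". The keys sit under Wow6432Node because the sample is a 32-bit process on an x64 guest; a 64-bit Explorer reads the native view, so a hunt must check both. The Python below is an added example, not part of the report: it parses a constructed subset of the records above and produces the CLSID, the DLL paths and the registry keys to inspect in both views.

```python
"""Summarise the Explorer-loaded COM persistence described by the registry
records in this report (added example; RECORDS is a constructed subset copied
from the page, not a live registry read)."""
import re

RECORD_RE = re.compile(
    r'^(Set value \(str\)|Key created) (\\REGISTRY\\.+?)(?: = "(.*)")? (\S+\.exe)$'
)
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Constructed sample: "description ioc Process" records as the report prints them.
RECORDS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afdjmo32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebkpma32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khdhmg32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnglkgkb.dll" Bddfhjma.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfncngco.dll" Ejmgjf32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obpncg32.dll" Bnjipn32.exe',
]


def parse_record(line):
    """Split one report record into description, key, value name, data and writer."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised record: {line!r}")
    description, target, data, process = m.groups()
    if description == "Key created":
        key, value_name = target, None
    else:
        # "...\InProcServer32\" (trailing backslash) is the key's default value.
        key, _, value_name = target.rpartition("\\")
    if data is not None:
        data = data.replace("\\\\", "\\")  # the report doubles backslashes inside string data
    return {"description": description, "key": key, "value_name": value_name,
            "data": data, "process": process}


def summarize(lines):
    """Collect the CLSID, the SSODL hook, the InProcServer32 DLL paths and the writers."""
    out = {"clsids": set(), "ssodl": [], "inproc_dlls": [], "threading": [],
           "keys_created": [], "writers": set()}
    for line in lines:
        r = parse_record(line)
        out["writers"].add(r["process"])
        out["clsids"].update(c.upper() for c in CLSID_RE.findall(r["key"] + " " + (r["data"] or "")))
        if r["description"] == "Key created":
            out["keys_created"].append((r["key"], r["process"]))
        elif r["key"].endswith("\\ShellServiceObjectDelayLoad"):
            out["ssodl"].append((r["value_name"], r["data"], r["process"]))
        elif r["key"].endswith("\\InProcServer32") and r["value_name"] == "":
            out["inproc_dlls"].append((r["data"], r["process"]))
        elif r["value_name"] == "ThreadingModel":
            out["threading"].append((r["data"], r["process"]))
    return out


def registry_views(nt_key):
    """Map an NT-style HKLM key to the two views a hunt must check on x64: the
    Wow6432Node view the 32-bit sample wrote, and the native view a 64-bit
    Explorer reads."""
    hklm = nt_key.replace("\\REGISTRY\\MACHINE\\", "HKLM\\", 1)
    return {"wow6432": hklm, "native": hklm.replace("\\Wow6432Node", "")}


def hunt_keys(summary):
    """Every registry key to inspect, in both views, for each CLSID seen."""
    keys = []
    for clsid in sorted(summary["clsids"]):
        for k in (r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
                  r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\%s\InProcServer32" % clsid):
            keys.extend(registry_views(k).values())
    return keys


if __name__ == "__main__":
    s = summarize(RECORDS)
    print("CLSID(s):", ", ".join(sorted(s["clsids"])))
    for name, clsid, proc in s["ssodl"]:
        print(f"SSODL hook: {name!r} -> {clsid} (written by {proc})")
    for dll, proc in s["inproc_dlls"]:
        print(f"InProcServer32 -> {dll} (written by {proc})")
    print("Keys to check:")
    for k in hunt_keys(s):
        print("  ", k)
```

On a live host the same four keys can be read with reg.exe or Get-ItemProperty from a 64-bit shell; the DLL paths under C:\Windows\SysWow64 are the file IoCs to collect alongside them.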
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1996 wrote to memory of 1508 1996 f9421f0ad674713f6cbeaf2de39c0abaf65c6c3f6ce2a8f24397ebb417aa9a0e.exe 29 (listed 4 times)
PID 1508 wrote to memory of 2936 1508 Ocglmcdp.exe 30 (listed 4 times)
PID 2936 wrote to memory of 2796 2936 Plbaafak.exe 31 (listed 4 times)
PID 2796 wrote to memory of 2704 2796 Pnbjca32.exe 32 (listed 4 times)
PID 2704 wrote to memory of 2668 2704 Aamekk32.exe 33 (listed 4 times)
PID 2668 wrote to memory of 2272 2668 Aihjpman.exe 34 (listed 4 times)
PID 2272 wrote to memory of 2944 2272 Aflkiapg.exe 35 (listed 4 times)
PID 2944 wrote to memory of 2620 2944 Abehcbci.exe 36 (listed 4 times)
PID 2620 wrote to memory of 2956 2620 Bdiaqj32.exe 37 (listed 4 times)
PID 2956 wrote to memory of 3032 2956 Bhiglh32.exe 38 (listed 4 times)
PID 3032 wrote to memory of 540 3032 Bnhljnhm.exe 39 (listed 4 times)
PID 540 wrote to memory of 896 540 Bnjipn32.exe 40 (listed 4 times)
PID 896 wrote to memory of 1372 896 Cjcfjoil.exe 41 (listed 4 times)
PID 1372 wrote to memory of 2112 1372 Cbokoa32.exe 42 (listed 4 times)
PID 2112 wrote to memory of 1684 2112 Cfmceomm.exe 43 (listed 4 times)
PID 1684 wrote to memory of 1280 1684 Dklibf32.exe 44 (listed 4 times)
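Every parent/child pair in this list appears four times, and each writer targets only the process it spawned, which is the pattern process creation leaves rather than injection into an unrelated process. The Python below is an added example, not part of the report: it collapses a constructed prefix of these records into edges, rebuilds the chain from the root PID 1996, and flags any target with several writers or any writer with several targets. The trailing procid_target number is carried through as an opaque index from the report. Only writers are named in the records, so the last target in the chain has no name here; the process tree in the next section supplies it.

```python
"""Rebuild the process lineage from the report's WriteProcessMemory records
(added example; SAMPLE is a constructed prefix of the 64 IoCs on the page)."""
import re
from collections import Counter, defaultdict

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")

DROPPER = "f9421f0ad674713f6cbeaf2de39c0abaf65c6c3f6ce2a8f24397ebb417aa9a0e.exe"

# Constructed sample: the first four parent/child pairs, four records each, as listed.
SAMPLE = [
    f"PID 1996 wrote to memory of 1508 1996 {DROPPER} 29",
    f"PID 1996 wrote to memory of 1508 1996 {DROPPER} 29",
    f"PID 1996 wrote to memory of 1508 1996 {DROPPER} 29",
    f"PID 1996 wrote to memory of 1508 1996 {DROPPER} 29",
    "PID 1508 wrote to memory of 2936 1508 Ocglmcdp.exe 30",
    "PID 1508 wrote to memory of 2936 1508 Ocglmcdp.exe 30",
    "PID 1508 wrote to memory of 2936 1508 Ocglmcdp.exe 30",
    "PID 1508 wrote to memory of 2936 1508 Ocglmcdp.exe 30",
    "PID 2936 wrote to memory of 2796 2936 Plbaafak.exe 31",
    "PID 2936 wrote to memory of 2796 2936 Plbaafak.exe 31",
    "PID 2936 wrote to memory of 2796 2936 Plbaafak.exe 31",
    "PID 2936 wrote to memory of 2796 2936 Plbaafak.exe 31",
    "PID 2796 wrote to memory of 2704 2796 Pnbjca32.exe 32",
    "PID 2796 wrote to memory of 2704 2796 Pnbjca32.exe 32",
    "PID 2796 wrote to memory of 2704 2796 Pnbjca32.exe 32",
    "PID 2796 wrote to memory of 2704 2796 Pnbjca32.exe 32",
]


def parse_events(lines):
    """One event per record; reject records whose description and pid column disagree."""
    events = []
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue  # not a WriteProcessMemory record
        src, dst, pid, name, target_idx = m.groups()
        if src != pid:
            raise ValueError(f"description/pid mismatch in record: {line!r}")
        events.append({"src": int(src), "dst": int(dst), "src_name": name,
                       "target_idx": int(target_idx)})
    return events


def lineage(events):
    """Collapse repeated writes into (writer, target) edges and walk the chain from the root.

    Returns the chain as (pid, image name) pairs, the write count per edge, the root PIDs,
    and anything that is not a straight chain (a target with several writers or a writer
    with several targets), which is what cross-process injection would look like here."""
    writes = Counter((e["src"], e["dst"]) for e in events)
    names = {e["src"]: e["src_name"] for e in events}  # only writers are named in the records
    parent, children, anomalies = {}, defaultdict(list), []
    for src, dst in writes:
        if dst in parent and parent[dst] != src:
            anomalies.append(f"PID {dst} written by both {parent[dst]} and {src}")
        parent.setdefault(dst, src)
        children[src].append(dst)
    for src, dsts in children.items():
        if len(dsts) > 1:
            anomalies.append(f"PID {src} wrote into several processes: {sorted(dsts)}")
    roots = [p for p in names if p not in parent]  # writers nobody wrote into
    chain = []
    if len(roots) == 1:
        pid = roots[0]
        while pid is not None:
            chain.append((pid, names.get(pid)))  # None: target never seen writing, so unnamed
            kids = children.get(pid, [])
            pid = kids[0] if len(kids) == 1 else None  # stop where the chain forks
    return {"chain": chain, "writes": dict(writes), "roots": roots, "anomalies": anomalies}


if __name__ == "__main__":
    result = lineage(parse_events(SAMPLE))
    print(" -> ".join(f"{pid} ({name or '?'})" for pid, name in result["chain"]))
    for edge, n in result["writes"].items():
        print(f"{edge[0]} wrote into {edge[1]} {n} times")
    print("anomalies:", result["anomalies"] or "none")
```

The anomaly list is the useful part on a real incident: a fifth distinct target for one writer, or a second writer for one target, is the signal that separates this creation chain from injection into an existing process.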
Processes
-
Each process spawns the one on the next level. Level 1 is the submitted sample, run as "C:\Users\Admin\AppData\Local\Temp\f9421f0ad674713f6cbeaf2de39c0abaf65c6c3f6ce2a8f24397ebb417aa9a0e.exe"; every later level is the image C:\Windows\SysWOW64\<process> started with the command line C:\Windows\system32\<process>.

level  PID   process       signatures
1      1996  f9421f0ad674713f6cbeaf2de39c0abaf65c6c3f6ce2a8f24397ebb417aa9a0e.exe  Loads dropped DLL; Suspicious use of WriteProcessMemory
2      1508  Ocglmcdp.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3      2936  Plbaafak.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4      2796  Pnbjca32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5      2704  Aamekk32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6      2668  Aihjpman.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7      2272  Aflkiapg.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8      2944  Abehcbci.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9      2620  Bdiaqj32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10     2956  Bhiglh32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11     3032  Bnhljnhm.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12     540   Bnjipn32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
13     896   Cjcfjoil.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14     1372  Cbokoa32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15     2112  Cfmceomm.exe  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
16     1684  Dklibf32.exe  Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17     1280  Dknehe32.exe  Executes dropped EXE; Loads dropped DLL
18     2560  Dqmkflcd.exe  Executes dropped EXE; Loads dropped DLL
19     2044  Dqpgll32.exe  Executes dropped EXE; Loads dropped DLL
20     3064  Djhldahb.exe  Executes dropped EXE; Loads dropped DLL; Modifies registry class
21     1688  Epgabhdg.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
22     1740  Elnagijk.exe  Executes dropped EXE; Loads dropped DLL
23     1300  Eheblj32.exe  Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
24     2316  Ehgoaiml.exe  Executes dropped EXE; Loads dropped DLL
25     1468  Iolohhpc.exe  Executes dropped EXE; Loads dropped DLL; Modifies registry class
26     2408  Kgqcam32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory
27     2228  Kbajci32.exe  Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
28     2808  Ldgpea32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
29     2464  Legmpdga.exe  Executes dropped EXE; Loads dropped DLL
30     2876  Liibigjq.exe  Executes dropped EXE; Loads dropped DLL
31     2716  Mkhocj32.exe  Executes dropped EXE; Loads dropped DLL
32     2644  Mmigdend.exe  Executes dropped EXE; Loads dropped DLL
33     2824  Mlndfa32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
34     2136  Mlqakaqi.exe  Executes dropped EXE; Modifies registry class
35     2032  Nndjhi32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
36     1196  Nkhkbmco.exe  Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
37     2692  Ndeifbfj.exe  Executes dropped EXE
38     2232  Nlpmjdce.exe  Executes dropped EXE; Drops file in System32 directory
39     2400  Oqnfqcjk.exe  Executes dropped EXE
40     2224  Okhgaqfj.exe  Executes dropped EXE
41     2412  Okjdfq32.exe  Executes dropped EXE
42     1796  Ogadkajl.exe  Executes dropped EXE; Drops file in System32 directory
43     1520  Pjbnmm32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Drops file in System32 directory; System Location Discovery: System Language Discovery
44     968   Pkajgonp.exe  Executes dropped EXE; System Location Discovery: System Language Discovery
45     2984  Pclolakk.exe  Executes dropped EXE; Drops file in System32 directory
46     612   Pmecdgbk.exe  Executes dropped EXE
47     2392  Pfmgmm32.exe  Executes dropped EXE; System Location Discovery: System Language Discovery
48     2964  Pjkpckob.exe  Executes dropped EXE
49     1876  Qeeadi32.exe  Executes dropped EXE
50     2320  Qbiamm32.exe  Executes dropped EXE
51     332   Qpmbgaid.exe  Executes dropped EXE
52     2536  Aanonj32.exe  Executes dropped EXE
53     2768  Abmkhmfe.exe  Executes dropped EXE
54     2960  Adohpe32.exe  Executes dropped EXE; Modifies registry class
55     2156  Aendjh32.exe  Executes dropped EXE
56     1628  Apheke32.exe  Executes dropped EXE
57     2452  Ajmihn32.exe  Executes dropped EXE
58     1048  Afdjmo32.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
59     924   Bffgbo32.exe  Executes dropped EXE
60     2424  Blcokf32.exe  Executes dropped EXE
61     1872  Bpahad32.exe  Executes dropped EXE; Modifies registry class
62     1820  Babdhlmh.exe  Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
63     2152  Bhlmef32.exe  Executes dropped EXE
64     2040  Baeanl32.exe  Executes dropped EXE
65     1800  Bljeke32.exe  Executes dropped EXE; System Location Discovery: System Language Discovery
66     860   Bagncl32.exe
67     2008  Chafpfqp.exe
68     2564  Cnnohmog.exe
69     2636  Ckboba32.exe
70     1568  Cdjckfda.exe
71     868   Clehoiam.exe
72     2488  Cjiiim32.exe  Adds autorun key to be loaded by Explorer.exe on startup
73     2804  Dkdhfdnj.exe
74     2688  Dbpmin32.exe
75     2664  Enijcn32.exe
76     2036  Epkgkfmd.exe  Modifies registry class
77     1576  Eqjceidf.exe  Drops file in System32 directory
78     1976  Ebkpma32.exe  Modifies registry class
79     1668  Epopff32.exe
80     2064  Eelinm32.exe
81     2504  Fbpihafp.exe
82     948   Fgmaphdg.exe
83     328   Filnjk32.exe
84     1780  Fagcnmie.exe  Drops file in System32 directory
85     1724  Fjpggb32.exe
86     920   Fajpdmgb.exe
87     2020  Ffghlcei.exe
88     2748  Fallil32.exe
89     2900  Gigano32.exe
90     2104  Gpaikiig.exe
91     2884  Gjgmhaim.exe
92     3048  Glhjpjok.exe  Adds autorun key to be loaded by Explorer.exe on startup
93     2296  Gmhfjm32.exe
94     1732  Gbdobc32.exe  Adds autorun key to be loaded by Explorer.exe on startup
95     2212  Glmckikf.exe  Modifies registry class
96     2444  Gkbplepn.exe
97     1812  Hdjedk32.exe  Adds autorun key to be loaded by Explorer.exe on startup
98     916   Hanenoeh.exe
99     1756  Hhhmki32.exe
100    2068  Haqbcoce.exe
101    2012  Hngbhp32.exe
102    2252  Hkkcbdhc.exe
103    2312  Hddgkj32.exe  System Location Discovery: System Language Discovery
104    2792  Ipkhpk32.exe
105    2816  Ihfmdm32.exe
106    692   Ihhjjm32.exe
107    2856  Ifljcanj.exe
108    2512  Ingogcke.exe
109    1640  Ikkoagjo.exe
110    1076  Ibehna32.exe
111    1328  Jjqlbdog.exe  System Location Discovery: System Language Discovery
112    2384  Jqjdon32.exe
113    1484  Jgdmkhnp.exe  Adds autorun key to be loaded by Explorer.exe on startup
114    1064  Jqmadn32.exe
115    2616  Jobnej32.exe
116    940   Jmfoon32.exe
117    1704  Jmhkdnfp.exe
118    952   Kecpipck.exe  Modifies registry class
119    2060  Kfcmcckn.exe
120    2440  Kpkali32.exe
121    1204  Kkbbqjgb.exe
122    2468  Kejfio32.exe
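Two things in the tree are worth pinning down before writing a detection. First, every dropped stage is recorded as C:\Windows\SysWOW64\<name>.exe although its command line says C:\Windows\system32\<name>.exe: the binaries are 32-bit, so the file system redirector sends their system32 path to SysWOW64 on the x64 guest. Second, the signature flags thin out further down the chain not because behaviour changes but because each signature in this report lists at most 64 IoCs: "Executes dropped EXE" stops at level 65, the 64th dropped executable, and "Suspicious use of WriteProcessMemory" stops at level 16 (16 parents with 4 records each). A host-side heuristic therefore should not rely on those flags alone. The Python below is an added example, not part of the report: it scores constructed rows from this tree plus two constructed benign controls (a System32 svchost.exe and a SysWOW64 notepad.exe, PIDs invented) on the image-name pattern, the system32/SysWOW64 mismatch and the two strongest flags, and emits the SysWOW64 paths to sweep other hosts for.

```python
"""Score process-tree entries from the report with a small heuristic and list the
on-disk paths to sweep for (added example; TREE is a constructed subset of the
tree plus two constructed benign controls)."""
import re
from pathlib import PureWindowsPath

# Berbew-style image names in this tree: a capital letter, then lowercase letters,
# eight characters in all, optionally ending in "32" (Ocglmcdp.exe, Bnjipn32.exe).
NAME_RE = re.compile(r"^[A-Z][a-z]{5}(?:[a-z]{2}|32)\.exe$")
WOW64_DIR = r"c:\windows\syswow64"

# (image path, command line, PID, signature flags). The svchost and notepad rows
# (PIDs 700 and 3100) are constructed controls, not from the report.
TREE = [
    (r"C:\Users\Admin\AppData\Local\Temp\f9421f0ad674713f6cbeaf2de39c0abaf65c6c3f6ce2a8f24397ebb417aa9a0e.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\f9421f0ad674713f6cbeaf2de39c0abaf65c6c3f6ce2a8f24397ebb417aa9a0e.exe"',
     1996, {"Loads dropped DLL", "Suspicious use of WriteProcessMemory"}),
    (r"C:\Windows\SysWOW64\Ocglmcdp.exe", r"C:\Windows\system32\Ocglmcdp.exe", 1508,
     {"Executes dropped EXE", "Loads dropped DLL", "Suspicious use of WriteProcessMemory"}),
    (r"C:\Windows\SysWOW64\Bnjipn32.exe", r"C:\Windows\system32\Bnjipn32.exe", 540,
     {"Adds autorun key to be loaded by Explorer.exe on startup", "Executes dropped EXE",
      "Loads dropped DLL", "Modifies registry class", "Suspicious use of WriteProcessMemory"}),
    (r"C:\Windows\SysWOW64\Kejfio32.exe", r"C:\Windows\system32\Kejfio32.exe", 2468, set()),
    (r"C:\Windows\System32\svchost.exe", r"C:\Windows\system32\svchost.exe -k netsvcs", 700, set()),
    (r"C:\Windows\SysWOW64\notepad.exe", r"C:\Windows\system32\notepad.exe", 3100, set()),
]


def redirected_to_wow64(image, cmdline):
    """True when the command line names system32 but the image ran from SysWOW64:
    the file-system redirector sent a 32-bit process to the WOW64 copy of the path."""
    return (str(PureWindowsPath(image).parent).lower() == WOW64_DIR
            and "\\system32\\" in cmdline.lower())


def score(image, cmdline, flags):
    """Independent indicators for one tree entry; the flags may be absent on a
    capped report, so the path-based checks carry the weight."""
    name = PureWindowsPath(image).name
    reasons = []
    if NAME_RE.match(name):
        reasons.append("Berbew-style image name")
    if redirected_to_wow64(image, cmdline):
        reasons.append("launched via system32 path, ran from SysWOW64")
    if "Executes dropped EXE" in flags:
        reasons.append("executes dropped EXE")
    if any(f.startswith("Adds autorun key") for f in flags):
        reasons.append("adds Explorer SSODL autorun")
    return reasons


def triage(tree, min_reasons=2):
    """Entries with at least `min_reasons` indicators, in tree order."""
    hits = []
    for image, cmdline, pid, flags in tree:
        reasons = score(image, cmdline, flags)
        if len(reasons) >= min_reasons:
            hits.append((pid, PureWindowsPath(image).name, reasons))
    return hits


def hunt_paths(tree):
    """Every image whose name matches the pattern: the files to look for on other hosts."""
    return sorted({image for image, _, _, _ in tree
                   if NAME_RE.match(PureWindowsPath(image).name)})


if __name__ == "__main__":
    for pid, name, reasons in triage(TREE):
        print(f"PID {pid:<5} {name:<14} {'; '.join(reasons)}")
    print("sweep for:", *hunt_paths(TREE), sep="\n  ")
```

With the threshold at two indicators, Kejfio32.exe at level 122 is still flagged from its name and path even though the capped report attaches no signature to it, while the SysWOW64 notepad.exe control scores only the redirection mismatch and drops out. The submitted dropper in the Temp directory scores nothing under this heuristic: it targets the dropped stages, and the dropper is caught by its hash and the signatures at the top of the report.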