Analysis
- max time kernel: 114s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21-09-2024 16:37

Static task: static1

Behavioral task: behavioral1
- Sample: e9b44cdcd1e3d1aa35fd6d0ee163928395ec9699379c2994babfd5eee554c1b2N.exe
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: e9b44cdcd1e3d1aa35fd6d0ee163928395ec9699379c2994babfd5eee554c1b2N.exe
- Resource: win10v2004-20240802-en

General
- Target: e9b44cdcd1e3d1aa35fd6d0ee163928395ec9699379c2994babfd5eee554c1b2N.exe
- Size: 94KB
- MD5: 83cd9fe840f66158a6f50f09f2514380
- SHA1: ff9218dd56b41e672e2ade53383c6a3cbfba518d
- SHA256: e9b44cdcd1e3d1aa35fd6d0ee163928395ec9699379c2994babfd5eee554c1b2
- SHA512: ec60b5bfece910770eea9290186ad47615ac8b5602df39378afacf1cac514ecbf1ad2738cee5599da2e18d8a7ff888488981bab1b6802c37be648b49305a5f4a
- SSDEEP: 1536:IkO2d0/V1RG93GbNqqOPYowemn1oP+kPCzGTaLLmOmC2LHNMQ262AjCsQ2PCZZr2:fOY0/t/OWGTaGOuHNMQH2qC7ZQOlzSLd
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apdodc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkdbibmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ichmclja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeajcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afaieb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlaqba32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcooinfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kqlgikcq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mahlgkgo.exe Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmjnlp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpiinfbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glhjpjok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oigmbagp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfflnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eilodk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbkgfgam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkbecc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apoonnac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dglbjgff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qklfqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icadpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnlcoage.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoeflamd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jedeea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klkmkoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojkcfdgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eilamd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jggiah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event 
Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmcchb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcgqoech.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epnkfq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdljaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbgaahgl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppnpfagc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcaqdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkkicfik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iejkel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckklfoah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paelcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created 
\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocbnqfln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nndkdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cahbem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eobenc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doflofbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eonhbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbhcankf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmnnblmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgdgaflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkbnpaln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enijek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web 
Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found
Executes dropped EXE 64 IoCs
pid   Process
2904  Dhhhphmc.exe
2972  Dndahokk.exe
2372  Dcaiqfib.exe
2876  Emjnikpc.exe
2900  Epmcqf32.exe
2708  Ebnlba32.exe
2652  Fijadk32.exe
3044  Filnjk32.exe
2524  Fmnccn32.exe
2684  Gpaikiig.exe
1128  Glhjpjok.exe
820   Gonlld32.exe
1772  Hanenoeh.exe
2276  Hkifld32.exe
1612  Heedbbdb.exe
2176  Ilaieljl.exe
1680  Iejnna32.exe
1548  Ilfbpk32.exe
1696  Igpcpi32.exe
2152  Jknlfg32.exe
2980  Jgdmkhnp.exe
824   Jggiah32.exe
2676  Jnqanbcj.exe
2200  Jcmjfiab.exe
2532  Jbbgge32.exe
1600  Kiaiooja.exe
2428  Kbjmhd32.exe
2720  Kaagnp32.exe
2628  Kfnpgg32.exe
2648  Lfpllg32.exe
2592  Moecghdl.exe
2564  Mkqnghfk.exe
2380  Mpmfoodb.exe
2376  Ndkoemji.exe
1272  Nihgndip.exe
2580  Noepfkgh.exe
656   Nijdcdgn.exe
1556  Nogmkk32.exe
1956  Nhpadpke.exe
2228  Nahemf32.exe
2236  Nhbnjpic.exe
1944  Ndhooaog.exe
1104  Ooncljom.exe
2496  Okecak32.exe
752   Oaolne32.exe
1360  Okgpfjbo.exe
600   Ocbekmpi.exe
532   Ojlmgg32.exe
932   Oceaql32.exe
1640  Polbemck.exe
344   Pjafbfca.exe
1700  Ponokmah.exe
2752  Pdkgcd32.exe
2600  Pncllifp.exe
2616  Pfjdmggb.exe
2608  Pneiaidn.exe
2604  Pikmob32.exe
2216  Pbcahgjd.exe
2424  Qklfqm32.exe
1312  Qcgkeonp.exe
2928  Qmoone32.exe
1448  Afhcgjkq.exe
2064  Apphpp32.exe
2212  Algida32.exe
Loads dropped DLL 64 IoCs
pid   Process
1480  e9b44cdcd1e3d1aa35fd6d0ee163928395ec9699379c2994babfd5eee554c1b2N.exe
1480  e9b44cdcd1e3d1aa35fd6d0ee163928395ec9699379c2994babfd5eee554c1b2N.exe
2904  Dhhhphmc.exe
2904  Dhhhphmc.exe
2972  Dndahokk.exe
2972  Dndahokk.exe
2372  Dcaiqfib.exe
2372  Dcaiqfib.exe
2876  Emjnikpc.exe
2876  Emjnikpc.exe
2900  Epmcqf32.exe
2900  Epmcqf32.exe
2708  Ebnlba32.exe
2708  Ebnlba32.exe
2652  Fijadk32.exe
2652  Fijadk32.exe
3044  Filnjk32.exe
3044  Filnjk32.exe
2524  Fmnccn32.exe
2524  Fmnccn32.exe
2684  Gpaikiig.exe
2684  Gpaikiig.exe
1128  Glhjpjok.exe
1128  Glhjpjok.exe
820   Gonlld32.exe
820   Gonlld32.exe
1772  Hanenoeh.exe
1772  Hanenoeh.exe
2276  Hkifld32.exe
2276  Hkifld32.exe
1612  Heedbbdb.exe
1612  Heedbbdb.exe
2176  Ilaieljl.exe
2176  Ilaieljl.exe
1680  Iejnna32.exe
1680  Iejnna32.exe
1548  Ilfbpk32.exe
1548  Ilfbpk32.exe
1696  Igpcpi32.exe
1696  Igpcpi32.exe
2152  Jknlfg32.exe
2152  Jknlfg32.exe
2980  Jgdmkhnp.exe
2980  Jgdmkhnp.exe
824   Jggiah32.exe
824   Jggiah32.exe
2676  Jnqanbcj.exe
2676  Jnqanbcj.exe
2200  Jcmjfiab.exe
2200  Jcmjfiab.exe
2532  Jbbgge32.exe
2532  Jbbgge32.exe
1600  Kiaiooja.exe
1600  Kiaiooja.exe
2428  Kbjmhd32.exe
2428  Kbjmhd32.exe
2720  Kaagnp32.exe
2720  Kaagnp32.exe
2628  Kfnpgg32.exe
2628  Kfnpgg32.exe
2648  Lfpllg32.exe
2648  Lfpllg32.exe
2592  Moecghdl.exe
2592  Moecghdl.exe
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Gcpfbhof.exe Ggifmgia.exe File opened for modification C:\Windows\SysWOW64\Dcaiqfib.exe Dndahokk.exe File opened for modification C:\Windows\SysWOW64\Cnnpdaeb.exe Ccikghel.exe File created C:\Windows\SysWOW64\Cqfcngpa.dll Bainld32.exe File opened for modification C:\Windows\SysWOW64\Bkdokjdd.exe Bpnkmadn.exe File created C:\Windows\SysWOW64\Bmlkbpno.dll Dlfnlofp.exe File opened for modification C:\Windows\SysWOW64\Nelgkhdp.exe Nieffgok.exe File created C:\Windows\SysWOW64\Nkjgiiln.exe Nbacqdem.exe File created C:\Windows\SysWOW64\Mjqofc32.dll Pqhblm32.exe File created C:\Windows\SysWOW64\Hiqfoble.exe Process not Found File opened for modification C:\Windows\SysWOW64\Iplpfi32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hepdml32.exe Hlgodgnk.exe File created C:\Windows\SysWOW64\Fbddne32.exe Process not Found File created C:\Windows\SysWOW64\Kiponlic.exe Kpgkef32.exe File created C:\Windows\SysWOW64\Elmoqlmh.exe Ecdkgg32.exe File created C:\Windows\SysWOW64\Mandkeki.dll Alglin32.exe File created C:\Windows\SysWOW64\Cjakplfl.dll Process not Found File created C:\Windows\SysWOW64\Lljcdqfm.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ihphofpg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jpbmhf32.exe Jcnloa32.exe File opened for modification C:\Windows\SysWOW64\Nifhop32.exe Nblpbeob.exe File opened for modification C:\Windows\SysWOW64\Gjffphpc.exe Gmbffc32.exe File created C:\Windows\SysWOW64\Qmigpe32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hfofca32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hmjagh32.exe Hfpijngn.exe File created C:\Windows\SysWOW64\Qcield32.dll Ggicdo32.exe File created C:\Windows\SysWOW64\Chndkeam.exe Process not Found File opened for modification C:\Windows\SysWOW64\Noepfkgh.exe Nihgndip.exe File created C:\Windows\SysWOW64\Afaieb32.exe 
Ainhln32.exe File created C:\Windows\SysWOW64\Gfpnol32.dll Oeloin32.exe File created C:\Windows\SysWOW64\Jajgam32.dll Djpnkhep.exe File created C:\Windows\SysWOW64\Bnppmjkf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Fpmdngln.exe Process not Found File created C:\Windows\SysWOW64\Afhcgjkq.exe Qmoone32.exe File created C:\Windows\SysWOW64\Aejlqe32.dll Cckhlhcj.exe File opened for modification C:\Windows\SysWOW64\Fqanif32.exe Process not Found File created C:\Windows\SysWOW64\Bbbedqcc.exe Bfldopno.exe File created C:\Windows\SysWOW64\Hnonab32.dll Foencfda.exe File created C:\Windows\SysWOW64\Ieeajmpo.exe Iohiafag.exe File created C:\Windows\SysWOW64\Benifg32.dll Olijen32.exe File opened for modification C:\Windows\SysWOW64\Bjefcgpo.exe Bclnfm32.exe File created C:\Windows\SysWOW64\Fmqhgh32.dll Mpgccm32.exe File opened for modification C:\Windows\SysWOW64\Bomneh32.exe Bainld32.exe File created C:\Windows\SysWOW64\Hldopgbl.dll Jcjffc32.exe File opened for modification C:\Windows\SysWOW64\Bnmpcmpi.exe Bfbknkbn.exe File opened for modification C:\Windows\SysWOW64\Gdklje32.exe Gifgml32.exe File created C:\Windows\SysWOW64\Kbanfbfk.exe Klgeih32.exe File created C:\Windows\SysWOW64\Kcnmep32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Oagqmeqp.exe Process not Found File created C:\Windows\SysWOW64\Llomka32.dll Qmoone32.exe File created C:\Windows\SysWOW64\Ediaia32.dll Bflghh32.exe File opened for modification C:\Windows\SysWOW64\Lmfnbohm.exe Lglfed32.exe File opened for modification C:\Windows\SysWOW64\Ongijbja.exe Ododal32.exe File opened for modification C:\Windows\SysWOW64\Daoeeo32.exe Dlblmh32.exe File opened for modification C:\Windows\SysWOW64\Ijipbchn.exe Imepio32.exe File created C:\Windows\SysWOW64\Oimlbe32.dll Process not Found File created C:\Windows\SysWOW64\Njpapm32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Dlfika32.exe Process not Found File opened for modification 
C:\Windows\SysWOW64\Dmnhok32.exe Dhapfd32.exe File created C:\Windows\SysWOW64\Gcaqle32.dll Hfmfjh32.exe File created C:\Windows\SysWOW64\Dhbhloho.exe Dlkggn32.exe File opened for modification C:\Windows\SysWOW64\Egdmlhni.exe Process not Found File created C:\Windows\SysWOW64\Hmmjhgce.dll Dljdcqek.exe File opened for modification C:\Windows\SysWOW64\Epnkfq32.exe Ehbgbngm.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfioha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhehnlqf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chbkmkec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhpdbmgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkeqobld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faanibeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goojldgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhogj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdnggq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eklgjbca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilaieljl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppogahko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eakmdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmcgdlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpnhhh32.exe Key 
opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbnpdnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmdamojp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhlgaedj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbgdonkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleqkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhnhcnkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdciej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nghbpfin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okamjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bomneh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gabohk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlleni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmllf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acdemegf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahdjfqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Campbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhcanahm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeemol32.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fommfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opgjfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijdggc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kamahn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ephihbnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdcahdib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkafofde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkdclgpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckgkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekohac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqamcbcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bndhle32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Algida32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghlhpiia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajkjij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbpendha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibjing32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pabkmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not 
Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcbmah32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgkbjb32.dll" Fdcahdib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecfckn32.dll" Inecnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknahbdc.dll" Oddhho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfilfc32.dll" Ododal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggfqlkla.dll" Ifchhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkcfikea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iopqoi32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlqpp32.dll" Hoofkgib.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibjkfpih.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icngpe32.dll" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cahbem32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fojjfogp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nenokaeg.dll" Cddcgmom.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flgfhmdf.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odqiaa32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjeppb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfmcdb32.dll" Oohoeg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfeqgikk.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Johmhhhj.dll" Gjpodhfi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdcahdib.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Khdjfpfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qknlnp32.dll" Klaojm32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kiepca32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjbbbgql.dll" Mcjmkdpl.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ganolajk.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phgcib32.dll" Jdlcnkfg.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phpkjoim.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqicfdjc.dll" Dkkhdbdc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qmcgia32.dll" Efeblnbp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohifch32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eipgonjl.dll" Ikfokb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncgfohq.dll" Mnefpq32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aipfoh32.dll" Khdjfpfg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkmjkh32.dll" Ojkcfdgh.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilfbpk32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doigah32.dll" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poakaj32.dll" Iacojc32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 1480 wrote to memory of 2904 | 1480 | e9b44cdcd1e3d1aa35fd6d0ee163928395ec9699379c2994babfd5eee554c1b2N.exe | 29
PID 2904 wrote to memory of 2972 | 2904 | Dhhhphmc.exe | 30
PID 2972 wrote to memory of 2372 | 2972 | Dndahokk.exe | 31
PID 2372 wrote to memory of 2876 | 2372 | Dcaiqfib.exe | 32
PID 2876 wrote to memory of 2900 | 2876 | Emjnikpc.exe | 33
PID 2900 wrote to memory of 2708 | 2900 | Epmcqf32.exe | 34
PID 2708 wrote to memory of 2652 | 2708 | Ebnlba32.exe | 35
PID 2652 wrote to memory of 3044 | 2652 | Fijadk32.exe | 36
PID 3044 wrote to memory of 2524 | 3044 | Filnjk32.exe | 37
PID 2524 wrote to memory of 2684 | 2524 | Fmnccn32.exe | 38
PID 2684 wrote to memory of 1128 | 2684 | Gpaikiig.exe | 39
PID 1128 wrote to memory of 820 | 1128 | Glhjpjok.exe | 40
PID 820 wrote to memory of 1772 | 820 | Gonlld32.exe | 41
PID 1772 wrote to memory of 2276 | 1772 | Hanenoeh.exe | 42
PID 2276 wrote to memory of 1612 | 2276 | Hkifld32.exe | 43
PID 1612 wrote to memory of 2176 | 1612 | Heedbbdb.exe | 44
Each of the 16 rows above is recorded four times in the report (four WriteProcessMemory calls per child), which is where the count of 64 IoCs comes from; the duplicates are collapsed here.
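As an added example (not part of this report and not the sandbox's own tooling), the Python below pulls out the two things a responder wants from the registry-class and WriteProcessMemory sections above: the CLSID whose InProcServer32 default value is being repointed at freshly dropped DLLs, and the parent-to-child chain implied by the "PID a wrote to memory of b" rows. The input lines are constructed from a few of the report's own entries; the regexes assume the report's line format (`Set value (type) <key>\<name> = "<data>" <process>`, `Key created <key> <process>`, and `PID a wrote to memory of b a <image> n`), and "Process not Found" is treated like any other attribution string.

```python
"""Extract IoCs from Triage-style registry-event and WriteProcessMemory lines.

Added example, not report tooling: the line formats below are assumed from the
report text itself. Sample input is constructed from a handful of its rows."""
import re
from collections import defaultdict

# Constructed sample: four registry events in the report's format. The REG_SZ
# data keeps the doubled backslashes exactly as the report prints them.
REG_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njlqpp32.dll" Hoofkgib.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibjkfpih.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cahbem32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icngpe32.dll" Process not Found
"""

# Constructed sample: WriteProcessMemory rows, including one of the report's
# repeated rows, to show that duplicates collapse into a single edge.
WPM_ROWS = r"""
PID 1480 wrote to memory of 2904 1480 e9b44cdcd1e3d1aa35fd6d0ee163928395ec9699379c2994babfd5eee554c1b2N.exe 29
PID 1480 wrote to memory of 2904 1480 e9b44cdcd1e3d1aa35fd6d0ee163928395ec9699379c2994babfd5eee554c1b2N.exe 29
PID 2904 wrote to memory of 2972 2904 Dhhhphmc.exe 30
PID 2972 wrote to memory of 2372 2972 Dndahokk.exe 31
"""

SET_RE = re.compile(r'^Set value \((?P<type>\w+)\) (?P<path>\\REGISTRY\\\S*?) = "(?P<data>.*)" (?P<proc>.+)$')
KEY_RE = re.compile(r'^Key created (?P<path>\\REGISTRY\\\S+) (?P<proc>.+)$')
CLSID_RE = re.compile(r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}')
WPM_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<proc>\S+) (?P<target>\d+)$')


def parse_reg_events(text):
    """Yield (op, key, value_name, data, proc); the doubled backslashes in the
    report's REG_SZ data are collapsed to real path separators."""
    for line in text.splitlines():
        m = SET_RE.match(line)
        if m:
            key, _, name = m['path'].rpartition('\\')   # '' name = default value
            yield ('set', key, name, m['data'].replace('\\\\', '\\'), m['proc'])
            continue
        m = KEY_RE.match(line)
        if m:
            yield ('create', m['path'], None, None, m['proc'])


def com_inproc_servers(text):
    """Map each CLSID whose InProcServer32 default value was written to the set
    of DLL paths it was pointed at. A CLSID that resolves to a just-dropped DLL
    under SysWow64 is the load hook to pull from the image and block on hosts."""
    servers = defaultdict(set)
    for op, key, name, data, _proc in parse_reg_events(text):
        if op != 'set' or not key.endswith('\\InProcServer32') or name != '':
            continue
        clsid = CLSID_RE.search(key)
        if clsid:
            servers[clsid.group(0)].add(data)
    return dict(servers)


def injection_chain(text):
    """Collapse the repeated WriteProcessMemory rows into parent->child edges and
    walk them from the root. Returns [(pid, image), ...] in spawn order; the
    last child's image is None because no row shows it writing onward.
    Raises if a process wrote into more than one child (not a simple chain)."""
    edges, names = {}, {}
    for line in text.splitlines():
        m = WPM_RE.match(line)
        if not m:
            continue
        src, dst = int(m['src']), int(m['dst'])
        if edges.get(src, dst) != dst:
            raise ValueError(f'pid {src} writes into several children')
        edges[src] = dst
        names[src] = m['proc']
    roots = set(edges) - set(edges.values())
    if len(roots) != 1:
        raise ValueError(f'expected one root, found {sorted(roots)}')
    chain, pid = [], roots.pop()
    while pid in edges:
        chain.append((pid, names[pid]))
        pid = edges[pid]
    chain.append((pid, None))
    return chain


if __name__ == '__main__':
    for clsid, dlls in com_inproc_servers(REG_EVENTS).items():
        print(clsid, '->', sorted(dlls))
    for pid, image in injection_chain(WPM_ROWS):
        print(pid, image or '(last child)')
```

On the full report the chain walk reproduces the 17-process sequence from the WriteProcessMemory table, and the CLSID map collects every dropped DLL name written under the single CLSID, which is the list to search for on other hosts; the CLSID itself is a stronger indicator than any one of the randomly named DLLs.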
Processes
-
Each entry gives the process's position in the tree, the image path, the command line as executed, the PID, and the signatures it triggered. The command lines name C:\Windows\system32\, but the images resolve to C:\Windows\SysWOW64\ because these are 32-bit processes running under WOW64 file-system redirection on the x64 Windows 7 VM (the Wow6432Node registry writes above are the registry side of the same redirection).
1. C:\Users\Admin\AppData\Local\Temp\e9b44cdcd1e3d1aa35fd6d0ee163928395ec9699379c2994babfd5eee554c1b2N.exe
   cmd: "C:\Users\Admin\AppData\Local\Temp\e9b44cdcd1e3d1aa35fd6d0ee163928395ec9699379c2994babfd5eee554c1b2N.exe"
   PID 1480: Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Dhhhphmc.exe (cmd: C:\Windows\system32\Dhhhphmc.exe)
   PID 2904: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Dndahokk.exe (cmd: C:\Windows\system32\Dndahokk.exe)
   PID 2972: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Dcaiqfib.exe (cmd: C:\Windows\system32\Dcaiqfib.exe)
   PID 2372: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Emjnikpc.exe (cmd: C:\Windows\system32\Emjnikpc.exe)
   PID 2876: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Epmcqf32.exe (cmd: C:\Windows\system32\Epmcqf32.exe)
   PID 2900: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Ebnlba32.exe (cmd: C:\Windows\system32\Ebnlba32.exe)
   PID 2708: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Fijadk32.exe (cmd: C:\Windows\system32\Fijadk32.exe)
   PID 2652: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Filnjk32.exe (cmd: C:\Windows\system32\Filnjk32.exe)
   PID 3044: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Fmnccn32.exe (cmd: C:\Windows\system32\Fmnccn32.exe)
   PID 2524: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Gpaikiig.exe (cmd: C:\Windows\system32\Gpaikiig.exe)
   PID 2684: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Glhjpjok.exe (cmd: C:\Windows\system32\Glhjpjok.exe)
   PID 1128: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Gonlld32.exe (cmd: C:\Windows\system32\Gonlld32.exe)
   PID 820: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Hanenoeh.exe (cmd: C:\Windows\system32\Hanenoeh.exe)
   PID 1772: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Hkifld32.exe (cmd: C:\Windows\system32\Hkifld32.exe)
   PID 2276: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Heedbbdb.exe (cmd: C:\Windows\system32\Heedbbdb.exe)
   PID 1612: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Ilaieljl.exe (cmd: C:\Windows\system32\Ilaieljl.exe)
   PID 2176: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
18. C:\Windows\SysWOW64\Iejnna32.exe (cmd: C:\Windows\system32\Iejnna32.exe)
   PID 1680: Executes dropped EXE; Loads dropped DLL
19. C:\Windows\SysWOW64\Ilfbpk32.exe (cmd: C:\Windows\system32\Ilfbpk32.exe)
   PID 1548: Executes dropped EXE; Loads dropped DLL; Modifies registry class
20. C:\Windows\SysWOW64\Igpcpi32.exe (cmd: C:\Windows\system32\Igpcpi32.exe)
   PID 1696: Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Jknlfg32.exe (cmd: C:\Windows\system32\Jknlfg32.exe)
   PID 2152: Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Jgdmkhnp.exe (cmd: C:\Windows\system32\Jgdmkhnp.exe)
   PID 2980: Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Jggiah32.exe (cmd: C:\Windows\system32\Jggiah32.exe)
   PID 824: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Jnqanbcj.exe (cmd: C:\Windows\system32\Jnqanbcj.exe)
   PID 2676: Executes dropped EXE; Loads dropped DLL
25. C:\Windows\SysWOW64\Jcmjfiab.exe (cmd: C:\Windows\system32\Jcmjfiab.exe)
   PID 2200: Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Jbbgge32.exe (cmd: C:\Windows\system32\Jbbgge32.exe)
   PID 2532: Executes dropped EXE; Loads dropped DLL
27. C:\Windows\SysWOW64\Kiaiooja.exe (cmd: C:\Windows\system32\Kiaiooja.exe)
   PID 1600: Executes dropped EXE; Loads dropped DLL
28. C:\Windows\SysWOW64\Kbjmhd32.exe (cmd: C:\Windows\system32\Kbjmhd32.exe)
   PID 2428: Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Kaagnp32.exe (cmd: C:\Windows\system32\Kaagnp32.exe)
   PID 2720: Executes dropped EXE; Loads dropped DLL
30. C:\Windows\SysWOW64\Kfnpgg32.exe (cmd: C:\Windows\system32\Kfnpgg32.exe)
   PID 2628: Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Lfpllg32.exe (cmd: C:\Windows\system32\Lfpllg32.exe)
   PID 2648: Executes dropped EXE; Loads dropped DLL
32. C:\Windows\SysWOW64\Moecghdl.exe (cmd: C:\Windows\system32\Moecghdl.exe)
   PID 2592: Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Mkqnghfk.exe (cmd: C:\Windows\system32\Mkqnghfk.exe)
   PID 2564: Executes dropped EXE
34. C:\Windows\SysWOW64\Mpmfoodb.exe (cmd: C:\Windows\system32\Mpmfoodb.exe)
   PID 2380: Executes dropped EXE
35. C:\Windows\SysWOW64\Ndkoemji.exe (cmd: C:\Windows\system32\Ndkoemji.exe)
   PID 2376: Executes dropped EXE
36. C:\Windows\SysWOW64\Nihgndip.exe (cmd: C:\Windows\system32\Nihgndip.exe)
   PID 1272: Executes dropped EXE; Drops file in System32 directory
37. C:\Windows\SysWOW64\Noepfkgh.exe (cmd: C:\Windows\system32\Noepfkgh.exe)
   PID 2580: Executes dropped EXE
38. C:\Windows\SysWOW64\Nijdcdgn.exe (cmd: C:\Windows\system32\Nijdcdgn.exe)
   PID 656: Executes dropped EXE
39. C:\Windows\SysWOW64\Nogmkk32.exe (cmd: C:\Windows\system32\Nogmkk32.exe)
   PID 1556: Executes dropped EXE
40. C:\Windows\SysWOW64\Nhpadpke.exe (cmd: C:\Windows\system32\Nhpadpke.exe)
   PID 1956: Executes dropped EXE
41. C:\Windows\SysWOW64\Nahemf32.exe (cmd: C:\Windows\system32\Nahemf32.exe)
   PID 2228: Executes dropped EXE
42. C:\Windows\SysWOW64\Nhbnjpic.exe (cmd: C:\Windows\system32\Nhbnjpic.exe)
   PID 2236: Executes dropped EXE
43. C:\Windows\SysWOW64\Ndhooaog.exe (cmd: C:\Windows\system32\Ndhooaog.exe)
   PID 1944: Executes dropped EXE
44. C:\Windows\SysWOW64\Ooncljom.exe (cmd: C:\Windows\system32\Ooncljom.exe)
   PID 1104: Executes dropped EXE
45. C:\Windows\SysWOW64\Okecak32.exe (cmd: C:\Windows\system32\Okecak32.exe)
   PID 2496: Executes dropped EXE
46. C:\Windows\SysWOW64\Oaolne32.exe (cmd: C:\Windows\system32\Oaolne32.exe)
   PID 752: Executes dropped EXE
47. C:\Windows\SysWOW64\Okgpfjbo.exe (cmd: C:\Windows\system32\Okgpfjbo.exe)
   PID 1360: Executes dropped EXE
48. C:\Windows\SysWOW64\Ocbekmpi.exe (cmd: C:\Windows\system32\Ocbekmpi.exe)
   PID 600: Executes dropped EXE
49. C:\Windows\SysWOW64\Ojlmgg32.exe (cmd: C:\Windows\system32\Ojlmgg32.exe)
   PID 532: Executes dropped EXE
50. C:\Windows\SysWOW64\Oceaql32.exe (cmd: C:\Windows\system32\Oceaql32.exe)
   PID 932: Executes dropped EXE
51. C:\Windows\SysWOW64\Polbemck.exe (cmd: C:\Windows\system32\Polbemck.exe)
   PID 1640: Executes dropped EXE
52. C:\Windows\SysWOW64\Pjafbfca.exe (cmd: C:\Windows\system32\Pjafbfca.exe)
   PID 344: Executes dropped EXE
53. C:\Windows\SysWOW64\Ponokmah.exe (cmd: C:\Windows\system32\Ponokmah.exe)
   PID 1700: Executes dropped EXE
54. C:\Windows\SysWOW64\Pdkgcd32.exe (cmd: C:\Windows\system32\Pdkgcd32.exe)
   PID 2752: Executes dropped EXE
55. C:\Windows\SysWOW64\Pncllifp.exe (cmd: C:\Windows\system32\Pncllifp.exe)
   PID 2600: Executes dropped EXE
56. C:\Windows\SysWOW64\Pfjdmggb.exe (cmd: C:\Windows\system32\Pfjdmggb.exe)
   PID 2616: Executes dropped EXE
57. C:\Windows\SysWOW64\Pneiaidn.exe (cmd: C:\Windows\system32\Pneiaidn.exe)
   PID 2608: Executes dropped EXE
58. C:\Windows\SysWOW64\Pikmob32.exe (cmd: C:\Windows\system32\Pikmob32.exe)
   PID 2604: Executes dropped EXE
59. C:\Windows\SysWOW64\Pbcahgjd.exe (cmd: C:\Windows\system32\Pbcahgjd.exe)
   PID 2216: Executes dropped EXE
60. C:\Windows\SysWOW64\Qklfqm32.exe (cmd: C:\Windows\system32\Qklfqm32.exe)
   PID 2424: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
61. C:\Windows\SysWOW64\Qcgkeonp.exe (cmd: C:\Windows\system32\Qcgkeonp.exe)
   PID 1312: Executes dropped EXE
62. C:\Windows\SysWOW64\Qmoone32.exe (cmd: C:\Windows\system32\Qmoone32.exe)
   PID 2928: Executes dropped EXE; Drops file in System32 directory
63. C:\Windows\SysWOW64\Afhcgjkq.exe (cmd: C:\Windows\system32\Afhcgjkq.exe)
   PID 1448: Executes dropped EXE
64. C:\Windows\SysWOW64\Apphpp32.exe (cmd: C:\Windows\system32\Apphpp32.exe)
   PID 2064: Executes dropped EXE
65. C:\Windows\SysWOW64\Algida32.exe (cmd: C:\Windows\system32\Algida32.exe)
   PID 2212: Executes dropped EXE; Modifies registry class
66. C:\Windows\SysWOW64\Abaaakob.exe (cmd: C:\Windows\system32\Abaaakob.exe), PID 2020
67. C:\Windows\SysWOW64\Apeakonl.exe (cmd: C:\Windows\system32\Apeakonl.exe), PID 2404
68. C:\Windows\SysWOW64\Aeajcf32.exe (cmd: C:\Windows\system32\Aeajcf32.exe)
   PID 1728: Adds autorun key to be loaded by Explorer.exe on startup
69. C:\Windows\SysWOW64\Aedghf32.exe (cmd: C:\Windows\system32\Aedghf32.exe), PID 1512
70. C:\Windows\SysWOW64\Ajqoqm32.exe (cmd: C:\Windows\system32\Ajqoqm32.exe), PID 1968
71. C:\Windows\SysWOW64\Bjclfmfe.exe (cmd: C:\Windows\system32\Bjclfmfe.exe), PID 3032
72. C:\Windows\SysWOW64\Bjehlldb.exe (cmd: C:\Windows\system32\Bjehlldb.exe), PID 2664
73. C:\Windows\SysWOW64\Bhiiepcl.exe (cmd: C:\Windows\system32\Bhiiepcl.exe), PID 2680
74. C:\Windows\SysWOW64\Bmfamg32.exe (cmd: C:\Windows\system32\Bmfamg32.exe), PID 2540
75. C:\Windows\SysWOW64\Bkjbgk32.exe (cmd: C:\Windows\system32\Bkjbgk32.exe), PID 2808
76. C:\Windows\SysWOW64\Bmhncg32.exe (cmd: C:\Windows\system32\Bmhncg32.exe), PID 2892
77. C:\Windows\SysWOW64\Cmkkhfmn.exe (cmd: C:\Windows\system32\Cmkkhfmn.exe), PID 2984
78. C:\Windows\SysWOW64\Cbhcankf.exe (cmd: C:\Windows\system32\Cbhcankf.exe)
   PID 1660: Adds autorun key to be loaded by Explorer.exe on startup
79. C:\Windows\SysWOW64\Chdlidjm.exe (cmd: C:\Windows\system32\Chdlidjm.exe), PID 2672
80. C:\Windows\SysWOW64\Campbj32.exe (cmd: C:\Windows\system32\Campbj32.exe)
   PID 2128: System Location Discovery: System Language Discovery
81. C:\Windows\SysWOW64\Ckeekp32.exe (cmd: C:\Windows\system32\Ckeekp32.exe), PID 2656
82. C:\Windows\SysWOW64\Cekihh32.exe (cmd: C:\Windows\system32\Cekihh32.exe), PID 1564
83. C:\Windows\SysWOW64\Cnfnlk32.exe (cmd: C:\Windows\system32\Cnfnlk32.exe), PID 2492
84. C:\Windows\SysWOW64\Chkbjc32.exe (cmd: C:\Windows\system32\Chkbjc32.exe), PID 1088
85. C:\Windows\SysWOW64\Coejfn32.exe (cmd: C:\Windows\system32\Coejfn32.exe), PID 2208
86. C:\Windows\SysWOW64\Dhnoocab.exe (cmd: C:\Windows\system32\Dhnoocab.exe), PID 2320
87. C:\Windows\SysWOW64\Djokgk32.exe (cmd: C:\Windows\system32\Djokgk32.exe), PID 736
88. C:\Windows\SysWOW64\Dddodd32.exe (cmd: C:\Windows\system32\Dddodd32.exe), PID 2964
89. C:\Windows\SysWOW64\Dnmdmj32.exe (cmd: C:\Windows\system32\Dnmdmj32.exe), PID 1336
90. C:\Windows\SysWOW64\Dfhial32.exe (cmd: C:\Windows\system32\Dfhial32.exe), PID 2172
91. C:\Windows\SysWOW64\Dghekobe.exe (cmd: C:\Windows\system32\Dghekobe.exe), PID 2520
92. C:\Windows\SysWOW64\Dldndf32.exe (cmd: C:\Windows\system32\Dldndf32.exe), PID 784
93. C:\Windows\SysWOW64\Dcofqphi.exe (cmd: C:\Windows\system32\Dcofqphi.exe), PID 1596
94. C:\Windows\SysWOW64\Eoefea32.exe (cmd: C:\Windows\system32\Eoefea32.exe), PID 900
95. C:\Windows\SysWOW64\Eklgjbca.exe (cmd: C:\Windows\system32\Eklgjbca.exe)
   PID 2712: System Location Discovery: System Language Discovery
96. C:\Windows\SysWOW64\Ehphdf32.exe (cmd: C:\Windows\system32\Ehphdf32.exe), PID 2840
97. C:\Windows\SysWOW64\Eojpqpih.exe (cmd: C:\Windows\system32\Eojpqpih.exe), PID 3064
98. C:\Windows\SysWOW64\Gabohk32.exe (cmd: C:\Windows\system32\Gabohk32.exe)
   PID 2028: System Location Discovery: System Language Discovery
99. C:\Windows\SysWOW64\Gepgni32.exe (cmd: C:\Windows\system32\Gepgni32.exe), PID 2844
100. C:\Windows\SysWOW64\Gibmglep.exe (cmd: C:\Windows\system32\Gibmglep.exe), PID 2868
101. C:\Windows\SysWOW64\Ghcmedmo.exe (cmd: C:\Windows\system32\Ghcmedmo.exe), PID 1488
102. C:\Windows\SysWOW64\Hakani32.exe (cmd: C:\Windows\system32\Hakani32.exe), PID 2260
103. C:\Windows\SysWOW64\Hiffbl32.exe (cmd: C:\Windows\system32\Hiffbl32.exe), PID 816
104. C:\Windows\SysWOW64\Hpqoofhg.exe (cmd: C:\Windows\system32\Hpqoofhg.exe), PID 1124
105. C:\Windows\SysWOW64\Hemggm32.exe (cmd: C:\Windows\system32\Hemggm32.exe), PID 1704
106. C:\Windows\SysWOW64\Hlgodgnk.exe (cmd: C:\Windows\system32\Hlgodgnk.exe)
   PID 320: Drops file in System32 directory
107. C:\Windows\SysWOW64\Hepdml32.exe (cmd: C:\Windows\system32\Hepdml32.exe), PID 2124
108. C:\Windows\SysWOW64\Hljljflh.exe (cmd: C:\Windows\system32\Hljljflh.exe), PID 2740
109. C:\Windows\SysWOW64\Hafdbmjp.exe (cmd: C:\Windows\system32\Hafdbmjp.exe), PID 1388
110. C:\Windows\SysWOW64\Hhqmogam.exe (cmd: C:\Windows\system32\Hhqmogam.exe), PID 2504
111. C:\Windows\SysWOW64\Hojeka32.exe (cmd: C:\Windows\system32\Hojeka32.exe), PID 2732
112. C:\Windows\SysWOW64\Iedmhlqf.exe (cmd: C:\Windows\system32\Iedmhlqf.exe), PID 2912
113. C:\Windows\SysWOW64\Iomaaa32.exe (cmd: C:\Windows\system32\Iomaaa32.exe), PID 1864
114. C:\Windows\SysWOW64\Iaknmm32.exe (cmd: C:\Windows\system32\Iaknmm32.exe), PID 2088
115. C:\Windows\SysWOW64\Idjjih32.exe (cmd: C:\Windows\system32\Idjjih32.exe), PID 2920
116. C:\Windows\SysWOW64\Ioonfaed.exe (cmd: C:\Windows\system32\Ioonfaed.exe), PID 2996
117. C:\Windows\SysWOW64\Ikfokb32.exe (cmd: C:\Windows\system32\Ikfokb32.exe)
   PID 3012: Modifies registry class
118. C:\Windows\SysWOW64\Indkgm32.exe (cmd: C:\Windows\system32\Indkgm32.exe), PID 2552
119. C:\Windows\SysWOW64\Icadpd32.exe (cmd: C:\Windows\system32\Icadpd32.exe)
   PID 3036: Adds autorun key to be loaded by Explorer.exe on startup
120. C:\Windows\SysWOW64\Ikhlaaif.exe (cmd: C:\Windows\system32\Ikhlaaif.exe), PID 2096
121. C:\Windows\SysWOW64\Ipedihgm.exe (cmd: C:\Windows\system32\Ipedihgm.exe), PID 2008
122. C:\Windows\SysWOW64\Iebmaoed.exe (cmd: C:\Windows\system32\Iebmaoed.exe), PID 1576