Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
06-10-2024 09:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1af4d673e50cc088509f6763f7640634f62d41383202afb93a67654444ac83c1N.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
1af4d673e50cc088509f6763f7640634f62d41383202afb93a67654444ac83c1N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
1af4d673e50cc088509f6763f7640634f62d41383202afb93a67654444ac83c1N.exe
-
Size
55KB
-
MD5
57a82bc6b7fd805cd0abe2535ff47b80
-
SHA1
710be5fc911595ccabc21083f8b9ed761bd5423c
-
SHA256
1af4d673e50cc088509f6763f7640634f62d41383202afb93a67654444ac83c1
-
SHA512
c2a6393e69160c10557bfee80090c606804fb38fa8fa96e6e1f0be4de3a0aeba4ed7de515f4b7a7638a8a71f4b25b0d76092fbf44bd5b5d63531c867b516a352
-
SSDEEP
768:XUJDpGfg+C3vGwEI6yxhq0KAtDCd5d1/yv68VLlpv8KT4kJmbpRokYbJ5rZJZ/1g:X+DSOOw3RM0KCCTDyv687pukJA4lW
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iblola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcdadhjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlmoilni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpikik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qdpohodn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bihgmdih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmnahilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggiofa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abnopj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhhbif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmidlmcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhkbmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejfllhao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbdham32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnbpqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpgnoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mejmmqpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajamfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kijmbnpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqkpmaif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbadagln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fobkfqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkdcdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqmmbqgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlggjlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcppkbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcmdjgbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlhddh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mopdpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obecld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkmljcdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdcmig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddkgbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bklpjlmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ockinl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okbapi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkelpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbjdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjhnqfla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Llpoohik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miapbpmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajamfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcemnopj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfdkc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pflbpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecgjdong.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eelgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioiidfon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhmldfdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadobccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emdhhdqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgibdjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Appbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejcofica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okpdjjil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apkihofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afgnkilf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epnkip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcfoihhp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldhgnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bknmok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iciopdca.exe -
Executes dropped EXE 64 IoCs
pid Process 2672 Doabjbci.exe 2656 Dghjkpck.exe 2712 Djgfgkbo.exe 2588 Dqaode32.exe 2652 Dfngll32.exe 1684 Dilchhgg.exe 1488 Dkjpdcfj.exe 2088 Dbdham32.exe 3036 Decdmi32.exe 836 Dkmljcdh.exe 2112 Dnkhfnck.exe 2352 Deeqch32.exe 3040 Dgcmod32.exe 3052 Enneln32.exe 1992 Ealahi32.exe 3048 Eiciig32.exe 1960 Elaeeb32.exe 1532 Enpban32.exe 1260 Eejjnhgc.exe 1356 Ecmjid32.exe 2888 Eldbkbop.exe 1748 Enbogmnc.exe 2984 Eelgcg32.exe 2388 Ecogodlk.exe 988 Ejioln32.exe 2768 Endklmlq.exe 2752 Eacghhkd.exe 2848 Efppqoil.exe 2564 Ejklan32.exe 2956 Ephdjeol.exe 444 Ffbmfo32.exe 1300 Fiqibj32.exe 2192 Floeof32.exe 2592 Ffdilo32.exe 628 Fmnahilc.exe 1388 Fopnpaba.exe 2324 Ffgfancd.exe 776 Fhhbif32.exe 1268 Flcojeak.exe 2492 Fobkfqpo.exe 1924 Felcbk32.exe 840 Fodgkp32.exe 1028 Fenphjei.exe 2128 Fhmldfdm.exe 3012 Fkkhpadq.exe 528 Gmidlmcd.exe 2988 Geqlnjcf.exe 2392 Gdcmig32.exe 2792 Gkmefaan.exe 2812 Goiafp32.exe 2532 Gmlablaa.exe 236 Gagmbkik.exe 2252 Gpjmnh32.exe 2900 Gdfiofhn.exe 1632 Ggdekbgb.exe 2520 Gibbgmfe.exe 576 Gmnngl32.exe 1276 Gdhfdffl.exe 1740 Gckfpc32.exe 3004 Ggfbpaeo.exe 832 Gieommdc.exe 2852 Gmqkml32.exe 1544 Gpogiglp.exe 1680 Gcmcebkc.exe -
Loads dropped DLL 64 IoCs
pid Process 2624 1af4d673e50cc088509f6763f7640634f62d41383202afb93a67654444ac83c1N.exe 2624 1af4d673e50cc088509f6763f7640634f62d41383202afb93a67654444ac83c1N.exe 2672 Doabjbci.exe 2672 Doabjbci.exe 2656 Dghjkpck.exe 2656 Dghjkpck.exe 2712 Djgfgkbo.exe 2712 Djgfgkbo.exe 2588 Dqaode32.exe 2588 Dqaode32.exe 2652 Dfngll32.exe 2652 Dfngll32.exe 1684 Dilchhgg.exe 1684 Dilchhgg.exe 1488 Dkjpdcfj.exe 1488 Dkjpdcfj.exe 2088 Dbdham32.exe 2088 Dbdham32.exe 3036 Decdmi32.exe 3036 Decdmi32.exe 836 Dkmljcdh.exe 836 Dkmljcdh.exe 2112 Dnkhfnck.exe 2112 Dnkhfnck.exe 2352 Deeqch32.exe 2352 Deeqch32.exe 3040 Dgcmod32.exe 3040 Dgcmod32.exe 3052 Enneln32.exe 3052 Enneln32.exe 1992 Ealahi32.exe 1992 Ealahi32.exe 3048 Eiciig32.exe 3048 Eiciig32.exe 1960 Elaeeb32.exe 1960 Elaeeb32.exe 1532 Enpban32.exe 1532 Enpban32.exe 1260 Eejjnhgc.exe 1260 Eejjnhgc.exe 1356 Ecmjid32.exe 1356 Ecmjid32.exe 2888 Eldbkbop.exe 2888 Eldbkbop.exe 1748 Enbogmnc.exe 1748 Enbogmnc.exe 2984 Eelgcg32.exe 2984 Eelgcg32.exe 2388 Ecogodlk.exe 2388 Ecogodlk.exe 988 Ejioln32.exe 988 Ejioln32.exe 2768 Endklmlq.exe 2768 Endklmlq.exe 2752 Eacghhkd.exe 2752 Eacghhkd.exe 2848 Efppqoil.exe 2848 Efppqoil.exe 2564 Ejklan32.exe 2564 Ejklan32.exe 2956 Ephdjeol.exe 2956 Ephdjeol.exe 444 Ffbmfo32.exe 444 Ffbmfo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kbnlnmnm.dll Lilfgq32.exe File opened for modification C:\Windows\SysWOW64\Mkibjgli.exe Mgnfji32.exe File created C:\Windows\SysWOW64\Qekbgbpf.exe Qaofgc32.exe File opened for modification C:\Windows\SysWOW64\Qifnhaho.exe Qekbgbpf.exe File created C:\Windows\SysWOW64\Almpdj32.dll Ejfllhao.exe File opened for modification C:\Windows\SysWOW64\Jkdcdf32.exe Iifghk32.exe File opened for modification C:\Windows\SysWOW64\Kihpmnbb.exe Kfidqb32.exe File opened for modification C:\Windows\SysWOW64\Kpdeoh32.exe Klhioioc.exe File created C:\Windows\SysWOW64\Elhnce32.dll Lalhgogb.exe File opened for modification C:\Windows\SysWOW64\Qncfphff.exe Qldjdlgb.exe File created C:\Windows\SysWOW64\Bdohpb32.dll Cgjgol32.exe File created C:\Windows\SysWOW64\Cpiaipmh.exe Clnehado.exe File opened for modification C:\Windows\SysWOW64\Dgcmod32.exe Deeqch32.exe File created C:\Windows\SysWOW64\Hjjbejog.dll Endklmlq.exe File created C:\Windows\SysWOW64\Fdbhpk32.dll Lkgifd32.exe File created C:\Windows\SysWOW64\Jdncnflm.dll Ajldkhjh.exe File created C:\Windows\SysWOW64\Bfdbgnmd.dll Nfglfdeb.exe File opened for modification C:\Windows\SysWOW64\Chggdoee.exe Cppobaeb.exe File opened for modification C:\Windows\SysWOW64\Cjmmffgn.exe Cfaqfh32.exe File created C:\Windows\SysWOW64\Dochelmj.exe Dkgldm32.exe File created C:\Windows\SysWOW64\Jkkjeeke.exe Jcdadhjb.exe File opened for modification C:\Windows\SysWOW64\Mejmmqpd.exe Maoalb32.exe File created C:\Windows\SysWOW64\Lmeebpkd.exe Lkgifd32.exe File created C:\Windows\SysWOW64\Oodjjign.exe Okinik32.exe File created C:\Windows\SysWOW64\Oggeokoq.exe Ockinl32.exe File opened for modification C:\Windows\SysWOW64\Bfjkphjd.exe Abnopj32.exe File created C:\Windows\SysWOW64\Enbogmnc.exe Eldbkbop.exe File created C:\Windows\SysWOW64\Lcfejhma.dll Koibpd32.exe File created C:\Windows\SysWOW64\Nplkbo32.dll Pflbpg32.exe File created C:\Windows\SysWOW64\Nabcho32.dll Immjnj32.exe File created C:\Windows\SysWOW64\Blcajboa.dll Jnifaajh.exe File created C:\Windows\SysWOW64\Jbekkd32.dll Lkelpd32.exe File created C:\Windows\SysWOW64\Aphdkpjd.dll Mneaacno.exe File created C:\Windows\SysWOW64\Qkekbn32.dll Okkkoj32.exe File created C:\Windows\SysWOW64\Hmdkip32.dll Dmmbge32.exe File created C:\Windows\SysWOW64\Geloanjg.exe Ggiofa32.exe File created C:\Windows\SysWOW64\Mmgofm32.dll Hqochjnk.exe File created C:\Windows\SysWOW64\Eqkjmcmq.exe Empomd32.exe File created C:\Windows\SysWOW64\Nnfdgopc.dll Hhcndhap.exe File created C:\Windows\SysWOW64\Nlobbi32.dll Hdjoii32.exe File opened for modification C:\Windows\SysWOW64\Lbgkfbbj.exe Klmbjh32.exe File created C:\Windows\SysWOW64\Akpcdopi.dll Bknmok32.exe File created C:\Windows\SysWOW64\Cnabffeo.exe Bkcfjk32.exe File created C:\Windows\SysWOW64\Fkgodoah.dll Ffdilo32.exe File created C:\Windows\SysWOW64\Jpdepqif.dll Gigkbm32.exe File created C:\Windows\SysWOW64\Pncjad32.exe Pjhnqfla.exe File opened for modification C:\Windows\SysWOW64\Bihgmdih.exe Bfjkphjd.exe File created C:\Windows\SysWOW64\Aeelon32.dll Bhndnpnp.exe File opened for modification C:\Windows\SysWOW64\Bahelebm.exe Bojipjcj.exe File created C:\Windows\SysWOW64\Cfaqfh32.exe Cccdjl32.exe File created C:\Windows\SysWOW64\Honfqb32.exe Hkbkpcpd.exe File created C:\Windows\SysWOW64\Mfeilp32.dll Kimjhnnl.exe File created C:\Windows\SysWOW64\Kpbhjh32.exe Kmclmm32.exe File opened for modification C:\Windows\SysWOW64\Laaabo32.exe Lmeebpkd.exe File opened for modification C:\Windows\SysWOW64\Macjgadf.exe Mnhnfckm.exe File created C:\Windows\SysWOW64\Lpkjfakb.dll Oqmmbqgd.exe File opened for modification C:\Windows\SysWOW64\Bimphc32.exe Bafhff32.exe File opened for modification C:\Windows\SysWOW64\Flnndp32.exe Fhbbcail.exe File created C:\Windows\SysWOW64\Jkfpjf32.exe Jihdnk32.exe File opened for modification C:\Windows\SysWOW64\Jecnnk32.exe Jahbmlil.exe File created C:\Windows\SysWOW64\Oknhdjko.exe Oiokholk.exe File created C:\Windows\SysWOW64\Iifpfl32.dll Ockinl32.exe File created C:\Windows\SysWOW64\Dklepmal.exe Dcemnopj.exe File created C:\Windows\SysWOW64\Lehdhn32.exe Lalhgogb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5604 5568 WerFault.exe 508 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eejjnhgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogdhik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hijhhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meecaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nflfad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkmjlca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngeljh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qldjdlgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kamlhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paafmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdcmig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajnqphhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmqmpdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhndnpnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qldjdlgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajldkhjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgnkilf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbfjkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laodmoep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdhfdffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcppkbia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkdioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdpdnpif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcdadhjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnfhqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebcmfj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejioln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmjomogn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enbogmnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfpdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpniokan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfjkphjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckfpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gieommdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glfgnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnpgloog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldpnoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhkcnfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epeajo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fllaopcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiciig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmlablaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmaphmln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhimji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llkbcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okinik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklpjlmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkcfjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhkfnlme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nladco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckecpjdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lilfgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfglfdeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkkoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddkgbc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcemnopj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fedfgejh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ephdjeol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajocl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmcilp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqojhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkghqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dochelmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqngcc32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbglpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afcdpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjbejog.dll" Endklmlq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Monhjgkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkdioh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgnfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgibdjln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fenphjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbihoo32.dll" Gdfiofhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajnnkldn.dll" Haemloni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Miapbpmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anhpkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clfnfl32.dll" Hhaanh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bojipjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nelafe32.dll" Cnabffeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjlnjmna.dll" Decdmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebockkal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejioln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fobkfqpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obecld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bihgmdih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkbokl32.dll" Efhcej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Padccpal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdajpkkj.dll" Bhpqcpkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gcppkbia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmgofm32.dll" Hqochjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Boandf32.dll" Jbnlaqhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mehpga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aolgka32.dll" Oiokholk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiciig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppfafphp.dll" Keoabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lonlkcho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqmqcmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Clnehado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbqkeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbdimmi.dll" Cfaqfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoinika.dll" Dbdagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijidfpci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmjomogn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qldjdlgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egfdjljo.dll" Ammmlcgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgmicg32.dll" Appbcn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efoifiep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enpban32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jandaf32.dll" Ggiofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onoqfehp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgibdjln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjjkfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfifock.dll" Deeqch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iiicagla.dll" Eelgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njdfnb32.dll" Lkifkdjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nggipg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiokholk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apilcoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbogaf32.dll" Cffjagko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmkmnp32.dll" Efoifiep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpacogjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aocbokia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlboca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccpbd32.dll" Bfjkphjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fllaopcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fodgkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oepbmk32.dll" Goiafp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqochjnk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2624 wrote to memory of 2672 2624 1af4d673e50cc088509f6763f7640634f62d41383202afb93a67654444ac83c1N.exe 30 PID 2624 wrote to memory of 2672 2624 1af4d673e50cc088509f6763f7640634f62d41383202afb93a67654444ac83c1N.exe 30 PID 2624 wrote to memory of 2672 2624 1af4d673e50cc088509f6763f7640634f62d41383202afb93a67654444ac83c1N.exe 30 PID 2624 wrote to memory of 2672 2624 1af4d673e50cc088509f6763f7640634f62d41383202afb93a67654444ac83c1N.exe 30 PID 2672 wrote to memory of 2656 2672 Doabjbci.exe 31 PID 2672 wrote to memory of 2656 2672 Doabjbci.exe 31 PID 2672 wrote to memory of 2656 2672 Doabjbci.exe 31 PID 2672 wrote to memory of 2656 2672 Doabjbci.exe 31 PID 2656 wrote to memory of 2712 2656 Dghjkpck.exe 32 PID 2656 wrote to memory of 2712 2656 Dghjkpck.exe 32 PID 2656 wrote to memory of 2712 2656 Dghjkpck.exe 32 PID 2656 wrote to memory of 2712 2656 Dghjkpck.exe 32 PID 2712 wrote to memory of 2588 2712 Djgfgkbo.exe 33 PID 2712 wrote to memory of 2588 2712 Djgfgkbo.exe 33 PID 2712 wrote to memory of 2588 2712 Djgfgkbo.exe 33 PID 2712 wrote to memory of 2588 2712 Djgfgkbo.exe 33 PID 2588 wrote to memory of 2652 2588 Dqaode32.exe 34 PID 2588 wrote to memory of 2652 2588 Dqaode32.exe 34 PID 2588 wrote to memory of 2652 2588 Dqaode32.exe 34 PID 2588 wrote to memory of 2652 2588 Dqaode32.exe 34 PID 2652 wrote to memory of 1684 2652 Dfngll32.exe 35 PID 2652 wrote to memory of 1684 2652 Dfngll32.exe 35 PID 2652 wrote to memory of 1684 2652 Dfngll32.exe 35 PID 2652 wrote to memory of 1684 2652 Dfngll32.exe 35 PID 1684 wrote to memory of 1488 1684 Dilchhgg.exe 36 PID 1684 wrote to memory of 1488 1684 Dilchhgg.exe 36 PID 1684 wrote to memory of 1488 1684 Dilchhgg.exe 36 PID 1684 wrote to memory of 1488 1684 Dilchhgg.exe 36 PID 1488 wrote to memory of 2088 1488 Dkjpdcfj.exe 37 PID 1488 wrote to memory of 2088 1488 Dkjpdcfj.exe 37 PID 1488 wrote to memory of 2088 1488 Dkjpdcfj.exe 37 PID 1488 wrote to memory of 2088 1488 Dkjpdcfj.exe 37 PID 2088 wrote to memory of 3036 2088 Dbdham32.exe 38 PID 2088 wrote to memory of 3036 2088 Dbdham32.exe 38 PID 2088 wrote to memory of 3036 2088 Dbdham32.exe 38 PID 2088 wrote to memory of 3036 2088 Dbdham32.exe 38 PID 3036 wrote to memory of 836 3036 Decdmi32.exe 39 PID 3036 wrote to memory of 836 3036 Decdmi32.exe 39 PID 3036 wrote to memory of 836 3036 Decdmi32.exe 39 PID 3036 wrote to memory of 836 3036 Decdmi32.exe 39 PID 836 wrote to memory of 2112 836 Dkmljcdh.exe 40 PID 836 wrote to memory of 2112 836 Dkmljcdh.exe 40 PID 836 wrote to memory of 2112 836 Dkmljcdh.exe 40 PID 836 wrote to memory of 2112 836 Dkmljcdh.exe 40 PID 2112 wrote to memory of 2352 2112 Dnkhfnck.exe 41 PID 2112 wrote to memory of 2352 2112 Dnkhfnck.exe 41 PID 2112 wrote to memory of 2352 2112 Dnkhfnck.exe 41 PID 2112 wrote to memory of 2352 2112 Dnkhfnck.exe 41 PID 2352 wrote to memory of 3040 2352 Deeqch32.exe 42 PID 2352 wrote to memory of 3040 2352 Deeqch32.exe 42 PID 2352 wrote to memory of 3040 2352 Deeqch32.exe 42 PID 2352 wrote to memory of 3040 2352 Deeqch32.exe 42 PID 3040 wrote to memory of 3052 3040 Dgcmod32.exe 43 PID 3040 wrote to memory of 3052 3040 Dgcmod32.exe 43 PID 3040 wrote to memory of 3052 3040 Dgcmod32.exe 43 PID 3040 wrote to memory of 3052 3040 Dgcmod32.exe 43 PID 3052 wrote to memory of 1992 3052 Enneln32.exe 44 PID 3052 wrote to memory of 1992 3052 Enneln32.exe 44 PID 3052 wrote to memory of 1992 3052 Enneln32.exe 44 PID 3052 wrote to memory of 1992 3052 Enneln32.exe 44 PID 1992 wrote to memory of 3048 1992 Ealahi32.exe 45 PID 1992 wrote to memory of 3048 1992 Ealahi32.exe 45 PID 1992 wrote to memory of 3048 1992 Ealahi32.exe 45 PID 1992 wrote to memory of 3048 1992 Ealahi32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1af4d673e50cc088509f6763f7640634f62d41383202afb93a67654444ac83c1N.exe"C:\Users\Admin\AppData\Local\Temp\1af4d673e50cc088509f6763f7640634f62d41383202afb93a67654444ac83c1N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Doabjbci.exeC:\Windows\system32\Doabjbci.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Dghjkpck.exeC:\Windows\system32\Dghjkpck.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Djgfgkbo.exeC:\Windows\system32\Djgfgkbo.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\Dqaode32.exeC:\Windows\system32\Dqaode32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Dfngll32.exeC:\Windows\system32\Dfngll32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Dilchhgg.exeC:\Windows\system32\Dilchhgg.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1684 -
C:\Windows\SysWOW64\Dkjpdcfj.exeC:\Windows\system32\Dkjpdcfj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\Dbdham32.exeC:\Windows\system32\Dbdham32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Decdmi32.exeC:\Windows\system32\Decdmi32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Dkmljcdh.exeC:\Windows\system32\Dkmljcdh.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:836 -
C:\Windows\SysWOW64\Dnkhfnck.exeC:\Windows\system32\Dnkhfnck.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Deeqch32.exeC:\Windows\system32\Deeqch32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Dgcmod32.exeC:\Windows\system32\Dgcmod32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Enneln32.exeC:\Windows\system32\Enneln32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Ealahi32.exeC:\Windows\system32\Ealahi32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Eiciig32.exeC:\Windows\system32\Eiciig32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Elaeeb32.exeC:\Windows\system32\Elaeeb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1960 -
C:\Windows\SysWOW64\Enpban32.exeC:\Windows\system32\Enpban32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Eejjnhgc.exeC:\Windows\system32\Eejjnhgc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1260 -
C:\Windows\SysWOW64\Ecmjid32.exeC:\Windows\system32\Ecmjid32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1356 -
C:\Windows\SysWOW64\Eldbkbop.exeC:\Windows\system32\Eldbkbop.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Enbogmnc.exeC:\Windows\system32\Enbogmnc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1748 -
C:\Windows\SysWOW64\Eelgcg32.exeC:\Windows\system32\Eelgcg32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Ecogodlk.exeC:\Windows\system32\Ecogodlk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2388 -
C:\Windows\SysWOW64\Ejioln32.exeC:\Windows\system32\Ejioln32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Endklmlq.exeC:\Windows\system32\Endklmlq.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Eacghhkd.exeC:\Windows\system32\Eacghhkd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Efppqoil.exeC:\Windows\system32\Efppqoil.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Ejklan32.exeC:\Windows\system32\Ejklan32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Ephdjeol.exeC:\Windows\system32\Ephdjeol.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Ffbmfo32.exeC:\Windows\system32\Ffbmfo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:444 -
C:\Windows\SysWOW64\Fiqibj32.exeC:\Windows\system32\Fiqibj32.exe33⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Floeof32.exeC:\Windows\system32\Floeof32.exe34⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Ffdilo32.exeC:\Windows\system32\Ffdilo32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Fmnahilc.exeC:\Windows\system32\Fmnahilc.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Fopnpaba.exeC:\Windows\system32\Fopnpaba.exe37⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Ffgfancd.exeC:\Windows\system32\Ffgfancd.exe38⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Fhhbif32.exeC:\Windows\system32\Fhhbif32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Flcojeak.exeC:\Windows\system32\Flcojeak.exe40⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Fobkfqpo.exeC:\Windows\system32\Fobkfqpo.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Felcbk32.exeC:\Windows\system32\Felcbk32.exe42⤵
- Executes dropped EXE
PID:1924 -
C:\Windows\SysWOW64\Fodgkp32.exeC:\Windows\system32\Fodgkp32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Fenphjei.exeC:\Windows\system32\Fenphjei.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1028 -
C:\Windows\SysWOW64\Fhmldfdm.exeC:\Windows\system32\Fhmldfdm.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Fkkhpadq.exeC:\Windows\system32\Fkkhpadq.exe46⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Gmidlmcd.exeC:\Windows\system32\Gmidlmcd.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:528 -
C:\Windows\SysWOW64\Geqlnjcf.exeC:\Windows\system32\Geqlnjcf.exe48⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Gdcmig32.exeC:\Windows\system32\Gdcmig32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Gkmefaan.exeC:\Windows\system32\Gkmefaan.exe50⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Goiafp32.exeC:\Windows\system32\Goiafp32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Gmlablaa.exeC:\Windows\system32\Gmlablaa.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Gagmbkik.exeC:\Windows\system32\Gagmbkik.exe53⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Gpjmnh32.exeC:\Windows\system32\Gpjmnh32.exe54⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Gdfiofhn.exeC:\Windows\system32\Gdfiofhn.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2900 -
C:\Windows\SysWOW64\Ggdekbgb.exeC:\Windows\system32\Ggdekbgb.exe56⤵
- Executes dropped EXE
PID:1632 -
C:\Windows\SysWOW64\Gibbgmfe.exeC:\Windows\system32\Gibbgmfe.exe57⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Gmnngl32.exeC:\Windows\system32\Gmnngl32.exe58⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Gdhfdffl.exeC:\Windows\system32\Gdhfdffl.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1276 -
C:\Windows\SysWOW64\Gckfpc32.exeC:\Windows\system32\Gckfpc32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Ggfbpaeo.exeC:\Windows\system32\Ggfbpaeo.exe61⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Gieommdc.exeC:\Windows\system32\Gieommdc.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:832 -
C:\Windows\SysWOW64\Gmqkml32.exeC:\Windows\system32\Gmqkml32.exe63⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Gpogiglp.exeC:\Windows\system32\Gpogiglp.exe64⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Gcmcebkc.exeC:\Windows\system32\Gcmcebkc.exe65⤵
- Executes dropped EXE
PID:1680 -
C:\Windows\SysWOW64\Ggiofa32.exeC:\Windows\system32\Ggiofa32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:568 -
C:\Windows\SysWOW64\Geloanjg.exeC:\Windows\system32\Geloanjg.exe67⤵PID:740
-
C:\Windows\SysWOW64\Gigkbm32.exeC:\Windows\system32\Gigkbm32.exe68⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Glfgnh32.exeC:\Windows\system32\Glfgnh32.exe69⤵
- System Location Discovery: System Language Discovery
PID:2856 -
C:\Windows\SysWOW64\Gpacogjm.exeC:\Windows\system32\Gpacogjm.exe70⤵
- Modifies registry class
PID:400 -
C:\Windows\SysWOW64\Gcppkbia.exeC:\Windows\system32\Gcppkbia.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Hijhhl32.exeC:\Windows\system32\Hijhhl32.exe72⤵
- System Location Discovery: System Language Discovery
PID:1576 -
C:\Windows\SysWOW64\Hhmhcigh.exeC:\Windows\system32\Hhmhcigh.exe73⤵PID:2244
-
C:\Windows\SysWOW64\Hlhddh32.exeC:\Windows\system32\Hlhddh32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1236 -
C:\Windows\SysWOW64\Hpcpdfhj.exeC:\Windows\system32\Hpcpdfhj.exe75⤵PID:804
-
C:\Windows\SysWOW64\Hcblqb32.exeC:\Windows\system32\Hcblqb32.exe76⤵PID:1084
-
C:\Windows\SysWOW64\Haemloni.exeC:\Windows\system32\Haemloni.exe77⤵
- Modifies registry class
PID:1252 -
C:\Windows\SysWOW64\Hhoeii32.exeC:\Windows\system32\Hhoeii32.exe78⤵PID:1524
-
C:\Windows\SysWOW64\Hljaigmo.exeC:\Windows\system32\Hljaigmo.exe79⤵PID:960
-
C:\Windows\SysWOW64\Hkmaed32.exeC:\Windows\system32\Hkmaed32.exe80⤵PID:1520
-
C:\Windows\SysWOW64\Hcdifa32.exeC:\Windows\system32\Hcdifa32.exe81⤵PID:1780
-
C:\Windows\SysWOW64\Hecebm32.exeC:\Windows\system32\Hecebm32.exe82⤵PID:2016
-
C:\Windows\SysWOW64\Hhaanh32.exeC:\Windows\system32\Hhaanh32.exe83⤵
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Hlmnogkl.exeC:\Windows\system32\Hlmnogkl.exe84⤵PID:2780
-
C:\Windows\SysWOW64\Hokjkbkp.exeC:\Windows\system32\Hokjkbkp.exe85⤵PID:2556
-
C:\Windows\SysWOW64\Hnnjfo32.exeC:\Windows\system32\Hnnjfo32.exe86⤵PID:2548
-
C:\Windows\SysWOW64\Hajfgnjc.exeC:\Windows\system32\Hajfgnjc.exe87⤵PID:2444
-
C:\Windows\SysWOW64\Hdhbci32.exeC:\Windows\system32\Hdhbci32.exe88⤵PID:1332
-
C:\Windows\SysWOW64\Hhcndhap.exeC:\Windows\system32\Hhcndhap.exe89⤵
- Drops file in System32 directory
PID:316 -
C:\Windows\SysWOW64\Hgfooe32.exeC:\Windows\system32\Hgfooe32.exe90⤵PID:2360
-
C:\Windows\SysWOW64\Hkbkpcpd.exeC:\Windows\system32\Hkbkpcpd.exe91⤵
- Drops file in System32 directory
PID:1336 -
C:\Windows\SysWOW64\Honfqb32.exeC:\Windows\system32\Honfqb32.exe92⤵PID:2876
-
C:\Windows\SysWOW64\Hnpgloog.exeC:\Windows\system32\Hnpgloog.exe93⤵
- System Location Discovery: System Language Discovery
PID:644 -
C:\Windows\SysWOW64\Hqochjnk.exeC:\Windows\system32\Hqochjnk.exe94⤵
- Modifies registry class
PID:1364 -
C:\Windows\SysWOW64\Hqochjnk.exeC:\Windows\system32\Hqochjnk.exe95⤵
- Drops file in System32 directory
- Modifies registry class
PID:1428 -
C:\Windows\SysWOW64\Hdjoii32.exeC:\Windows\system32\Hdjoii32.exe96⤵
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Hgiked32.exeC:\Windows\system32\Hgiked32.exe97⤵PID:2676
-
C:\Windows\SysWOW64\Hkdgecna.exeC:\Windows\system32\Hkdgecna.exe98⤵PID:2648
-
C:\Windows\SysWOW64\Hjggap32.exeC:\Windows\system32\Hjggap32.exe99⤵PID:2544
-
C:\Windows\SysWOW64\Hnbcaome.exeC:\Windows\system32\Hnbcaome.exe100⤵PID:2604
-
C:\Windows\SysWOW64\Iqapnjli.exeC:\Windows\system32\Iqapnjli.exe101⤵PID:608
-
C:\Windows\SysWOW64\Ikfdkc32.exeC:\Windows\system32\Ikfdkc32.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:844 -
C:\Windows\SysWOW64\Ijidfpci.exeC:\Windows\system32\Ijidfpci.exe103⤵
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Inepgn32.exeC:\Windows\system32\Inepgn32.exe104⤵PID:2168
-
C:\Windows\SysWOW64\Imhqbkbm.exeC:\Windows\system32\Imhqbkbm.exe105⤵PID:3028
-
C:\Windows\SysWOW64\Iqcmcj32.exeC:\Windows\system32\Iqcmcj32.exe106⤵PID:2436
-
C:\Windows\SysWOW64\Icbipe32.exeC:\Windows\system32\Icbipe32.exe107⤵PID:2020
-
C:\Windows\SysWOW64\Ifpelq32.exeC:\Windows\system32\Ifpelq32.exe108⤵PID:564
-
C:\Windows\SysWOW64\Ijlaloaf.exeC:\Windows\system32\Ijlaloaf.exe109⤵PID:2788
-
C:\Windows\SysWOW64\Ingmmn32.exeC:\Windows\system32\Ingmmn32.exe110⤵PID:2996
-
C:\Windows\SysWOW64\Ioiidfon.exeC:\Windows\system32\Ioiidfon.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1948 -
C:\Windows\SysWOW64\Icdeee32.exeC:\Windows\system32\Icdeee32.exe112⤵PID:2096
-
C:\Windows\SysWOW64\Ifbaapfk.exeC:\Windows\system32\Ifbaapfk.exe113⤵PID:1164
-
C:\Windows\SysWOW64\Ijnnao32.exeC:\Windows\system32\Ijnnao32.exe114⤵PID:1820
-
C:\Windows\SysWOW64\Immjnj32.exeC:\Windows\system32\Immjnj32.exe115⤵
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Iokfjf32.exeC:\Windows\system32\Iokfjf32.exe116⤵PID:2072
-
C:\Windows\SysWOW64\Ijqjgo32.exeC:\Windows\system32\Ijqjgo32.exe117⤵PID:760
-
C:\Windows\SysWOW64\Imogcj32.exeC:\Windows\system32\Imogcj32.exe118⤵PID:2268
-
C:\Windows\SysWOW64\Ikagogco.exeC:\Windows\system32\Ikagogco.exe119⤵PID:2644
-
C:\Windows\SysWOW64\Iciopdca.exeC:\Windows\system32\Iciopdca.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2204 -
C:\Windows\SysWOW64\Iblola32.exeC:\Windows\system32\Iblola32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2908
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-