Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09/10/2024, 04:27
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ea7f7b8a97c4ec658c1d48a63c687318790c4b96deb8226458ff249293698bef.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
150 seconds
Behavioral task
behavioral2
Sample
ea7f7b8a97c4ec658c1d48a63c687318790c4b96deb8226458ff249293698bef.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
ea7f7b8a97c4ec658c1d48a63c687318790c4b96deb8226458ff249293698bef.exe
-
Size
80KB
-
MD5
a1194f0ceb6430af8d9d39463092d12f
-
SHA1
e78f6e70144216d71630c8adb7bc21279355795d
-
SHA256
ea7f7b8a97c4ec658c1d48a63c687318790c4b96deb8226458ff249293698bef
-
SHA512
076e0ece1ad294d53bab14492be8bbafadd119bde96be9c4e65159ecee81565094c1794d7624a1c142414df479ec22f42613496b1de857c56a407d427a97c570
-
SSDEEP
1536:bj44ZaFpVoIdv4pe9PPiTLMDPLs8zDfWqdMVrlEFtyb7IYOOqw4Tv:1ZaloIdvee9PMwDDs8zTWqAhELy1MTTv
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehjqgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbbobkol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eeagimdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgbfnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmeon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhjlli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnpciaef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgchgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gonale32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efljhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcjmmdbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lghgmg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dokfme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iegeonpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijphofem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boifga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eojlbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjpdjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaihob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbggif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebklic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giipab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhdlad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfdddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcpacf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lofifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oemgplgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cagienkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmhbkohm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdghaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfmmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pofkha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgdkkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfodfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mimpkcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieomef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggggoda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgocmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hddmjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnmfdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpfplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cchbgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpcoeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcadghnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eklqcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdiogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcigco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Momfan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhbnbpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmpcca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefcfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgfjggll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nflchkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckhdggom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdjqamme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jagpdd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppddpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkgpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iieepbje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgnkci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpnopm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkecij32.exe -
Executes dropped EXE 64 IoCs
pid Process 2388 Dmojkc32.exe 2384 Epmfgo32.exe 1924 Eggndi32.exe 2852 Eldglp32.exe 2972 Ecnoijbd.exe 2832 Eihgfd32.exe 2628 Ehkhaqpk.exe 3048 Eoepnk32.exe 584 Ecploipa.exe 1676 Eeohkeoe.exe 2164 Ehmdgp32.exe 2576 Eklqcl32.exe 1084 Eogmcjef.exe 1776 Ecbhdi32.exe 2288 Eeaepd32.exe 2140 Ehpalp32.exe 1604 Elkmmodo.exe 2992 Enlidg32.exe 1372 Eaheeecg.exe 984 Edfbaabj.exe 1740 Fhbnbpjc.exe 1376 Fkpjnkig.exe 2548 Folfoj32.exe 2560 Fnofjfhk.exe 1540 Fajbke32.exe 2276 Fdiogq32.exe 988 Fggkcl32.exe 2836 Fnacpffh.exe 2640 Fpoolael.exe 2620 Fcnkhmdp.exe 2176 Fkecij32.exe 1668 Flfpabkp.exe 1980 Fqalaa32.exe 1544 Fgldnkkf.exe 2680 Ffodjh32.exe 2808 Flhmfbim.exe 2232 Fogibnha.exe 1664 Fcbecl32.exe 1960 Fgnadkic.exe 820 Gceailog.exe 2936 Gbhbdi32.exe 2928 Gjojef32.exe 900 Gkpfmnlb.exe 2472 Gcgnnlle.exe 2380 Gbjojh32.exe 316 Gdhkfd32.exe 1696 Ghdgfbkl.exe 2844 Gonocmbi.exe 2756 Gblkoham.exe 372 Gdkgkcpq.exe 2840 Gifclb32.exe 2440 Ggicgopd.exe 2736 Gkephn32.exe 2816 Gncldi32.exe 2240 Gbohehoj.exe 1624 Gqahqd32.exe 1288 Giipab32.exe 1276 Ggkqmoma.exe 2304 Gjjmijme.exe 1304 Gneijien.exe 2072 Gqdefddb.exe 2720 Gepafc32.exe 2208 Gcbabpcf.exe 1876 Ggnmbn32.exe -
Loads dropped DLL 64 IoCs
pid Process 2128 ea7f7b8a97c4ec658c1d48a63c687318790c4b96deb8226458ff249293698bef.exe 2128 ea7f7b8a97c4ec658c1d48a63c687318790c4b96deb8226458ff249293698bef.exe 2388 Dmojkc32.exe 2388 Dmojkc32.exe 2384 Epmfgo32.exe 2384 Epmfgo32.exe 1924 Eggndi32.exe 1924 Eggndi32.exe 2852 Eldglp32.exe 2852 Eldglp32.exe 2972 Ecnoijbd.exe 2972 Ecnoijbd.exe 2832 Eihgfd32.exe 2832 Eihgfd32.exe 2628 Ehkhaqpk.exe 2628 Ehkhaqpk.exe 3048 Eoepnk32.exe 3048 Eoepnk32.exe 584 Ecploipa.exe 584 Ecploipa.exe 1676 Eeohkeoe.exe 1676 Eeohkeoe.exe 2164 Ehmdgp32.exe 2164 Ehmdgp32.exe 2576 Eklqcl32.exe 2576 Eklqcl32.exe 1084 Eogmcjef.exe 1084 Eogmcjef.exe 1776 Ecbhdi32.exe 1776 Ecbhdi32.exe 2288 Eeaepd32.exe 2288 Eeaepd32.exe 2140 Ehpalp32.exe 2140 Ehpalp32.exe 1604 Elkmmodo.exe 1604 Elkmmodo.exe 2992 Enlidg32.exe 2992 Enlidg32.exe 1372 Eaheeecg.exe 1372 Eaheeecg.exe 984 Edfbaabj.exe 984 Edfbaabj.exe 1740 Fhbnbpjc.exe 1740 Fhbnbpjc.exe 1376 Fkpjnkig.exe 1376 Fkpjnkig.exe 2548 Folfoj32.exe 2548 Folfoj32.exe 2560 Fnofjfhk.exe 2560 Fnofjfhk.exe 1540 Fajbke32.exe 1540 Fajbke32.exe 2276 Fdiogq32.exe 2276 Fdiogq32.exe 988 Fggkcl32.exe 988 Fggkcl32.exe 2836 Fnacpffh.exe 2836 Fnacpffh.exe 2640 Fpoolael.exe 2640 Fpoolael.exe 2620 Fcnkhmdp.exe 2620 Fcnkhmdp.exe 2176 Fkecij32.exe 2176 Fkecij32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nfoghakb.exe Nabopjmj.exe File created C:\Windows\SysWOW64\Kechdf32.exe Kcdlhj32.exe File created C:\Windows\SysWOW64\Bbjjjgna.dll Pjleclph.exe File opened for modification C:\Windows\SysWOW64\Ggkqmoma.exe Giipab32.exe File created C:\Windows\SysWOW64\Fdakoaln.dll Pdgmlhha.exe File created C:\Windows\SysWOW64\Hjmicg32.dll Lngpog32.exe File created C:\Windows\SysWOW64\Ifemminl.dll Fkqlgc32.exe File created C:\Windows\SysWOW64\Kbclpfop.dll Ikqnlh32.exe File created C:\Windows\SysWOW64\Jpigma32.exe Jhbold32.exe File created C:\Windows\SysWOW64\Gahjmjal.dll Ibkmchbh.exe File created C:\Windows\SysWOW64\Omhhke32.exe Oeaqig32.exe File created C:\Windows\SysWOW64\Gejgei32.dll Djiqdb32.exe File created C:\Windows\SysWOW64\Angldo32.dll Foolgh32.exe File created C:\Windows\SysWOW64\Hmjoqo32.exe Hjlbdc32.exe File opened for modification C:\Windows\SysWOW64\Flfpabkp.exe Fkecij32.exe File created C:\Windows\SysWOW64\Mqehjecl.exe Mbchni32.exe File created C:\Windows\SysWOW64\Pdfndl32.dll Giolnomh.exe File created C:\Windows\SysWOW64\Lhlqjone.exe Lemdncoa.exe File created C:\Windows\SysWOW64\Mjcjog32.exe Mfgnnhkc.exe File created C:\Windows\SysWOW64\Mjaddn32.exe Lgchgb32.exe File created C:\Windows\SysWOW64\Ofkggbgh.dll Jfdhmk32.exe File created C:\Windows\SysWOW64\Piliii32.exe Pfnmmn32.exe File opened for modification C:\Windows\SysWOW64\Qemldifo.exe Qbnphngk.exe File created C:\Windows\SysWOW64\Kageia32.exe Kipmhc32.exe File created C:\Windows\SysWOW64\Epmfgo32.exe Dmojkc32.exe File opened for modification C:\Windows\SysWOW64\Mobfgdcl.exe Mqpflg32.exe File created C:\Windows\SysWOW64\Kojgdjqe.dll Eodicd32.exe File created C:\Windows\SysWOW64\Fibcoalf.exe Fgdgcfmb.exe File created C:\Windows\SysWOW64\Lanbdf32.exe Lopfhk32.exe File created C:\Windows\SysWOW64\Bieepc32.dll Eblelb32.exe File created C:\Windows\SysWOW64\Dhcihn32.dll Eojlbb32.exe File opened for modification C:\Windows\SysWOW64\Ibfmmb32.exe Iogpag32.exe File created C:\Windows\SysWOW64\Bbnlpnob.dll Hpbdmo32.exe File opened for modification C:\Windows\SysWOW64\Kfodfh32.exe Kdphjm32.exe File created C:\Windows\SysWOW64\Knkgpi32.exe Kgqocoin.exe File opened for modification C:\Windows\SysWOW64\Lopfhk32.exe Lkdjglfo.exe File opened for modification C:\Windows\SysWOW64\Honnki32.exe Hmpaom32.exe File created C:\Windows\SysWOW64\Iinhdmma.exe Ifolhann.exe File opened for modification C:\Windows\SysWOW64\Fodebh32.exe Fleifl32.exe File opened for modification C:\Windows\SysWOW64\Dcllbhdn.exe Danpemej.exe File opened for modification C:\Windows\SysWOW64\Nnnbni32.exe Nfgjml32.exe File created C:\Windows\SysWOW64\Fkecij32.exe Fcnkhmdp.exe File created C:\Windows\SysWOW64\Egpfmb32.dll Kdpfadlm.exe File created C:\Windows\SysWOW64\Hjfnnajl.exe Hbofmcij.exe File created C:\Windows\SysWOW64\Abqcpo32.dll Kambcbhb.exe File created C:\Windows\SysWOW64\Hneeilgj.exe Hpbdmo32.exe File opened for modification C:\Windows\SysWOW64\Klngkfge.exe Knkgpi32.exe File created C:\Windows\SysWOW64\Jmgghnmp.dll Olbfagca.exe File created C:\Windows\SysWOW64\Aeojbkal.dll Dfpaic32.exe File opened for modification C:\Windows\SysWOW64\Kilgoe32.exe Kgnkci32.exe File created C:\Windows\SysWOW64\Cmhjdiap.exe Cjjnhnbl.exe File created C:\Windows\SysWOW64\Hnbbcale.dll Gcgqgd32.exe File created C:\Windows\SysWOW64\Hjacjifm.exe Hfegij32.exe File opened for modification C:\Windows\SysWOW64\Hidcef32.exe Hjacjifm.exe File created C:\Windows\SysWOW64\Mfjann32.exe Mggabaea.exe File opened for modification C:\Windows\SysWOW64\Ifdlng32.exe Icfpbl32.exe File opened for modification C:\Windows\SysWOW64\Agbbgqhh.exe Ahpbkd32.exe File created C:\Windows\SysWOW64\Bhkeohhn.exe Ajhddk32.exe File created C:\Windows\SysWOW64\Dpklkgoj.exe Dmmpolof.exe File opened for modification C:\Windows\SysWOW64\Ghdgfbkl.exe Gdhkfd32.exe File created C:\Windows\SysWOW64\Cabalojc.dll Kddomchg.exe File created C:\Windows\SysWOW64\Gffdobll.dll Kgcnahoo.exe File created C:\Windows\SysWOW64\Ihdpbq32.exe Iefcfe32.exe File created C:\Windows\SysWOW64\Mpelaf32.dll Ephbal32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8852 8916 WerFault.exe 915 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdogedmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoqjqhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjhgbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbhbdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agolnbok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkmbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgkki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deakjjbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjfnnajl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadbdkld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhbkohm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbnocipg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojeobm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmqapci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oflpgnld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giaidnkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklgbadb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghfnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkonj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnomjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkaehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpojkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmhejhao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agglbp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eicpcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpieengb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leikbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jolghndm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngealejo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcllbhdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifolhann.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgnnlle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefcfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijnkifgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Padhdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkoicb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpfplo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojlbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjqgjmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghacfmic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbdjcffd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebklic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgiaefgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efedga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgicg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lngpog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhhhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjbpne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkibhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldheebad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaimipjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqeqqk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfqccna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goiongbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flapkmlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkqlgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fliook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhdcanc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhilkege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbjpil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llgljn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblkoham.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifclb32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnimiblo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdhdfgep.dll" Jieaofmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agglbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkmollme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kajiigba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikdngobg.dll" Fihfnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gphfihaj.dll" Ihpfgalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdoodan.dll" Jfofol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnpmhc32.dll" Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnimiblo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eifmimch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdnmma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jefdckem.dll" Lbafdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgghnmp.dll" Olbfagca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Daplkmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elcpbigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjmicg32.dll" Lngpog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jigbebhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikgeel32.dll" Mfmndn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qcachc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmiljc32.dll" Cfhkhd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkfclo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdogedmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qndhjl32.dll" Efljhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdekgjno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Legaoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbcafk32.dll" Ljldnhid.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ahpifj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfioia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acicla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbonaedo.dll" Hmpaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mebgijei.dll" Jbclgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 ea7f7b8a97c4ec658c1d48a63c687318790c4b96deb8226458ff249293698bef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnofjfhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlomqkmp.dll" Inhanl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Legdph32.dll" Ldbofgme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaogognm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fennoa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdmban32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmnkd32.dll" Emdeok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnoefj32.dll" Napbjjom.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qeppdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knhoedke.dll" Dcohghbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmmneg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmpaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bieopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Modlbmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Peefcjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bipalg32.dll" Mlafkb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfcodkcb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgldnkkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoojnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obeacl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldheebad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehiknbl.dll" Agihgp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlnpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eibgpnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfhfpel.dll" Qlfdac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Colpld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} ea7f7b8a97c4ec658c1d48a63c687318790c4b96deb8226458ff249293698bef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpphhp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpebmc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2128 wrote to memory of 2388 2128 ea7f7b8a97c4ec658c1d48a63c687318790c4b96deb8226458ff249293698bef.exe 30 PID 2128 wrote to memory of 2388 2128 ea7f7b8a97c4ec658c1d48a63c687318790c4b96deb8226458ff249293698bef.exe 30 PID 2128 wrote to memory of 2388 2128 ea7f7b8a97c4ec658c1d48a63c687318790c4b96deb8226458ff249293698bef.exe 30 PID 2128 wrote to memory of 2388 2128 ea7f7b8a97c4ec658c1d48a63c687318790c4b96deb8226458ff249293698bef.exe 30 PID 2388 wrote to memory of 2384 2388 Dmojkc32.exe 31 PID 2388 wrote to memory of 2384 2388 Dmojkc32.exe 31 PID 2388 wrote to memory of 2384 2388 Dmojkc32.exe 31 PID 2388 wrote to memory of 2384 2388 Dmojkc32.exe 31 PID 2384 wrote to memory of 1924 2384 Epmfgo32.exe 32 PID 2384 wrote to memory of 1924 2384 Epmfgo32.exe 32 PID 2384 wrote to memory of 1924 2384 Epmfgo32.exe 32 PID 2384 wrote to memory of 1924 2384 Epmfgo32.exe 32 PID 1924 wrote to memory of 2852 1924 Eggndi32.exe 33 PID 1924 wrote to memory of 2852 1924 Eggndi32.exe 33 PID 1924 wrote to memory of 2852 1924 Eggndi32.exe 33 PID 1924 wrote to memory of 2852 1924 Eggndi32.exe 33 PID 2852 wrote to memory of 2972 2852 Eldglp32.exe 34 PID 2852 wrote to memory of 2972 2852 Eldglp32.exe 34 PID 2852 wrote to memory of 2972 2852 Eldglp32.exe 34 PID 2852 wrote to memory of 2972 2852 Eldglp32.exe 34 PID 2972 wrote to memory of 2832 2972 Ecnoijbd.exe 35 PID 2972 wrote to memory of 2832 2972 Ecnoijbd.exe 35 PID 2972 wrote to memory of 2832 2972 Ecnoijbd.exe 35 PID 2972 wrote to memory of 2832 2972 Ecnoijbd.exe 35 PID 2832 wrote to memory of 2628 2832 Eihgfd32.exe 36 PID 2832 wrote to memory of 2628 2832 Eihgfd32.exe 36 PID 2832 wrote to memory of 2628 2832 Eihgfd32.exe 36 PID 2832 wrote to memory of 2628 2832 Eihgfd32.exe 36 PID 2628 wrote to memory of 3048 2628 Ehkhaqpk.exe 37 PID 2628 wrote to memory of 3048 2628 Ehkhaqpk.exe 37 PID 2628 wrote to memory of 3048 2628 Ehkhaqpk.exe 37 PID 2628 wrote to memory of 3048 2628 Ehkhaqpk.exe 37 PID 3048 wrote to memory of 584 3048 Eoepnk32.exe 38 PID 3048 wrote to memory of 584 3048 Eoepnk32.exe 38 PID 3048 wrote to memory of 584 3048 Eoepnk32.exe 38 PID 3048 wrote to memory of 584 3048 Eoepnk32.exe 38 PID 584 wrote to memory of 1676 584 Ecploipa.exe 39 PID 584 wrote to memory of 1676 584 Ecploipa.exe 39 PID 584 wrote to memory of 1676 584 Ecploipa.exe 39 PID 584 wrote to memory of 1676 584 Ecploipa.exe 39 PID 1676 wrote to memory of 2164 1676 Eeohkeoe.exe 40 PID 1676 wrote to memory of 2164 1676 Eeohkeoe.exe 40 PID 1676 wrote to memory of 2164 1676 Eeohkeoe.exe 40 PID 1676 wrote to memory of 2164 1676 Eeohkeoe.exe 40 PID 2164 wrote to memory of 2576 2164 Ehmdgp32.exe 41 PID 2164 wrote to memory of 2576 2164 Ehmdgp32.exe 41 PID 2164 wrote to memory of 2576 2164 Ehmdgp32.exe 41 PID 2164 wrote to memory of 2576 2164 Ehmdgp32.exe 41 PID 2576 wrote to memory of 1084 2576 Eklqcl32.exe 42 PID 2576 wrote to memory of 1084 2576 Eklqcl32.exe 42 PID 2576 wrote to memory of 1084 2576 Eklqcl32.exe 42 PID 2576 wrote to memory of 1084 2576 Eklqcl32.exe 42 PID 1084 wrote to memory of 1776 1084 Eogmcjef.exe 43 PID 1084 wrote to memory of 1776 1084 Eogmcjef.exe 43 PID 1084 wrote to memory of 1776 1084 Eogmcjef.exe 43 PID 1084 wrote to memory of 1776 1084 Eogmcjef.exe 43 PID 1776 wrote to memory of 2288 1776 Ecbhdi32.exe 44 PID 1776 wrote to memory of 2288 1776 Ecbhdi32.exe 44 PID 1776 wrote to memory of 2288 1776 Ecbhdi32.exe 44 PID 1776 wrote to memory of 2288 1776 Ecbhdi32.exe 44 PID 2288 wrote to memory of 2140 2288 Eeaepd32.exe 45 PID 2288 wrote to memory of 2140 2288 Eeaepd32.exe 45 PID 2288 wrote to memory of 2140 2288 Eeaepd32.exe 45 PID 2288 wrote to memory of 2140 2288 Eeaepd32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ea7f7b8a97c4ec658c1d48a63c687318790c4b96deb8226458ff249293698bef.exe"C:\Users\Admin\AppData\Local\Temp\ea7f7b8a97c4ec658c1d48a63c687318790c4b96deb8226458ff249293698bef.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Ecnoijbd.exeC:\Windows\system32\Ecnoijbd.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Eeohkeoe.exeC:\Windows\system32\Eeohkeoe.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Eeaepd32.exeC:\Windows\system32\Eeaepd32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Ehpalp32.exeC:\Windows\system32\Ehpalp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Elkmmodo.exeC:\Windows\system32\Elkmmodo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Enlidg32.exeC:\Windows\system32\Enlidg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:984 -
C:\Windows\SysWOW64\Fhbnbpjc.exeC:\Windows\system32\Fhbnbpjc.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1376 -
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Fnofjfhk.exeC:\Windows\system32\Fnofjfhk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2836 -
C:\Windows\SysWOW64\Fpoolael.exeC:\Windows\system32\Fpoolael.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Fcnkhmdp.exeC:\Windows\system32\Fcnkhmdp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe33⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe34⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Fgldnkkf.exeC:\Windows\system32\Fgldnkkf.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:1544 -
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe36⤵
- Executes dropped EXE
PID:2680 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe37⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe38⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Fcbecl32.exeC:\Windows\system32\Fcbecl32.exe39⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe40⤵
- Executes dropped EXE
PID:1960 -
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe41⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2936 -
C:\Windows\SysWOW64\Gjojef32.exeC:\Windows\system32\Gjojef32.exe43⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe44⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Gcgnnlle.exeC:\Windows\system32\Gcgnnlle.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2472 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe46⤵
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:316 -
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe48⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe49⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Gblkoham.exeC:\Windows\system32\Gblkoham.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2756 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe51⤵
- Executes dropped EXE
PID:372 -
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe53⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe54⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe55⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe56⤵
- Executes dropped EXE
PID:2240 -
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe57⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1288 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe59⤵
- Executes dropped EXE
PID:1276 -
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe60⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe61⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe62⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe63⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe64⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Ggnmbn32.exeC:\Windows\system32\Ggnmbn32.exe65⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe66⤵PID:2660
-
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe67⤵PID:2556
-
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe68⤵PID:668
-
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe69⤵PID:400
-
C:\Windows\SysWOW64\Hcdnhoac.exeC:\Windows\system32\Hcdnhoac.exe70⤵PID:2880
-
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe71⤵PID:2244
-
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe72⤵PID:408
-
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe73⤵PID:1856
-
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe74⤵PID:2704
-
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe75⤵PID:2220
-
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe76⤵PID:1160
-
C:\Windows\SysWOW64\Hgbfnngi.exeC:\Windows\system32\Hgbfnngi.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2508 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe78⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe79⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe80⤵PID:2764
-
C:\Windows\SysWOW64\Hakkgc32.exeC:\Windows\system32\Hakkgc32.exe81⤵PID:2464
-
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe82⤵PID:1716
-
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2296 -
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe84⤵PID:2580
-
C:\Windows\SysWOW64\Hfhcoj32.exeC:\Windows\system32\Hfhcoj32.exe85⤵PID:2652
-
C:\Windows\SysWOW64\Hjcppidk.exeC:\Windows\system32\Hjcppidk.exe86⤵PID:1952
-
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe87⤵PID:1600
-
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe88⤵PID:2812
-
C:\Windows\SysWOW64\Hpphhp32.exeC:\Windows\system32\Hpphhp32.exe89⤵
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe90⤵PID:1940
-
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1804 -
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe92⤵PID:2940
-
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe93⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe94⤵PID:1820
-
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe95⤵PID:1864
-
C:\Windows\SysWOW64\Ieomef32.exeC:\Windows\system32\Ieomef32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2188 -
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe97⤵PID:2068
-
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe98⤵
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Ibcnojnp.exeC:\Windows\system32\Ibcnojnp.exe99⤵PID:2932
-
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe100⤵PID:1584
-
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe101⤵
- Modifies registry class
PID:636 -
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe102⤵PID:1732
-
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe103⤵PID:280
-
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe104⤵PID:2716
-
C:\Windows\SysWOW64\Inlkik32.exeC:\Windows\system32\Inlkik32.exe105⤵PID:1048
-
C:\Windows\SysWOW64\Imokehhl.exeC:\Windows\system32\Imokehhl.exe106⤵PID:816
-
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe108⤵PID:2856
-
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe109⤵PID:1796
-
C:\Windows\SysWOW64\Imahkg32.exeC:\Windows\system32\Imahkg32.exe110⤵PID:1172
-
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe111⤵PID:888
-
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe112⤵PID:1612
-
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe113⤵PID:1992
-
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe114⤵PID:2488
-
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe115⤵PID:1164
-
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe116⤵PID:2944
-
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe117⤵PID:1516
-
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe118⤵
- Modifies registry class
PID:1996 -
C:\Windows\SysWOW64\Jfliim32.exeC:\Windows\system32\Jfliim32.exe119⤵PID:2376
-
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe120⤵PID:2952
-
C:\Windows\SysWOW64\Jmfafgbd.exeC:\Windows\system32\Jmfafgbd.exe121⤵PID:2752
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-