Analysis
-
max time kernel
58s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
23-10-2024 21:19
Behavioral task
behavioral1
Sample
59d778bae7677644af1604a06c7f6dd8fe55e5a73378f2863a198e5797b0ebc5.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
General
-
Target
59d778bae7677644af1604a06c7f6dd8fe55e5a73378f2863a198e5797b0ebc5.exe
-
Size
337KB
-
MD5
bd4ab2511b58137b6e7e3fe75109dbf6
-
SHA1
ead3713dec51bbf597fa2023bf534ade240f704b
-
SHA256
59d778bae7677644af1604a06c7f6dd8fe55e5a73378f2863a198e5797b0ebc5
-
SHA512
ed31d427982dbb05ccbde60bbc4f7539c86648862a9ef28a607560ab86dbb229e24368c20e9aeb535d4be0b6a42242351f9151f2189ccec42e4791ff89a4963b
-
SSDEEP
3072:8ZG2j+buvZXYgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:FbIFY1+fIyG5jZkCwi8r
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abaaakob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clphjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Engpfgql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gckmgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 59d778bae7677644af1604a06c7f6dd8fe55e5a73378f2863a198e5797b0ebc5.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Napibq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhimaill.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmnccn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffiebc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgfkoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcnfllcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfanjcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqgofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdqclpgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmipmlan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qljaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Domgache.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Liaenblm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hehgbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcnomjbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Benpik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Necandjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpajjmon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcljjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjmbohhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggifmgia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbgjbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iejnna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dopfpkng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkkcbdhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfiajj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmpkhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okmqlp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahomlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndekok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajhkka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lanmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egaoldnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfjglppd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boggkicf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgpkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmhmdc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkldli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpjgekf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjdhpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhabfibb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qokjcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lneghd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmlfcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjgpqjqa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okmena32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eickdlcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idlgohcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkfpefme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkalph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfiajj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aendjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbpmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbegkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebhlmlhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejfnfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neihmpon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbfpcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhmblljb.exe -
Executes dropped EXE 64 IoCs
pid Process 2156 Flbgak32.exe 2792 Gifhkpgk.exe 2836 Gmhmdc32.exe 2920 Ggcnbh32.exe 2676 Ggekhhle.exe 2184 Hocmbjhn.exe 308 Heoadcmh.exe 2044 Hfanjcke.exe 2336 Hhbgkn32.exe 912 Imifpagp.exe 2040 Iqgofo32.exe 2372 Jbkhcg32.exe 928 Joohmk32.exe 3036 Jboanfmm.exe 2536 Jadnoc32.exe 2520 Kagkebpb.exe 1576 Kjdiigbm.exe 288 Kemjieol.exe 236 Likbpceb.exe 776 Lohkhjcj.exe 2124 Legmpdga.exe 1972 Lanmde32.exe 1308 Lmdnjf32.exe 2008 Mdqclpgd.exe 896 Miphjf32.exe 2136 Makmnh32.exe 2496 Mhgbpb32.exe 2944 Noojfpbi.exe 2896 Obpbhk32.exe 2856 Ofmknifp.exe 1920 Ofphdi32.exe 2824 Okmqlp32.exe 2436 Okomappb.exe 2212 Pcjbfbmm.exe 2032 Pcokaa32.exe 2928 Pmgpjgph.exe 1764 Pphilb32.exe 2988 Qloiqcbn.exe 2432 Qhejed32.exe 1436 Aelgdhei.exe 2092 Ajipmocp.exe 2408 Aendjh32.exe 1604 Ahomlb32.exe 1568 Aagadh32.exe 1668 Akpfmnmh.exe 1984 Blabef32.exe 1572 Bmpooiji.exe 2340 Bhjppg32.exe 2508 Bodhlane.exe 2772 Benpik32.exe 2888 Blhifemo.exe 3016 Bdcmjg32.exe 2100 Boiagp32.exe 2980 Bebjdjal.exe 2248 Ckoblapc.exe 948 Ckboba32.exe 1516 Cnpknl32.exe 1228 Ccmcfc32.exe 2072 Clehoiam.exe 2404 Cgklma32.exe 2512 Cpcaeghc.exe 3044 Cjlenm32.exe 1232 Dbgjbo32.exe 1252 Dkookd32.exe -
Loads dropped DLL 64 IoCs
pid Process 2148 59d778bae7677644af1604a06c7f6dd8fe55e5a73378f2863a198e5797b0ebc5.exe 2148 59d778bae7677644af1604a06c7f6dd8fe55e5a73378f2863a198e5797b0ebc5.exe 2156 Flbgak32.exe 2156 Flbgak32.exe 2792 Gifhkpgk.exe 2792 Gifhkpgk.exe 2836 Gmhmdc32.exe 2836 Gmhmdc32.exe 2920 Ggcnbh32.exe 2920 Ggcnbh32.exe 2676 Ggekhhle.exe 2676 Ggekhhle.exe 2184 Hocmbjhn.exe 2184 Hocmbjhn.exe 308 Heoadcmh.exe 308 Heoadcmh.exe 2044 Hfanjcke.exe 2044 Hfanjcke.exe 2336 Hhbgkn32.exe 2336 Hhbgkn32.exe 912 Imifpagp.exe 912 Imifpagp.exe 2040 Iqgofo32.exe 2040 Iqgofo32.exe 2372 Jbkhcg32.exe 2372 Jbkhcg32.exe 928 Joohmk32.exe 928 Joohmk32.exe 3036 Jboanfmm.exe 3036 Jboanfmm.exe 2536 Jadnoc32.exe 2536 Jadnoc32.exe 2520 Kagkebpb.exe 2520 Kagkebpb.exe 1576 Kjdiigbm.exe 1576 Kjdiigbm.exe 288 Kemjieol.exe 288 Kemjieol.exe 236 Likbpceb.exe 236 Likbpceb.exe 776 Lohkhjcj.exe 776 Lohkhjcj.exe 2124 Legmpdga.exe 2124 Legmpdga.exe 1972 Lanmde32.exe 1972 Lanmde32.exe 1308 Lmdnjf32.exe 1308 Lmdnjf32.exe 2008 Mdqclpgd.exe 2008 Mdqclpgd.exe 896 Miphjf32.exe 896 Miphjf32.exe 2136 Makmnh32.exe 2136 Makmnh32.exe 2496 Mhgbpb32.exe 2496 Mhgbpb32.exe 2944 Noojfpbi.exe 2944 Noojfpbi.exe 2896 Obpbhk32.exe 2896 Obpbhk32.exe 2856 Ofmknifp.exe 2856 Ofmknifp.exe 1920 Ofphdi32.exe 1920 Ofphdi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Icidlf32.exe Hnllcoed.exe File opened for modification C:\Windows\SysWOW64\Nldgdpjf.exe Mggoli32.exe File opened for modification C:\Windows\SysWOW64\Lmppmi32.exe Liaggk32.exe File created C:\Windows\SysWOW64\Djhjhdem.dll Pmnnomnn.exe File created C:\Windows\SysWOW64\Pieodn32.exe Pdhflg32.exe File created C:\Windows\SysWOW64\Nfqdgd32.dll Kcjcefbd.exe File opened for modification C:\Windows\SysWOW64\Fqgnmo32.exe Fjkije32.exe File created C:\Windows\SysWOW64\Ldnjml32.dll Llagegfb.exe File created C:\Windows\SysWOW64\Aqfiqjgb.exe Angmdoho.exe File opened for modification C:\Windows\SysWOW64\Ofphdi32.exe Ofmknifp.exe File opened for modification C:\Windows\SysWOW64\Qhejed32.exe Qloiqcbn.exe File opened for modification C:\Windows\SysWOW64\Ckeekp32.exe Condfo32.exe File opened for modification C:\Windows\SysWOW64\Edahca32.exe Engpfgql.exe File created C:\Windows\SysWOW64\Ekgineko.exe Dhimaill.exe File created C:\Windows\SysWOW64\Cgklma32.exe Clehoiam.exe File opened for modification C:\Windows\SysWOW64\Nimaic32.exe Nliqoofa.exe File created C:\Windows\SysWOW64\Gcofqebd.dll Clmdjmpm.exe File created C:\Windows\SysWOW64\Goklkh32.dll Gjgpqjqa.exe File created C:\Windows\SysWOW64\Qklhifhi.exe Pnhhpaio.exe File opened for modification C:\Windows\SysWOW64\Bjjdpdga.exe Bcqlcj32.exe File created C:\Windows\SysWOW64\Akdgmd32.exe Ahfkah32.exe File created C:\Windows\SysWOW64\Kbgqbdbd.exe Kecpipck.exe File opened for modification C:\Windows\SysWOW64\Ohajic32.exe Ofcnmh32.exe File created C:\Windows\SysWOW64\Iobbfggm.exe Iejnna32.exe File created C:\Windows\SysWOW64\Imcamh32.dll Jqonjmbn.exe File created C:\Windows\SysWOW64\Biodkpfp.dll Pkalph32.exe File opened for modification C:\Windows\SysWOW64\Lfeegfkf.exe Liaenblm.exe File created C:\Windows\SysWOW64\Gbolncpj.dll Mjknab32.exe File created C:\Windows\SysWOW64\Bbnlia32.exe Bjcgdojn.exe File created C:\Windows\SysWOW64\Abejlj32.exe Allbpqcp.exe File created C:\Windows\SysWOW64\Njfgba32.dll Lkjadh32.exe File opened for modification C:\Windows\SysWOW64\Oehmamnn.exe Oefqlmpq.exe File created C:\Windows\SysWOW64\Poldnf32.exe Oiolfo32.exe File created C:\Windows\SysWOW64\Njdcmn32.dll Pcljjd32.exe File created C:\Windows\SysWOW64\Ekjgao32.dll Olhhmele.exe File opened for modification C:\Windows\SysWOW64\Gfjicd32.exe Gckmgi32.exe File opened for modification C:\Windows\SysWOW64\Kemjieol.exe Kjdiigbm.exe File opened for modification C:\Windows\SysWOW64\Flhnqf32.exe Fflehp32.exe File created C:\Windows\SysWOW64\Eppbgh32.dll Jbfpcl32.exe File created C:\Windows\SysWOW64\Hcoalbbk.dll Ibglhhdf.exe File created C:\Windows\SysWOW64\Dfhcpggl.dll Lmbcmo32.exe File created C:\Windows\SysWOW64\Dpkpie32.exe Dddodd32.exe File created C:\Windows\SysWOW64\Jhbfcj32.exe Jgaikb32.exe File created C:\Windows\SysWOW64\Ejgkkf32.dll Bomcgfjh.exe File opened for modification C:\Windows\SysWOW64\Aedghf32.exe Abejlj32.exe File opened for modification C:\Windows\SysWOW64\Pjiffd32.exe Pdlmnm32.exe File created C:\Windows\SysWOW64\Qmohco32.exe Qfdpgd32.exe File opened for modification C:\Windows\SysWOW64\Jgbboa32.exe Ilianckh.exe File created C:\Windows\SysWOW64\Ncjmeinn.dll Ljjnpo32.exe File created C:\Windows\SysWOW64\Jhiiaqdl.dll Bbnlia32.exe File created C:\Windows\SysWOW64\Qabhbm32.dll Gffmqq32.exe File created C:\Windows\SysWOW64\Pgdfbb32.exe Pdfifg32.exe File created C:\Windows\SysWOW64\Focpclmi.dll Hmfjda32.exe File created C:\Windows\SysWOW64\Kikmdack.dll Nliqoofa.exe File created C:\Windows\SysWOW64\Leiabnbn.dll Liqnclia.exe File created C:\Windows\SysWOW64\Homkcdlb.dll Ibigeojp.exe File created C:\Windows\SysWOW64\Dldgme32.dll Ddgcdjip.exe File created C:\Windows\SysWOW64\Eebdhmbm.dll Eopbooqb.exe File opened for modification C:\Windows\SysWOW64\Lcbbidgl.exe Ljjnpo32.exe File created C:\Windows\SysWOW64\Oiolpb32.dll Njcmeqkl.exe File created C:\Windows\SysWOW64\Afpmipib.dll Hbomdjoo.exe File opened for modification C:\Windows\SysWOW64\Ephkak32.exe Eklbid32.exe File created C:\Windows\SysWOW64\Abklpl32.dll Nibcgb32.exe File created C:\Windows\SysWOW64\Oiemejgm.dll Boggkicf.exe -
Program crash 1 IoCs
pid pid_target Process 2308 2296 WerFault.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfanjcke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aendjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noepfkgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aedghf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpckee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emmljodk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbhckm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Loicnemp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cflanc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilbnfmhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpajjmon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cecnflpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkbagjfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekiaac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lppgfkpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocmdeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fniikj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbomdjoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfnomgqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofphdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbgbngm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akpfmnmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nldgdpjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomaaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddeia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmjagh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcokhaho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnnpdaeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifngiqlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpigeblb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhlmlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liqnclia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbggqfca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anpekggc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjgnhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbgjbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epopff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmondpbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coejfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeofcpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibdcnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbfpcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcmcmcjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mknaahhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpphlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hphljkfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndkoemji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oficoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egbcne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjgoaflj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edahca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pofqhdnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhfpmee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kagkebpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqncnjan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hinolcbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofgfio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjppg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oceaql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfoffmhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hljljflh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejmha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhbgkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfeegfkf.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komhohde.dll" Hphljkfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldhhfdpd.dll" Gpfeoqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmlleofb.dll" Ihhehoci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aahoageo.dll" Mcmnbbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mknaahhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eikmkbeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Angmdoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekifcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgddin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ajelmiag.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Allbpqcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfqdgd32.dll" Kcjcefbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmhbbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pinchq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnagecdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmondpbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohdkop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plfmlj32.dll" Bdnmda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lneghd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gckmgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iklchphj.dll" Fnnpma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oamohenq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnboonmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coejfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjbcfc32.dll" Hljljflh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnckabmd.dll" Iedmhlqf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odhhdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odkjck32.dll" Caligc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinldeif.dll" Pdhflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nkpbjn32.dll" Mnbpgb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcgiejje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffghlcei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdlmnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpohp32.dll" Pinchq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obbpio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpdeghgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggifmgia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcnfllcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmgpjgph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfehmgfd.dll" Hgbdge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hehgbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbnlia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhagaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcoalbbk.dll" Ibglhhdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggikja32.dll" Hocmbjhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjfaad32.dll" Ahfkah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gojpmapo.dll" Cflanc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kemjieol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noojfpbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjialchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nioqmpcf.dll" Pqodho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akdgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eclqhfpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajhkka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Decejkpa.dll" Imifpagp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gilojo32.dll" Makmnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eligoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Llagegfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neihmpon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hacabgig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqonjmbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodgeg32.dll" Oepjmbka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Megkgpaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pieodn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2148 wrote to memory of 2156 2148 59d778bae7677644af1604a06c7f6dd8fe55e5a73378f2863a198e5797b0ebc5.exe 29 PID 2148 wrote to memory of 2156 2148 59d778bae7677644af1604a06c7f6dd8fe55e5a73378f2863a198e5797b0ebc5.exe 29 PID 2148 wrote to memory of 2156 2148 59d778bae7677644af1604a06c7f6dd8fe55e5a73378f2863a198e5797b0ebc5.exe 29 PID 2148 wrote to memory of 2156 2148 59d778bae7677644af1604a06c7f6dd8fe55e5a73378f2863a198e5797b0ebc5.exe 29 PID 2156 wrote to memory of 2792 2156 Flbgak32.exe 30 PID 2156 wrote to memory of 2792 2156 Flbgak32.exe 30 PID 2156 wrote to memory of 2792 2156 Flbgak32.exe 30 PID 2156 wrote to memory of 2792 2156 Flbgak32.exe 30 PID 2792 wrote to memory of 2836 2792 Gifhkpgk.exe 31 PID 2792 wrote to memory of 2836 2792 Gifhkpgk.exe 31 PID 2792 wrote to memory of 2836 2792 Gifhkpgk.exe 31 PID 2792 wrote to memory of 2836 2792 Gifhkpgk.exe 31 PID 2836 wrote to memory of 2920 2836 Gmhmdc32.exe 32 PID 2836 wrote to memory of 2920 2836 Gmhmdc32.exe 32 PID 2836 wrote to memory of 2920 2836 Gmhmdc32.exe 32 PID 2836 wrote to memory of 2920 2836 Gmhmdc32.exe 32 PID 2920 wrote to memory of 2676 2920 Ggcnbh32.exe 33 PID 2920 wrote to memory of 2676 2920 Ggcnbh32.exe 33 PID 2920 wrote to memory of 2676 2920 Ggcnbh32.exe 33 PID 2920 wrote to memory of 2676 2920 Ggcnbh32.exe 33 PID 2676 wrote to memory of 2184 2676 Ggekhhle.exe 34 PID 2676 wrote to memory of 2184 2676 Ggekhhle.exe 34 PID 2676 wrote to memory of 2184 2676 Ggekhhle.exe 34 PID 2676 wrote to memory of 2184 2676 Ggekhhle.exe 34 PID 2184 wrote to memory of 308 2184 Hocmbjhn.exe 35 PID 2184 wrote to memory of 308 2184 Hocmbjhn.exe 35 PID 2184 wrote to memory of 308 2184 Hocmbjhn.exe 35 PID 2184 wrote to memory of 308 2184 Hocmbjhn.exe 35 PID 308 wrote to memory of 2044 308 Heoadcmh.exe 36 PID 308 wrote to memory of 2044 308 Heoadcmh.exe 36 PID 308 wrote to memory of 2044 308 Heoadcmh.exe 36 PID 308 wrote to memory of 2044 308 Heoadcmh.exe 36 PID 2044 wrote to memory of 2336 2044 Hfanjcke.exe 37 PID 2044 wrote to memory of 2336 2044 Hfanjcke.exe 37 PID 2044 wrote to memory of 2336 2044 Hfanjcke.exe 37 PID 2044 wrote to memory of 2336 2044 Hfanjcke.exe 37 PID 2336 wrote to memory of 912 2336 Hhbgkn32.exe 38 PID 2336 wrote to memory of 912 2336 Hhbgkn32.exe 38 PID 2336 wrote to memory of 912 2336 Hhbgkn32.exe 38 PID 2336 wrote to memory of 912 2336 Hhbgkn32.exe 38 PID 912 wrote to memory of 2040 912 Imifpagp.exe 39 PID 912 wrote to memory of 2040 912 Imifpagp.exe 39 PID 912 wrote to memory of 2040 912 Imifpagp.exe 39 PID 912 wrote to memory of 2040 912 Imifpagp.exe 39 PID 2040 wrote to memory of 2372 2040 Iqgofo32.exe 40 PID 2040 wrote to memory of 2372 2040 Iqgofo32.exe 40 PID 2040 wrote to memory of 2372 2040 Iqgofo32.exe 40 PID 2040 wrote to memory of 2372 2040 Iqgofo32.exe 40 PID 2372 wrote to memory of 928 2372 Jbkhcg32.exe 41 PID 2372 wrote to memory of 928 2372 Jbkhcg32.exe 41 PID 2372 wrote to memory of 928 2372 Jbkhcg32.exe 41 PID 2372 wrote to memory of 928 2372 Jbkhcg32.exe 41 PID 928 wrote to memory of 3036 928 Joohmk32.exe 42 PID 928 wrote to memory of 3036 928 Joohmk32.exe 42 PID 928 wrote to memory of 3036 928 Joohmk32.exe 42 PID 928 wrote to memory of 3036 928 Joohmk32.exe 42 PID 3036 wrote to memory of 2536 3036 Jboanfmm.exe 43 PID 3036 wrote to memory of 2536 3036 Jboanfmm.exe 43 PID 3036 wrote to memory of 2536 3036 Jboanfmm.exe 43 PID 3036 wrote to memory of 2536 3036 Jboanfmm.exe 43 PID 2536 wrote to memory of 2520 2536 Jadnoc32.exe 44 PID 2536 wrote to memory of 2520 2536 Jadnoc32.exe 44 PID 2536 wrote to memory of 2520 2536 Jadnoc32.exe 44 PID 2536 wrote to memory of 2520 2536 Jadnoc32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\59d778bae7677644af1604a06c7f6dd8fe55e5a73378f2863a198e5797b0ebc5.exe"C:\Users\Admin\AppData\Local\Temp\59d778bae7677644af1604a06c7f6dd8fe55e5a73378f2863a198e5797b0ebc5.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Flbgak32.exeC:\Windows\system32\Flbgak32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Gifhkpgk.exeC:\Windows\system32\Gifhkpgk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Gmhmdc32.exeC:\Windows\system32\Gmhmdc32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Ggcnbh32.exeC:\Windows\system32\Ggcnbh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Ggekhhle.exeC:\Windows\system32\Ggekhhle.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Hocmbjhn.exeC:\Windows\system32\Hocmbjhn.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Heoadcmh.exeC:\Windows\system32\Heoadcmh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:308 -
C:\Windows\SysWOW64\Hfanjcke.exeC:\Windows\system32\Hfanjcke.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Hhbgkn32.exeC:\Windows\system32\Hhbgkn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Imifpagp.exeC:\Windows\system32\Imifpagp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:912 -
C:\Windows\SysWOW64\Iqgofo32.exeC:\Windows\system32\Iqgofo32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2040 -
C:\Windows\SysWOW64\Jbkhcg32.exeC:\Windows\system32\Jbkhcg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Joohmk32.exeC:\Windows\system32\Joohmk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:928 -
C:\Windows\SysWOW64\Jboanfmm.exeC:\Windows\system32\Jboanfmm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Jadnoc32.exeC:\Windows\system32\Jadnoc32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Kagkebpb.exeC:\Windows\system32\Kagkebpb.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Kjdiigbm.exeC:\Windows\system32\Kjdiigbm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1576 -
C:\Windows\SysWOW64\Kemjieol.exeC:\Windows\system32\Kemjieol.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:288 -
C:\Windows\SysWOW64\Likbpceb.exeC:\Windows\system32\Likbpceb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:236 -
C:\Windows\SysWOW64\Lohkhjcj.exeC:\Windows\system32\Lohkhjcj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Windows\SysWOW64\Legmpdga.exeC:\Windows\system32\Legmpdga.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Lanmde32.exeC:\Windows\system32\Lanmde32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1972 -
C:\Windows\SysWOW64\Lmdnjf32.exeC:\Windows\system32\Lmdnjf32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1308 -
C:\Windows\SysWOW64\Mdqclpgd.exeC:\Windows\system32\Mdqclpgd.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Miphjf32.exeC:\Windows\system32\Miphjf32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\Makmnh32.exeC:\Windows\system32\Makmnh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2136 -
C:\Windows\SysWOW64\Mhgbpb32.exeC:\Windows\system32\Mhgbpb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Noojfpbi.exeC:\Windows\system32\Noojfpbi.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2944 -
C:\Windows\SysWOW64\Obpbhk32.exeC:\Windows\system32\Obpbhk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Ofmknifp.exeC:\Windows\system32\Ofmknifp.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2856 -
C:\Windows\SysWOW64\Ofphdi32.exeC:\Windows\system32\Ofphdi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Okmqlp32.exeC:\Windows\system32\Okmqlp32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Okomappb.exeC:\Windows\system32\Okomappb.exe34⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Pcjbfbmm.exeC:\Windows\system32\Pcjbfbmm.exe35⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Pcokaa32.exeC:\Windows\system32\Pcokaa32.exe36⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Pmgpjgph.exeC:\Windows\system32\Pmgpjgph.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Pphilb32.exeC:\Windows\system32\Pphilb32.exe38⤵
- Executes dropped EXE
PID:1764 -
C:\Windows\SysWOW64\Qloiqcbn.exeC:\Windows\system32\Qloiqcbn.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2988 -
C:\Windows\SysWOW64\Qhejed32.exeC:\Windows\system32\Qhejed32.exe40⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Aelgdhei.exeC:\Windows\system32\Aelgdhei.exe41⤵
- Executes dropped EXE
PID:1436 -
C:\Windows\SysWOW64\Ajipmocp.exeC:\Windows\system32\Ajipmocp.exe42⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Aendjh32.exeC:\Windows\system32\Aendjh32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Ahomlb32.exeC:\Windows\system32\Ahomlb32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1604 -
C:\Windows\SysWOW64\Aagadh32.exeC:\Windows\system32\Aagadh32.exe45⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Akpfmnmh.exeC:\Windows\system32\Akpfmnmh.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Blabef32.exeC:\Windows\system32\Blabef32.exe47⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Bmpooiji.exeC:\Windows\system32\Bmpooiji.exe48⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Bhjppg32.exeC:\Windows\system32\Bhjppg32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Bodhlane.exeC:\Windows\system32\Bodhlane.exe50⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Benpik32.exeC:\Windows\system32\Benpik32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Blhifemo.exeC:\Windows\system32\Blhifemo.exe52⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Bdcmjg32.exeC:\Windows\system32\Bdcmjg32.exe53⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Boiagp32.exeC:\Windows\system32\Boiagp32.exe54⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Bebjdjal.exeC:\Windows\system32\Bebjdjal.exe55⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Ckoblapc.exeC:\Windows\system32\Ckoblapc.exe56⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Ckboba32.exeC:\Windows\system32\Ckboba32.exe57⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Cnpknl32.exeC:\Windows\system32\Cnpknl32.exe58⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Ccmcfc32.exeC:\Windows\system32\Ccmcfc32.exe59⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Clehoiam.exeC:\Windows\system32\Clehoiam.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Cgklma32.exeC:\Windows\system32\Cgklma32.exe61⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Cpcaeghc.exeC:\Windows\system32\Cpcaeghc.exe62⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Cjlenm32.exeC:\Windows\system32\Cjlenm32.exe63⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Dbgjbo32.exeC:\Windows\system32\Dbgjbo32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1232 -
C:\Windows\SysWOW64\Dkookd32.exeC:\Windows\system32\Dkookd32.exe65⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Ddgcdjip.exeC:\Windows\system32\Ddgcdjip.exe66⤵
- Drops file in System32 directory
PID:1512 -
C:\Windows\SysWOW64\Domgache.exeC:\Windows\system32\Domgache.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1052 -
C:\Windows\SysWOW64\Ddjpjj32.exeC:\Windows\system32\Ddjpjj32.exe68⤵PID:1752
-
C:\Windows\SysWOW64\Dbnpcn32.exeC:\Windows\system32\Dbnpcn32.exe69⤵PID:1644
-
C:\Windows\SysWOW64\Ddlloi32.exeC:\Windows\system32\Ddlloi32.exe70⤵PID:1492
-
C:\Windows\SysWOW64\Dbpmin32.exeC:\Windows\system32\Dbpmin32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2788 -
C:\Windows\SysWOW64\Ekiaac32.exeC:\Windows\system32\Ekiaac32.exe72⤵
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Emjnikpc.exeC:\Windows\system32\Emjnikpc.exe73⤵PID:2732
-
C:\Windows\SysWOW64\Egobfdpi.exeC:\Windows\system32\Egobfdpi.exe74⤵PID:564
-
C:\Windows\SysWOW64\Egaoldnf.exeC:\Windows\system32\Egaoldnf.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3060 -
C:\Windows\SysWOW64\Eickdlcd.exeC:\Windows\system32\Eickdlcd.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2700 -
C:\Windows\SysWOW64\Efglmpbn.exeC:\Windows\system32\Efglmpbn.exe77⤵PID:760
-
C:\Windows\SysWOW64\Epopff32.exeC:\Windows\system32\Epopff32.exe78⤵
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Eelinm32.exeC:\Windows\system32\Eelinm32.exe79⤵PID:2204
-
C:\Windows\SysWOW64\Fflehp32.exeC:\Windows\system32\Fflehp32.exe80⤵
- Drops file in System32 directory
PID:972 -
C:\Windows\SysWOW64\Flhnqf32.exeC:\Windows\system32\Flhnqf32.exe81⤵PID:2632
-
C:\Windows\SysWOW64\Fbbfmqdm.exeC:\Windows\system32\Fbbfmqdm.exe82⤵PID:1712
-
C:\Windows\SysWOW64\Fjnkac32.exeC:\Windows\system32\Fjnkac32.exe83⤵PID:2616
-
C:\Windows\SysWOW64\Fbebcp32.exeC:\Windows\system32\Fbebcp32.exe84⤵PID:2764
-
C:\Windows\SysWOW64\Fmnccn32.exeC:\Windows\system32\Fmnccn32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:524 -
C:\Windows\SysWOW64\Ffghlcei.exeC:\Windows\system32\Ffghlcei.exe86⤵
- Modifies registry class
PID:2288 -
C:\Windows\SysWOW64\Fnnpma32.exeC:\Windows\system32\Fnnpma32.exe87⤵
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Fpoleilj.exeC:\Windows\system32\Fpoleilj.exe88⤵PID:2528
-
C:\Windows\SysWOW64\Ffiebc32.exeC:\Windows\system32\Ffiebc32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2448 -
C:\Windows\SysWOW64\Ghagjj32.exeC:\Windows\system32\Ghagjj32.exe90⤵PID:2028
-
C:\Windows\SysWOW64\Hlamfh32.exeC:\Windows\system32\Hlamfh32.exe91⤵PID:2472
-
C:\Windows\SysWOW64\Hdonpjbi.exeC:\Windows\system32\Hdonpjbi.exe92⤵PID:1140
-
C:\Windows\SysWOW64\Hgnjlfam.exeC:\Windows\system32\Hgnjlfam.exe93⤵PID:976
-
C:\Windows\SysWOW64\Hpfoekhm.exeC:\Windows\system32\Hpfoekhm.exe94⤵PID:2416
-
C:\Windows\SysWOW64\Hkkcbdhc.exeC:\Windows\system32\Hkkcbdhc.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2252 -
C:\Windows\SysWOW64\Hphljkfk.exeC:\Windows\system32\Hphljkfk.exe96⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Hgbdge32.exeC:\Windows\system32\Hgbdge32.exe97⤵
- Modifies registry class
PID:924 -
C:\Windows\SysWOW64\Hnllcoed.exeC:\Windows\system32\Hnllcoed.exe98⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Icidlf32.exeC:\Windows\system32\Icidlf32.exe99⤵PID:844
-
C:\Windows\SysWOW64\Ipmeej32.exeC:\Windows\system32\Ipmeej32.exe100⤵PID:1072
-
C:\Windows\SysWOW64\Iejnna32.exeC:\Windows\system32\Iejnna32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Iobbfggm.exeC:\Windows\system32\Iobbfggm.exe102⤵PID:2808
-
C:\Windows\SysWOW64\Idojon32.exeC:\Windows\system32\Idojon32.exe103⤵PID:2816
-
C:\Windows\SysWOW64\Iodolf32.exeC:\Windows\system32\Iodolf32.exe104⤵PID:1040
-
C:\Windows\SysWOW64\Ifngiqlg.exeC:\Windows\system32\Ifngiqlg.exe105⤵
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Igpcpi32.exeC:\Windows\system32\Igpcpi32.exe106⤵PID:1900
-
C:\Windows\SysWOW64\Injlmcib.exeC:\Windows\system32\Injlmcib.exe107⤵PID:1332
-
C:\Windows\SysWOW64\Idcdjmao.exeC:\Windows\system32\Idcdjmao.exe108⤵PID:2724
-
C:\Windows\SysWOW64\Jqjdon32.exeC:\Windows\system32\Jqjdon32.exe109⤵PID:2476
-
C:\Windows\SysWOW64\Jciaki32.exeC:\Windows\system32\Jciaki32.exe110⤵PID:2620
-
C:\Windows\SysWOW64\Jnnehb32.exeC:\Windows\system32\Jnnehb32.exe111⤵PID:3032
-
C:\Windows\SysWOW64\Jggiah32.exeC:\Windows\system32\Jggiah32.exe112⤵PID:2240
-
C:\Windows\SysWOW64\Jqonjmbn.exeC:\Windows\system32\Jqonjmbn.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Jgiffg32.exeC:\Windows\system32\Jgiffg32.exe114⤵PID:2924
-
C:\Windows\SysWOW64\Jbbgge32.exeC:\Windows\system32\Jbbgge32.exe115⤵PID:2660
-
C:\Windows\SysWOW64\Jimodo32.exeC:\Windows\system32\Jimodo32.exe116⤵PID:1888
-
C:\Windows\SysWOW64\Kecpipck.exeC:\Windows\system32\Kecpipck.exe117⤵
- Drops file in System32 directory
PID:2132 -
C:\Windows\SysWOW64\Kbgqbdbd.exeC:\Windows\system32\Kbgqbdbd.exe118⤵PID:1600
-
C:\Windows\SysWOW64\Kgffpk32.exeC:\Windows\system32\Kgffpk32.exe119⤵PID:1464
-
C:\Windows\SysWOW64\Knqnmeff.exeC:\Windows\system32\Knqnmeff.exe120⤵PID:2488
-
C:\Windows\SysWOW64\Kjgoaflj.exeC:\Windows\system32\Kjgoaflj.exe121⤵
- System Location Discovery: System Language Discovery
PID:2376
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-