Analysis
max time kernel: 112s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 29/11/2024, 10:35

Behavioral task: behavioral1
Sample: 148f97379b7ed0bdc4834f028bc662f62777e87a566e1100d2d7259275a640bc.exe
Resource: win7-20241010-en

General
Target: 148f97379b7ed0bdc4834f028bc662f62777e87a566e1100d2d7259275a640bc.exe
Size: 93KB
MD5: b12f442d674019fab7d575b99edefb72
SHA1: c5e18aa9f53f917a84378769169b975194e0712b
SHA256: 148f97379b7ed0bdc4834f028bc662f62777e87a566e1100d2d7259275a640bc
SHA512: 80e1b27292dc7c67b190119c15e8b8c643567b297151a59042d648c735f006268798fd99cb8fa779d421da4aa9458be20bca258c891432e3e83455082e098e83
SSDEEP: 1536:ZnQcOY6qHHesG0GgSiKoOlrGGJ1DaYfMZRWuLsV+1x:pj1zeZ0I/lpJgYfc0DV+1x
Malware Config
Extracted family: berbew
URLs:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures

Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hikpnkme.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ibaonfll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bbkhikfp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pednllpk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kcbcah32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oleinmgd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jlaqba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lkhfhaea.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Alifee32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mjlbcd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cbhahigb.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnkjlg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pekffp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pipnohdl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mgnjhfbq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Fjkije32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qhoeqide.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mmmkdo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hgggpded.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hiahfo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nmiakdll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Glckehfp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gdobqgpn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ocpakg32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Acbigfii.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lpdhea32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lmfnbohm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nocfdhfi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kehidp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Chahin32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hiahfo32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ggaeae32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hofmlf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogbkakeo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nfhefc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hhjjbe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjbnmm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdhjfc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Joijpo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ohifch32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Cflcglho.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Inllflpf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ikplopnp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ncellpog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dohnfc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnkggjpj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jpjndh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bndjei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eadejede.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nihedodm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ghmach32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gadidabc.exe
Berbew family

Njrat family

Executes dropped EXE (64 IoCs)
pid | Process
2136 | Emieflec.exe
2068 | Egbffj32.exe
2944 | Elpnmhgh.exe
2716 | Eekpknlf.exe
2900 | Fadmenpg.exe
336 | Fpijgk32.exe
564 | Ffeoid32.exe
2456 | Gledgkfn.exe
2248 | Gadidabc.exe
956 | Gpiffngk.exe
2476 | Gdgoll32.exe
2116 | Hdilalko.exe
1352 | Hjhaob32.exe
3028 | Hjkneb32.exe
2220 | Hfanjcke.exe
2412 | Hfdkoc32.exe
1532 | Iqnlpq32.exe
2424 | Ijfpif32.exe
1536 | Idkdfo32.exe
1036 | Imgija32.exe
2776 | Inffdd32.exe
964 | Igojmjgf.exe
1980 | Jcekbk32.exe
1308 | Jchhhjjg.exe
1448 | Jekaeb32.exe
1660 | Jboanfmm.exe
1248 | Jjjfbikh.exe
2788 | Kmkodd32.exe
1504 | Knkkngol.exe
3020 | Kcjqlm32.exe
2920 | Kfkjnh32.exe
2700 | Lhnckp32.exe
1920 | Lbdghi32.exe
2164 | Mpgdaqmh.exe
2432 | Miphjf32.exe
2080 | Moomgmpm.exe
1684 | Napfihmn.exe
2784 | Ngmoao32.exe
2992 | Nkjggmal.exe
764 | Ncellpog.exe
940 | Nnnmoh32.exe
2384 | Ogfagmck.exe
1596 | Oqnfqcjk.exe
2276 | Ojgkih32.exe
1424 | Okhgaqfj.exe
1760 | Oilgje32.exe
1408 | Ofphdi32.exe
2960 | Obfiijia.exe
1932 | Pjbnmm32.exe
2508 | Pcjbfbmm.exe
2156 | Pmbfoh32.exe
1472 | Pclolakk.exe
2836 | Pmecdgbk.exe
2924 | Pjicnlqe.exe
1968 | Pmgpjgph.exe
2072 | Pbdhbnnp.exe
2616 | Pphilb32.exe
2448 | Qipmdhcj.exe
1140 | Qpjeaa32.exe
2016 | Qibjjgag.exe
1244 | Qpmbgaid.exe
2632 | Aanonj32.exe
2088 | Alcclb32.exe
704 | Adohpe32.exe
Loads dropped DLL (64 IoCs)
pid | Process
2060 | 148f97379b7ed0bdc4834f028bc662f62777e87a566e1100d2d7259275a640bc.exe
2060 | 148f97379b7ed0bdc4834f028bc662f62777e87a566e1100d2d7259275a640bc.exe
2136 | Emieflec.exe
2136 | Emieflec.exe
2068 | Egbffj32.exe
2068 | Egbffj32.exe
2944 | Elpnmhgh.exe
2944 | Elpnmhgh.exe
2716 | Eekpknlf.exe
2716 | Eekpknlf.exe
2900 | Fadmenpg.exe
2900 | Fadmenpg.exe
336 | Fpijgk32.exe
336 | Fpijgk32.exe
564 | Ffeoid32.exe
564 | Ffeoid32.exe
2456 | Gledgkfn.exe
2456 | Gledgkfn.exe
2248 | Gadidabc.exe
2248 | Gadidabc.exe
956 | Gpiffngk.exe
956 | Gpiffngk.exe
2476 | Gdgoll32.exe
2476 | Gdgoll32.exe
2116 | Hdilalko.exe
2116 | Hdilalko.exe
1352 | Hjhaob32.exe
1352 | Hjhaob32.exe
3028 | Hjkneb32.exe
3028 | Hjkneb32.exe
2220 | Hfanjcke.exe
2220 | Hfanjcke.exe
2412 | Hfdkoc32.exe
2412 | Hfdkoc32.exe
1532 | Iqnlpq32.exe
1532 | Iqnlpq32.exe
2424 | Ijfpif32.exe
2424 | Ijfpif32.exe
1536 | Idkdfo32.exe
1536 | Idkdfo32.exe
1036 | Imgija32.exe
1036 | Imgija32.exe
2776 | Inffdd32.exe
2776 | Inffdd32.exe
964 | Igojmjgf.exe
964 | Igojmjgf.exe
1980 | Jcekbk32.exe
1980 | Jcekbk32.exe
1308 | Jchhhjjg.exe
1308 | Jchhhjjg.exe
1448 | Jekaeb32.exe
1448 | Jekaeb32.exe
1660 | Jboanfmm.exe
1660 | Jboanfmm.exe
1248 | Jjjfbikh.exe
1248 | Jjjfbikh.exe
2788 | Kmkodd32.exe
2788 | Kmkodd32.exe
1504 | Knkkngol.exe
1504 | Knkkngol.exe
3020 | Kcjqlm32.exe
3020 | Kcjqlm32.exe
2920 | Kfkjnh32.exe
2920 | Kfkjnh32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Akinoefk.dll | Fpijgk32.exe
File opened for modification | C:\Windows\SysWOW64\Cdooongp.exe | Cijkaehj.exe
File created | C:\Windows\SysWOW64\Bqbbpghe.exe | Bcoafcjk.exe
File opened for modification | C:\Windows\SysWOW64\Ikojfg32.exe | Iohiafag.exe
File created | C:\Windows\SysWOW64\Hcocei32.dll | Ippflkok.exe
File created | C:\Windows\SysWOW64\Hnepeg32.dll | Mochmm32.exe
File created | C:\Windows\SysWOW64\Pekhohfk.exe | Plbdfc32.exe
File opened for modification | C:\Windows\SysWOW64\Mckdaojc.exe | Process not Found
File created | C:\Windows\SysWOW64\Bdpaan32.dll | Clcghk32.exe
File opened for modification | C:\Windows\SysWOW64\Phjgdm32.exe | Ppoboj32.exe
File created | C:\Windows\SysWOW64\Mcigmfdc.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ddooqkbb.exe | Process not Found
File created | C:\Windows\SysWOW64\Ahbcda32.exe | Anjnllbd.exe
File created | C:\Windows\SysWOW64\Bkghem32.dll | Glmecbbj.exe
File created | C:\Windows\SysWOW64\Bjcnoe32.exe | Bibagmhk.exe
File created | C:\Windows\SysWOW64\Kckeno32.exe | Klqmaebl.exe
File created | C:\Windows\SysWOW64\Ifjjnbog.dll | Hiohob32.exe
File created | C:\Windows\SysWOW64\Gjpodhfi.exe | Gebflaga.exe
File created | C:\Windows\SysWOW64\Lnpjhbaa.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Idmllnho.exe | Process not Found
File created | C:\Windows\SysWOW64\Lbqech32.exe | Process not Found
File created | C:\Windows\SysWOW64\Idjkef32.dll | Process not Found
File created | C:\Windows\SysWOW64\Kckbchmg.dll | Nnboonmb.exe
File created | C:\Windows\SysWOW64\Jopfmg32.dll | Nmlgcbei.exe
File created | C:\Windows\SysWOW64\Poflio32.dll | Kfofla32.exe
File opened for modification | C:\Windows\SysWOW64\Bebmgc32.exe | Bkmijk32.exe
File created | C:\Windows\SysWOW64\Cbdpcd32.exe | Process not Found
File created | C:\Windows\SysWOW64\Lpjpgo32.dll | Pmhbbp32.exe
File created | C:\Windows\SysWOW64\Qiclcp32.exe | Qmlknocg.exe
File opened for modification | C:\Windows\SysWOW64\Gifjeeip.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Kokcfn32.exe | Process not Found
File created | C:\Windows\SysWOW64\Imenpfap.exe | Iopqoi32.exe
File opened for modification | C:\Windows\SysWOW64\Hmfjda32.exe | Hcnfllcd.exe
File opened for modification | C:\Windows\SysWOW64\Iamjdi32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Kngjifph.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Gliomp32.exe | Process not Found
File created | C:\Windows\SysWOW64\Lagknhgp.dll | Bjclfmfe.exe
File created | C:\Windows\SysWOW64\Coofoghn.exe | Cbhejf32.exe
File opened for modification | C:\Windows\SysWOW64\Klclom32.exe | Kdhgkk32.exe
File opened for modification | C:\Windows\SysWOW64\Neabophn.exe | Nngjbfpa.exe
File created | C:\Windows\SysWOW64\Cacjebbl.exe | Process not Found
File created | C:\Windows\SysWOW64\Hmcimq32.exe | Galhhp32.exe
File opened for modification | C:\Windows\SysWOW64\Fikkcnog.exe | Fiiono32.exe
File created | C:\Windows\SysWOW64\Kbcbcopn.dll | Hcpnpn32.exe
File created | C:\Windows\SysWOW64\Anbcio32.exe | Afgoem32.exe
File created | C:\Windows\SysWOW64\Pdpepejb.exe | Pekhohfk.exe
File created | C:\Windows\SysWOW64\Biehmiaj.dll | Mmlfcn32.exe
File opened for modification | C:\Windows\SysWOW64\Jclpib32.exe | Jnogakma.exe
File opened for modification | C:\Windows\SysWOW64\Pipnohdl.exe | Oadjjfga.exe
File created | C:\Windows\SysWOW64\Gjoflo32.dll | Ecdffe32.exe
File created | C:\Windows\SysWOW64\Gkemcm32.dll | Jchhhjjg.exe
File created | C:\Windows\SysWOW64\Hdmajkdl.exe | Hmcimq32.exe
File created | C:\Windows\SysWOW64\Ifddon32.dll | Mjicdl32.exe
File created | C:\Windows\SysWOW64\Hnlpghmj.exe | Gaeoaggf.exe
File opened for modification | C:\Windows\SysWOW64\Kefpbm32.exe | Kjaled32.exe
File opened for modification | C:\Windows\SysWOW64\Qpjecn32.exe | Qepdbpii.exe
File created | C:\Windows\SysWOW64\Iofofg32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ngikaijm.exe | Nldgdpjf.exe
File opened for modification | C:\Windows\SysWOW64\Knapen32.exe | Kfflal32.exe
File created | C:\Windows\SysWOW64\Facjobce.exe | Fkibbh32.exe
File opened for modification | C:\Windows\SysWOW64\Ggifmgia.exe | Gggihhkd.exe
File created | C:\Windows\SysWOW64\Iihkea32.exe | Ippflkok.exe
File created | C:\Windows\SysWOW64\Jeingodf.dll | Process not Found
File created | C:\Windows\SysWOW64\Aeljmq32.exe | Akdedkfl.exe
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hiohob32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dalaeicf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lfjipe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pakoam32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Acbigfii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Facjobce.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Alglin32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aoeajc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmhfpmee.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hhkjpi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dekgpdqc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mfkcdgfi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ppoijq32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fjinqjpq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Egbffj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jojmigpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhbbkahk.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bqbbpghe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ljelbeke.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hbohblcg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nppemgjd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Baecgdbj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dindme32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhfniekh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bodhlane.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lkkefi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lmbmbi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Imenpfap.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Egmhjm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hmdohj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qiclcp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kckeno32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fqkdenfj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Okcjphdc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jgficdgo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Idkdfo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Labamcdb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Glcmna32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pflpecpa.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gebflaga.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nhhdiknb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Doclijgd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ccoplcii.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ciggap32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaigab32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jfeamimh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aplppela.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aocifaog.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbkhikfp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kcjqlm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eomoohoi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jdibfn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nnokohkj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ojjanlod.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dfdpbaeb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpmajb32.exe
Modifies registry class (64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idgegk32.dll" | Dhiacg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gcmgdpid.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iohiafag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efibdgle.dll" | Membbo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnpjhbaa.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Logkbl32.dll" | Gadidabc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Bmaaha32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmhmkile.dll" | Bbbedqcc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fahpafeg.dll" | Ooblie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qcpgej32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node | 148f97379b7ed0bdc4834f028bc662f62777e87a566e1100d2d7259275a640bc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | 148f97379b7ed0bdc4834f028bc662f62777e87a566e1100d2d7259275a640bc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Pgdcjjom.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Iblcjohm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nboohcij.dll" | Inmdjjok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cqlmcd32.dll" | Mnkdlagc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kfkjnh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Aepqac32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mhfniekh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Monilb32.dll" | Lbdghi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Oqibjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Nnenmfbd.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emlbce32.dll" | Bphhobmd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Aekplnlo.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anmjpg32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afolfl32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Egpfheoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iikonh32.dll" | Ggaeae32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Qcbndg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkkkga32.dll" | Lfhdeoqh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gkkkgkla.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nmiakdll.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjpcdg32.dll" | Jmplbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoile32.dll" | Jmcbio32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Opohil32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mafoal32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qepbjh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcnjnhnk.dll" | Afmack32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Kgmodcqg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjimdd32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bcnllf32.dll" | 148f97379b7ed0bdc4834f028bc662f62777e87a566e1100d2d7259275a640bc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kefmnp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkbcoi32.dll" | Bchmolkm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Djeoan32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfgajna.dll" | Iidccj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jghfid32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Fhgnie32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Enblpe32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Miphjf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dncjbl32.dll" | Kpdlfn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bgedlbfj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Eilodk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgbpfel.dll" | Iohiafag.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Daoklean.dll" | Ndjloanf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdhifd32.dll" | Gmhibenb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgeomhoa.dll" | Bnmpcmpi.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Gckfmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Plhfda32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lfjipe32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Each entry gives the image path, the command line as recorded, and the PID, followed by the signatures attributed to that process. The entries are listed in nesting order; the number before each entry is its level in the process tree.

1. C:\Users\Admin\AppData\Local\Temp\148f97379b7ed0bdc4834f028bc662f62777e87a566e1100d2d7259275a640bc.exe (cmd: "C:\Users\Admin\AppData\Local\Temp\148f97379b7ed0bdc4834f028bc662f62777e87a566e1100d2d7259275a640bc.exe", PID:2060)
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Emieflec.exe (cmd: C:\Windows\system32\Emieflec.exe, PID:2136)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Egbffj32.exe (cmd: C:\Windows\system32\Egbffj32.exe, PID:2068)
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Elpnmhgh.exe (cmd: C:\Windows\system32\Elpnmhgh.exe, PID:2944)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Eekpknlf.exe (cmd: C:\Windows\system32\Eekpknlf.exe, PID:2716)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Fadmenpg.exe (cmd: C:\Windows\system32\Fadmenpg.exe, PID:2900)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Fpijgk32.exe (cmd: C:\Windows\system32\Fpijgk32.exe, PID:336)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Ffeoid32.exe (cmd: C:\Windows\system32\Ffeoid32.exe, PID:564)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Gledgkfn.exe (cmd: C:\Windows\system32\Gledgkfn.exe, PID:2456)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Gadidabc.exe (cmd: C:\Windows\system32\Gadidabc.exe, PID:2248)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Gpiffngk.exe (cmd: C:\Windows\system32\Gpiffngk.exe, PID:956)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Gdgoll32.exe (cmd: C:\Windows\system32\Gdgoll32.exe, PID:2476)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Hdilalko.exe (cmd: C:\Windows\system32\Hdilalko.exe, PID:2116)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Hjhaob32.exe (cmd: C:\Windows\system32\Hjhaob32.exe, PID:1352)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Hjkneb32.exe (cmd: C:\Windows\system32\Hjkneb32.exe, PID:3028)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Hfanjcke.exe (cmd: C:\Windows\system32\Hfanjcke.exe, PID:2220)
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Hfdkoc32.exe (cmd: C:\Windows\system32\Hfdkoc32.exe, PID:2412)
   - Executes dropped EXE
   - Loads dropped DLL
18. C:\Windows\SysWOW64\Iqnlpq32.exe (cmd: C:\Windows\system32\Iqnlpq32.exe, PID:1532)
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Ijfpif32.exe (cmd: C:\Windows\system32\Ijfpif32.exe, PID:2424)
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Idkdfo32.exe (cmd: C:\Windows\system32\Idkdfo32.exe, PID:1536)
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
21. C:\Windows\SysWOW64\Imgija32.exe (cmd: C:\Windows\system32\Imgija32.exe, PID:1036)
   - Executes dropped EXE
   - Loads dropped DLL
22. C:\Windows\SysWOW64\Inffdd32.exe (cmd: C:\Windows\system32\Inffdd32.exe, PID:2776)
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Igojmjgf.exe (cmd: C:\Windows\system32\Igojmjgf.exe, PID:964)
   - Executes dropped EXE
   - Loads dropped DLL
24. C:\Windows\SysWOW64\Jcekbk32.exe (cmd: C:\Windows\system32\Jcekbk32.exe, PID:1980)
   - Executes dropped EXE
   - Loads dropped DLL
25. C:\Windows\SysWOW64\Jchhhjjg.exe (cmd: C:\Windows\system32\Jchhhjjg.exe, PID:1308)
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
26. C:\Windows\SysWOW64\Jekaeb32.exe (cmd: C:\Windows\system32\Jekaeb32.exe, PID:1448)
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Jboanfmm.exe (cmd: C:\Windows\system32\Jboanfmm.exe, PID:1660)
   - Executes dropped EXE
   - Loads dropped DLL
28. C:\Windows\SysWOW64\Jjjfbikh.exe (cmd: C:\Windows\system32\Jjjfbikh.exe, PID:1248)
   - Executes dropped EXE
   - Loads dropped DLL
29. C:\Windows\SysWOW64\Kmkodd32.exe (cmd: C:\Windows\system32\Kmkodd32.exe, PID:2788)
   - Executes dropped EXE
   - Loads dropped DLL
30. C:\Windows\SysWOW64\Knkkngol.exe (cmd: C:\Windows\system32\Knkkngol.exe, PID:1504)
   - Executes dropped EXE
   - Loads dropped DLL
31. C:\Windows\SysWOW64\Kcjqlm32.exe (cmd: C:\Windows\system32\Kcjqlm32.exe, PID:3020)
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
32. C:\Windows\SysWOW64\Kfkjnh32.exe (cmd: C:\Windows\system32\Kfkjnh32.exe, PID:2920)
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
33. C:\Windows\SysWOW64\Lhnckp32.exe (cmd: C:\Windows\system32\Lhnckp32.exe, PID:2700)
   - Executes dropped EXE
34. C:\Windows\SysWOW64\Lbdghi32.exe (cmd: C:\Windows\system32\Lbdghi32.exe, PID:1920)
   - Executes dropped EXE
   - Modifies registry class
35. C:\Windows\SysWOW64\Mpgdaqmh.exe (cmd: C:\Windows\system32\Mpgdaqmh.exe, PID:2164)
   - Executes dropped EXE
36. C:\Windows\SysWOW64\Miphjf32.exe (cmd: C:\Windows\system32\Miphjf32.exe, PID:2432)
   - Executes dropped EXE
   - Modifies registry class
37. C:\Windows\SysWOW64\Moomgmpm.exe (cmd: C:\Windows\system32\Moomgmpm.exe, PID:2080)
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Napfihmn.exe (cmd: C:\Windows\system32\Napfihmn.exe, PID:1684)
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Ngmoao32.exe (cmd: C:\Windows\system32\Ngmoao32.exe, PID:2784)
   - Executes dropped EXE
40. C:\Windows\SysWOW64\Nkjggmal.exe (cmd: C:\Windows\system32\Nkjggmal.exe, PID:2992)
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Ncellpog.exe (cmd: C:\Windows\system32\Ncellpog.exe, PID:764)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
42. C:\Windows\SysWOW64\Nnnmoh32.exe (cmd: C:\Windows\system32\Nnnmoh32.exe, PID:940)
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Ogfagmck.exe (cmd: C:\Windows\system32\Ogfagmck.exe, PID:2384)
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Oqnfqcjk.exe (cmd: C:\Windows\system32\Oqnfqcjk.exe, PID:1596)
   - Executes dropped EXE
45. C:\Windows\SysWOW64\Ojgkih32.exe (cmd: C:\Windows\system32\Ojgkih32.exe, PID:2276)
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Okhgaqfj.exe (cmd: C:\Windows\system32\Okhgaqfj.exe, PID:1424)
   - Executes dropped EXE
47. C:\Windows\SysWOW64\Oilgje32.exe (cmd: C:\Windows\system32\Oilgje32.exe, PID:1760)
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Ofphdi32.exe (cmd: C:\Windows\system32\Ofphdi32.exe, PID:1408)
   - Executes dropped EXE
49. C:\Windows\SysWOW64\Obfiijia.exe (cmd: C:\Windows\system32\Obfiijia.exe, PID:2960)
   - Executes dropped EXE
50. C:\Windows\SysWOW64\Pjbnmm32.exe (cmd: C:\Windows\system32\Pjbnmm32.exe, PID:1932)
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Pcjbfbmm.exe (cmd: C:\Windows\system32\Pcjbfbmm.exe, PID:2508)
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Pmbfoh32.exe (cmd: C:\Windows\system32\Pmbfoh32.exe, PID:2156)
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Pclolakk.exe (cmd: C:\Windows\system32\Pclolakk.exe, PID:1472)
   - Executes dropped EXE
54. C:\Windows\SysWOW64\Pmecdgbk.exe (cmd: C:\Windows\system32\Pmecdgbk.exe, PID:2836)
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Pjicnlqe.exe (cmd: C:\Windows\system32\Pjicnlqe.exe, PID:2924)
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Pmgpjgph.exe (cmd: C:\Windows\system32\Pmgpjgph.exe, PID:1968)
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Pbdhbnnp.exe (cmd: C:\Windows\system32\Pbdhbnnp.exe, PID:2072)
   - Executes dropped EXE
58. C:\Windows\SysWOW64\Pphilb32.exe (cmd: C:\Windows\system32\Pphilb32.exe, PID:2616)
   - Executes dropped EXE
59. C:\Windows\SysWOW64\Qipmdhcj.exe (cmd: C:\Windows\system32\Qipmdhcj.exe, PID:2448)
   - Executes dropped EXE
60. C:\Windows\SysWOW64\Qpjeaa32.exe (cmd: C:\Windows\system32\Qpjeaa32.exe, PID:1140)
   - Executes dropped EXE
61. C:\Windows\SysWOW64\Qibjjgag.exe (cmd: C:\Windows\system32\Qibjjgag.exe, PID:2016)
   - Executes dropped EXE
62. C:\Windows\SysWOW64\Qpmbgaid.exe (cmd: C:\Windows\system32\Qpmbgaid.exe, PID:1244)
   - Executes dropped EXE
63. C:\Windows\SysWOW64\Aanonj32.exe (cmd: C:\Windows\system32\Aanonj32.exe, PID:2632)
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Alcclb32.exe (cmd: C:\Windows\system32\Alcclb32.exe, PID:2088)
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Adohpe32.exe (cmd: C:\Windows\system32\Adohpe32.exe, PID:704)
   - Executes dropped EXE
66. C:\Windows\SysWOW64\Adadedjq.exe (cmd: C:\Windows\system32\Adadedjq.exe, PID:2252)
67. C:\Windows\SysWOW64\Aofhcmig.exe (cmd: C:\Windows\system32\Aofhcmig.exe, PID:1252)
68. C:\Windows\SysWOW64\Apheke32.exe (cmd: C:\Windows\system32\Apheke32.exe, PID:1456)
69. C:\Windows\SysWOW64\Apjbpemb.exe (cmd: C:\Windows\system32\Apjbpemb.exe, PID:1624)
70. C:\Windows\SysWOW64\Blabef32.exe (cmd: C:\Windows\system32\Blabef32.exe, PID:1928)
71. C:\Windows\SysWOW64\Bdhjfc32.exe (cmd: C:\Windows\system32\Bdhjfc32.exe, PID:2344)
   - Adds autorun key to be loaded by Explorer.exe on startup
72. C:\Windows\SysWOW64\Biecoj32.exe (cmd: C:\Windows\system32\Biecoj32.exe, PID:2256)
73. C:\Windows\SysWOW64\Bpokkdim.exe (cmd: C:\Windows\system32\Bpokkdim.exe, PID:2888)
74. C:\Windows\SysWOW64\Belcck32.exe (cmd: C:\Windows\system32\Belcck32.exe, PID:2956)
75. C:\Windows\SysWOW64\Bodhlane.exe (cmd: C:\Windows\system32\Bodhlane.exe, PID:2692)
   - System Location Discovery: System Language Discovery
76. C:\Windows\SysWOW64\Biiljjnk.exe (cmd: C:\Windows\system32\Biiljjnk.exe, PID:2696)
77. C:\Windows\SysWOW64\Bkkiab32.exe (cmd: C:\Windows\system32\Bkkiab32.exe, PID:672)
78. C:\Windows\SysWOW64\Bcbabodk.exe (cmd: C:\Windows\system32\Bcbabodk.exe, PID:2984)
79. C:\Windows\SysWOW64\Bljeke32.exe (cmd: C:\Windows\system32\Bljeke32.exe, PID:1116)
80. C:\Windows\SysWOW64\Cnnohmog.exe (cmd: C:\Windows\system32\Cnnohmog.exe, PID:1516)
81. C:\Windows\SysWOW64\Cgfcabeh.exe (cmd: C:\Windows\system32\Cgfcabeh.exe, PID:1012)
82. C:\Windows\SysWOW64\Cpogjh32.exe (cmd: C:\Windows\system32\Cpogjh32.exe, PID:2200)
83. C:\Windows\SysWOW64\Cnbhcl32.exe (cmd: C:\Windows\system32\Cnbhcl32.exe, PID:2264)
84. C:\Windows\SysWOW64\Ccoplcii.exe (cmd: C:\Windows\system32\Ccoplcii.exe, PID:2656)
   - System Location Discovery: System Language Discovery
85. C:\Windows\SysWOW64\Cpcaeghc.exe (cmd: C:\Windows\system32\Cpcaeghc.exe, PID:236)
86. C:\Windows\SysWOW64\Cgmiba32.exe (cmd: C:\Windows\system32\Cgmiba32.exe, PID:3024)
87. C:\Windows\SysWOW64\Dohnfc32.exe (cmd: C:\Windows\system32\Dohnfc32.exe, PID:932)
   - Adds autorun key to be loaded by Explorer.exe on startup
88. C:\Windows\SysWOW64\Djnbdlla.exe (cmd: C:\Windows\system32\Djnbdlla.exe, PID:872)
89. C:\Windows\SysWOW64\Dcffmb32.exe (cmd: C:\Windows\system32\Dcffmb32.exe, PID:2880)
90. C:\Windows\SysWOW64\Dlokegib.exe (cmd: C:\Windows\system32\Dlokegib.exe, PID:2896)
91. C:\Windows\SysWOW64\Ddjpjj32.exe (cmd: C:\Windows\system32\Ddjpjj32.exe, PID:536)
92. C:\Windows\SysWOW64\Dkdhfdnj.exe (cmd: C:\Windows\system32\Dkdhfdnj.exe, PID:1800)
93. C:\Windows\SysWOW64\Dhhhphmc.exe (cmd: C:\Windows\system32\Dhhhphmc.exe, PID:1884)
94. C:\Windows\SysWOW64\Djiegp32.exe (cmd: C:\Windows\system32\Djiegp32.exe, PID:1852)
95. C:\Windows\SysWOW64\Ddoiei32.exe (cmd: C:\Windows\system32\Ddoiei32.exe, PID:1996)
96. C:\Windows\SysWOW64\Egmeadbk.exe (cmd: C:\Windows\system32\Egmeadbk.exe, PID:1636)
97. C:\Windows\SysWOW64\Emjnikpc.exe (cmd: C:\Windows\system32\Emjnikpc.exe, PID:2504)
98. C:\Windows\SysWOW64\Ecdffe32.exe (cmd: C:\Windows\system32\Ecdffe32.exe, PID:1576)
   - Drops file in System32 directory
99. C:\Windows\SysWOW64\Ecfcle32.exe (cmd: C:\Windows\system32\Ecfcle32.exe, PID:1216)
100. C:\Windows\SysWOW64\Ekcdegqe.exe (cmd: C:\Windows\system32\Ekcdegqe.exe, PID:1712)
101. C:\Windows\SysWOW64\Elfakg32.exe (cmd: C:\Windows\system32\Elfakg32.exe, PID:1752)
102. C:\Windows\SysWOW64\Fpdjaeei.exe (cmd: C:\Windows\system32\Fpdjaeei.exe, PID:1648)
103. C:\Windows\SysWOW64\Feqbilcq.exe (cmd: C:\Windows\system32\Feqbilcq.exe, PID:2056)
104. C:\Windows\SysWOW64\Flkjffkm.exe (cmd: C:\Windows\system32\Flkjffkm.exe, PID:2524)
105. C:\Windows\SysWOW64\Fjpggb32.exe (cmd: C:\Windows\system32\Fjpggb32.exe, PID:2972)
106. C:\Windows\SysWOW64\Fajpdmgb.exe (cmd: C:\Windows\system32\Fajpdmgb.exe, PID:1268)
107. C:\Windows\SysWOW64\Fdhlphff.exe (cmd: C:\Windows\system32\Fdhlphff.exe, PID:2436)
108. C:\Windows\SysWOW64\Fnnpma32.exe (cmd: C:\Windows\system32\Fnnpma32.exe, PID:1728)
109. C:\Windows\SysWOW64\Fjdqbbkp.exe (cmd: C:\Windows\system32\Fjdqbbkp.exe, PID:1708)
110. C:\Windows\SysWOW64\Gaoiol32.exe (cmd: C:\Windows\system32\Gaoiol32.exe, PID:2512)
111. C:\Windows\SysWOW64\Gjgmhaim.exe (cmd: C:\Windows\system32\Gjgmhaim.exe, PID:2296)
112. C:\Windows\SysWOW64\Gdobqgpn.exe (cmd: C:\Windows\system32\Gdobqgpn.exe, PID:2304)
   - Adds autorun key to be loaded by Explorer.exe on startup
113. C:\Windows\SysWOW64\Giljinne.exe (cmd: C:\Windows\system32\Giljinne.exe, PID:584)
114. C:\Windows\SysWOW64\Gmhfjm32.exe (cmd: C:\Windows\system32\Gmhfjm32.exe, PID:1844)
115. C:\Windows\SysWOW64\Goicaell.exe (cmd: C:\Windows\system32\Goicaell.exe, PID:2052)
116. C:\Windows\SysWOW64\Giogonlb.exe (cmd: C:\Windows\system32\Giogonlb.exe, PID:2912)
117. C:\Windows\SysWOW64\Glmckikf.exe (cmd: C:\Windows\system32\Glmckikf.exe, PID:2676)
118. C:\Windows\SysWOW64\Gbglgcbc.exe (cmd: C:\Windows\system32\Gbglgcbc.exe, PID:1780)
119. C:\Windows\SysWOW64\Gloppi32.exe (cmd: C:\Windows\system32\Gloppi32.exe, PID:2560)
120. C:\Windows\SysWOW64\Galhhp32.exe (cmd: C:\Windows\system32\Galhhp32.exe, PID:1612)
   - Drops file in System32 directory
121. C:\Windows\SysWOW64\Hmcimq32.exe (cmd: C:\Windows\system32\Hmcimq32.exe, PID:2536)
   - Drops file in System32 directory
122. C:\Windows\SysWOW64\Hdmajkdl.exe (cmd: C:\Windows\system32\Hdmajkdl.exe, PID:1508)