Resubmissions
09-12-2024 13:39
241209-qxx8mazjds 10Analysis
-
max time kernel
33s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
09-12-2024 13:39
Behavioral task
behavioral1
Sample
ecff67f8e7531eb01950da892924f9a3f53ee138d8d2e0e533c0532a305af246.exe
Resource
win7-20241023-en
windows7-x64
12 signatures
120 seconds
General
-
Target
ecff67f8e7531eb01950da892924f9a3f53ee138d8d2e0e533c0532a305af246.exe
-
Size
337KB
-
MD5
6e90abd2de50b24b7e37fa00f8020ccf
-
SHA1
644b24540c33367d40fb23281a285382466a52d8
-
SHA256
ecff67f8e7531eb01950da892924f9a3f53ee138d8d2e0e533c0532a305af246
-
SHA512
2a32898e30d99f0f12ae026cfff72f064e1a72cbb99e8bc2b5ac5e35a9910b521aee42a8bf0e41d5b4c64ea461072f866a291070c181e087d72f7c1c39f9be4f
-
SSDEEP
3072:X7gScz8ibZtgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc0P:XAht1+fIyG5jZkCwi8p
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciihklpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eodicd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmqmod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciagojda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcjlnpmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jagpdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhhgpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mflgih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kglehp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfoeil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnhgha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlcibc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbcoio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ephbal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhjfgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dljmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkmbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Indnnfdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlgjldnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndhlhg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhbold32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paaddgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmimcbja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bammlq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmdhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfmbek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklgbadb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dinneo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppkhhjei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paaddgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anogijnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daacecfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hldlga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbkqdepm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfgjml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfaalh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfcnegnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odchbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohdfqbio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Boifga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilcalnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfoeil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fooembgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khgkpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klngkfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdlggg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbgfkje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjjnhnbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkklhjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jolghndm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpajbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jimdcqom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jefbnacn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeohkeoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnhgim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoblnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feiddbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpabpcdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oniebmda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iamdkfnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfdhmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olpbaa32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 1888 Najpll32.exe 2384 Ndhlhg32.exe 2564 Njbdea32.exe 2876 Nallalep.exe 2672 Nmejllia.exe 3040 Oeckfndj.exe 2664 Odhhgkib.exe 2520 Oonldcih.exe 1340 Ohhmcinf.exe 1344 Pgnjde32.exe 1956 Pincfpoo.exe 1900 Ppkhhjei.exe 2632 Plaimk32.exe 1596 Qhjfgl32.exe 448 Qdaglmcb.exe 1972 Aqhhanig.exe 1724 Agbpnh32.exe 2900 Amaelomh.exe 692 Ackmih32.exe 776 Aobnniji.exe 1036 Aflfjc32.exe 1948 Akiobk32.exe 384 Bbbgod32.exe 1764 Bkklhjnk.exe 2472 Bnihdemo.exe 1540 Bnldjekl.exe 2848 Bajqfq32.exe 1976 Bammlq32.exe 2868 Bckjhl32.exe 2892 Bflbigdb.exe 2216 Cpdgbm32.exe 2836 Cmhglq32.exe 2504 Cbepdhgc.exe 1128 Cfcijf32.exe 2956 Cmmagpef.exe 3008 Cpmjhk32.exe 2884 Cblfdg32.exe 1988 Daacecfc.exe 2760 Dmhdkdlg.exe 532 Dhmhhmlm.exe 1816 Dogpdg32.exe 1368 Dddimn32.exe 1836 Dknajh32.exe 1508 Dmojkc32.exe 564 Eclbcj32.exe 1968 Eppcmncq.exe 684 Egikjh32.exe 872 Eihgfd32.exe 1748 Elfcbo32.exe 1628 Eoepnk32.exe 2008 Eeohkeoe.exe 2864 Ecbhdi32.exe 2768 Eddeladm.exe 2936 Eoiiijcc.exe 2844 Eaheeecg.exe 2728 Edfbaabj.exe 2492 Fkpjnkig.exe 624 Fajbke32.exe 2840 Fdiogq32.exe 1904 Fhdjgoha.exe 748 Fkbgckgd.exe 580 Fnacpffh.exe 1588 Fdkklp32.exe 1208 Fkecij32.exe -
Loads dropped DLL 64 IoCs
pid Process 1544 ecff67f8e7531eb01950da892924f9a3f53ee138d8d2e0e533c0532a305af246.exe 1544 ecff67f8e7531eb01950da892924f9a3f53ee138d8d2e0e533c0532a305af246.exe 1888 Najpll32.exe 1888 Najpll32.exe 2384 Ndhlhg32.exe 2384 Ndhlhg32.exe 2564 Njbdea32.exe 2564 Njbdea32.exe 2876 Nallalep.exe 2876 Nallalep.exe 2672 Nmejllia.exe 2672 Nmejllia.exe 3040 Oeckfndj.exe 3040 Oeckfndj.exe 2664 Odhhgkib.exe 2664 Odhhgkib.exe 2520 Oonldcih.exe 2520 Oonldcih.exe 1340 Ohhmcinf.exe 1340 Ohhmcinf.exe 1344 Pgnjde32.exe 1344 Pgnjde32.exe 1956 Pincfpoo.exe 1956 Pincfpoo.exe 1900 Ppkhhjei.exe 1900 Ppkhhjei.exe 2632 Plaimk32.exe 2632 Plaimk32.exe 1596 Qhjfgl32.exe 1596 Qhjfgl32.exe 448 Qdaglmcb.exe 448 Qdaglmcb.exe 1972 Aqhhanig.exe 1972 Aqhhanig.exe 1724 Agbpnh32.exe 1724 Agbpnh32.exe 2900 Amaelomh.exe 2900 Amaelomh.exe 692 Ackmih32.exe 692 Ackmih32.exe 776 Aobnniji.exe 776 Aobnniji.exe 1036 Aflfjc32.exe 1036 Aflfjc32.exe 1948 Akiobk32.exe 1948 Akiobk32.exe 384 Bbbgod32.exe 384 Bbbgod32.exe 1764 Bkklhjnk.exe 1764 Bkklhjnk.exe 2472 Bnihdemo.exe 2472 Bnihdemo.exe 1540 Bnldjekl.exe 1540 Bnldjekl.exe 2848 Bajqfq32.exe 2848 Bajqfq32.exe 1976 Bammlq32.exe 1976 Bammlq32.exe 2868 Bckjhl32.exe 2868 Bckjhl32.exe 2892 Bflbigdb.exe 2892 Bflbigdb.exe 2216 Cpdgbm32.exe 2216 Cpdgbm32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cfcijf32.exe Cbepdhgc.exe File created C:\Windows\SysWOW64\Enmkijgm.dll Jbjpom32.exe File created C:\Windows\SysWOW64\Kpdjfphd.dll Mjcaimgg.exe File created C:\Windows\SysWOW64\Qdlggg32.exe Ppnnai32.exe File created C:\Windows\SysWOW64\Bebhmb32.dll Fibcoalf.exe File created C:\Windows\SysWOW64\Pfncnjoi.dll Gnbejb32.exe File created C:\Windows\SysWOW64\Kdhdfgep.dll Jfgebjnm.exe File created C:\Windows\SysWOW64\Kalhln32.dll Pnchhllf.exe File created C:\Windows\SysWOW64\Ooffgmde.dll Pddjlb32.exe File created C:\Windows\SysWOW64\Bodilc32.dll Koflgf32.exe File opened for modification C:\Windows\SysWOW64\Dpcmgi32.exe Dfkhndca.exe File created C:\Windows\SysWOW64\Ghlfjq32.exe Ggkibhjf.exe File created C:\Windows\SysWOW64\Mmjplobo.dll Ibkmchbh.exe File opened for modification C:\Windows\SysWOW64\Jdcpkp32.exe Jaecod32.exe File created C:\Windows\SysWOW64\Kglbad32.dll Lkbmbl32.exe File created C:\Windows\SysWOW64\Ghanagbo.dll Mokilo32.exe File opened for modification C:\Windows\SysWOW64\Anjnnk32.exe Ahmefdcp.exe File opened for modification C:\Windows\SysWOW64\Mbcoio32.exe Mpebmc32.exe File created C:\Windows\SysWOW64\Cfhakqek.dll Gfhgpg32.exe File opened for modification C:\Windows\SysWOW64\Ppnnai32.exe Pidfdofi.exe File opened for modification C:\Windows\SysWOW64\Bgaebe32.exe Bmlael32.exe File opened for modification C:\Windows\SysWOW64\Gnphdceh.exe Gqlhkofn.exe File opened for modification C:\Windows\SysWOW64\Gqdgom32.exe Gnfkba32.exe File created C:\Windows\SysWOW64\Bdclnelo.dll Nmfbpk32.exe File created C:\Windows\SysWOW64\Ckndebll.dll Bgaebe32.exe File opened for modification C:\Windows\SysWOW64\Fibcoalf.exe Fdekgjno.exe File created C:\Windows\SysWOW64\Ckpckece.exe Ciagojda.exe File created C:\Windows\SysWOW64\Dkdmfe32.exe Dekdikhc.exe File opened for modification C:\Windows\SysWOW64\Agbpnh32.exe Aqhhanig.exe File created C:\Windows\SysWOW64\Hedbmpnc.dll Fqfemqod.exe File created C:\Windows\SysWOW64\Onaiomjo.dll Cgaaah32.exe File created C:\Windows\SysWOW64\Kcginj32.exe Klmqapci.exe File created C:\Windows\SysWOW64\Gffdobll.dll Kbhbai32.exe File created C:\Windows\SysWOW64\Ahmiofbn.dll Dhmhhmlm.exe File opened for modification C:\Windows\SysWOW64\Ffodjh32.exe Fdmhbplb.exe File created C:\Windows\SysWOW64\Oljomn32.dll Gkpfmnlb.exe File opened for modification C:\Windows\SysWOW64\Lnhgim32.exe Loefnpnn.exe File opened for modification C:\Windows\SysWOW64\Hegpjaac.exe Hnnhngjf.exe File opened for modification C:\Windows\SysWOW64\Lkbmbl32.exe Llomfpag.exe File created C:\Windows\SysWOW64\Ginaep32.dll Bfoeil32.exe File opened for modification C:\Windows\SysWOW64\Fkefbcmf.exe Fppaej32.exe File opened for modification C:\Windows\SysWOW64\Jedehaea.exe Jpgmpk32.exe File created C:\Windows\SysWOW64\Hpbdmo32.exe Hmdhad32.exe File created C:\Windows\SysWOW64\Inhanl32.exe Iliebpfc.exe File created C:\Windows\SysWOW64\Llbqfe32.exe Lcjlnpmo.exe File created C:\Windows\SysWOW64\Nlcibc32.exe Nameek32.exe File created C:\Windows\SysWOW64\Okhdnm32.dll Opihgfop.exe File created C:\Windows\SysWOW64\Ngpqfp32.exe Mimpkcdn.exe File created C:\Windows\SysWOW64\Jhhcghdk.dll Dcbnpgkh.exe File created C:\Windows\SysWOW64\Dpklkgoj.exe Dmmpolof.exe File created C:\Windows\SysWOW64\Dofphfof.dll Fkpjnkig.exe File created C:\Windows\SysWOW64\Fnflke32.exe Ffodjh32.exe File created C:\Windows\SysWOW64\Obhipb32.dll Gbjojh32.exe File created C:\Windows\SysWOW64\Ihdpbq32.exe Iefcfe32.exe File created C:\Windows\SysWOW64\Nbhhdnlh.exe Nmkplgnq.exe File created C:\Windows\SysWOW64\Nlboaceh.dll Ofadnq32.exe File created C:\Windows\SysWOW64\Lbhnia32.dll Bjdkjpkb.exe File created C:\Windows\SysWOW64\Iblkei32.dll Ijphofem.exe File created C:\Windows\SysWOW64\Gnfkba32.exe Ghibjjnk.exe File created C:\Windows\SysWOW64\Bndneq32.dll Kipmhc32.exe File created C:\Windows\SysWOW64\Odhhgkib.exe Oeckfndj.exe File created C:\Windows\SysWOW64\Ipnlibhd.dll Pincfpoo.exe File created C:\Windows\SysWOW64\Elfcbo32.exe Eihgfd32.exe File opened for modification C:\Windows\SysWOW64\Lklgbadb.exe Lfoojj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6164 5408 WerFault.exe 586 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddeladm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekmfne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjgehgnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohipla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccbbachm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jehlkhig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihglhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adlcfjgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcnghpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eclbcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpabpcdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cehhdkjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjhki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plaimk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jedehaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofnpnkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkoobhhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbbobkol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piliii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hboddk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honnki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnhbmpkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinhdmma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfofol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblkoham.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfhcoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqlhkofn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnapnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjljnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhdkdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmabg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcmamj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbnjhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkipao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamdkfnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffodjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpmjhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khghgchk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kncaojfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dljmlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnphdceh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdgmimg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hklhae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgciff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkbcbn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcomepg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blkjkflb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmpaom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khjgel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnomp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afdiondb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfgebjnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llomfpag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnhgha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piicpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkmollme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcojam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ageompfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaphjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anjnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfjolf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eihgfd32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gkoobhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nakpkfka.dll" Hcdgmimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjjnhnbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dmhdkdlg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feiddbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnalcc32.dll" Hgciff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbclpfop.dll" Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eicpcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebaijflc.dll" Edfbaabj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchaehnb.dll" Locjhqpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqokpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldokfakl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mokilo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbpfqb32.dll" Nallalep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilnomp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcofio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjejkao.dll" Legaoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmidng32.dll" Ppmgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aflfjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccbbachm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iinhdmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbpbbdb.dll" Jmdgipkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieocod32.dll" Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgghac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdnjkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flfpabkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofglaipf.dll" Mobomnoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boifga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmdgipkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eddeladm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmkplgnq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bckjhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbhccm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odchbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjfkgcdc.dll" Deondj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaojnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oiahkhpo.dll" Jfmkbebl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ffodjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbemboof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlkngc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqbdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbmnig32.dll" Bmpkqklh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbnjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajfgpl32.dll" Dmhdkdlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edfbaabj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liihgqil.dll" Gfcnegnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npepbkgb.dll" Ccpeld32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hclfag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jialfgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgfca32.dll" Klmqapci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mokilo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gecpnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eaheeecg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikjhki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afffenbp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ciihklpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekmfne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgkjaa32.dll" Ackmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhdjgoha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefkh32.dll" Dmmpolof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbeedh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boifga32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1544 wrote to memory of 1888 1544 ecff67f8e7531eb01950da892924f9a3f53ee138d8d2e0e533c0532a305af246.exe 30 PID 1544 wrote to memory of 1888 1544 ecff67f8e7531eb01950da892924f9a3f53ee138d8d2e0e533c0532a305af246.exe 30 PID 1544 wrote to memory of 1888 1544 ecff67f8e7531eb01950da892924f9a3f53ee138d8d2e0e533c0532a305af246.exe 30 PID 1544 wrote to memory of 1888 1544 ecff67f8e7531eb01950da892924f9a3f53ee138d8d2e0e533c0532a305af246.exe 30 PID 1888 wrote to memory of 2384 1888 Najpll32.exe 31 PID 1888 wrote to memory of 2384 1888 Najpll32.exe 31 PID 1888 wrote to memory of 2384 1888 Najpll32.exe 31 PID 1888 wrote to memory of 2384 1888 Najpll32.exe 31 PID 2384 wrote to memory of 2564 2384 Ndhlhg32.exe 32 PID 2384 wrote to memory of 2564 2384 Ndhlhg32.exe 32 PID 2384 wrote to memory of 2564 2384 Ndhlhg32.exe 32 PID 2384 wrote to memory of 2564 2384 Ndhlhg32.exe 32 PID 2564 wrote to memory of 2876 2564 Njbdea32.exe 33 PID 2564 wrote to memory of 2876 2564 Njbdea32.exe 33 PID 2564 wrote to memory of 2876 2564 Njbdea32.exe 33 PID 2564 wrote to memory of 2876 2564 Njbdea32.exe 33 PID 2876 wrote to memory of 2672 2876 Nallalep.exe 34 PID 2876 wrote to memory of 2672 2876 Nallalep.exe 34 PID 2876 wrote to memory of 2672 2876 Nallalep.exe 34 PID 2876 wrote to memory of 2672 2876 Nallalep.exe 34 PID 2672 wrote to memory of 3040 2672 Nmejllia.exe 35 PID 2672 wrote to memory of 3040 2672 Nmejllia.exe 35 PID 2672 wrote to memory of 3040 2672 Nmejllia.exe 35 PID 2672 wrote to memory of 3040 2672 Nmejllia.exe 35 PID 3040 wrote to memory of 2664 3040 Oeckfndj.exe 36 PID 3040 wrote to memory of 2664 3040 Oeckfndj.exe 36 PID 3040 wrote to memory of 2664 3040 Oeckfndj.exe 36 PID 3040 wrote to memory of 2664 3040 Oeckfndj.exe 36 PID 2664 wrote to memory of 2520 2664 Odhhgkib.exe 37 PID 2664 wrote to memory of 2520 2664 Odhhgkib.exe 37 PID 2664 wrote to memory of 2520 2664 Odhhgkib.exe 37 PID 2664 wrote to memory of 2520 2664 Odhhgkib.exe 37 PID 2520 wrote to memory of 1340 2520 Oonldcih.exe 38 PID 2520 wrote to memory of 1340 2520 Oonldcih.exe 38 PID 2520 wrote to memory of 1340 2520 Oonldcih.exe 38 PID 2520 wrote to memory of 1340 2520 Oonldcih.exe 38 PID 1340 wrote to memory of 1344 1340 Ohhmcinf.exe 39 PID 1340 wrote to memory of 1344 1340 Ohhmcinf.exe 39 PID 1340 wrote to memory of 1344 1340 Ohhmcinf.exe 39 PID 1340 wrote to memory of 1344 1340 Ohhmcinf.exe 39 PID 1344 wrote to memory of 1956 1344 Pgnjde32.exe 40 PID 1344 wrote to memory of 1956 1344 Pgnjde32.exe 40 PID 1344 wrote to memory of 1956 1344 Pgnjde32.exe 40 PID 1344 wrote to memory of 1956 1344 Pgnjde32.exe 40 PID 1956 wrote to memory of 1900 1956 Pincfpoo.exe 41 PID 1956 wrote to memory of 1900 1956 Pincfpoo.exe 41 PID 1956 wrote to memory of 1900 1956 Pincfpoo.exe 41 PID 1956 wrote to memory of 1900 1956 Pincfpoo.exe 41 PID 1900 wrote to memory of 2632 1900 Ppkhhjei.exe 42 PID 1900 wrote to memory of 2632 1900 Ppkhhjei.exe 42 PID 1900 wrote to memory of 2632 1900 Ppkhhjei.exe 42 PID 1900 wrote to memory of 2632 1900 Ppkhhjei.exe 42 PID 2632 wrote to memory of 1596 2632 Plaimk32.exe 43 PID 2632 wrote to memory of 1596 2632 Plaimk32.exe 43 PID 2632 wrote to memory of 1596 2632 Plaimk32.exe 43 PID 2632 wrote to memory of 1596 2632 Plaimk32.exe 43 PID 1596 wrote to memory of 448 1596 Qhjfgl32.exe 44 PID 1596 wrote to memory of 448 1596 Qhjfgl32.exe 44 PID 1596 wrote to memory of 448 1596 Qhjfgl32.exe 44 PID 1596 wrote to memory of 448 1596 Qhjfgl32.exe 44 PID 448 wrote to memory of 1972 448 Qdaglmcb.exe 45 PID 448 wrote to memory of 1972 448 Qdaglmcb.exe 45 PID 448 wrote to memory of 1972 448 Qdaglmcb.exe 45 PID 448 wrote to memory of 1972 448 Qdaglmcb.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\ecff67f8e7531eb01950da892924f9a3f53ee138d8d2e0e533c0532a305af246.exe"C:\Users\Admin\AppData\Local\Temp\ecff67f8e7531eb01950da892924f9a3f53ee138d8d2e0e533c0532a305af246.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Nallalep.exeC:\Windows\system32\Nallalep.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\Plaimk32.exeC:\Windows\system32\Plaimk32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1972 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:692 -
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1036 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1948 -
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:384 -
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2472 -
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Bajqfq32.exeC:\Windows\system32\Bajqfq32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Bflbigdb.exeC:\Windows\system32\Bflbigdb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2892 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe33⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Cbepdhgc.exeC:\Windows\system32\Cbepdhgc.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2504 -
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe35⤵
- Executes dropped EXE
PID:1128 -
C:\Windows\SysWOW64\Cmmagpef.exeC:\Windows\system32\Cmmagpef.exe36⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Cblfdg32.exeC:\Windows\system32\Cblfdg32.exe38⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Dhmhhmlm.exeC:\Windows\system32\Dhmhhmlm.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:532 -
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe42⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe43⤵
- Executes dropped EXE
PID:1368 -
C:\Windows\SysWOW64\Dknajh32.exeC:\Windows\system32\Dknajh32.exe44⤵
- Executes dropped EXE
PID:1836 -
C:\Windows\SysWOW64\Dmojkc32.exeC:\Windows\system32\Dmojkc32.exe45⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe47⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe48⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:872 -
C:\Windows\SysWOW64\Elfcbo32.exeC:\Windows\system32\Elfcbo32.exe50⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Eoepnk32.exeC:\Windows\system32\Eoepnk32.exe51⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Eeohkeoe.exeC:\Windows\system32\Eeohkeoe.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe53⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Eoiiijcc.exeC:\Windows\system32\Eoiiijcc.exe55⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2728 -
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe59⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe60⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1904 -
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe62⤵
- Executes dropped EXE
PID:748 -
C:\Windows\SysWOW64\Fnacpffh.exeC:\Windows\system32\Fnacpffh.exe63⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe64⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Fkecij32.exeC:\Windows\system32\Fkecij32.exe65⤵
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Flfpabkp.exeC:\Windows\system32\Flfpabkp.exe66⤵
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe67⤵
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Ffodjh32.exeC:\Windows\system32\Ffodjh32.exe68⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2460 -
C:\Windows\SysWOW64\Fnflke32.exeC:\Windows\system32\Fnflke32.exe69⤵PID:1752
-
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe70⤵PID:2612
-
C:\Windows\SysWOW64\Fgnadkic.exeC:\Windows\system32\Fgnadkic.exe71⤵PID:2872
-
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe72⤵PID:2908
-
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe73⤵
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Gfcnegnk.exeC:\Windows\system32\Gfcnegnk.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Ghajacmo.exeC:\Windows\system32\Ghajacmo.exe75⤵PID:2684
-
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe76⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe77⤵
- Drops file in System32 directory
PID:1140 -
C:\Windows\SysWOW64\Gfejjgli.exeC:\Windows\system32\Gfejjgli.exe78⤵PID:2248
-
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe79⤵PID:1876
-
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe80⤵
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Gblkoham.exeC:\Windows\system32\Gblkoham.exe81⤵
- System Location Discovery: System Language Discovery
PID:2032 -
C:\Windows\SysWOW64\Gfhgpg32.exeC:\Windows\system32\Gfhgpg32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe83⤵PID:2468
-
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe84⤵PID:2236
-
C:\Windows\SysWOW64\Gdmdacnn.exeC:\Windows\system32\Gdmdacnn.exe85⤵PID:1568
-
C:\Windows\SysWOW64\Gjjmijme.exeC:\Windows\system32\Gjjmijme.exe86⤵PID:1580
-
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe87⤵PID:1688
-
C:\Windows\SysWOW64\Hkiicmdh.exeC:\Windows\system32\Hkiicmdh.exe88⤵PID:2364
-
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe89⤵PID:2828
-
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe90⤵PID:2024
-
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe91⤵PID:1484
-
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe92⤵PID:1884
-
C:\Windows\SysWOW64\Hgbfnngi.exeC:\Windows\system32\Hgbfnngi.exe93⤵PID:848
-
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe94⤵PID:832
-
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe95⤵PID:744
-
C:\Windows\SysWOW64\Hfhcoj32.exeC:\Windows\system32\Hfhcoj32.exe96⤵
- System Location Discovery: System Language Discovery
PID:1684 -
C:\Windows\SysWOW64\Hjcppidk.exeC:\Windows\system32\Hjcppidk.exe97⤵PID:1176
-
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1576 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe99⤵
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\Hemqpf32.exeC:\Windows\system32\Hemqpf32.exe100⤵PID:2924
-
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe102⤵PID:2880
-
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe103⤵PID:2652
-
C:\Windows\SysWOW64\Ieomef32.exeC:\Windows\system32\Ieomef32.exe104⤵PID:2204
-
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe105⤵
- Drops file in System32 directory
PID:2040 -
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe106⤵PID:660
-
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe107⤵PID:1472
-
C:\Windows\SysWOW64\Iimfld32.exeC:\Windows\system32\Iimfld32.exe108⤵PID:288
-
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe109⤵PID:1744
-
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe110⤵PID:2164
-
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe111⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\Imokehhl.exeC:\Windows\system32\Imokehhl.exe112⤵PID:2712
-
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe113⤵
- Drops file in System32 directory
PID:2412 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe114⤵PID:1928
-
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe115⤵PID:3000
-
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1716 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe117⤵
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Ijehdl32.exeC:\Windows\system32\Ijehdl32.exe118⤵PID:2288
-
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe119⤵PID:1520
-
C:\Windows\SysWOW64\Jfliim32.exeC:\Windows\system32\Jfliim32.exe120⤵PID:1784
-
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe121⤵PID:2916
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-