Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
10-01-2025 03:53
Behavioral task
behavioral1
Sample
8887336c28e75355173797e5d3ea95b72acd055c0b4b8c95982aae78735b4420.exe
Resource
win7-20241023-en
windows7-x64
12 signatures
150 seconds
General
-
Target
8887336c28e75355173797e5d3ea95b72acd055c0b4b8c95982aae78735b4420.exe
-
Size
93KB
-
MD5
a16f0f64aee70b5a7dc65b52d8377bb3
-
SHA1
89f612c470ea23d0d7e11d0e0db1b7097de838f7
-
SHA256
8887336c28e75355173797e5d3ea95b72acd055c0b4b8c95982aae78735b4420
-
SHA512
78ec311c10c7693cf66570f4abe62d50adc2f18e685b08d3d4e32f2f669400e5f4bcfda048da7fa09a53d3db65baa696b6b1da6b49c826ec3c0a0540ad376e5e
-
SSDEEP
1536:Qhp2ADxOrgFJfE2bvLwhfKsv5M8UaxSjtWWI1DaYfMZRWuLsV+1L:QhpflLLR4RPSj0TgYfc0DV+1L
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amnocpdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbafjlaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okpcoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hakkgc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afkdakjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqlicclo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcokiaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbcjnnpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dikogf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgcejm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnmeen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbbgod32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clpabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hloiib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afffenbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Meffhnal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmecgba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oopijc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdmnam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlqmmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oghhfg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqmamm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpmbfbgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmfdhojb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acqnnndl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hifpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpedeg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edqocbkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oippjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdoajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Affdle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbaken32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demofaol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cegoqlof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlhjhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dodafoni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egiiapci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gppipc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jckgicnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljieppcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbpipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdkklp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eknkpbdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfemlpdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgefefnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhdocl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnkmqkbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eabcggll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnomjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Demofaol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dklddhka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqdefddb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfoiqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmcjhdbc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iigpli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aobnniji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djgkii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngneph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iedfqeka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pepcelel.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adnpkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Locjhqpa.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2752 Qijdocfj.exe 2916 Qkhpkoen.exe 2628 Qqeicede.exe 2468 Aniimjbo.exe 772 Aaheie32.exe 2956 Ajpjakhc.exe 1012 Achojp32.exe 2108 Agdjkogm.exe 796 Amqccfed.exe 2688 Agfgqo32.exe 2980 Aigchgkh.exe 2088 Afkdakjb.exe 1816 Ajgpbj32.exe 2072 Abbeflpf.exe 308 Bmhideol.exe 2068 Bbdallnd.exe 468 Bnkbam32.exe 1392 Biafnecn.exe 1540 Bhdgjb32.exe 1984 Bjbcfn32.exe 2200 Behgcf32.exe 2540 Blaopqpo.exe 2300 Bjdplm32.exe 2368 Bejdiffp.exe 1504 Bdmddc32.exe 2872 Bfkpqn32.exe 2684 Cdoajb32.exe 1700 Cilibi32.exe 2856 Cpfaocal.exe 2056 Cdanpb32.exe 2212 Cklfll32.exe 2416 Cphndc32.exe 1524 Cmlong32.exe 2988 Cegcbjkn.exe 1308 Cicpch32.exe 2948 Cpmhpbkc.exe 2944 Cejphiik.exe 1916 Chhldeho.exe 1424 Dkgippgb.exe 1976 Dkiefp32.exe 764 Dodafoni.exe 2392 Dacnbjml.exe 1132 Dgpfkakd.exe 2576 Dognlnlf.exe 1964 Daejhjkj.exe 1748 Dnlkmkpn.exe 576 Dpjgifpa.exe 2580 Ddfcje32.exe 2772 Dkpkfooh.exe 2780 Dpmdofno.exe 2636 Eckpkamb.exe 2664 Ejehgkdp.exe 2700 Elcdcgcc.exe 532 Eobapbbg.exe 1780 Ecnmpa32.exe 2912 Egiiapci.exe 2336 Ehjehh32.exe 1704 Elfaifaq.exe 2196 Ecpjfq32.exe 1576 Efnfbl32.exe 2244 Elhnof32.exe 2044 Eogjka32.exe 2008 Ebefgm32.exe 760 Emkkdf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2848 8887336c28e75355173797e5d3ea95b72acd055c0b4b8c95982aae78735b4420.exe 2848 8887336c28e75355173797e5d3ea95b72acd055c0b4b8c95982aae78735b4420.exe 2752 Qijdocfj.exe 2752 Qijdocfj.exe 2916 Qkhpkoen.exe 2916 Qkhpkoen.exe 2628 Qqeicede.exe 2628 Qqeicede.exe 2468 Aniimjbo.exe 2468 Aniimjbo.exe 772 Aaheie32.exe 772 Aaheie32.exe 2956 Ajpjakhc.exe 2956 Ajpjakhc.exe 1012 Achojp32.exe 1012 Achojp32.exe 2108 Agdjkogm.exe 2108 Agdjkogm.exe 796 Amqccfed.exe 796 Amqccfed.exe 2688 Agfgqo32.exe 2688 Agfgqo32.exe 2980 Aigchgkh.exe 2980 Aigchgkh.exe 2088 Afkdakjb.exe 2088 Afkdakjb.exe 1816 Ajgpbj32.exe 1816 Ajgpbj32.exe 2072 Abbeflpf.exe 2072 Abbeflpf.exe 308 Bmhideol.exe 308 Bmhideol.exe 2068 Bbdallnd.exe 2068 Bbdallnd.exe 468 Bnkbam32.exe 468 Bnkbam32.exe 1392 Biafnecn.exe 1392 Biafnecn.exe 1540 Bhdgjb32.exe 1540 Bhdgjb32.exe 1984 Bjbcfn32.exe 1984 Bjbcfn32.exe 2200 Behgcf32.exe 2200 Behgcf32.exe 2540 Blaopqpo.exe 2540 Blaopqpo.exe 2300 Bjdplm32.exe 2300 Bjdplm32.exe 2368 Bejdiffp.exe 2368 Bejdiffp.exe 1504 Bdmddc32.exe 1504 Bdmddc32.exe 2872 Bfkpqn32.exe 2872 Bfkpqn32.exe 2684 Cdoajb32.exe 2684 Cdoajb32.exe 1700 Cilibi32.exe 1700 Cilibi32.exe 2856 Cpfaocal.exe 2856 Cpfaocal.exe 2056 Cdanpb32.exe 2056 Cdanpb32.exe 2212 Cklfll32.exe 2212 Cklfll32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Epnlhaii.dll Mpmcielb.exe File created C:\Windows\SysWOW64\Kidhce32.dll Bkmhnjlh.exe File created C:\Windows\SysWOW64\Fggkcl32.exe Fhdjgoha.exe File created C:\Windows\SysWOW64\Hjqqap32.exe Hpkldg32.exe File opened for modification C:\Windows\SysWOW64\Lfolaang.exe Lpedeg32.exe File created C:\Windows\SysWOW64\Aipfmane.exe Afajafoa.exe File opened for modification C:\Windows\SysWOW64\Bigimdjh.exe Bfhmqhkd.exe File created C:\Windows\SysWOW64\Aaaphj32.dll Cedpbd32.exe File created C:\Windows\SysWOW64\Lmmlmd32.dll Aigchgkh.exe File opened for modification C:\Windows\SysWOW64\Meicnm32.exe Mamgmofp.exe File created C:\Windows\SysWOW64\Opknndcg.dll Afajafoa.exe File opened for modification C:\Windows\SysWOW64\Dkigoimd.exe Dlfgcl32.exe File opened for modification C:\Windows\SysWOW64\Abhkfg32.exe Acekjjmk.exe File created C:\Windows\SysWOW64\Nmnaak32.dll Kjglkm32.exe File opened for modification C:\Windows\SysWOW64\Ldoimh32.exe Lqcmmjko.exe File created C:\Windows\SysWOW64\Cmlcld32.dll Eknmhk32.exe File opened for modification C:\Windows\SysWOW64\Fdkklp32.exe Famope32.exe File opened for modification C:\Windows\SysWOW64\Jcjnfdbp.exe Jonbee32.exe File opened for modification C:\Windows\SysWOW64\Ljfogake.exe Lbogfcjc.exe File created C:\Windows\SysWOW64\Mnomjl32.exe Mgedmb32.exe File opened for modification C:\Windows\SysWOW64\Alihaioe.exe Qnghel32.exe File created C:\Windows\SysWOW64\Dhfcho32.dll Cfeepelg.exe File opened for modification C:\Windows\SysWOW64\Gcbabpcf.exe Gqdefddb.exe File created C:\Windows\SysWOW64\Hmalldcn.exe Hifpke32.exe File created C:\Windows\SysWOW64\Polkppon.dll Fncmmmma.exe File created C:\Windows\SysWOW64\Glhnji32.dll Fmfnhj32.exe File opened for modification C:\Windows\SysWOW64\Qmgibqjc.exe Qndigd32.exe File opened for modification C:\Windows\SysWOW64\Jckgicnp.exe Jnnnalph.exe File created C:\Windows\SysWOW64\Ohcdhi32.exe Oeehln32.exe File created C:\Windows\SysWOW64\Nhcmgmam.dll Nhjjgd32.exe File opened for modification C:\Windows\SysWOW64\Pggdejno.exe Pdihiook.exe File created C:\Windows\SysWOW64\Dgjfek32.exe Dpqnhadq.exe File created C:\Windows\SysWOW64\Fcikef32.dll Miehak32.exe File created C:\Windows\SysWOW64\Nhjpke32.dll Jaeafklf.exe File created C:\Windows\SysWOW64\Ckoelflc.dll Jgdfdbhk.exe File opened for modification C:\Windows\SysWOW64\Pincfpoo.exe Pcdkif32.exe File opened for modification C:\Windows\SysWOW64\Eihgfd32.exe Ecnoijbd.exe File created C:\Windows\SysWOW64\Mlkjne32.exe Meabakda.exe File opened for modification C:\Windows\SysWOW64\Fhdjgoha.exe Fpmbfbgo.exe File created C:\Windows\SysWOW64\Fgnadkic.exe Fqdiga32.exe File created C:\Windows\SysWOW64\Jlphbbbg.exe Jialfgcc.exe File created C:\Windows\SysWOW64\Oococb32.exe Ohiffh32.exe File opened for modification C:\Windows\SysWOW64\Cchbgi32.exe Cbffoabe.exe File created C:\Windows\SysWOW64\Holphali.dll Opifnm32.exe File opened for modification C:\Windows\SysWOW64\Bidlgdlk.exe Baigca32.exe File created C:\Windows\SysWOW64\Miehak32.exe Mbkpeake.exe File created C:\Windows\SysWOW64\Aebmjo32.dll Hmoofdea.exe File created C:\Windows\SysWOW64\Jpefpo32.dll Qdncmgbj.exe File created C:\Windows\SysWOW64\Fbfnjhdd.dll Bepjha32.exe File created C:\Windows\SysWOW64\Jkbojpna.exe Jckgicnp.exe File opened for modification C:\Windows\SysWOW64\Noffdd32.exe Nlhjhi32.exe File opened for modification C:\Windows\SysWOW64\Cegcbjkn.exe Cmlong32.exe File created C:\Windows\SysWOW64\Ofljekhm.dll Fcbbjcif.exe File created C:\Windows\SysWOW64\Ifkedenn.dll Fgnokb32.exe File created C:\Windows\SysWOW64\Knmamp32.exe Kfeikcfa.exe File created C:\Windows\SysWOW64\Bbejeo32.dll Nlnnnk32.exe File created C:\Windows\SysWOW64\Lmkcam32.dll Qaqnkafa.exe File created C:\Windows\SysWOW64\Gdboig32.exe Geoonjeg.exe File created C:\Windows\SysWOW64\Fqlicclo.exe Fjbafi32.exe File opened for modification C:\Windows\SysWOW64\Okbpde32.exe Ohcdhi32.exe File created C:\Windows\SysWOW64\Nhjjgd32.exe Neknki32.exe File created C:\Windows\SysWOW64\Bcjcme32.exe Bqlfaj32.exe File opened for modification C:\Windows\SysWOW64\Jbcjnnpl.exe Jliaac32.exe File created C:\Windows\SysWOW64\Olkjnqpo.dll Cphndc32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8252 9136 WerFault.exe 928 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieagbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhglq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akhfoldn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anlhkbhq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diaaeepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnflke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjakccop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpdeogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khcomhbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmabj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbncfjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljlbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmddc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eogjka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlnklcej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbojmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enlglnci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdocl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eamilh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihmpobck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfbpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfoghakb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndpicm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciifbchf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hinqgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmhnjlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfoiqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlgnmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epgphcqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elnqmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpfmmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhdgjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cicpch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bepjha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlhjhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okbpde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blaopqpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlkail32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aflfjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dicnkdnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjcomcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgchgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afkdakjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmcjhdbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpadhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecpjfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngneph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbfnngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhnifmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnifja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clmdmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggkqmoma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neiaeiii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojomdoof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjdplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklfll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gppipc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocphf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpicodoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpmcielb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Illbhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmpbdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqmjnk32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehjehh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pimkgkgm.dll" Idiaii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjllab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajjfkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epbfmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgcejm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnpkflne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkfmcc32.dll" Gjjmijme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmalldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agdjkogm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjoifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoajel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Modcdaml.dll" Fgadda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedohngn.dll" Khabghdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogdgeded.dll" Pkdihhag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgbioq32.dll" Mcqombic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjpkqonj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opfbngfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pomhcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoepingi.dll" Khielcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnndan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijclol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbcjnnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjmnjkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcacjhob.dll" Llbqfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geoonjeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nadimacd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cgohil32.dll" Iaeegh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpfdhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfmndn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfgegnbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imglhaji.dll" Jbpdeogo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibhndp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bkbaii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlfgcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhgcm32.dll" Iflmjihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbdmji32.dll" Jbqmhnbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmdjkhdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iegjqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpbalb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oibmpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpkldg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfcqgpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncdgll32.dll" Edlfhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjacjifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfjckino.dll" Jdnmma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khiccj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpedeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nagbgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqhhanig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmpcgace.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihpfgalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cklfll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dognlnlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecpjfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhamckel.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfoiqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfcijf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdjfphd.dll" Mnomjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aincgi32.dll" Cpfaocal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Enlglnci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdgkco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gegabegc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cicalakk.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2848 wrote to memory of 2752 2848 8887336c28e75355173797e5d3ea95b72acd055c0b4b8c95982aae78735b4420.exe 30 PID 2848 wrote to memory of 2752 2848 8887336c28e75355173797e5d3ea95b72acd055c0b4b8c95982aae78735b4420.exe 30 PID 2848 wrote to memory of 2752 2848 8887336c28e75355173797e5d3ea95b72acd055c0b4b8c95982aae78735b4420.exe 30 PID 2848 wrote to memory of 2752 2848 8887336c28e75355173797e5d3ea95b72acd055c0b4b8c95982aae78735b4420.exe 30 PID 2752 wrote to memory of 2916 2752 Qijdocfj.exe 31 PID 2752 wrote to memory of 2916 2752 Qijdocfj.exe 31 PID 2752 wrote to memory of 2916 2752 Qijdocfj.exe 31 PID 2752 wrote to memory of 2916 2752 Qijdocfj.exe 31 PID 2916 wrote to memory of 2628 2916 Qkhpkoen.exe 32 PID 2916 wrote to memory of 2628 2916 Qkhpkoen.exe 32 PID 2916 wrote to memory of 2628 2916 Qkhpkoen.exe 32 PID 2916 wrote to memory of 2628 2916 Qkhpkoen.exe 32 PID 2628 wrote to memory of 2468 2628 Qqeicede.exe 33 PID 2628 wrote to memory of 2468 2628 Qqeicede.exe 33 PID 2628 wrote to memory of 2468 2628 Qqeicede.exe 33 PID 2628 wrote to memory of 2468 2628 Qqeicede.exe 33 PID 2468 wrote to memory of 772 2468 Aniimjbo.exe 34 PID 2468 wrote to memory of 772 2468 Aniimjbo.exe 34 PID 2468 wrote to memory of 772 2468 Aniimjbo.exe 34 PID 2468 wrote to memory of 772 2468 Aniimjbo.exe 34 PID 772 wrote to memory of 2956 772 Aaheie32.exe 35 PID 772 wrote to memory of 2956 772 Aaheie32.exe 35 PID 772 wrote to memory of 2956 772 Aaheie32.exe 35 PID 772 wrote to memory of 2956 772 Aaheie32.exe 35 PID 2956 wrote to memory of 1012 2956 Ajpjakhc.exe 36 PID 2956 wrote to memory of 1012 2956 Ajpjakhc.exe 36 PID 2956 wrote to memory of 1012 2956 Ajpjakhc.exe 36 PID 2956 wrote to memory of 1012 2956 Ajpjakhc.exe 36 PID 1012 wrote to memory of 2108 1012 Achojp32.exe 37 PID 1012 wrote to memory of 2108 1012 Achojp32.exe 37 PID 1012 wrote to memory of 2108 1012 Achojp32.exe 37 PID 1012 wrote to memory of 2108 1012 Achojp32.exe 37 PID 2108 wrote to memory of 796 2108 Agdjkogm.exe 38 PID 2108 wrote to memory of 796 2108 Agdjkogm.exe 38 PID 2108 wrote to memory of 796 2108 Agdjkogm.exe 38 PID 2108 wrote to memory of 796 2108 Agdjkogm.exe 38 PID 796 wrote to memory of 2688 796 Amqccfed.exe 39 PID 796 wrote to memory of 2688 796 Amqccfed.exe 39 PID 796 wrote to memory of 2688 796 Amqccfed.exe 39 PID 796 wrote to memory of 2688 796 Amqccfed.exe 39 PID 2688 wrote to memory of 2980 2688 Agfgqo32.exe 40 PID 2688 wrote to memory of 2980 2688 Agfgqo32.exe 40 PID 2688 wrote to memory of 2980 2688 Agfgqo32.exe 40 PID 2688 wrote to memory of 2980 2688 Agfgqo32.exe 40 PID 2980 wrote to memory of 2088 2980 Aigchgkh.exe 41 PID 2980 wrote to memory of 2088 2980 Aigchgkh.exe 41 PID 2980 wrote to memory of 2088 2980 Aigchgkh.exe 41 PID 2980 wrote to memory of 2088 2980 Aigchgkh.exe 41 PID 2088 wrote to memory of 1816 2088 Afkdakjb.exe 42 PID 2088 wrote to memory of 1816 2088 Afkdakjb.exe 42 PID 2088 wrote to memory of 1816 2088 Afkdakjb.exe 42 PID 2088 wrote to memory of 1816 2088 Afkdakjb.exe 42 PID 1816 wrote to memory of 2072 1816 Ajgpbj32.exe 43 PID 1816 wrote to memory of 2072 1816 Ajgpbj32.exe 43 PID 1816 wrote to memory of 2072 1816 Ajgpbj32.exe 43 PID 1816 wrote to memory of 2072 1816 Ajgpbj32.exe 43 PID 2072 wrote to memory of 308 2072 Abbeflpf.exe 44 PID 2072 wrote to memory of 308 2072 Abbeflpf.exe 44 PID 2072 wrote to memory of 308 2072 Abbeflpf.exe 44 PID 2072 wrote to memory of 308 2072 Abbeflpf.exe 44 PID 308 wrote to memory of 2068 308 Bmhideol.exe 45 PID 308 wrote to memory of 2068 308 Bmhideol.exe 45 PID 308 wrote to memory of 2068 308 Bmhideol.exe 45 PID 308 wrote to memory of 2068 308 Bmhideol.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8887336c28e75355173797e5d3ea95b72acd055c0b4b8c95982aae78735b4420.exe"C:\Users\Admin\AppData\Local\Temp\8887336c28e75355173797e5d3ea95b72acd055c0b4b8c95982aae78735b4420.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Qijdocfj.exeC:\Windows\system32\Qijdocfj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Qkhpkoen.exeC:\Windows\system32\Qkhpkoen.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Aniimjbo.exeC:\Windows\system32\Aniimjbo.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2468 -
C:\Windows\SysWOW64\Aaheie32.exeC:\Windows\system32\Aaheie32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\SysWOW64\Ajpjakhc.exeC:\Windows\system32\Ajpjakhc.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Achojp32.exeC:\Windows\system32\Achojp32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1012 -
C:\Windows\SysWOW64\Agdjkogm.exeC:\Windows\system32\Agdjkogm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Amqccfed.exeC:\Windows\system32\Amqccfed.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:796 -
C:\Windows\SysWOW64\Agfgqo32.exeC:\Windows\system32\Agfgqo32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Aigchgkh.exeC:\Windows\system32\Aigchgkh.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Afkdakjb.exeC:\Windows\system32\Afkdakjb.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Ajgpbj32.exeC:\Windows\system32\Ajgpbj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1816 -
C:\Windows\SysWOW64\Abbeflpf.exeC:\Windows\system32\Abbeflpf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\SysWOW64\Bmhideol.exeC:\Windows\system32\Bmhideol.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:308 -
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Bnkbam32.exeC:\Windows\system32\Bnkbam32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:468 -
C:\Windows\SysWOW64\Biafnecn.exeC:\Windows\system32\Biafnecn.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1392 -
C:\Windows\SysWOW64\Bhdgjb32.exeC:\Windows\system32\Bhdgjb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Bjbcfn32.exeC:\Windows\system32\Bjbcfn32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1984 -
C:\Windows\SysWOW64\Behgcf32.exeC:\Windows\system32\Behgcf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Blaopqpo.exeC:\Windows\system32\Blaopqpo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2540 -
C:\Windows\SysWOW64\Bjdplm32.exeC:\Windows\system32\Bjdplm32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Windows\SysWOW64\Bejdiffp.exeC:\Windows\system32\Bejdiffp.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2368 -
C:\Windows\SysWOW64\Bdmddc32.exeC:\Windows\system32\Bdmddc32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1504 -
C:\Windows\SysWOW64\Bfkpqn32.exeC:\Windows\system32\Bfkpqn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Cdoajb32.exeC:\Windows\system32\Cdoajb32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Cilibi32.exeC:\Windows\system32\Cilibi32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Cpfaocal.exeC:\Windows\system32\Cpfaocal.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Cdanpb32.exeC:\Windows\system32\Cdanpb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Cklfll32.exeC:\Windows\system32\Cklfll32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2212 -
C:\Windows\SysWOW64\Cphndc32.exeC:\Windows\system32\Cphndc32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2416 -
C:\Windows\SysWOW64\Cmlong32.exeC:\Windows\system32\Cmlong32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1524 -
C:\Windows\SysWOW64\Cegcbjkn.exeC:\Windows\system32\Cegcbjkn.exe35⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Cicpch32.exeC:\Windows\system32\Cicpch32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1308 -
C:\Windows\SysWOW64\Cpmhpbkc.exeC:\Windows\system32\Cpmhpbkc.exe37⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Cejphiik.exeC:\Windows\system32\Cejphiik.exe38⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Chhldeho.exeC:\Windows\system32\Chhldeho.exe39⤵
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Dkgippgb.exeC:\Windows\system32\Dkgippgb.exe40⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Dkiefp32.exeC:\Windows\system32\Dkiefp32.exe41⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Dodafoni.exeC:\Windows\system32\Dodafoni.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:764 -
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe43⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe44⤵
- Executes dropped EXE
PID:1132 -
C:\Windows\SysWOW64\Dognlnlf.exeC:\Windows\system32\Dognlnlf.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2576 -
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe46⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Dnlkmkpn.exeC:\Windows\system32\Dnlkmkpn.exe47⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Dpjgifpa.exeC:\Windows\system32\Dpjgifpa.exe48⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Ddfcje32.exeC:\Windows\system32\Ddfcje32.exe49⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Dkpkfooh.exeC:\Windows\system32\Dkpkfooh.exe50⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Dpmdofno.exeC:\Windows\system32\Dpmdofno.exe51⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Eckpkamb.exeC:\Windows\system32\Eckpkamb.exe52⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Ejehgkdp.exeC:\Windows\system32\Ejehgkdp.exe53⤵
- Executes dropped EXE
PID:2664 -
C:\Windows\SysWOW64\Elcdcgcc.exeC:\Windows\system32\Elcdcgcc.exe54⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Eobapbbg.exeC:\Windows\system32\Eobapbbg.exe55⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Ecnmpa32.exeC:\Windows\system32\Ecnmpa32.exe56⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Egiiapci.exeC:\Windows\system32\Egiiapci.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Ehjehh32.exeC:\Windows\system32\Ehjehh32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Elfaifaq.exeC:\Windows\system32\Elfaifaq.exe59⤵
- Executes dropped EXE
PID:1704 -
C:\Windows\SysWOW64\Ecpjfq32.exeC:\Windows\system32\Ecpjfq32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Efnfbl32.exeC:\Windows\system32\Efnfbl32.exe61⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Elhnof32.exeC:\Windows\system32\Elhnof32.exe62⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Eogjka32.exeC:\Windows\system32\Eogjka32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2044 -
C:\Windows\SysWOW64\Ebefgm32.exeC:\Windows\system32\Ebefgm32.exe64⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Emkkdf32.exeC:\Windows\system32\Emkkdf32.exe65⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Eknkpbdf.exeC:\Windows\system32\Eknkpbdf.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1996 -
C:\Windows\SysWOW64\Enlglnci.exeC:\Windows\system32\Enlglnci.exe67⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Ehakigbo.exeC:\Windows\system32\Ehakigbo.exe68⤵PID:1932
-
C:\Windows\SysWOW64\Egdlec32.exeC:\Windows\system32\Egdlec32.exe69⤵PID:1804
-
C:\Windows\SysWOW64\Fnndan32.exeC:\Windows\system32\Fnndan32.exe70⤵
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Fqmpni32.exeC:\Windows\system32\Fqmpni32.exe71⤵PID:2692
-
C:\Windows\SysWOW64\Fidhof32.exeC:\Windows\system32\Fidhof32.exe72⤵PID:892
-
C:\Windows\SysWOW64\Fkdaqa32.exeC:\Windows\system32\Fkdaqa32.exe73⤵PID:2672
-
C:\Windows\SysWOW64\Fncmmmma.exeC:\Windows\system32\Fncmmmma.exe74⤵
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Fmfnhj32.exeC:\Windows\system32\Fmfnhj32.exe75⤵
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Fcpfedki.exeC:\Windows\system32\Fcpfedki.exe76⤵PID:964
-
C:\Windows\SysWOW64\Ffnbaojm.exeC:\Windows\system32\Ffnbaojm.exe77⤵PID:2804
-
C:\Windows\SysWOW64\Fnejbmko.exeC:\Windows\system32\Fnejbmko.exe78⤵PID:2612
-
C:\Windows\SysWOW64\Fqcfnhjb.exeC:\Windows\system32\Fqcfnhjb.exe79⤵PID:1512
-
C:\Windows\SysWOW64\Fpffje32.exeC:\Windows\system32\Fpffje32.exe80⤵PID:1036
-
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe81⤵
- Drops file in System32 directory
PID:3008 -
C:\Windows\SysWOW64\Fgnokb32.exeC:\Windows\system32\Fgnokb32.exe82⤵
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Fiokbjgn.exeC:\Windows\system32\Fiokbjgn.exe83⤵PID:908
-
C:\Windows\SysWOW64\Fpicodoj.exeC:\Windows\system32\Fpicodoj.exe84⤵
- System Location Discovery: System Language Discovery
PID:1736 -
C:\Windows\SysWOW64\Gjngmmnp.exeC:\Windows\system32\Gjngmmnp.exe85⤵PID:1228
-
C:\Windows\SysWOW64\Gmmdiind.exeC:\Windows\system32\Gmmdiind.exe86⤵PID:2064
-
C:\Windows\SysWOW64\Glpdde32.exeC:\Windows\system32\Glpdde32.exe87⤵PID:2436
-
C:\Windows\SysWOW64\Gbjlaplk.exeC:\Windows\system32\Gbjlaplk.exe88⤵PID:1844
-
C:\Windows\SysWOW64\Gicdnj32.exeC:\Windows\system32\Gicdnj32.exe89⤵PID:2680
-
C:\Windows\SysWOW64\Gfgegnbb.exeC:\Windows\system32\Gfgegnbb.exe90⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe91⤵PID:1652
-
C:\Windows\SysWOW64\Gldmoepi.exeC:\Windows\system32\Gldmoepi.exe92⤵PID:2968
-
C:\Windows\SysWOW64\Gppipc32.exeC:\Windows\system32\Gppipc32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3000 -
C:\Windows\SysWOW64\Gihniioc.exeC:\Windows\system32\Gihniioc.exe94⤵PID:624
-
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe95⤵PID:2708
-
C:\Windows\SysWOW64\Geoonjeg.exeC:\Windows\system32\Geoonjeg.exe96⤵
- Drops file in System32 directory
- Modifies registry class
PID:3044 -
C:\Windows\SysWOW64\Gdboig32.exeC:\Windows\system32\Gdboig32.exe97⤵PID:1808
-
C:\Windows\SysWOW64\Gmjcblbb.exeC:\Windows\system32\Gmjcblbb.exe98⤵PID:936
-
C:\Windows\SysWOW64\Hddlof32.exeC:\Windows\system32\Hddlof32.exe99⤵PID:904
-
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe100⤵PID:888
-
C:\Windows\SysWOW64\Hpkldg32.exeC:\Windows\system32\Hpkldg32.exe101⤵
- Drops file in System32 directory
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Hjqqap32.exeC:\Windows\system32\Hjqqap32.exe102⤵PID:2892
-
C:\Windows\SysWOW64\Hmomml32.exeC:\Windows\system32\Hmomml32.exe103⤵PID:1048
-
C:\Windows\SysWOW64\Hdiejfej.exeC:\Windows\system32\Hdiejfej.exe104⤵PID:2124
-
C:\Windows\SysWOW64\Hbleeb32.exeC:\Windows\system32\Hbleeb32.exe105⤵PID:2332
-
C:\Windows\SysWOW64\Hldjnhce.exeC:\Windows\system32\Hldjnhce.exe106⤵PID:2536
-
C:\Windows\SysWOW64\Helngnie.exeC:\Windows\system32\Helngnie.exe107⤵PID:2020
-
C:\Windows\SysWOW64\Hpbbdfik.exeC:\Windows\system32\Hpbbdfik.exe108⤵PID:2192
-
C:\Windows\SysWOW64\Hbqoqbho.exeC:\Windows\system32\Hbqoqbho.exe109⤵PID:1988
-
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe110⤵PID:696
-
C:\Windows\SysWOW64\Hijgml32.exeC:\Windows\system32\Hijgml32.exe111⤵PID:972
-
C:\Windows\SysWOW64\Ilicig32.exeC:\Windows\system32\Ilicig32.exe112⤵PID:2184
-
C:\Windows\SysWOW64\Ibckfa32.exeC:\Windows\system32\Ibckfa32.exe113⤵PID:868
-
C:\Windows\SysWOW64\Ieagbm32.exeC:\Windows\system32\Ieagbm32.exe114⤵
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Ihpdoh32.exeC:\Windows\system32\Ihpdoh32.exe115⤵PID:2640
-
C:\Windows\SysWOW64\Iknpkd32.exeC:\Windows\system32\Iknpkd32.exe116⤵PID:572
-
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe117⤵PID:316
-
C:\Windows\SysWOW64\Iecdhm32.exeC:\Windows\system32\Iecdhm32.exe118⤵PID:1148
-
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe119⤵PID:2716
-
C:\Windows\SysWOW64\Imoilo32.exeC:\Windows\system32\Imoilo32.exe120⤵PID:1828
-
C:\Windows\SysWOW64\Iefamlak.exeC:\Windows\system32\Iefamlak.exe121⤵PID:448
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-