Analysis
max time kernel
134s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags
arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted
25-01-2025 00:23
Behavioral task
behavioral1
Sample
5df4c8d3db4b6ecd60b9a93ad6b4e3154165e69a086a5674618b3fd4af19aa0f.exe
Resource
win7-20241010-en
General
Target
5df4c8d3db4b6ecd60b9a93ad6b4e3154165e69a086a5674618b3fd4af19aa0f.exe
Size
93KB
MD5
ac1a87ad1b52ed3fc43bd013f86a04d1
SHA1
140967e78b5d235eaf450afe2d03cda9a5cfbf0d
SHA256
5df4c8d3db4b6ecd60b9a93ad6b4e3154165e69a086a5674618b3fd4af19aa0f
SHA512
12f8c8c6ecb43b65afee6bc361a241167ff0b043c9568d1486724e7e0e46dbdb4cc0ff1cbed5dafab2a43ec4f097993a7bfd494d8fb621d3bc75c5594233516c
SSDEEP
1536:YJ+pjDYS+3dv05uQ1P/Pik38/1DaYfMZRWuLsV+1B:YJE/YS+2531P/Piks/gYfc0DV+1B
Malware Config
Extracted
berbew
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hegdinpd.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnglekch.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eldkkali.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgclfc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiiafg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idjjih32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmmpfm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aocgnh32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odqiaa32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmidq32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgkef32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcecpe32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcnloa32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpgmhkfi.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkmddmop.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kehjpd32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnaffpoi.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glgcec32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eomaha32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmkigb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhhgmh32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccckabef.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dppiddie.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnhmqc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oofbph32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmkmao32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deckeo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbkkgd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdogceln.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkhocj32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdhmel32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hleegpgb.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbonmjph.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcehpbdm.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbpendha.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhhcpkmh.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgeppe32.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mahinb32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdooongp.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgihopao.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcnomjbg.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaeadppc.exe
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggmnoo32.exe
Berbew family
Njrat family
Executes dropped EXE 64 IoCs
pid Process
2240 Hgjdcghp.exe
1192 Hpbilmop.exe
2796 Hjkneb32.exe
2808 Hkljljko.exe
2704 Hdgkkppm.exe
2832 Ikcpmieg.exe
2732 Indiodbh.exe
1836 Iglngj32.exe
1992 Igojmjgf.exe
2384 Iqgofo32.exe
2912 Jollgl32.exe
1636 Joohmk32.exe
2080 Jkeialfp.exe
2552 Jabajc32.exe
2452 Jadnoc32.exe
648 Kfccmini.exe
2296 Kffpcilf.exe
1584 Kigidd32.exe
1572 Kbonmjph.exe
2196 Kfmfchfo.exe
2040 Lljolodf.exe
788 Lllkaobc.exe
1236 Lojhmjag.exe
2444 Lkahbkgk.exe
2304 Lheilofe.exe
1952 Mpcjfa32.exe
1668 Mkhocj32.exe
1660 Mojdlm32.exe
2948 Miphjf32.exe
2800 Makmnh32.exe
2828 Meiedg32.exe
2712 Nkhkbmco.exe
2684 Npecjdaf.exe
2632 Ndclpb32.exe
1748 Ngcebnen.exe
2996 Ocjfgo32.exe
2496 Ohgnoeii.exe
2084 Ojgkih32.exe
1776 Omgckcmm.exe
584 Pclolakk.exe
3056 Pmecdgbk.exe
1888 Pgjgapaa.exe
2112 Pbdhbnnp.exe
1068 Pllmkcdp.exe
1104 Qnmfmoaa.exe
1756 Qhejed32.exe
2000 Ahhgkdfo.exe
1936 Aelgdhei.exe
1692 Aendjh32.exe
2008 Ajkmbo32.exe
2264 Apheke32.exe
1724 Amledj32.exe
2188 Afdjmo32.exe
3036 Aibfik32.exe
2860 Bdhjfc32.exe
2924 Boakgapg.exe
1080 Belcck32.exe
2308 Bodhlane.exe
2980 Bhlmef32.exe
1072 Bofebqlb.exe
2252 Bhoikfbb.exe
3060 Bnkbcmaj.exe
824 Ckoblapc.exe
2156 Chccfe32.exe
Loads dropped DLL 64 IoCs
pid Process
2604 5df4c8d3db4b6ecd60b9a93ad6b4e3154165e69a086a5674618b3fd4af19aa0f.exe
2604 5df4c8d3db4b6ecd60b9a93ad6b4e3154165e69a086a5674618b3fd4af19aa0f.exe
2240 Hgjdcghp.exe
2240 Hgjdcghp.exe
1192 Hpbilmop.exe
1192 Hpbilmop.exe
2796 Hjkneb32.exe
2796 Hjkneb32.exe
2808 Hkljljko.exe
2808 Hkljljko.exe
2704 Hdgkkppm.exe
2704 Hdgkkppm.exe
2832 Ikcpmieg.exe
2832 Ikcpmieg.exe
2732 Indiodbh.exe
2732 Indiodbh.exe
1836 Iglngj32.exe
1836 Iglngj32.exe
1992 Igojmjgf.exe
1992 Igojmjgf.exe
2384 Iqgofo32.exe
2384 Iqgofo32.exe
2912 Jollgl32.exe
2912 Jollgl32.exe
1636 Joohmk32.exe
1636 Joohmk32.exe
2080 Jkeialfp.exe
2080 Jkeialfp.exe
2552 Jabajc32.exe
2552 Jabajc32.exe
2452 Jadnoc32.exe
2452 Jadnoc32.exe
648 Kfccmini.exe
648 Kfccmini.exe
2296 Kffpcilf.exe
2296 Kffpcilf.exe
1584 Kigidd32.exe
1584 Kigidd32.exe
1572 Kbonmjph.exe
1572 Kbonmjph.exe
2196 Kfmfchfo.exe
2196 Kfmfchfo.exe
2040 Lljolodf.exe
2040 Lljolodf.exe
788 Lllkaobc.exe
788 Lllkaobc.exe
1236 Lojhmjag.exe
1236 Lojhmjag.exe
2444 Lkahbkgk.exe
2444 Lkahbkgk.exe
2304 Lheilofe.exe
2304 Lheilofe.exe
1952 Mpcjfa32.exe
1952 Mpcjfa32.exe
1668 Mkhocj32.exe
1668 Mkhocj32.exe
1660 Mojdlm32.exe
1660 Mojdlm32.exe
2948 Miphjf32.exe
2948 Miphjf32.exe
2800 Makmnh32.exe
2800 Makmnh32.exe
2828 Meiedg32.exe
2828 Meiedg32.exe
Drops file in System32 directory 64 IoCs
description ioc Process
File created C:\Windows\SysWOW64\Geoemenj.dll Mihngj32.exe
File opened for modification C:\Windows\SysWOW64\Jdbmac32.exe Process not Found
File created C:\Windows\SysWOW64\Pomceb32.dll Opohil32.exe
File created C:\Windows\SysWOW64\Deckeo32.exe Dpfblh32.exe
File created C:\Windows\SysWOW64\Lncodf32.exe Kehjpd32.exe
File created C:\Windows\SysWOW64\Celnjj32.exe Cmpieg32.exe
File created C:\Windows\SysWOW64\Bmjhod32.dll Gdciej32.exe
File opened for modification C:\Windows\SysWOW64\Ggpjdohp.exe Gdanhchm.exe
File created C:\Windows\SysWOW64\Malflk32.exe Monjpp32.exe
File created C:\Windows\SysWOW64\Lbokfaff.exe Process not Found
File created C:\Windows\SysWOW64\Lemlao32.dll Amjkgbhe.exe
File opened for modification C:\Windows\SysWOW64\Qbpnjn32.exe Process not Found
File opened for modification C:\Windows\SysWOW64\Qhejed32.exe Qnmfmoaa.exe
File created C:\Windows\SysWOW64\Hgagdp32.dll Kdhgkk32.exe
File created C:\Windows\SysWOW64\Ngmbfl32.exe Nqcjiaah.exe
File created C:\Windows\SysWOW64\Fnglmffc.dll Egnjbfqc.exe
File opened for modification C:\Windows\SysWOW64\Pakoam32.exe Process not Found
File created C:\Windows\SysWOW64\Odiocpjb.dll Process not Found
File opened for modification C:\Windows\SysWOW64\Acnbqcjm.exe Process not Found
File opened for modification C:\Windows\SysWOW64\Lljolodf.exe Kfmfchfo.exe
File created C:\Windows\SysWOW64\Bdogceln.exe Bhhfnd32.exe
File created C:\Windows\SysWOW64\Giljinne.exe Gijncn32.exe
File opened for modification C:\Windows\SysWOW64\Afbpph32.exe Amjkgbhe.exe
File opened for modification C:\Windows\SysWOW64\Pbefbn32.exe Ojjanlod.exe
File opened for modification C:\Windows\SysWOW64\Dchcdn32.exe Dnkjlg32.exe
File created C:\Windows\SysWOW64\Enecjk32.dll Leoofkdo.exe
File created C:\Windows\SysWOW64\Qjjikafh.exe Process not Found
File opened for modification C:\Windows\SysWOW64\Eqinehcq.exe Process not Found
File opened for modification C:\Windows\SysWOW64\Icfaia32.exe Process not Found
File opened for modification C:\Windows\SysWOW64\Neohbe32.exe Nlfdjphd.exe
File created C:\Windows\SysWOW64\Cdpfafje.dll Ikplopnp.exe
File created C:\Windows\SysWOW64\Nqhfdj32.dll Process not Found
File opened for modification C:\Windows\SysWOW64\Lbieejff.exe Ldedlfhl.exe
File created C:\Windows\SysWOW64\Odqiaa32.exe Oncqik32.exe
File created C:\Windows\SysWOW64\Fiiono32.exe Fhhbffkk.exe
File created C:\Windows\SysWOW64\Knhkok32.dll Process not Found
File created C:\Windows\SysWOW64\Nokjpc32.dll Process not Found
File created C:\Windows\SysWOW64\Eddlcgjb.exe Eklgjbca.exe
File opened for modification C:\Windows\SysWOW64\Lfeegfkf.exe Lpkmkl32.exe
File created C:\Windows\SysWOW64\Geadee32.exe Process not Found
File created C:\Windows\SysWOW64\Idcbkh32.exe Process not Found
File opened for modification C:\Windows\SysWOW64\Hdbhgf32.exe Process not Found
File created C:\Windows\SysWOW64\Ddjpjj32.exe Domgache.exe
File created C:\Windows\SysWOW64\Aihenoef.exe Akdedkfl.exe
File opened for modification C:\Windows\SysWOW64\Fddeifgj.exe Fogmaoib.exe
File created C:\Windows\SysWOW64\Gelaggdd.exe Gmeificb.exe
File created C:\Windows\SysWOW64\Oaajnjla.exe Process not Found
File created C:\Windows\SysWOW64\Nombfb32.dll Process not Found
File created C:\Windows\SysWOW64\Ojlmgg32.exe Oqdioaqf.exe
File created C:\Windows\SysWOW64\Lbgnie32.dll Jihgdd32.exe
File opened for modification C:\Windows\SysWOW64\Gpjodq32.exe Ffbkkkcb.exe
File opened for modification C:\Windows\SysWOW64\Jbgdcapi.exe Jknlfg32.exe
File created C:\Windows\SysWOW64\Oinldeif.dll Pgfbhb32.exe
File created C:\Windows\SysWOW64\Bodbfd32.dll Fqbbig32.exe
File created C:\Windows\SysWOW64\Ngkqooop.exe Process not Found
File opened for modification C:\Windows\SysWOW64\Fgdikkaa.exe Process not Found
File opened for modification C:\Windows\SysWOW64\Mideho32.exe Lplqoiai.exe
File created C:\Windows\SysWOW64\Nagjpd32.dll Oqfeda32.exe
File opened for modification C:\Windows\SysWOW64\Ckdnpicb.exe Ceclmc32.exe
File created C:\Windows\SysWOW64\Hbgjoo32.exe Hhmioa32.exe
File created C:\Windows\SysWOW64\Mcmpkj32.exe Lgfpfi32.exe
File opened for modification C:\Windows\SysWOW64\Fdoedp32.exe Fiiafg32.exe
File created C:\Windows\SysWOW64\Mhfdgf32.dll Iqgofo32.exe
File opened for modification C:\Windows\SysWOW64\Cgcpomdk.exe Process not Found
Program crash 1 IoCs
pid pid_target Process procid_target
4624 2188 Process not Found 1762
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pikmob32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkhenlcd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edljfd32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmhnqjf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffbkkkcb.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnphlc32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhpdlm32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdbmkc32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndjloanf.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohgnoeii.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmmihk32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdlkpd32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgdagelg.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhhcpkmh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcfkip32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbpendha.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flldei32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgclfc32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkjkkf32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eljkqfko.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngmbfl32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldkkali.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdabip32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlffcdnm.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chccfe32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nabegpbp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbegpn32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhejed32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alojlgii.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifchhf32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnheniaa.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paelcn32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdajgfkh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miphjf32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pamnpahp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dolondiq.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqfeda32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmbpda32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlogojjp.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfmfjh32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anebhh32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process
3652 Process not Found
Modifies registry class 64 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifcdnajj.dll" Anebhh32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghpnihbo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljajnmoo.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddgljced.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfngafnm.dll" Phiekdeo.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfnclgkn.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjeodhmf.dll" Abfmecba.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbincq32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhgdig32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldkficpc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldopcg32.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhoikfbb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jecinj32.dll" Bpgmhkfi.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdnabo32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlcbpie.dll" Oeipje32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Celocqfm.dll" Mekfmp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkdhoj32.dll" Heiaqjhc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kiaacp32.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bodhlane.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjndif32.dll" Igjckcbo.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbdobc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plmdeaaf.dll" Pnbeacbd.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmhncg32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckdnpicb.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqckaf32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goidmibg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plennkkh.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gokpgd32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqlhbo32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epblob32.dll" Hgjdcghp.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apheke32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enmplm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mklhpfho.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npbpae32.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbabac32.dll" Hiccbfoa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgfjml32.dll" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdfakk32.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dppiddie.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpfmbo32.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pggalnfm.dll" Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kicednho.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iccqedfa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moelic32.dll" Okjoec32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okjoec32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ammjekmg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinnen32.dll" Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Geghlg32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bolkqj32.dll" Cbpncn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onhlfc32.dll" Moijkk32.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5df4c8d3db4b6ecd60b9a93ad6b4e3154165e69a086a5674618b3fd4af19aa0f.exe (command line: "C:\Users\Admin\AppData\Local\Temp\5df4c8d3db4b6ecd60b9a93ad6b4e3154165e69a086a5674618b3fd4af19aa0f.exe"; level 1)
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2604 -
C:\Windows\SysWOW64\Hgjdcghp.exe (command line: C:\Windows\system32\Hgjdcghp.exe; level 2)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Hpbilmop.exe (command line: C:\Windows\system32\Hpbilmop.exe; level 3)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1192 -
C:\Windows\SysWOW64\Hjkneb32.exe (command line: C:\Windows\system32\Hjkneb32.exe; level 4)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Hkljljko.exe (command line: C:\Windows\system32\Hkljljko.exe; level 5)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Hdgkkppm.exe (command line: C:\Windows\system32\Hdgkkppm.exe; level 6)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Ikcpmieg.exe (command line: C:\Windows\system32\Ikcpmieg.exe; level 7)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2832 -
C:\Windows\SysWOW64\Indiodbh.exe (command line: C:\Windows\system32\Indiodbh.exe; level 8)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Iglngj32.exe (command line: C:\Windows\system32\Iglngj32.exe; level 9)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Igojmjgf.exe (command line: C:\Windows\system32\Igojmjgf.exe; level 10)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\SysWOW64\Iqgofo32.exe (command line: C:\Windows\system32\Iqgofo32.exe; level 11)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Jollgl32.exe (command line: C:\Windows\system32\Jollgl32.exe; level 12)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Joohmk32.exe (command line: C:\Windows\system32\Joohmk32.exe; level 13)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Jkeialfp.exe (command line: C:\Windows\system32\Jkeialfp.exe; level 14)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Jabajc32.exe (command line: C:\Windows\system32\Jabajc32.exe; level 15)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Jadnoc32.exe (command line: C:\Windows\system32\Jadnoc32.exe; level 16)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Kfccmini.exe (command line: C:\Windows\system32\Kfccmini.exe; level 17)
- Executes dropped EXE
- Loads dropped DLL
PID:648 -
C:\Windows\SysWOW64\Kffpcilf.exe (command line: C:\Windows\system32\Kffpcilf.exe; level 18)
- Executes dropped EXE
- Loads dropped DLL
PID:2296 -
C:\Windows\SysWOW64\Kigidd32.exe (command line: C:\Windows\system32\Kigidd32.exe; level 19)
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Kbonmjph.exe (command line: C:\Windows\system32\Kbonmjph.exe; level 20)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Kfmfchfo.exe (command line: C:\Windows\system32\Kfmfchfo.exe; level 21)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Lljolodf.exe (command line: C:\Windows\system32\Lljolodf.exe; level 22)
- Executes dropped EXE
- Loads dropped DLL
PID:2040 -
C:\Windows\SysWOW64\Lllkaobc.exe (command line: C:\Windows\system32\Lllkaobc.exe; level 23)
- Executes dropped EXE
- Loads dropped DLL
PID:788 -
C:\Windows\SysWOW64\Lojhmjag.exe (command line: C:\Windows\system32\Lojhmjag.exe; level 24)
- Executes dropped EXE
- Loads dropped DLL
PID:1236 -
C:\Windows\SysWOW64\Lkahbkgk.exe (command line: C:\Windows\system32\Lkahbkgk.exe; level 25)
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Lheilofe.exe (command line: C:\Windows\system32\Lheilofe.exe; level 26)
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Mpcjfa32.exe (command line: C:\Windows\system32\Mpcjfa32.exe; level 27)
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Mkhocj32.exe (command line: C:\Windows\system32\Mkhocj32.exe; level 28)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Mojdlm32.exe (command line: C:\Windows\system32\Mojdlm32.exe; level 29)
- Executes dropped EXE
- Loads dropped DLL
PID:1660 -
C:\Windows\SysWOW64\Miphjf32.exe (command line: C:\Windows\system32\Miphjf32.exe; level 30)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Makmnh32.exe (command line: C:\Windows\system32\Makmnh32.exe; level 31)
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Meiedg32.exe (command line: C:\Windows\system32\Meiedg32.exe; level 32)
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Nkhkbmco.exe (command line: C:\Windows\system32\Nkhkbmco.exe; level 33)
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Npecjdaf.exe (command line: C:\Windows\system32\Npecjdaf.exe; level 34)
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Ndclpb32.exe (command line: C:\Windows\system32\Ndclpb32.exe; level 35)
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Ngcebnen.exe (command line: C:\Windows\system32\Ngcebnen.exe; level 36)
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Ocjfgo32.exe (command line: C:\Windows\system32\Ocjfgo32.exe; level 37)
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Ohgnoeii.exe (command line: C:\Windows\system32\Ohgnoeii.exe; level 38)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Windows\SysWOW64\Ojgkih32.exe (command line: C:\Windows\system32\Ojgkih32.exe; level 39)
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Omgckcmm.exe (command line: C:\Windows\system32\Omgckcmm.exe; level 40)
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Pclolakk.exe (command line: C:\Windows\system32\Pclolakk.exe; level 41)
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Pmecdgbk.exe (command line: C:\Windows\system32\Pmecdgbk.exe; level 42)
- Executes dropped EXE
PID:3056 -
C:\Windows\SysWOW64\Pgjgapaa.exe (command line: C:\Windows\system32\Pgjgapaa.exe; level 43)
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Pbdhbnnp.exe (command line: C:\Windows\system32\Pbdhbnnp.exe; level 44)
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Pllmkcdp.exe (command line: C:\Windows\system32\Pllmkcdp.exe; level 45)
- Executes dropped EXE
PID:1068 -
C:\Windows\SysWOW64\Qnmfmoaa.exe (command line: C:\Windows\system32\Qnmfmoaa.exe; level 46)
- Executes dropped EXE
- Drops file in System32 directory
PID:1104 -
C:\Windows\SysWOW64\Qhejed32.exe (command line: C:\Windows\system32\Qhejed32.exe; level 47)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1756 -
C:\Windows\SysWOW64\Ahhgkdfo.exe (command line: C:\Windows\system32\Ahhgkdfo.exe; level 48)
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Aelgdhei.exe (command line: C:\Windows\system32\Aelgdhei.exe; level 49)
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Aendjh32.exe (command line: C:\Windows\system32\Aendjh32.exe; level 50)
- Executes dropped EXE
PID:1692 -
C:\Windows\SysWOW64\Ajkmbo32.exe (command line: C:\Windows\system32\Ajkmbo32.exe; level 51)
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Apheke32.exe (command line: C:\Windows\system32\Apheke32.exe; level 52)
- Executes dropped EXE
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Amledj32.exe (command line: C:\Windows\system32\Amledj32.exe; level 53)
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Afdjmo32.exe (command line: C:\Windows\system32\Afdjmo32.exe; level 54)
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Aibfik32.exe (command line: C:\Windows\system32\Aibfik32.exe; level 55)
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Bdhjfc32.exe (command line: C:\Windows\system32\Bdhjfc32.exe; level 56)
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Boakgapg.exe (command line: C:\Windows\system32\Boakgapg.exe; level 57)
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Belcck32.exe (command line: C:\Windows\system32\Belcck32.exe; level 58)
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Bodhlane.exe (command line: C:\Windows\system32\Bodhlane.exe; level 59)
- Executes dropped EXE
- Modifies registry class
PID:2308 -
C:\Windows\SysWOW64\Bhlmef32.exe (command line: C:\Windows\system32\Bhlmef32.exe; level 60)
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Bofebqlb.exe (command line: C:\Windows\system32\Bofebqlb.exe; level 61)
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Bhoikfbb.exe (command line: C:\Windows\system32\Bhoikfbb.exe; level 62)
- Executes dropped EXE
- Modifies registry class
PID:2252 -
C:\Windows\SysWOW64\Bnkbcmaj.exe (command line: C:\Windows\system32\Bnkbcmaj.exe; level 63)
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Ckoblapc.exe (command line: C:\Windows\system32\Ckoblapc.exe; level 64)
- Executes dropped EXE
PID:824 -
C:\Windows\SysWOW64\Chccfe32.exe (command line: C:\Windows\system32\Chccfe32.exe; level 65)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Cnpknl32.exe (command line: C:\Windows\system32\Cnpknl32.exe; level 66)
PID:1840 -
C:\Windows\SysWOW64\Ckdlgq32.exe (command line: C:\Windows\system32\Ckdlgq32.exe; level 67)
PID:1716 -
C:\Windows\SysWOW64\Clehoiam.exe (command line: C:\Windows\system32\Clehoiam.exe; level 68)
PID:616 -
C:\Windows\SysWOW64\Cgklma32.exe (command line: C:\Windows\system32\Cgklma32.exe; level 69)
PID:112 -
C:\Windows\SysWOW64\Cpcaeghc.exe (command line: C:\Windows\system32\Cpcaeghc.exe; level 70)
PID:2448 -
C:\Windows\SysWOW64\Cfpinnfj.exe (command line: C:\Windows\system32\Cfpinnfj.exe; level 71)
PID:636 -
C:\Windows\SysWOW64\Dohnfc32.exe (command line: C:\Windows\system32\Dohnfc32.exe; level 72)
PID:2772 -
C:\Windows\SysWOW64\Djnbdlla.exe (command line: C:\Windows\system32\Djnbdlla.exe; level 73)
PID:2864 -
C:\Windows\SysWOW64\Dokjlcjh.exe (command line: C:\Windows\system32\Dokjlcjh.exe; level 74)
PID:2820 -
C:\Windows\SysWOW64\Dfecim32.exe (command line: C:\Windows\system32\Dfecim32.exe; level 75)
PID:2696 -
C:\Windows\SysWOW64\Domgache.exe (command line: C:\Windows\system32\Domgache.exe; level 76)
- Drops file in System32 directory
PID:436 -
C:\Windows\SysWOW64\Ddjpjj32.exe (command line: C:\Windows\system32\Ddjpjj32.exe; level 77)
PID:1372 -
C:\Windows\SysWOW64\Dopdgb32.exe (command line: C:\Windows\system32\Dopdgb32.exe; level 78)
PID:2656 -
C:\Windows\SysWOW64\Ddlloi32.exe (command line: C:\Windows\system32\Ddlloi32.exe; level 79)
PID:2184 -
C:\Windows\SysWOW64\Dbpmin32.exe (command line: C:\Windows\system32\Dbpmin32.exe; level 80)
PID:1972 -
C:\Windows\SysWOW64\Dcaiqfib.exe (command line: C:\Windows\system32\Dcaiqfib.exe; level 81)
PID:3052 -
C:\Windows\SysWOW64\Emjnikpc.exe (command line: C:\Windows\system32\Emjnikpc.exe; level 82)
PID:2236 -
C:\Windows\SysWOW64\Ejnnbpol.exe (command line: C:\Windows\system32\Ejnnbpol.exe; level 83)
PID:604 -
C:\Windows\SysWOW64\Ecfcle32.exe (command line: C:\Windows\system32\Ecfcle32.exe; level 84)
PID:2032 -
C:\Windows\SysWOW64\Eickdlcd.exe (command line: C:\Windows\system32\Eickdlcd.exe; level 85)
PID:932 -
C:\Windows\SysWOW64\Efglmpbn.exe (command line: C:\Windows\system32\Efglmpbn.exe; level 86)
PID:2508 -
C:\Windows\SysWOW64\Ekcdegqe.exe (command line: C:\Windows\system32\Ekcdegqe.exe; level 87)
PID:892 -
C:\Windows\SysWOW64\Epamlegl.exe (command line: C:\Windows\system32\Epamlegl.exe; level 88)
PID:1592 -
C:\Windows\SysWOW64\Fijadk32.exe (command line: C:\Windows\system32\Fijadk32.exe; level 89)
PID:2920 -
C:\Windows\SysWOW64\Feqbilcq.exe (command line: C:\Windows\system32\Feqbilcq.exe; level 90)
PID:2804 -
C:\Windows\SysWOW64\Flkjffkm.exe (command line: C:\Windows\system32\Flkjffkm.exe; level 91)
PID:2680 -
C:\Windows\SysWOW64\Fagcnmie.exe (command line: C:\Windows\system32\Fagcnmie.exe; level 92)
PID:2120 -
C:\Windows\SysWOW64\Fhakkg32.exe (command line: C:\Windows\system32\Fhakkg32.exe; level 93)
PID:1720 -
C:\Windows\SysWOW64\Fajpdmgb.exe (command line: C:\Windows\system32\Fajpdmgb.exe; level 94)
PID:3008 -
C:\Windows\SysWOW64\Fjbdmbmb.exe (command line: C:\Windows\system32\Fjbdmbmb.exe; level 95)
PID:820 -
C:\Windows\SysWOW64\Fpoleilj.exe (command line: C:\Windows\system32\Fpoleilj.exe; level 96)
PID:1376 -
C:\Windows\SysWOW64\Fjdqbbkp.exe (command line: C:\Windows\system32\Fjdqbbkp.exe; level 97)
PID:2564 -
C:\Windows\SysWOW64\Gdmekg32.exe (command line: C:\Windows\system32\Gdmekg32.exe; level 98)
PID:1084 -
C:\Windows\SysWOW64\Gijncn32.exe (command line: C:\Windows\system32\Gijncn32.exe; level 99)
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Giljinne.exe (command line: C:\Windows\system32\Giljinne.exe; level 100)
PID:2628 -
C:\Windows\SysWOW64\Gbdobc32.exe (command line: C:\Windows\system32\Gbdobc32.exe; level 101)
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Glmckikf.exe (command line: C:\Windows\system32\Glmckikf.exe; level 102)
PID:1620 -
C:\Windows\SysWOW64\Gokpgd32.exe (command line: C:\Windows\system32\Gokpgd32.exe; level 103)
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Gkbplepn.exe (command line: C:\Windows\system32\Gkbplepn.exe; level 104)
PID:2960 -
C:\Windows\SysWOW64\Hegdinpd.exe (command line: C:\Windows\system32\Hegdinpd.exe; level 105)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Hanenoeh.exe (command line: C:\Windows\system32\Hanenoeh.exe; level 106)
PID:1884 -
C:\Windows\SysWOW64\Hobfgcdb.exe (command line: C:\Windows\system32\Hobfgcdb.exe; level 107)
PID:1508 -
C:\Windows\SysWOW64\Hgbdge32.exe (command line: C:\Windows\system32\Hgbdge32.exe; level 108)
PID:2456 -
C:\Windows\SysWOW64\Icidlf32.exe (command line: C:\Windows\system32\Icidlf32.exe; level 109)
PID:588 -
C:\Windows\SysWOW64\Ikfffh32.exe (command line: C:\Windows\system32\Ikfffh32.exe; level 110)
PID:1672 -
C:\Windows\SysWOW64\Icnngeof.exe (command line: C:\Windows\system32\Icnngeof.exe; level 111)
PID:2012 -
C:\Windows\SysWOW64\Idojon32.exe (command line: C:\Windows\system32\Idojon32.exe; level 112)
PID:2272 -
C:\Windows\SysWOW64\Ingogcke.exe (command line: C:\Windows\system32\Ingogcke.exe; level 113)
PID:952 -
C:\Windows\SysWOW64\Injlmcib.exe (command line: C:\Windows\system32\Injlmcib.exe; level 114)
PID:2540 -
C:\Windows\SysWOW64\Jknlfg32.exe (command line: C:\Windows\system32\Jknlfg32.exe; level 115)
- Drops file in System32 directory
PID:1664 -
C:\Windows\SysWOW64\Jbgdcapi.exe (command line: C:\Windows\system32\Jbgdcapi.exe; level 116)
PID:2652 -
C:\Windows\SysWOW64\Jkpilg32.exe (command line: C:\Windows\system32\Jkpilg32.exe; level 117)
PID:2764 -
C:\Windows\SysWOW64\Jdhmel32.exe (command line: C:\Windows\system32\Jdhmel32.exe; level 118)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1400 -
C:\Windows\SysWOW64\Jnqanbcj.exe (command line: C:\Windows\system32\Jnqanbcj.exe; level 119)
PID:3044 -
C:\Windows\SysWOW64\Jcmjfiab.exe (command line: C:\Windows\system32\Jcmjfiab.exe; level 120)
PID:1092 -
C:\Windows\SysWOW64\Jjgbbc32.exe (command line: C:\Windows\system32\Jjgbbc32.exe; level 121)
PID:2492 -
C:\Windows\SysWOW64\Jodkkj32.exe (command line: C:\Windows\system32\Jodkkj32.exe; level 122)
PID:1540