Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
140s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
18/09/2024, 21:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
57e16e1846e03f91a3276cbadd2aa7e538dc1de344a028f0a26550c064fb22b3.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
General
-
Target
57e16e1846e03f91a3276cbadd2aa7e538dc1de344a028f0a26550c064fb22b3.exe
-
Size
163KB
-
MD5
e215ae7dd79f3428a0e8240f6a748958
-
SHA1
9f6e6314c4611266c301f6873de2b1f47327eed8
-
SHA256
57e16e1846e03f91a3276cbadd2aa7e538dc1de344a028f0a26550c064fb22b3
-
SHA512
b91400644cb69954955bec00f01ade900445822529ea12a406c620fcf2c2aeb2ed0d3aaf9cb98745a9635738c31c3ae8903e151e217571b4cb07b91e36eeb36f
-
SSDEEP
1536:P9uxgN1P5JPW4+54imjKC3270WxORolProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:QwP/imKgBWxO+ltOrWKDBr+yJb
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Extracted
Family
gozi
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iamdkfnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlnklcej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpgobc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlnpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pafdjmkq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klpdaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnmlcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objaha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdncmgbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qcachc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Illbhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jialfgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnkffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdghaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdiefffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlgkki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdbdqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnknoogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fkbgckgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbfook32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cenljmgq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfhkhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkkbmnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdpjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhfefgkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdhkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Padhdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgmpibam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giipab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gneijien.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfliim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqipkhbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgchgb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aojabdlf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eobchk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfmndn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhjjgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pohhna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojmpooah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oekjjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opqoge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjpaop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cenljmgq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgfkmgnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmpcgace.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nameek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Allefimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgpjhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdiefffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgcmbcih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlfgcl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flhmfbim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jeafjiop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jondnnbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kglehp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofhjopbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iliebpfc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajcdjca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqpflg32.exe -
Executes dropped EXE 64 IoCs
pid Process 2504 Dbncjf32.exe 264 Daacecfc.exe 1632 Dhkkbmnp.exe 2808 Dlfgcl32.exe 2864 Doecog32.exe 3024 Dacpkc32.exe 1676 Deollamj.exe 2496 Dfphcj32.exe 664 Dhpemm32.exe 2916 Diaaeepi.exe 2020 Dahifbpk.exe 1940 Ddfebnoo.exe 1332 Dicnkdnf.exe 3004 Edibhmml.exe 2636 Eejopecj.exe 2968 Eldglp32.exe 1088 Eobchk32.exe 868 Egikjh32.exe 1776 Eihgfd32.exe 1580 Ehkhaqpk.exe 1548 Epbpbnan.exe 884 Eacljf32.exe 1760 Eijdkcgn.exe 2564 Ehmdgp32.exe 1744 Eogmcjef.exe 2880 Ecbhdi32.exe 2620 Eddeladm.exe 1912 Edfbaabj.exe 2728 Fgdnnl32.exe 2352 Fkpjnkig.exe 2672 Fpmbfbgo.exe 1140 Fdiogq32.exe 2604 Fhdjgoha.exe 856 Fkbgckgd.exe 3060 Fjhcegll.exe 1860 Fncpef32.exe 1616 Fdmhbplb.exe 1768 Fjjpjgjj.exe 1044 Flhmfbim.exe 2512 Fcbecl32.exe 2956 Ffaaoh32.exe 2784 Fhomkcoa.exe 2800 Fqfemqod.exe 2116 Goiehm32.exe 2712 Gceailog.exe 2316 Gbhbdi32.exe 2420 Gjojef32.exe 1644 Gmmfaa32.exe 3008 Gkpfmnlb.exe 1928 Golbnm32.exe 1528 Gbjojh32.exe 1788 Gdhkfd32.exe 3064 Gmpcgace.exe 2200 Gkbcbn32.exe 2364 Gblkoham.exe 2084 Gdkgkcpq.exe 1968 Gifclb32.exe 680 Ggicgopd.exe 1936 Goplilpf.exe 1852 Gbohehoj.exe 760 Gdmdacnn.exe 2156 Giipab32.exe 1696 Ggkqmoma.exe 2184 Gkglnm32.exe -
Loads dropped DLL 64 IoCs
pid Process 2348 57e16e1846e03f91a3276cbadd2aa7e538dc1de344a028f0a26550c064fb22b3.exe 2348 57e16e1846e03f91a3276cbadd2aa7e538dc1de344a028f0a26550c064fb22b3.exe 2504 Dbncjf32.exe 2504 Dbncjf32.exe 264 Daacecfc.exe 264 Daacecfc.exe 1632 Dhkkbmnp.exe 1632 Dhkkbmnp.exe 2808 Dlfgcl32.exe 2808 Dlfgcl32.exe 2864 Doecog32.exe 2864 Doecog32.exe 3024 Dacpkc32.exe 3024 Dacpkc32.exe 1676 Deollamj.exe 1676 Deollamj.exe 2496 Dfphcj32.exe 2496 Dfphcj32.exe 664 Dhpemm32.exe 664 Dhpemm32.exe 2916 Diaaeepi.exe 2916 Diaaeepi.exe 2020 Dahifbpk.exe 2020 Dahifbpk.exe 1940 Ddfebnoo.exe 1940 Ddfebnoo.exe 1332 Dicnkdnf.exe 1332 Dicnkdnf.exe 3004 Edibhmml.exe 3004 Edibhmml.exe 2636 Eejopecj.exe 2636 Eejopecj.exe 2968 Eldglp32.exe 2968 Eldglp32.exe 1088 Eobchk32.exe 1088 Eobchk32.exe 868 Egikjh32.exe 868 Egikjh32.exe 1776 Eihgfd32.exe 1776 Eihgfd32.exe 1580 Ehkhaqpk.exe 1580 Ehkhaqpk.exe 1548 Epbpbnan.exe 1548 Epbpbnan.exe 884 Eacljf32.exe 884 Eacljf32.exe 1760 Eijdkcgn.exe 1760 Eijdkcgn.exe 2564 Ehmdgp32.exe 2564 Ehmdgp32.exe 1744 Eogmcjef.exe 1744 Eogmcjef.exe 2880 Ecbhdi32.exe 2880 Ecbhdi32.exe 2620 Eddeladm.exe 2620 Eddeladm.exe 1912 Edfbaabj.exe 1912 Edfbaabj.exe 2728 Fgdnnl32.exe 2728 Fgdnnl32.exe 2352 Fkpjnkig.exe 2352 Fkpjnkig.exe 2672 Fpmbfbgo.exe 2672 Fpmbfbgo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cenljmgq.exe Cbppnbhm.exe File opened for modification C:\Windows\SysWOW64\Gblkoham.exe Gkbcbn32.exe File created C:\Windows\SysWOW64\Jkchmo32.exe Jlphbbbg.exe File created C:\Windows\SysWOW64\Jehlkhig.exe Jampjian.exe File created C:\Windows\SysWOW64\Kaompi32.exe Kncaojfb.exe File opened for modification C:\Windows\SysWOW64\Ncnngfna.exe Neknki32.exe File created C:\Windows\SysWOW64\Dcqlnqml.dll Kjokokha.exe File created C:\Windows\SysWOW64\Hcnfppba.dll Ohncbdbd.exe File created C:\Windows\SysWOW64\Qlgkki32.exe Qndkpmkm.exe File opened for modification C:\Windows\SysWOW64\Bgoime32.exe Bccmmf32.exe File created C:\Windows\SysWOW64\Dfphcj32.exe Deollamj.exe File opened for modification C:\Windows\SysWOW64\Ihniaa32.exe Ieomef32.exe File opened for modification C:\Windows\SysWOW64\Apgagg32.exe Allefimb.exe File opened for modification C:\Windows\SysWOW64\Afffenbp.exe Aakjdo32.exe File opened for modification C:\Windows\SysWOW64\Bnknoogp.exe Bjpaop32.exe File created C:\Windows\SysWOW64\Cpqhdl32.dll Hgpjhn32.exe File opened for modification C:\Windows\SysWOW64\Jpgjgboe.exe Jlkngc32.exe File created C:\Windows\SysWOW64\Mlbakl32.dll Pkmlmbcd.exe File opened for modification C:\Windows\SysWOW64\Ckjamgmk.exe Cgoelh32.exe File opened for modification C:\Windows\SysWOW64\Cgfkmgnj.exe Ccjoli32.exe File created C:\Windows\SysWOW64\Pkaehb32.exe Pgfjhcge.exe File opened for modification C:\Windows\SysWOW64\Qndkpmkm.exe Qkfocaki.exe File created C:\Windows\SysWOW64\Dhkkbmnp.exe Daacecfc.exe File created C:\Windows\SysWOW64\Hfhcoj32.exe Hcigco32.exe File created C:\Windows\SysWOW64\Hakapcjd.dll Iefcfe32.exe File created C:\Windows\SysWOW64\Nlemad32.dll Mclebc32.exe File opened for modification C:\Windows\SysWOW64\Mfjann32.exe Mggabaea.exe File created C:\Windows\SysWOW64\Abmgjo32.exe Anbkipok.exe File opened for modification C:\Windows\SysWOW64\Iihiphln.exe Ijehdl32.exe File created C:\Windows\SysWOW64\Jlnklcej.exe Jhbold32.exe File opened for modification C:\Windows\SysWOW64\Njhfcp32.exe Nlefhcnc.exe File opened for modification C:\Windows\SysWOW64\Ojomdoof.exe Ofcqcp32.exe File created C:\Windows\SysWOW64\Aldhcb32.dll Qpbglhjq.exe File opened for modification C:\Windows\SysWOW64\Klngkfge.exe Knkgpi32.exe File created C:\Windows\SysWOW64\Mgjnhaco.exe Mcnbhb32.exe File created C:\Windows\SysWOW64\Lmdlck32.dll Bqeqqk32.exe File created C:\Windows\SysWOW64\Abpcooea.exe Andgop32.exe File created C:\Windows\SysWOW64\Hiablm32.dll Boogmgkl.exe File created C:\Windows\SysWOW64\Dhpemm32.exe Dfphcj32.exe File created C:\Windows\SysWOW64\Mjfnomde.exe Mfjann32.exe File created C:\Windows\SysWOW64\Nhjjgd32.exe Ncnngfna.exe File created C:\Windows\SysWOW64\Oibmpl32.exe Ojomdoof.exe File opened for modification C:\Windows\SysWOW64\Qcachc32.exe Qdncmgbj.exe File opened for modification C:\Windows\SysWOW64\Oekjjl32.exe Ofhjopbg.exe File created C:\Windows\SysWOW64\Ecbhdi32.exe Eogmcjef.exe File created C:\Windows\SysWOW64\Hjofdi32.exe Hfcjdkpg.exe File created C:\Windows\SysWOW64\Dejdjfjb.dll Hbaaik32.exe File created C:\Windows\SysWOW64\Kgqocoin.exe Kcecbq32.exe File opened for modification C:\Windows\SysWOW64\Mmgfqh32.exe Mikjpiim.exe File created C:\Windows\SysWOW64\Adnpkjde.exe Aqbdkk32.exe File created C:\Windows\SysWOW64\Dbncjf32.exe 57e16e1846e03f91a3276cbadd2aa7e538dc1de344a028f0a26550c064fb22b3.exe File created C:\Windows\SysWOW64\Hmmbqegc.exe Hjofdi32.exe File opened for modification C:\Windows\SysWOW64\Iamdkfnc.exe Imahkg32.exe File opened for modification C:\Windows\SysWOW64\Kncaojfb.exe Koaqcn32.exe File created C:\Windows\SysWOW64\Nlqmmd32.exe Ngealejo.exe File created C:\Windows\SysWOW64\Eihgfd32.exe Egikjh32.exe File created C:\Windows\SysWOW64\Gnpincmg.dll Ifgpnmom.exe File created C:\Windows\SysWOW64\Aglfmjon.dll Aqbdkk32.exe File created C:\Windows\SysWOW64\Cdpkangm.dll Bfdenafn.exe File created C:\Windows\SysWOW64\Ohbamn32.dll Jbhcim32.exe File created C:\Windows\SysWOW64\Bcjcme32.exe Boogmgkl.exe File created C:\Windows\SysWOW64\Offmipej.exe Objaha32.exe File created C:\Windows\SysWOW64\Bjdkjpkb.exe Bbmcibjp.exe File created C:\Windows\SysWOW64\Cchbgi32.exe Ceebklai.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5796 5572 WerFault.exe 541 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaajei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqijljfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfqccna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlfgcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmpcgace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgpnmom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jliaac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamdkfnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijehdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbekjcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbhbdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqdefddb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhhhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdqlajbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbadjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfcjdkpg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcaimgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bccmmf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neiaeiii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dacpkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmoofdea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jefpeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqpflg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkpadnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldbofgme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkqqnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piicpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkpfmnlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gneijien.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlioj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihbcmaje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkgkcpq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljddjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opihgfop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbflno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkjnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpciaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieajkfmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmfbpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhlgmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nefdpjkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibmpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cchbgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpaop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjhcegll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgjnhaco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiaplin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alihaioe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompefj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgcmbcih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkaehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehkhaqpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmfafgbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadfkhkf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omklkkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knhjjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfphcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdiefffn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndqkleln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhpglecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmpdlac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhmfbim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pifbjn32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbncjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcjdhh32.dll" Fjhcegll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Loqmba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbcoio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kagflkia.dll" Nfdddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjfkcopd.dll" Pkjphcff.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Injndk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebmjlg32.dll" Ihbcmaje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmpbdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ameaio32.dll" Pdjjag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eacljf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olfcfe32.dll" Jkhejkcq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acfmcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll" Alqnah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pacnfacn.dll" Ifjlcmmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmdepg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knmdeioh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciffggmh.dll" Mfjann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odldga32.dll" Napbjjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgloog32.dll" Cbffoabe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npjlhcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnmlcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlkngc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaajei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhpglecl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkndhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdiefffn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfjann32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Offmipej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ofhjopbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bccmmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boogmgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boogmgkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppnnai32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Andgop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egikjh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idicbbpi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mimgeigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljiqocb.dll" Mmicfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oibmpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdgmlhha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckmnbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldbofgme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olpilg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eibkmp32.dll" Pghfnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdoaqh32.dll" Ahpifj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aojabdlf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjofdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iafnjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkjjma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmicfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjbklf32.dll" Nefdpjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndqkleln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfcjdkpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cddoqj32.dll" Mklcadfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leblqb32.dll" Pcljmdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlbjim32.dll" Pnbojmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnfddp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhdjgoha.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hpkompgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nedhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kongke32.dll" Ngealejo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmdlca32.dll" Offmipej.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2348 wrote to memory of 2504 2348 57e16e1846e03f91a3276cbadd2aa7e538dc1de344a028f0a26550c064fb22b3.exe 30 PID 2348 wrote to memory of 2504 2348 57e16e1846e03f91a3276cbadd2aa7e538dc1de344a028f0a26550c064fb22b3.exe 30 PID 2348 wrote to memory of 2504 2348 57e16e1846e03f91a3276cbadd2aa7e538dc1de344a028f0a26550c064fb22b3.exe 30 PID 2348 wrote to memory of 2504 2348 57e16e1846e03f91a3276cbadd2aa7e538dc1de344a028f0a26550c064fb22b3.exe 30 PID 2504 wrote to memory of 264 2504 Dbncjf32.exe 31 PID 2504 wrote to memory of 264 2504 Dbncjf32.exe 31 PID 2504 wrote to memory of 264 2504 Dbncjf32.exe 31 PID 2504 wrote to memory of 264 2504 Dbncjf32.exe 31 PID 264 wrote to memory of 1632 264 Daacecfc.exe 32 PID 264 wrote to memory of 1632 264 Daacecfc.exe 32 PID 264 wrote to memory of 1632 264 Daacecfc.exe 32 PID 264 wrote to memory of 1632 264 Daacecfc.exe 32 PID 1632 wrote to memory of 2808 1632 Dhkkbmnp.exe 33 PID 1632 wrote to memory of 2808 1632 Dhkkbmnp.exe 33 PID 1632 wrote to memory of 2808 1632 Dhkkbmnp.exe 33 PID 1632 wrote to memory of 2808 1632 Dhkkbmnp.exe 33 PID 2808 wrote to memory of 2864 2808 Dlfgcl32.exe 34 PID 2808 wrote to memory of 2864 2808 Dlfgcl32.exe 34 PID 2808 wrote to memory of 2864 2808 Dlfgcl32.exe 34 PID 2808 wrote to memory of 2864 2808 Dlfgcl32.exe 34 PID 2864 wrote to memory of 3024 2864 Doecog32.exe 35 PID 2864 wrote to memory of 3024 2864 Doecog32.exe 35 PID 2864 wrote to memory of 3024 2864 Doecog32.exe 35 PID 2864 wrote to memory of 3024 2864 Doecog32.exe 35 PID 3024 wrote to memory of 1676 3024 Dacpkc32.exe 36 PID 3024 wrote to memory of 1676 3024 Dacpkc32.exe 36 PID 3024 wrote to memory of 1676 3024 Dacpkc32.exe 36 PID 3024 wrote to memory of 1676 3024 Dacpkc32.exe 36 PID 1676 wrote to memory of 2496 1676 Deollamj.exe 37 PID 1676 wrote to memory of 2496 1676 Deollamj.exe 37 PID 1676 wrote to memory of 2496 1676 Deollamj.exe 37 PID 1676 wrote to memory of 2496 1676 Deollamj.exe 37 PID 2496 wrote to memory of 664 2496 Dfphcj32.exe 38 PID 2496 wrote to memory of 664 2496 Dfphcj32.exe 38 PID 2496 wrote to memory of 664 2496 Dfphcj32.exe 38 PID 2496 wrote to memory of 664 2496 Dfphcj32.exe 38 PID 664 wrote to memory of 2916 664 Dhpemm32.exe 39 PID 664 wrote to memory of 2916 664 Dhpemm32.exe 39 PID 664 wrote to memory of 2916 664 Dhpemm32.exe 39 PID 664 wrote to memory of 2916 664 Dhpemm32.exe 39 PID 2916 wrote to memory of 2020 2916 Diaaeepi.exe 40 PID 2916 wrote to memory of 2020 2916 Diaaeepi.exe 40 PID 2916 wrote to memory of 2020 2916 Diaaeepi.exe 40 PID 2916 wrote to memory of 2020 2916 Diaaeepi.exe 40 PID 2020 wrote to memory of 1940 2020 Dahifbpk.exe 41 PID 2020 wrote to memory of 1940 2020 Dahifbpk.exe 41 PID 2020 wrote to memory of 1940 2020 Dahifbpk.exe 41 PID 2020 wrote to memory of 1940 2020 Dahifbpk.exe 41 PID 1940 wrote to memory of 1332 1940 Ddfebnoo.exe 42 PID 1940 wrote to memory of 1332 1940 Ddfebnoo.exe 42 PID 1940 wrote to memory of 1332 1940 Ddfebnoo.exe 42 PID 1940 wrote to memory of 1332 1940 Ddfebnoo.exe 42 PID 1332 wrote to memory of 3004 1332 Dicnkdnf.exe 43 PID 1332 wrote to memory of 3004 1332 Dicnkdnf.exe 43 PID 1332 wrote to memory of 3004 1332 Dicnkdnf.exe 43 PID 1332 wrote to memory of 3004 1332 Dicnkdnf.exe 43 PID 3004 wrote to memory of 2636 3004 Edibhmml.exe 44 PID 3004 wrote to memory of 2636 3004 Edibhmml.exe 44 PID 3004 wrote to memory of 2636 3004 Edibhmml.exe 44 PID 3004 wrote to memory of 2636 3004 Edibhmml.exe 44 PID 2636 wrote to memory of 2968 2636 Eejopecj.exe 45 PID 2636 wrote to memory of 2968 2636 Eejopecj.exe 45 PID 2636 wrote to memory of 2968 2636 Eejopecj.exe 45 PID 2636 wrote to memory of 2968 2636 Eejopecj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\57e16e1846e03f91a3276cbadd2aa7e538dc1de344a028f0a26550c064fb22b3.exe"C:\Users\Admin\AppData\Local\Temp\57e16e1846e03f91a3276cbadd2aa7e538dc1de344a028f0a26550c064fb22b3.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Dbncjf32.exeC:\Windows\system32\Dbncjf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Daacecfc.exeC:\Windows\system32\Daacecfc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:264 -
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Doecog32.exeC:\Windows\system32\Doecog32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Dacpkc32.exeC:\Windows\system32\Dacpkc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Deollamj.exeC:\Windows\system32\Deollamj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Dhpemm32.exeC:\Windows\system32\Dhpemm32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:664 -
C:\Windows\SysWOW64\Diaaeepi.exeC:\Windows\system32\Diaaeepi.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Ddfebnoo.exeC:\Windows\system32\Ddfebnoo.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Dicnkdnf.exeC:\Windows\system32\Dicnkdnf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Edibhmml.exeC:\Windows\system32\Edibhmml.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Eejopecj.exeC:\Windows\system32\Eejopecj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Eldglp32.exeC:\Windows\system32\Eldglp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Eobchk32.exeC:\Windows\system32\Eobchk32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1088 -
C:\Windows\SysWOW64\Egikjh32.exeC:\Windows\system32\Egikjh32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1776 -
C:\Windows\SysWOW64\Ehkhaqpk.exeC:\Windows\system32\Ehkhaqpk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1580 -
C:\Windows\SysWOW64\Epbpbnan.exeC:\Windows\system32\Epbpbnan.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Eacljf32.exeC:\Windows\system32\Eacljf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:884 -
C:\Windows\SysWOW64\Eijdkcgn.exeC:\Windows\system32\Eijdkcgn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Ehmdgp32.exeC:\Windows\system32\Ehmdgp32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2564 -
C:\Windows\SysWOW64\Eogmcjef.exeC:\Windows\system32\Eogmcjef.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2880 -
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912 -
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Fkpjnkig.exeC:\Windows\system32\Fkpjnkig.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Fpmbfbgo.exeC:\Windows\system32\Fpmbfbgo.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Fdiogq32.exeC:\Windows\system32\Fdiogq32.exe33⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Fjhcegll.exeC:\Windows\system32\Fjhcegll.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3060 -
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe37⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Fdmhbplb.exeC:\Windows\system32\Fdmhbplb.exe38⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Fjjpjgjj.exeC:\Windows\system32\Fjjpjgjj.exe39⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1044 -
C:\Windows\SysWOW64\Fcbecl32.exeC:\Windows\system32\Fcbecl32.exe41⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Ffaaoh32.exeC:\Windows\system32\Ffaaoh32.exe42⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe43⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe44⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe45⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Gceailog.exeC:\Windows\system32\Gceailog.exe46⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Gjojef32.exeC:\Windows\system32\Gjojef32.exe48⤵
- Executes dropped EXE
PID:2420 -
C:\Windows\SysWOW64\Gmmfaa32.exeC:\Windows\system32\Gmmfaa32.exe49⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe50⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Golbnm32.exeC:\Windows\system32\Golbnm32.exe51⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Gbjojh32.exeC:\Windows\system32\Gbjojh32.exe52⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Gmpcgace.exeC:\Windows\system32\Gmpcgace.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2200 -
C:\Windows\SysWOW64\Gblkoham.exeC:\Windows\system32\Gblkoham.exe56⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Gdkgkcpq.exeC:\Windows\system32\Gdkgkcpq.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe58⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe59⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Goplilpf.exeC:\Windows\system32\Goplilpf.exe60⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Gbohehoj.exeC:\Windows\system32\Gbohehoj.exe61⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Gdmdacnn.exeC:\Windows\system32\Gdmdacnn.exe62⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Giipab32.exeC:\Windows\system32\Giipab32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Ggkqmoma.exeC:\Windows\system32\Ggkqmoma.exe64⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Gkglnm32.exeC:\Windows\system32\Gkglnm32.exe65⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:896 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe67⤵
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Gqdefddb.exeC:\Windows\system32\Gqdefddb.exe68⤵
- System Location Discovery: System Language Discovery
PID:560 -
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe69⤵PID:2036
-
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe70⤵PID:1288
-
C:\Windows\SysWOW64\Hkiicmdh.exeC:\Windows\system32\Hkiicmdh.exe71⤵PID:1712
-
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe72⤵
- System Location Discovery: System Language Discovery
PID:1304 -
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe73⤵PID:1924
-
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe74⤵PID:1920
-
C:\Windows\SysWOW64\Hebnlb32.exeC:\Windows\system32\Hebnlb32.exe75⤵PID:2948
-
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Hjofdi32.exeC:\Windows\system32\Hjofdi32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Hmmbqegc.exeC:\Windows\system32\Hmmbqegc.exe79⤵PID:1144
-
C:\Windows\SysWOW64\Hpkompgg.exeC:\Windows\system32\Hpkompgg.exe80⤵
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe81⤵PID:3044
-
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe82⤵PID:2264
-
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe83⤵PID:2812
-
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe84⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\Hakkgc32.exeC:\Windows\system32\Hakkgc32.exe85⤵PID:2756
-
C:\Windows\SysWOW64\Hcigco32.exeC:\Windows\system32\Hcigco32.exe86⤵
- Drops file in System32 directory
PID:2548 -
C:\Windows\SysWOW64\Hfhcoj32.exeC:\Windows\system32\Hfhcoj32.exe87⤵PID:2960
-
C:\Windows\SysWOW64\Hjcppidk.exeC:\Windows\system32\Hjcppidk.exe88⤵PID:3068
-
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe89⤵PID:1944
-
C:\Windows\SysWOW64\Hldlga32.exeC:\Windows\system32\Hldlga32.exe90⤵PID:3052
-
C:\Windows\SysWOW64\Hcldhnkk.exeC:\Windows\system32\Hcldhnkk.exe91⤵PID:2296
-
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe92⤵PID:2836
-
C:\Windows\SysWOW64\Hmdhad32.exeC:\Windows\system32\Hmdhad32.exe93⤵PID:2996
-
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe94⤵PID:1484
-
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe95⤵PID:316
-
C:\Windows\SysWOW64\Hbaaik32.exeC:\Windows\system32\Hbaaik32.exe96⤵
- Drops file in System32 directory
PID:1252 -
C:\Windows\SysWOW64\Ieomef32.exeC:\Windows\system32\Ieomef32.exe97⤵
- Drops file in System32 directory
PID:1720 -
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe98⤵PID:1716
-
C:\Windows\SysWOW64\Iliebpfc.exeC:\Windows\system32\Iliebpfc.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1640 -
C:\Windows\SysWOW64\Inhanl32.exeC:\Windows\system32\Inhanl32.exe100⤵PID:2912
-
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe101⤵
- Modifies registry class
PID:2760 -
C:\Windows\SysWOW64\Ieajkfmd.exeC:\Windows\system32\Ieajkfmd.exe102⤵
- System Location Discovery: System Language Discovery
PID:292 -
C:\Windows\SysWOW64\Ihpfgalh.exeC:\Windows\system32\Ihpfgalh.exe103⤵PID:1984
-
C:\Windows\SysWOW64\Illbhp32.exeC:\Windows\system32\Illbhp32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Injndk32.exeC:\Windows\system32\Injndk32.exe105⤵
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Iahkpg32.exeC:\Windows\system32\Iahkpg32.exe106⤵PID:820
-
C:\Windows\SysWOW64\Ihbcmaje.exeC:\Windows\system32\Ihbcmaje.exe107⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3000 -
C:\Windows\SysWOW64\Ilnomp32.exeC:\Windows\system32\Ilnomp32.exe108⤵PID:272
-
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe109⤵PID:1980
-
C:\Windows\SysWOW64\Imokehhl.exeC:\Windows\system32\Imokehhl.exe110⤵PID:1556
-
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe111⤵PID:1648
-
C:\Windows\SysWOW64\Iefcfe32.exeC:\Windows\system32\Iefcfe32.exe112⤵
- Drops file in System32 directory
PID:2640 -
C:\Windows\SysWOW64\Idicbbpi.exeC:\Windows\system32\Idicbbpi.exe113⤵
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Ifgpnmom.exeC:\Windows\system32\Ifgpnmom.exe114⤵PID:2576
-
C:\Windows\SysWOW64\Ifgpnmom.exeC:\Windows\system32\Ifgpnmom.exe115⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1668 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe116⤵PID:1208
-
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe117⤵PID:1280
-
C:\Windows\SysWOW64\Imahkg32.exeC:\Windows\system32\Imahkg32.exe118⤵
- Drops file in System32 directory
PID:352 -
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1192 -
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe120⤵PID:2772
-
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe121⤵PID:2832
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-