Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
142s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/09/2024, 23:44
Behavioral task
behavioral1
Sample
b1653fbf265e1ed38a10357fa45a4c75bbb36986ddf28d14a786d49f0099d9da.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
General
-
Target
b1653fbf265e1ed38a10357fa45a4c75bbb36986ddf28d14a786d49f0099d9da.exe
-
Size
337KB
-
MD5
19cc142890890d0d71c5fd31b335cd1c
-
SHA1
ade81b2af6d2ec35cd78cd087383dd35e59fb5ab
-
SHA256
b1653fbf265e1ed38a10357fa45a4c75bbb36986ddf28d14a786d49f0099d9da
-
SHA512
451963d0c91f65b65062ceb8c9d454fc59a680645d58f423bef2cf06efa58de37909e05219fa0694369f6f08da6a2ef91975a8d867ad0f544f49bacacc3a576d
-
SSDEEP
3072:Gpix28LZRbI2lgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc09:ECRs2l1+fIyG5jZkCwi8r
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmfhjmho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpndkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlgaek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmloigln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jljgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alfdcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajgfnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cogdhpkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aecdpmbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifajif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcdmikma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pikkfilp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oimpnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gqkqbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbccklmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iamjghnm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efbpihoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nncaejie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdgmbhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjnigb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibmhjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqcaoghl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgmfjdbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nffcebdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpbgghhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghihfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chofhm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbhlgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlqfqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mqlbnnej.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dadcppbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcakbjpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aagfffbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmighemp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifloeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kemgqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imaglc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khkmba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfmahkhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnlnmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbhbfmkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgodjico.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddnfql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phmfpddb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgphke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fehmlh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfdbji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onqaonnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kckjmpko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcjmcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpegka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhljpmlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccolja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeiggk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcdmikma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmcpqfba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcekbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmqieh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfldno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjccbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccceeqfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgdbpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afqeaemk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdmhfpkg.exe -
Executes dropped EXE 64 IoCs
pid Process 2820 Kenjgi32.exe 2780 Kgocid32.exe 2924 Lffmpp32.exe 2644 Lbmnea32.exe 2432 Mkohjbah.exe 1844 Mdgmbhgh.exe 2360 Mlgkbi32.exe 1720 Npechhgd.exe 2680 Nhebhipj.exe 2200 Ogmkne32.exe 2176 Ofdeeb32.exe 2136 Ogdaod32.exe 3040 Pfnhkq32.exe 2440 Pajeanhf.exe 1592 Qghgigkn.exe 296 Apclnj32.exe 1740 Ahcjmkbo.exe 1372 Ajdcofop.exe 2316 Bobleeef.exe 1112 Bfmqigba.exe 276 Bkkioeig.exe 1716 Clfhml32.exe 2404 Clhecl32.exe 1736 Chofhm32.exe 1928 Dajgfboj.exe 1676 Dpaqmnap.exe 2740 Dhleaq32.exe 2788 Dhobgp32.exe 2592 Elmkmo32.exe 936 Edjlgq32.exe 1156 Ebnmpemq.exe 2224 Efpbih32.exe 2568 Fphgbn32.exe 2896 Fichqckn.exe 1964 Fiedfb32.exe 2836 Fbpfeh32.exe 2364 Ghmnmo32.exe 1080 Glkgcmbg.exe 2988 Gmoppefc.exe 988 Gieaef32.exe 932 Gbnenk32.exe 1108 Gihnkejd.exe 1860 Hijjpeha.exe 2000 Hfnkji32.exe 2252 Hpfoboml.exe 1864 Hhadgakg.exe 1588 Hdhdlbpk.exe 1884 Hmqieh32.exe 2848 Hehafe32.exe 2944 Iopeoknn.exe 2692 Igkjcm32.exe 2624 Inebpgbf.exe 2144 Idokma32.exe 2184 Ipfkabpg.exe 572 Ijopjhfh.exe 568 Ilmlfcel.exe 2620 Ipkema32.exe 2228 Jhfjadim.exe 1316 Jaonji32.exe 1608 Jdogldmo.exe 1072 Jbcgeilh.exe 848 Jhmpbc32.exe 1820 Jddqgdii.exe 1968 Kmoekf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2140 b1653fbf265e1ed38a10357fa45a4c75bbb36986ddf28d14a786d49f0099d9da.exe 2140 b1653fbf265e1ed38a10357fa45a4c75bbb36986ddf28d14a786d49f0099d9da.exe 2820 Kenjgi32.exe 2820 Kenjgi32.exe 2780 Kgocid32.exe 2780 Kgocid32.exe 2924 Lffmpp32.exe 2924 Lffmpp32.exe 2644 Lbmnea32.exe 2644 Lbmnea32.exe 2432 Mkohjbah.exe 2432 Mkohjbah.exe 1844 Mdgmbhgh.exe 1844 Mdgmbhgh.exe 2360 Mlgkbi32.exe 2360 Mlgkbi32.exe 1720 Npechhgd.exe 1720 Npechhgd.exe 2680 Nhebhipj.exe 2680 Nhebhipj.exe 2200 Ogmkne32.exe 2200 Ogmkne32.exe 2176 Ofdeeb32.exe 2176 Ofdeeb32.exe 2136 Ogdaod32.exe 2136 Ogdaod32.exe 3040 Pfnhkq32.exe 3040 Pfnhkq32.exe 2440 Pajeanhf.exe 2440 Pajeanhf.exe 1592 Qghgigkn.exe 1592 Qghgigkn.exe 296 Apclnj32.exe 296 Apclnj32.exe 1740 Ahcjmkbo.exe 1740 Ahcjmkbo.exe 1372 Ajdcofop.exe 1372 Ajdcofop.exe 2316 Bobleeef.exe 2316 Bobleeef.exe 1112 Bfmqigba.exe 1112 Bfmqigba.exe 276 Bkkioeig.exe 276 Bkkioeig.exe 1716 Clfhml32.exe 1716 Clfhml32.exe 2404 Clhecl32.exe 2404 Clhecl32.exe 1736 Chofhm32.exe 1736 Chofhm32.exe 2856 Dckcnj32.exe 2856 Dckcnj32.exe 1676 Dpaqmnap.exe 1676 Dpaqmnap.exe 2740 Dhleaq32.exe 2740 Dhleaq32.exe 2788 Dhobgp32.exe 2788 Dhobgp32.exe 2592 Elmkmo32.exe 2592 Elmkmo32.exe 936 Edjlgq32.exe 936 Edjlgq32.exe 1156 Ebnmpemq.exe 1156 Ebnmpemq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Bopplhfm.dll Pnllnk32.exe File opened for modification C:\Windows\SysWOW64\Ihlbih32.exe Iigehk32.exe File opened for modification C:\Windows\SysWOW64\Ompgqonl.exe Ohcohh32.exe File created C:\Windows\SysWOW64\Olnnai32.dll Jddqgdii.exe File created C:\Windows\SysWOW64\Ejccaofe.dll Iokahhac.exe File opened for modification C:\Windows\SysWOW64\Fmjkbfnh.exe Fpfkhbon.exe File created C:\Windows\SysWOW64\Dcjmcd32.exe Dibhjokm.exe File created C:\Windows\SysWOW64\Fnafdc32.exe Fqnfkoen.exe File created C:\Windows\SysWOW64\Gbfhcf32.exe Gjkcod32.exe File created C:\Windows\SysWOW64\Dlpaod32.dll Oacdmpan.exe File created C:\Windows\SysWOW64\Caqfiloi.exe Cfgehn32.exe File created C:\Windows\SysWOW64\Gfldno32.exe Ffjghppi.exe File created C:\Windows\SysWOW64\Mjneoljh.dll Pjjmonac.exe File opened for modification C:\Windows\SysWOW64\Fikgda32.exe Fnafdc32.exe File created C:\Windows\SysWOW64\Mklago32.dll Bepjjn32.exe File created C:\Windows\SysWOW64\Ffeejokj.dll Kbppdfmk.exe File opened for modification C:\Windows\SysWOW64\Eekdmk32.exe Eeiggk32.exe File opened for modification C:\Windows\SysWOW64\Ojlife32.exe Oacdmpan.exe File opened for modification C:\Windows\SysWOW64\Gjolpkhj.exe Gkiooocb.exe File created C:\Windows\SysWOW64\Pomihp32.dll Cqqbgoba.exe File created C:\Windows\SysWOW64\Ofdeeb32.exe Ogmkne32.exe File created C:\Windows\SysWOW64\Hgcmgfgc.dll Fiedfb32.exe File created C:\Windows\SysWOW64\Flpkll32.exe Fefboabg.exe File opened for modification C:\Windows\SysWOW64\Fehmlh32.exe Fcjqpm32.exe File created C:\Windows\SysWOW64\Qnpjec32.dll Maejpj32.exe File opened for modification C:\Windows\SysWOW64\Onocon32.exe Okqgcb32.exe File opened for modification C:\Windows\SysWOW64\Bmbkid32.exe Aonjpp32.exe File created C:\Windows\SysWOW64\Eemjqoee.dll Echlmh32.exe File created C:\Windows\SysWOW64\Cohlnkeg.exe Ccakij32.exe File opened for modification C:\Windows\SysWOW64\Qqldpfmh.exe Pnllnk32.exe File created C:\Windows\SysWOW64\Gpqlke32.dll Cfekkgla.exe File opened for modification C:\Windows\SysWOW64\Kenjgi32.exe b1653fbf265e1ed38a10357fa45a4c75bbb36986ddf28d14a786d49f0099d9da.exe File created C:\Windows\SysWOW64\Hplmnbjm.dll Nacmpj32.exe File created C:\Windows\SysWOW64\Ibhkmf32.dll Ddcadd32.exe File opened for modification C:\Windows\SysWOW64\Lbnbfb32.exe Lfgaaa32.exe File created C:\Windows\SysWOW64\Khfnln32.dll Cfknjfbl.exe File opened for modification C:\Windows\SysWOW64\Qoqhncgp.exe Qbmhdp32.exe File created C:\Windows\SysWOW64\Qkgjae32.dll Hffjng32.exe File opened for modification C:\Windows\SysWOW64\Lkoidcaj.exe Leaallcb.exe File opened for modification C:\Windows\SysWOW64\Onlooh32.exe Omjbihpn.exe File created C:\Windows\SysWOW64\Nnpofe32.exe Nicfnn32.exe File created C:\Windows\SysWOW64\Kfcahmfc.dll Eipjmk32.exe File created C:\Windows\SysWOW64\Iioloaac.dll Hdqhambg.exe File created C:\Windows\SysWOW64\Kfimea32.dll Cfoellgb.exe File opened for modification C:\Windows\SysWOW64\Bjgdfg32.exe Bblpae32.exe File created C:\Windows\SysWOW64\Kkomepon.exe Jmkmlk32.exe File opened for modification C:\Windows\SysWOW64\Nhebhipj.exe Npechhgd.exe File created C:\Windows\SysWOW64\Elmkmo32.exe Dhobgp32.exe File created C:\Windows\SysWOW64\Ddpbfl32.exe Dkhnmfle.exe File opened for modification C:\Windows\SysWOW64\Kghoan32.exe Knpkhhhg.exe File created C:\Windows\SysWOW64\Kfjibdbf.exe Kgelahmn.exe File created C:\Windows\SysWOW64\Fimamm32.dll Alhaho32.exe File created C:\Windows\SysWOW64\Eebendko.dll Eiocbd32.exe File created C:\Windows\SysWOW64\Jhlgnd32.exe Jlegic32.exe File created C:\Windows\SysWOW64\Qnogkqfo.dll Hehafe32.exe File opened for modification C:\Windows\SysWOW64\Coldmfkf.exe Cipleo32.exe File created C:\Windows\SysWOW64\Lbchijge.dll Pafpjljk.exe File created C:\Windows\SysWOW64\Bqhmkq32.dll Nkhhie32.exe File opened for modification C:\Windows\SysWOW64\Ikmjnnah.exe Iniidj32.exe File created C:\Windows\SysWOW64\Hqkmahpp.exe Hfalaj32.exe File opened for modification C:\Windows\SysWOW64\Ombhgljn.exe Npngng32.exe File created C:\Windows\SysWOW64\Jaahgd32.exe Jmcpqfba.exe File created C:\Windows\SysWOW64\Ojgado32.exe Onqaonnc.exe File created C:\Windows\SysWOW64\Mfqkgc32.dll Kjakhcne.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1612 3816 WerFault.exe 720 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffjng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljjjmeie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cegbce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmfkbeoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkoidcaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npngng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpmhgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajgfboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdknfiea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdqhambg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ninjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niqgof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqendf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdlbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamjghnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apjpglfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fichqckn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nogjbbma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqknqleg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bakdjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doamhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieppjclf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfpmifoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqcaoghl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epgoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khkdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcojbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndgbgefh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enagnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnpeijla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfoellgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehgmiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpedmhfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmgodc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgmfjdbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqlbnnej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdkhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jncenh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioaobjin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfldno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kphpdhdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnpofe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iekbmfdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngafdepl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnegldo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elaego32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffjghppi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafpjljk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqbekpal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdjfmolo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qqldpfmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedene32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhfjadim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgpff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgaoic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oikcicfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnnobl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqkqbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcnfjpib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qajiek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajdcofop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iigehk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnodjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccjehkek.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cjfgalcq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfieec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Inebpgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Majdkifd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jgjojj32.dll" Okgnna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdehgnqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhobldaf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhleaq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkgjae32.dll" Hffjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikmfihln.dll" Kkfjpemb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhdlbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oacqge32.dll" Bdehgnqc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmlmpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffeejokj.dll" Kbppdfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgfcc32.dll" Jlgaek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmbkid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bebiifka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnkekfkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbkchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gloibpen.dll" Lddjmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apclnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pqbifhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmoppefc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emncci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pbkgegad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckopch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccjehkek.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pfnhkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalmek32.dll" Bobleeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnglef32.dll" Jbcgeilh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kngaig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edohki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqifpf32.dll" Gfldno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhfoleio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Abldll32.dll" Aafnpkii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgdkbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iaehne32.dll" Hmqieh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpmjjhmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qgbbec32.dll" Phoeomjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkgqpjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Keodflee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onlooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajghbjhl.dll" Iigehk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkdfdn32.dll" Emilqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Glbcpokl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhfkhon.dll" Elmkmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbfpkj32.dll" Fichqckn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nddeae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfimoh32.dll" Ckhbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epfbbghh.dll" Eekdmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgmbbkij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hehconob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kghkppbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opcboqhc.dll" Moloidjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kphipide.dll" Dibhjokm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpdqlkhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faonqiod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfknjfbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Effidg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghcbga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oiahpkdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pddlggin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmqieh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkpcbecl.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2140 wrote to memory of 2820 2140 b1653fbf265e1ed38a10357fa45a4c75bbb36986ddf28d14a786d49f0099d9da.exe 30 PID 2140 wrote to memory of 2820 2140 b1653fbf265e1ed38a10357fa45a4c75bbb36986ddf28d14a786d49f0099d9da.exe 30 PID 2140 wrote to memory of 2820 2140 b1653fbf265e1ed38a10357fa45a4c75bbb36986ddf28d14a786d49f0099d9da.exe 30 PID 2140 wrote to memory of 2820 2140 b1653fbf265e1ed38a10357fa45a4c75bbb36986ddf28d14a786d49f0099d9da.exe 30 PID 2820 wrote to memory of 2780 2820 Kenjgi32.exe 31 PID 2820 wrote to memory of 2780 2820 Kenjgi32.exe 31 PID 2820 wrote to memory of 2780 2820 Kenjgi32.exe 31 PID 2820 wrote to memory of 2780 2820 Kenjgi32.exe 31 PID 2780 wrote to memory of 2924 2780 Kgocid32.exe 32 PID 2780 wrote to memory of 2924 2780 Kgocid32.exe 32 PID 2780 wrote to memory of 2924 2780 Kgocid32.exe 32 PID 2780 wrote to memory of 2924 2780 Kgocid32.exe 32 PID 2924 wrote to memory of 2644 2924 Lffmpp32.exe 33 PID 2924 wrote to memory of 2644 2924 Lffmpp32.exe 33 PID 2924 wrote to memory of 2644 2924 Lffmpp32.exe 33 PID 2924 wrote to memory of 2644 2924 Lffmpp32.exe 33 PID 2644 wrote to memory of 2432 2644 Lbmnea32.exe 34 PID 2644 wrote to memory of 2432 2644 Lbmnea32.exe 34 PID 2644 wrote to memory of 2432 2644 Lbmnea32.exe 34 PID 2644 wrote to memory of 2432 2644 Lbmnea32.exe 34 PID 2432 wrote to memory of 1844 2432 Mkohjbah.exe 35 PID 2432 wrote to memory of 1844 2432 Mkohjbah.exe 35 PID 2432 wrote to memory of 1844 2432 Mkohjbah.exe 35 PID 2432 wrote to memory of 1844 2432 Mkohjbah.exe 35 PID 1844 wrote to memory of 2360 1844 Mdgmbhgh.exe 36 PID 1844 wrote to memory of 2360 1844 Mdgmbhgh.exe 36 PID 1844 wrote to memory of 2360 1844 Mdgmbhgh.exe 36 PID 1844 wrote to memory of 2360 1844 Mdgmbhgh.exe 36 PID 2360 wrote to memory of 1720 2360 Mlgkbi32.exe 37 PID 2360 wrote to memory of 1720 2360 Mlgkbi32.exe 37 PID 2360 wrote to memory of 1720 2360 Mlgkbi32.exe 37 PID 2360 wrote to memory of 1720 2360 Mlgkbi32.exe 37 PID 1720 wrote to memory of 2680 1720 Npechhgd.exe 38 PID 1720 wrote to memory of 2680 1720 Npechhgd.exe 38 PID 1720 wrote to memory of 2680 1720 Npechhgd.exe 38 PID 1720 wrote to memory of 2680 1720 Npechhgd.exe 38 PID 2680 wrote to memory of 2200 2680 Nhebhipj.exe 39 PID 2680 wrote to memory of 2200 2680 Nhebhipj.exe 39 PID 2680 wrote to memory of 2200 2680 Nhebhipj.exe 39 PID 2680 wrote to memory of 2200 2680 Nhebhipj.exe 39 PID 2200 wrote to memory of 2176 2200 Ogmkne32.exe 40 PID 2200 wrote to memory of 2176 2200 Ogmkne32.exe 40 PID 2200 wrote to memory of 2176 2200 Ogmkne32.exe 40 PID 2200 wrote to memory of 2176 2200 Ogmkne32.exe 40 PID 2176 wrote to memory of 2136 2176 Ofdeeb32.exe 41 PID 2176 wrote to memory of 2136 2176 Ofdeeb32.exe 41 PID 2176 wrote to memory of 2136 2176 Ofdeeb32.exe 41 PID 2176 wrote to memory of 2136 2176 Ofdeeb32.exe 41 PID 2136 wrote to memory of 3040 2136 Ogdaod32.exe 42 PID 2136 wrote to memory of 3040 2136 Ogdaod32.exe 42 PID 2136 wrote to memory of 3040 2136 Ogdaod32.exe 42 PID 2136 wrote to memory of 3040 2136 Ogdaod32.exe 42 PID 3040 wrote to memory of 2440 3040 Pfnhkq32.exe 43 PID 3040 wrote to memory of 2440 3040 Pfnhkq32.exe 43 PID 3040 wrote to memory of 2440 3040 Pfnhkq32.exe 43 PID 3040 wrote to memory of 2440 3040 Pfnhkq32.exe 43 PID 2440 wrote to memory of 1592 2440 Pajeanhf.exe 44 PID 2440 wrote to memory of 1592 2440 Pajeanhf.exe 44 PID 2440 wrote to memory of 1592 2440 Pajeanhf.exe 44 PID 2440 wrote to memory of 1592 2440 Pajeanhf.exe 44 PID 1592 wrote to memory of 296 1592 Qghgigkn.exe 45 PID 1592 wrote to memory of 296 1592 Qghgigkn.exe 45 PID 1592 wrote to memory of 296 1592 Qghgigkn.exe 45 PID 1592 wrote to memory of 296 1592 Qghgigkn.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\b1653fbf265e1ed38a10357fa45a4c75bbb36986ddf28d14a786d49f0099d9da.exe"C:\Users\Admin\AppData\Local\Temp\b1653fbf265e1ed38a10357fa45a4c75bbb36986ddf28d14a786d49f0099d9da.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Kenjgi32.exeC:\Windows\system32\Kenjgi32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Kgocid32.exeC:\Windows\system32\Kgocid32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Lffmpp32.exeC:\Windows\system32\Lffmpp32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Lbmnea32.exeC:\Windows\system32\Lbmnea32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Mkohjbah.exeC:\Windows\system32\Mkohjbah.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Mdgmbhgh.exeC:\Windows\system32\Mdgmbhgh.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Mlgkbi32.exeC:\Windows\system32\Mlgkbi32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Npechhgd.exeC:\Windows\system32\Npechhgd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Nhebhipj.exeC:\Windows\system32\Nhebhipj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Ogmkne32.exeC:\Windows\system32\Ogmkne32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2200 -
C:\Windows\SysWOW64\Ofdeeb32.exeC:\Windows\system32\Ofdeeb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Ogdaod32.exeC:\Windows\system32\Ogdaod32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Pfnhkq32.exeC:\Windows\system32\Pfnhkq32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Pajeanhf.exeC:\Windows\system32\Pajeanhf.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2440 -
C:\Windows\SysWOW64\Qghgigkn.exeC:\Windows\system32\Qghgigkn.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Apclnj32.exeC:\Windows\system32\Apclnj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:296 -
C:\Windows\SysWOW64\Ahcjmkbo.exeC:\Windows\system32\Ahcjmkbo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1740 -
C:\Windows\SysWOW64\Ajdcofop.exeC:\Windows\system32\Ajdcofop.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1372 -
C:\Windows\SysWOW64\Bobleeef.exeC:\Windows\system32\Bobleeef.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Bfmqigba.exeC:\Windows\system32\Bfmqigba.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1112 -
C:\Windows\SysWOW64\Bkkioeig.exeC:\Windows\system32\Bkkioeig.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Windows\SysWOW64\Clfhml32.exeC:\Windows\system32\Clfhml32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1716 -
C:\Windows\SysWOW64\Clhecl32.exeC:\Windows\system32\Clhecl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Chofhm32.exeC:\Windows\system32\Chofhm32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Dajgfboj.exeC:\Windows\system32\Dajgfboj.exe26⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\Dckcnj32.exeC:\Windows\system32\Dckcnj32.exe27⤵
- Loads dropped DLL
PID:2856 -
C:\Windows\SysWOW64\Dpaqmnap.exeC:\Windows\system32\Dpaqmnap.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Dhleaq32.exeC:\Windows\system32\Dhleaq32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Dhobgp32.exeC:\Windows\system32\Dhobgp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2788 -
C:\Windows\SysWOW64\Elmkmo32.exeC:\Windows\system32\Elmkmo32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Edjlgq32.exeC:\Windows\system32\Edjlgq32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:936 -
C:\Windows\SysWOW64\Ebnmpemq.exeC:\Windows\system32\Ebnmpemq.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1156 -
C:\Windows\SysWOW64\Efpbih32.exeC:\Windows\system32\Efpbih32.exe34⤵
- Executes dropped EXE
PID:2224 -
C:\Windows\SysWOW64\Fphgbn32.exeC:\Windows\system32\Fphgbn32.exe35⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Fichqckn.exeC:\Windows\system32\Fichqckn.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2896 -
C:\Windows\SysWOW64\Fiedfb32.exeC:\Windows\system32\Fiedfb32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1964 -
C:\Windows\SysWOW64\Fbpfeh32.exeC:\Windows\system32\Fbpfeh32.exe38⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Ghmnmo32.exeC:\Windows\system32\Ghmnmo32.exe39⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Glkgcmbg.exeC:\Windows\system32\Glkgcmbg.exe40⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Gmoppefc.exeC:\Windows\system32\Gmoppefc.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2988 -
C:\Windows\SysWOW64\Gieaef32.exeC:\Windows\system32\Gieaef32.exe42⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Gbnenk32.exeC:\Windows\system32\Gbnenk32.exe43⤵
- Executes dropped EXE
PID:932 -
C:\Windows\SysWOW64\Gihnkejd.exeC:\Windows\system32\Gihnkejd.exe44⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Hijjpeha.exeC:\Windows\system32\Hijjpeha.exe45⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Hfnkji32.exeC:\Windows\system32\Hfnkji32.exe46⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Hpfoboml.exeC:\Windows\system32\Hpfoboml.exe47⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Hhadgakg.exeC:\Windows\system32\Hhadgakg.exe48⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Hdhdlbpk.exeC:\Windows\system32\Hdhdlbpk.exe49⤵
- Executes dropped EXE
PID:1588 -
C:\Windows\SysWOW64\Hmqieh32.exeC:\Windows\system32\Hmqieh32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1884 -
C:\Windows\SysWOW64\Hehafe32.exeC:\Windows\system32\Hehafe32.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Iopeoknn.exeC:\Windows\system32\Iopeoknn.exe52⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Igkjcm32.exeC:\Windows\system32\Igkjcm32.exe53⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Inebpgbf.exeC:\Windows\system32\Inebpgbf.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Idokma32.exeC:\Windows\system32\Idokma32.exe55⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Ipfkabpg.exeC:\Windows\system32\Ipfkabpg.exe56⤵
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Ijopjhfh.exeC:\Windows\system32\Ijopjhfh.exe57⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Ilmlfcel.exeC:\Windows\system32\Ilmlfcel.exe58⤵
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Ipkema32.exeC:\Windows\system32\Ipkema32.exe59⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Jhfjadim.exeC:\Windows\system32\Jhfjadim.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2228 -
C:\Windows\SysWOW64\Jaonji32.exeC:\Windows\system32\Jaonji32.exe61⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Jdogldmo.exeC:\Windows\system32\Jdogldmo.exe62⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Jbcgeilh.exeC:\Windows\system32\Jbcgeilh.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1072 -
C:\Windows\SysWOW64\Jhmpbc32.exeC:\Windows\system32\Jhmpbc32.exe64⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Jddqgdii.exeC:\Windows\system32\Jddqgdii.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1820 -
C:\Windows\SysWOW64\Kmoekf32.exeC:\Windows\system32\Kmoekf32.exe66⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Kjcedj32.exeC:\Windows\system32\Kjcedj32.exe67⤵PID:1752
-
C:\Windows\SysWOW64\Kckjmpko.exeC:\Windows\system32\Kckjmpko.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2488 -
C:\Windows\SysWOW64\Kihbfg32.exeC:\Windows\system32\Kihbfg32.exe69⤵PID:880
-
C:\Windows\SysWOW64\Kbqgolpf.exeC:\Windows\system32\Kbqgolpf.exe70⤵PID:1488
-
C:\Windows\SysWOW64\Lajmkhai.exeC:\Windows\system32\Lajmkhai.exe71⤵PID:2948
-
C:\Windows\SysWOW64\Lgiobadq.exeC:\Windows\system32\Lgiobadq.exe72⤵PID:2732
-
C:\Windows\SysWOW64\Monjcp32.exeC:\Windows\system32\Monjcp32.exe73⤵PID:2600
-
C:\Windows\SysWOW64\Mhfoleio.exeC:\Windows\system32\Mhfoleio.exe74⤵
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Mejoei32.exeC:\Windows\system32\Mejoei32.exe75⤵PID:2148
-
C:\Windows\SysWOW64\Memlki32.exeC:\Windows\system32\Memlki32.exe76⤵PID:1092
-
C:\Windows\SysWOW64\Nkjdcp32.exeC:\Windows\system32\Nkjdcp32.exe77⤵PID:2076
-
C:\Windows\SysWOW64\Nacmpj32.exeC:\Windows\system32\Nacmpj32.exe78⤵
- Drops file in System32 directory
PID:1708 -
C:\Windows\SysWOW64\Nklaipbj.exeC:\Windows\system32\Nklaipbj.exe79⤵PID:1988
-
C:\Windows\SysWOW64\Nddeae32.exeC:\Windows\system32\Nddeae32.exe80⤵
- Modifies registry class
PID:1828 -
C:\Windows\SysWOW64\Ndgbgefh.exeC:\Windows\system32\Ndgbgefh.exe81⤵
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Nmogpj32.exeC:\Windows\system32\Nmogpj32.exe82⤵PID:1880
-
C:\Windows\SysWOW64\Nmacej32.exeC:\Windows\system32\Nmacej32.exe83⤵PID:1996
-
C:\Windows\SysWOW64\Ogjhnp32.exeC:\Windows\system32\Ogjhnp32.exe84⤵PID:1244
-
C:\Windows\SysWOW64\Olgpff32.exeC:\Windows\system32\Olgpff32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2408 -
C:\Windows\SysWOW64\Oikapk32.exeC:\Windows\system32\Oikapk32.exe86⤵PID:2416
-
C:\Windows\SysWOW64\Oogiha32.exeC:\Windows\system32\Oogiha32.exe87⤵PID:2708
-
C:\Windows\SysWOW64\Ohpnag32.exeC:\Windows\system32\Ohpnag32.exe88⤵PID:2860
-
C:\Windows\SysWOW64\Okqgcb32.exeC:\Windows\system32\Okqgcb32.exe89⤵
- Drops file in System32 directory
PID:2752 -
C:\Windows\SysWOW64\Onocon32.exeC:\Windows\system32\Onocon32.exe90⤵PID:1712
-
C:\Windows\SysWOW64\Ojfcdo32.exeC:\Windows\system32\Ojfcdo32.exe91⤵PID:2100
-
C:\Windows\SysWOW64\Pqplqile.exeC:\Windows\system32\Pqplqile.exe92⤵PID:2908
-
C:\Windows\SysWOW64\Pncljmko.exeC:\Windows\system32\Pncljmko.exe93⤵PID:524
-
C:\Windows\SysWOW64\Pqbifhjb.exeC:\Windows\system32\Pqbifhjb.exe94⤵
- Modifies registry class
PID:1824 -
C:\Windows\SysWOW64\Pjjmonac.exeC:\Windows\system32\Pjjmonac.exe95⤵
- Drops file in System32 directory
PID:2456 -
C:\Windows\SysWOW64\Pgnnhbpm.exeC:\Windows\system32\Pgnnhbpm.exe96⤵PID:780
-
C:\Windows\SysWOW64\Pcenmcea.exeC:\Windows\system32\Pcenmcea.exe97⤵PID:1808
-
C:\Windows\SysWOW64\Pkpcbecl.exeC:\Windows\system32\Pkpcbecl.exe98⤵
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Qkbpgeai.exeC:\Windows\system32\Qkbpgeai.exe99⤵PID:1260
-
C:\Windows\SysWOW64\Qbmhdp32.exeC:\Windows\system32\Qbmhdp32.exe100⤵
- Drops file in System32 directory
PID:1020 -
C:\Windows\SysWOW64\Qoqhncgp.exeC:\Windows\system32\Qoqhncgp.exe101⤵PID:2816
-
C:\Windows\SysWOW64\Qqbeel32.exeC:\Windows\system32\Qqbeel32.exe102⤵PID:1992
-
C:\Windows\SysWOW64\Aadakl32.exeC:\Windows\system32\Aadakl32.exe103⤵PID:2744
-
C:\Windows\SysWOW64\Aepnkjcd.exeC:\Windows\system32\Aepnkjcd.exe104⤵PID:1536
-
C:\Windows\SysWOW64\Aafnpkii.exeC:\Windows\system32\Aafnpkii.exe105⤵
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Acggbffj.exeC:\Windows\system32\Acggbffj.exe106⤵PID:2196
-
C:\Windows\SysWOW64\Aakhkj32.exeC:\Windows\system32\Aakhkj32.exe107⤵PID:2340
-
C:\Windows\SysWOW64\Abldccka.exeC:\Windows\system32\Abldccka.exe108⤵PID:2380
-
C:\Windows\SysWOW64\Bboahbio.exeC:\Windows\system32\Bboahbio.exe109⤵PID:2996
-
C:\Windows\SysWOW64\Biiiempl.exeC:\Windows\system32\Biiiempl.exe110⤵PID:1340
-
C:\Windows\SysWOW64\Bepjjn32.exeC:\Windows\system32\Bepjjn32.exe111⤵
- Drops file in System32 directory
PID:2508 -
C:\Windows\SysWOW64\Bnhncclq.exeC:\Windows\system32\Bnhncclq.exe112⤵PID:964
-
C:\Windows\SysWOW64\Bjoohdbd.exeC:\Windows\system32\Bjoohdbd.exe113⤵PID:2292
-
C:\Windows\SysWOW64\Bedcembk.exeC:\Windows\system32\Bedcembk.exe114⤵PID:2824
-
C:\Windows\SysWOW64\Bakdjn32.exeC:\Windows\system32\Bakdjn32.exe115⤵
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Cooddbfh.exeC:\Windows\system32\Cooddbfh.exe116⤵PID:2608
-
C:\Windows\SysWOW64\Ckfeic32.exeC:\Windows\system32\Ckfeic32.exe117⤵PID:2088
-
C:\Windows\SysWOW64\Ckhbnb32.exeC:\Windows\system32\Ckhbnb32.exe118⤵
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Cbcfbege.exeC:\Windows\system32\Cbcfbege.exe119⤵PID:2528
-
C:\Windows\SysWOW64\Cllkkk32.exeC:\Windows\system32\Cllkkk32.exe120⤵PID:2536
-
C:\Windows\SysWOW64\Cgaoic32.exeC:\Windows\system32\Cgaoic32.exe121⤵
- System Location Discovery: System Language Discovery
PID:1300
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-