Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/09/2024, 05:29
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe
-
Size
1.9MB
-
MD5
fd9ae66b863dadc3f724cc2a1793a1f0
-
SHA1
c452513a2093e1b5962c39d5ada88c5ab7b8cacf
-
SHA256
62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5e
-
SHA512
e0b0719c7d85e711ae83aad6c81c6df567f491cd44d0dd583a5e6e613a3f43b8f75764a8a1325e80d58f54bad3129c49e664bc0a25908763172439dd30c48ad1
-
SSDEEP
24576:/NaaBNIVyeNIVy2jUKaNIVyeNIVy2jUtc9uO2NIVyeNIVy2jUKaNIVyeNIVy2jUO:2yj1yj3uOpyj1yjH
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpflkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlgjldnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emaijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmohco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjhgbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpohakbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbnmienj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnefhpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhgifgnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcojam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhcafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhkeohhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciokijfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daaenlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkmmlgik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpjbgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoblnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajehnk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmhkin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iocgfhhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbaice32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeqopcld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfbcidmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhkeohhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bddbjhlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmome32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koflgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmlkfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glklejoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feddombd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eibgpnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iegeonpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmmfnb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cocphf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbeedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmaeho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgcnahoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcfemmna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qejpoi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggapbcne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klecfkff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmfpmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koipglep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccgklc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhdmph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hklhae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnnlocgk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmbndmkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iclbpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bchfhfeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmlddeio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbpghl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aknngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feachqgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koflgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dokfme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blkjkflb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebnabb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feddombd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Honnki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hclfag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ibacbcgg.exe -
Executes dropped EXE 64 IoCs
pid Process 1440 Piicpk32.exe 2836 Pkjphcff.exe 2748 Qgjccb32.exe 2824 Qlgkki32.exe 2704 Bkhhhd32.exe 2596 Bjkhdacm.exe 2288 Bkjdndjo.exe 1376 Bniajoic.exe 776 Bqgmfkhg.exe 2780 Bgaebe32.exe 1632 Bqijljfd.exe 1780 Bchfhfeh.exe 2708 Bmpkqklh.exe 964 Boogmgkl.exe 444 Bigkel32.exe 1236 Coacbfii.exe 2000 Cfkloq32.exe 952 Cocphf32.exe 1304 Cfmhdpnc.exe 2060 Cileqlmg.exe 1500 Cpfmmf32.exe 2428 Cbdiia32.exe 2468 Cagienkb.exe 1756 Cinafkkd.exe 280 Cjonncab.exe 2144 Caifjn32.exe 2508 Cgcnghpl.exe 2168 Cnmfdb32.exe 2908 Calcpm32.exe 2668 Cgfkmgnj.exe 872 Dnpciaef.exe 896 Danpemej.exe 2336 Dhhhbg32.exe 2092 Diidjpbe.exe 1788 Dpcmgi32.exe 1276 Dbaice32.exe 1728 Dilapopb.exe 572 Dpeiligo.exe 3032 Dfpaic32.exe 900 Dmijfmfi.exe 2256 Dokfme32.exe 2660 Dfbnoc32.exe 1980 Dhckfkbh.exe 2996 Dpjbgh32.exe 2784 Dbiocd32.exe 2368 Eibgpnjk.exe 3104 Elacliin.exe 3164 Ebklic32.exe 3228 Eeiheo32.exe 3288 Elcpbigl.exe 3356 Eoblnd32.exe 3412 Eeldkonl.exe 3476 Ehjqgjmp.exe 3536 Ekhmcelc.exe 3596 Eabepp32.exe 3652 Edaalk32.exe 3704 Ekkjheja.exe 3760 Eaebeoan.exe 3808 Ecfnmh32.exe 3864 Eipgjaoi.exe 3916 Fpjofl32.exe 3968 Fgdgcfmb.exe 4024 Fmnopp32.exe 4076 Fckhhgcf.exe -
Loads dropped DLL 64 IoCs
pid Process 2016 62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe 2016 62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe 1440 Piicpk32.exe 1440 Piicpk32.exe 2836 Pkjphcff.exe 2836 Pkjphcff.exe 2748 Qgjccb32.exe 2748 Qgjccb32.exe 2824 Qlgkki32.exe 2824 Qlgkki32.exe 2704 Bkhhhd32.exe 2704 Bkhhhd32.exe 2596 Bjkhdacm.exe 2596 Bjkhdacm.exe 2288 Bkjdndjo.exe 2288 Bkjdndjo.exe 1376 Bniajoic.exe 1376 Bniajoic.exe 776 Bqgmfkhg.exe 776 Bqgmfkhg.exe 2780 Bgaebe32.exe 2780 Bgaebe32.exe 1632 Bqijljfd.exe 1632 Bqijljfd.exe 1780 Bchfhfeh.exe 1780 Bchfhfeh.exe 2708 Bmpkqklh.exe 2708 Bmpkqklh.exe 964 Boogmgkl.exe 964 Boogmgkl.exe 444 Bigkel32.exe 444 Bigkel32.exe 1236 Coacbfii.exe 1236 Coacbfii.exe 2000 Cfkloq32.exe 2000 Cfkloq32.exe 952 Cocphf32.exe 952 Cocphf32.exe 1304 Cfmhdpnc.exe 1304 Cfmhdpnc.exe 2060 Cileqlmg.exe 2060 Cileqlmg.exe 1500 Cpfmmf32.exe 1500 Cpfmmf32.exe 2428 Cbdiia32.exe 2428 Cbdiia32.exe 2468 Cagienkb.exe 2468 Cagienkb.exe 1756 Cinafkkd.exe 1756 Cinafkkd.exe 280 Cjonncab.exe 280 Cjonncab.exe 2144 Caifjn32.exe 2144 Caifjn32.exe 2508 Cgcnghpl.exe 2508 Cgcnghpl.exe 2168 Cnmfdb32.exe 2168 Cnmfdb32.exe 2908 Calcpm32.exe 2908 Calcpm32.exe 2668 Cgfkmgnj.exe 2668 Cgfkmgnj.exe 872 Dnpciaef.exe 872 Dnpciaef.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kpgionie.exe Kadica32.exe File opened for modification C:\Windows\SysWOW64\Eabepp32.exe Ekhmcelc.exe File created C:\Windows\SysWOW64\Oikbkegk.dll Hnnhngjf.exe File created C:\Windows\SysWOW64\Epaqjmil.dll Ohipla32.exe File created C:\Windows\SysWOW64\Jefndikl.dll Cgidfcdk.exe File opened for modification C:\Windows\SysWOW64\Bjkhdacm.exe Bkhhhd32.exe File opened for modification C:\Windows\SysWOW64\Cqaiph32.exe Cjhabndo.exe File opened for modification C:\Windows\SysWOW64\Qejpoi32.exe Popgboae.exe File created C:\Windows\SysWOW64\Jqgaapqd.dll Alageg32.exe File created C:\Windows\SysWOW64\Lpfhdddb.dll Ibacbcgg.exe File created C:\Windows\SysWOW64\Jpgmpk32.exe Jllqplnp.exe File created C:\Windows\SysWOW64\Ibcihh32.dll Bmpkqklh.exe File opened for modification C:\Windows\SysWOW64\Fpohakbp.exe Fiepea32.exe File created C:\Windows\SysWOW64\Gqcnln32.exe Gjifodii.exe File created C:\Windows\SysWOW64\Klhgfq32.exe Kenoifpb.exe File opened for modification C:\Windows\SysWOW64\Kidjdpie.exe Kambcbhb.exe File created C:\Windows\SysWOW64\Kfodfh32.exe Khldkllj.exe File opened for modification C:\Windows\SysWOW64\Gglbfg32.exe Gdnfjl32.exe File created C:\Windows\SysWOW64\Jbclgf32.exe Jpepkk32.exe File created C:\Windows\SysWOW64\Kobgmfjh.dll Iamfdo32.exe File created C:\Windows\SysWOW64\Aiomcb32.dll Kambcbhb.exe File opened for modification C:\Windows\SysWOW64\Ncfalqpm.exe Nbeedh32.exe File created C:\Windows\SysWOW64\Ofnpnkgf.exe Ncpdbohb.exe File opened for modification C:\Windows\SysWOW64\Ohdfqbio.exe Oajndh32.exe File created C:\Windows\SysWOW64\Nlqmdnof.dll Blkjkflb.exe File created C:\Windows\SysWOW64\Jnofgg32.exe Jplfkjbd.exe File opened for modification C:\Windows\SysWOW64\Fiepea32.exe Fckhhgcf.exe File created C:\Windows\SysWOW64\Hcojam32.exe Hbnmienj.exe File created C:\Windows\SysWOW64\Dkdmfe32.exe Difqji32.exe File created C:\Windows\SysWOW64\Mommgm32.dll Dgnjqe32.exe File opened for modification C:\Windows\SysWOW64\Khgkpl32.exe Kidjdpie.exe File created C:\Windows\SysWOW64\Gonnhc32.dll Mbqkiind.exe File created C:\Windows\SysWOW64\Nldhfnkd.dll Pmhejhao.exe File created C:\Windows\SysWOW64\Anjnnk32.exe Agpeaa32.exe File opened for modification C:\Windows\SysWOW64\Emaijk32.exe Ejcmmp32.exe File opened for modification C:\Windows\SysWOW64\Bigkel32.exe Boogmgkl.exe File opened for modification C:\Windows\SysWOW64\Nqmnjd32.exe Njbfnjeg.exe File created C:\Windows\SysWOW64\Goqnae32.exe Glbaei32.exe File created C:\Windows\SysWOW64\Acnlgajg.exe Aobpfb32.exe File created C:\Windows\SysWOW64\Eppefg32.exe Emaijk32.exe File created C:\Windows\SysWOW64\Ekhnnojb.dll Jfjolf32.exe File created C:\Windows\SysWOW64\Jmlddeio.exe Jhoklnkg.exe File created C:\Windows\SysWOW64\Kfibhjlj.exe Kpojkp32.exe File created C:\Windows\SysWOW64\Mjqmig32.exe Mcfemmna.exe File created C:\Windows\SysWOW64\Ncpdbohb.exe Nlilqbgp.exe File created C:\Windows\SysWOW64\Hiclkp32.exe Hnnhngjf.exe File created C:\Windows\SysWOW64\Adiijqhm.dll Phklaacg.exe File opened for modification C:\Windows\SysWOW64\Elkofg32.exe Eimcjl32.exe File opened for modification C:\Windows\SysWOW64\Jfohgepi.exe Jbclgf32.exe File created C:\Windows\SysWOW64\Nihcog32.exe Nggggoda.exe File created C:\Windows\SysWOW64\Peefcjlg.exe Pbgjgomc.exe File created C:\Windows\SysWOW64\Aknngo32.exe Addfkeid.exe File created C:\Windows\SysWOW64\Dbiocd32.exe Dpjbgh32.exe File created C:\Windows\SysWOW64\Fhjmfnok.exe Fapeic32.exe File created C:\Windows\SysWOW64\Kjaaeimj.dll Khohkamc.exe File opened for modification C:\Windows\SysWOW64\Lkdjglfo.exe Ldjbkb32.exe File created C:\Windows\SysWOW64\Jnokbe32.dll Dmkcil32.exe File created C:\Windows\SysWOW64\Nakpkfka.dll Hkmollme.exe File created C:\Windows\SysWOW64\Llmmpcfe.exe Ljnqdhga.exe File opened for modification C:\Windows\SysWOW64\Nbpghl32.exe Npbklabl.exe File opened for modification C:\Windows\SysWOW64\Dnefhpma.exe Dlgjldnm.exe File created C:\Windows\SysWOW64\Dgcgbb32.dll Jpgmpk32.exe File created C:\Windows\SysWOW64\Calcpm32.exe Cnmfdb32.exe File created C:\Windows\SysWOW64\Ppinkcnp.exe Pioeoi32.exe -
Program crash 1 IoCs
pid pid_target Process 8404 8380 WerFault.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alddjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbgobp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jplfkjbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbemboof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknngo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfohgepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khohkamc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njbfnjeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkjdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebqngb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hclfag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdndjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kechdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojglhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioeclg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkmmlgik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhhhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekkjheja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjgiidkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbnhihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qldhkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjqmig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhkipdeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkqlgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbaice32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebklic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjhki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnkdmec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jijokbfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olkifaen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpbmqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpgph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijphofem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkicbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inojhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfaeme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objjnkie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijbco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdphjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgcnahoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbpghl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlgjldnm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feachqgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goqnae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlgkki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmehdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaejojjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gamnhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaojnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofnpnkgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phklaacg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglfgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honnki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khldkllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmaeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikldqile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamfdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kocpbfei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefqdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibacbcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkihbho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iclbpj32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njbfnjeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpjifjdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehjqgjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cocajj32.dll" Eogolc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibhicbao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkjdndjo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Coacbfii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Omakjj32.dll" Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbmmpj32.dll" Dokfme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjdldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Belhfdmi.dll" Hiclkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iphgln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbemboof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikdngobg.dll" Fkefbcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jfjolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knpbpo32.dll" Lhcafa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpbmqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqdodila.dll" Ebqngb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpbcek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kadica32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Koipglep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhfjjdjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohbikbkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Akpkmo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deakjjbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iampng32.dll" Eemnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqijljfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfbcidmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kenoifpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhmcaf32.dll" Lgkkmm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjqmig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmidng32.dll" Ponklpcg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eimcjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfhfhbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cinafkkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mloiec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkbdabog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqapifjb.dll" Fijbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olpecfkn.dll" Pkjphcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pplqiiqb.dll" Fpjofl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbbccgmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fckkff32.dll" Kechdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlkggmp.dll" Lnqjnhge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Peefcjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldaomc32.dll" Eppefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmbfkh32.dll" Giaidnkf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fabaocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpopbabj.dll" Hbnmienj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfoeil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hqgddm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpjifjdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jplfkjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipbkjl32.dll" Kgcnahoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mkfclo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oecmogln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqmnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkddco32.dll" Inojhc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onipnblf.dll" Mnglnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pioeoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feachqgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfjbmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekhnnojb.dll" Jfjolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caefjg32.dll" Kekkiq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjifodii.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2016 wrote to memory of 1440 2016 62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe 31 PID 2016 wrote to memory of 1440 2016 62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe 31 PID 2016 wrote to memory of 1440 2016 62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe 31 PID 2016 wrote to memory of 1440 2016 62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe 31 PID 1440 wrote to memory of 2836 1440 Piicpk32.exe 32 PID 1440 wrote to memory of 2836 1440 Piicpk32.exe 32 PID 1440 wrote to memory of 2836 1440 Piicpk32.exe 32 PID 1440 wrote to memory of 2836 1440 Piicpk32.exe 32 PID 2836 wrote to memory of 2748 2836 Pkjphcff.exe 33 PID 2836 wrote to memory of 2748 2836 Pkjphcff.exe 33 PID 2836 wrote to memory of 2748 2836 Pkjphcff.exe 33 PID 2836 wrote to memory of 2748 2836 Pkjphcff.exe 33 PID 2748 wrote to memory of 2824 2748 Qgjccb32.exe 34 PID 2748 wrote to memory of 2824 2748 Qgjccb32.exe 34 PID 2748 wrote to memory of 2824 2748 Qgjccb32.exe 34 PID 2748 wrote to memory of 2824 2748 Qgjccb32.exe 34 PID 2824 wrote to memory of 2704 2824 Qlgkki32.exe 35 PID 2824 wrote to memory of 2704 2824 Qlgkki32.exe 35 PID 2824 wrote to memory of 2704 2824 Qlgkki32.exe 35 PID 2824 wrote to memory of 2704 2824 Qlgkki32.exe 35 PID 2704 wrote to memory of 2596 2704 Bkhhhd32.exe 36 PID 2704 wrote to memory of 2596 2704 Bkhhhd32.exe 36 PID 2704 wrote to memory of 2596 2704 Bkhhhd32.exe 36 PID 2704 wrote to memory of 2596 2704 Bkhhhd32.exe 36 PID 2596 wrote to memory of 2288 2596 Bjkhdacm.exe 37 PID 2596 wrote to memory of 2288 2596 Bjkhdacm.exe 37 PID 2596 wrote to memory of 2288 2596 Bjkhdacm.exe 37 PID 2596 wrote to memory of 2288 2596 Bjkhdacm.exe 37 PID 2288 wrote to memory of 1376 2288 Bkjdndjo.exe 38 PID 2288 wrote to memory of 1376 2288 Bkjdndjo.exe 38 PID 2288 wrote to memory of 1376 2288 Bkjdndjo.exe 38 PID 2288 wrote to memory of 1376 2288 Bkjdndjo.exe 38 PID 1376 wrote to memory of 776 1376 Bniajoic.exe 39 PID 1376 wrote to memory of 776 1376 Bniajoic.exe 39 PID 1376 wrote to memory of 776 1376 Bniajoic.exe 39 PID 1376 wrote to memory of 776 1376 Bniajoic.exe 39 PID 776 wrote to memory of 2780 776 Bqgmfkhg.exe 40 PID 776 wrote to memory of 2780 776 Bqgmfkhg.exe 40 PID 776 wrote to memory of 2780 776 Bqgmfkhg.exe 40 PID 776 wrote to memory of 2780 776 Bqgmfkhg.exe 40 PID 2780 wrote to memory of 1632 2780 Bgaebe32.exe 41 PID 2780 wrote to memory of 1632 2780 Bgaebe32.exe 41 PID 2780 wrote to memory of 1632 2780 Bgaebe32.exe 41 PID 2780 wrote to memory of 1632 2780 Bgaebe32.exe 41 PID 1632 wrote to memory of 1780 1632 Bqijljfd.exe 42 PID 1632 wrote to memory of 1780 1632 Bqijljfd.exe 42 PID 1632 wrote to memory of 1780 1632 Bqijljfd.exe 42 PID 1632 wrote to memory of 1780 1632 Bqijljfd.exe 42 PID 1780 wrote to memory of 2708 1780 Bchfhfeh.exe 43 PID 1780 wrote to memory of 2708 1780 Bchfhfeh.exe 43 PID 1780 wrote to memory of 2708 1780 Bchfhfeh.exe 43 PID 1780 wrote to memory of 2708 1780 Bchfhfeh.exe 43 PID 2708 wrote to memory of 964 2708 Bmpkqklh.exe 44 PID 2708 wrote to memory of 964 2708 Bmpkqklh.exe 44 PID 2708 wrote to memory of 964 2708 Bmpkqklh.exe 44 PID 2708 wrote to memory of 964 2708 Bmpkqklh.exe 44 PID 964 wrote to memory of 444 964 Boogmgkl.exe 45 PID 964 wrote to memory of 444 964 Boogmgkl.exe 45 PID 964 wrote to memory of 444 964 Boogmgkl.exe 45 PID 964 wrote to memory of 444 964 Boogmgkl.exe 45 PID 444 wrote to memory of 1236 444 Bigkel32.exe 46 PID 444 wrote to memory of 1236 444 Bigkel32.exe 46 PID 444 wrote to memory of 1236 444 Bigkel32.exe 46 PID 444 wrote to memory of 1236 444 Bigkel32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe"C:\Users\Admin\AppData\Local\Temp\62c627a5ccc798e0269f1941df76d5b02668df2441ac6e0ff249ed4e5c919f5eN.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Piicpk32.exeC:\Windows\system32\Piicpk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Qgjccb32.exeC:\Windows\system32\Qgjccb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Qlgkki32.exeC:\Windows\system32\Qlgkki32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Bkhhhd32.exeC:\Windows\system32\Bkhhhd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Bjkhdacm.exeC:\Windows\system32\Bjkhdacm.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Bkjdndjo.exeC:\Windows\system32\Bkjdndjo.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Bniajoic.exeC:\Windows\system32\Bniajoic.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Bqgmfkhg.exeC:\Windows\system32\Bqgmfkhg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Bgaebe32.exeC:\Windows\system32\Bgaebe32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Bqijljfd.exeC:\Windows\system32\Bqijljfd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Bchfhfeh.exeC:\Windows\system32\Bchfhfeh.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780 -
C:\Windows\SysWOW64\Bmpkqklh.exeC:\Windows\system32\Bmpkqklh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Boogmgkl.exeC:\Windows\system32\Boogmgkl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:964 -
C:\Windows\SysWOW64\Bigkel32.exeC:\Windows\system32\Bigkel32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:444 -
C:\Windows\SysWOW64\Coacbfii.exeC:\Windows\system32\Coacbfii.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Cfkloq32.exeC:\Windows\system32\Cfkloq32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Cocphf32.exeC:\Windows\system32\Cocphf32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:952 -
C:\Windows\SysWOW64\Cfmhdpnc.exeC:\Windows\system32\Cfmhdpnc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1304 -
C:\Windows\SysWOW64\Cileqlmg.exeC:\Windows\system32\Cileqlmg.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2060 -
C:\Windows\SysWOW64\Cpfmmf32.exeC:\Windows\system32\Cpfmmf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Cbdiia32.exeC:\Windows\system32\Cbdiia32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Cagienkb.exeC:\Windows\system32\Cagienkb.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Cinafkkd.exeC:\Windows\system32\Cinafkkd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Cjonncab.exeC:\Windows\system32\Cjonncab.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:280 -
C:\Windows\SysWOW64\Caifjn32.exeC:\Windows\system32\Caifjn32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2144 -
C:\Windows\SysWOW64\Cgcnghpl.exeC:\Windows\system32\Cgcnghpl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2508 -
C:\Windows\SysWOW64\Cnmfdb32.exeC:\Windows\system32\Cnmfdb32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2168 -
C:\Windows\SysWOW64\Calcpm32.exeC:\Windows\system32\Calcpm32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Cgfkmgnj.exeC:\Windows\system32\Cgfkmgnj.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Dnpciaef.exeC:\Windows\system32\Dnpciaef.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:872 -
C:\Windows\SysWOW64\Danpemej.exeC:\Windows\system32\Danpemej.exe33⤵
- Executes dropped EXE
PID:896 -
C:\Windows\SysWOW64\Dhhhbg32.exeC:\Windows\system32\Dhhhbg32.exe34⤵
- Executes dropped EXE
PID:2336 -
C:\Windows\SysWOW64\Diidjpbe.exeC:\Windows\system32\Diidjpbe.exe35⤵
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Dpcmgi32.exeC:\Windows\system32\Dpcmgi32.exe36⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1276 -
C:\Windows\SysWOW64\Dilapopb.exeC:\Windows\system32\Dilapopb.exe38⤵
- Executes dropped EXE
PID:1728 -
C:\Windows\SysWOW64\Dpeiligo.exeC:\Windows\system32\Dpeiligo.exe39⤵
- Executes dropped EXE
PID:572 -
C:\Windows\SysWOW64\Dfpaic32.exeC:\Windows\system32\Dfpaic32.exe40⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Dmijfmfi.exeC:\Windows\system32\Dmijfmfi.exe41⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Dokfme32.exeC:\Windows\system32\Dokfme32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2256 -
C:\Windows\SysWOW64\Dfbnoc32.exeC:\Windows\system32\Dfbnoc32.exe43⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Dhckfkbh.exeC:\Windows\system32\Dhckfkbh.exe44⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Dpjbgh32.exeC:\Windows\system32\Dpjbgh32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Dbiocd32.exeC:\Windows\system32\Dbiocd32.exe46⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Eibgpnjk.exeC:\Windows\system32\Eibgpnjk.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe48⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Ebklic32.exeC:\Windows\system32\Ebklic32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3164 -
C:\Windows\SysWOW64\Eeiheo32.exeC:\Windows\system32\Eeiheo32.exe50⤵
- Executes dropped EXE
PID:3228 -
C:\Windows\SysWOW64\Elcpbigl.exeC:\Windows\system32\Elcpbigl.exe51⤵
- Executes dropped EXE
PID:3288 -
C:\Windows\SysWOW64\Eoblnd32.exeC:\Windows\system32\Eoblnd32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3356 -
C:\Windows\SysWOW64\Eeldkonl.exeC:\Windows\system32\Eeldkonl.exe53⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Ehjqgjmp.exeC:\Windows\system32\Ehjqgjmp.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:3476 -
C:\Windows\SysWOW64\Ekhmcelc.exeC:\Windows\system32\Ekhmcelc.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3536 -
C:\Windows\SysWOW64\Eabepp32.exeC:\Windows\system32\Eabepp32.exe56⤵
- Executes dropped EXE
PID:3596 -
C:\Windows\SysWOW64\Edaalk32.exeC:\Windows\system32\Edaalk32.exe57⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Ekkjheja.exeC:\Windows\system32\Ekkjheja.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3704 -
C:\Windows\SysWOW64\Eaebeoan.exeC:\Windows\system32\Eaebeoan.exe59⤵
- Executes dropped EXE
PID:3760 -
C:\Windows\SysWOW64\Ecfnmh32.exeC:\Windows\system32\Ecfnmh32.exe60⤵
- Executes dropped EXE
PID:3808 -
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe61⤵
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Fpjofl32.exeC:\Windows\system32\Fpjofl32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:3916 -
C:\Windows\SysWOW64\Fgdgcfmb.exeC:\Windows\system32\Fgdgcfmb.exe63⤵
- Executes dropped EXE
PID:3968 -
C:\Windows\SysWOW64\Fmnopp32.exeC:\Windows\system32\Fmnopp32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\Fckhhgcf.exeC:\Windows\system32\Fckhhgcf.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4076 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe66⤵
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Fpohakbp.exeC:\Windows\system32\Fpohakbp.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3068 -
C:\Windows\SysWOW64\Fapeic32.exeC:\Windows\system32\Fapeic32.exe68⤵
- Drops file in System32 directory
PID:2452 -
C:\Windows\SysWOW64\Fhjmfnok.exeC:\Windows\system32\Fhjmfnok.exe69⤵PID:2344
-
C:\Windows\SysWOW64\Fkhibino.exeC:\Windows\system32\Fkhibino.exe70⤵PID:2680
-
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe71⤵
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Fhljkm32.exeC:\Windows\system32\Fhljkm32.exe72⤵PID:1948
-
C:\Windows\SysWOW64\Fofbhgde.exeC:\Windows\system32\Fofbhgde.exe73⤵PID:2376
-
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe74⤵PID:3136
-
C:\Windows\SysWOW64\Gkmbmh32.exeC:\Windows\system32\Gkmbmh32.exe75⤵PID:3248
-
C:\Windows\SysWOW64\Gagkjbaf.exeC:\Windows\system32\Gagkjbaf.exe76⤵PID:3304
-
C:\Windows\SysWOW64\Ghacfmic.exeC:\Windows\system32\Ghacfmic.exe77⤵PID:3336
-
C:\Windows\SysWOW64\Gnnlocgk.exeC:\Windows\system32\Gnnlocgk.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3456 -
C:\Windows\SysWOW64\Gdhdkn32.exeC:\Windows\system32\Gdhdkn32.exe79⤵PID:3464
-
C:\Windows\SysWOW64\Gjdldd32.exeC:\Windows\system32\Gjdldd32.exe80⤵
- Modifies registry class
PID:3592 -
C:\Windows\SysWOW64\Gdjqamme.exeC:\Windows\system32\Gdjqamme.exe81⤵PID:3688
-
C:\Windows\SysWOW64\Gjgiidkl.exeC:\Windows\system32\Gjgiidkl.exe82⤵
- System Location Discovery: System Language Discovery
PID:3780 -
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe83⤵PID:3848
-
C:\Windows\SysWOW64\Gjifodii.exeC:\Windows\system32\Gjifodii.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:3900 -
C:\Windows\SysWOW64\Gqcnln32.exeC:\Windows\system32\Gqcnln32.exe85⤵PID:3964
-
C:\Windows\SysWOW64\Hbdjcffd.exeC:\Windows\system32\Hbdjcffd.exe86⤵PID:4004
-
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe87⤵PID:4012
-
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe88⤵
- Drops file in System32 directory
PID:4092 -
C:\Windows\SysWOW64\Hfbcidmk.exeC:\Windows\system32\Hfbcidmk.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:992 -
C:\Windows\SysWOW64\Hmlkfo32.exeC:\Windows\system32\Hmlkfo32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3064 -
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe91⤵
- Drops file in System32 directory
PID:2164 -
C:\Windows\SysWOW64\Hiclkp32.exeC:\Windows\system32\Hiclkp32.exe92⤵
- Modifies registry class
PID:1760 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe93⤵PID:2616
-
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe94⤵PID:2968
-
C:\Windows\SysWOW64\Hkdemk32.exeC:\Windows\system32\Hkdemk32.exe95⤵PID:2892
-
C:\Windows\SysWOW64\Hbnmienj.exeC:\Windows\system32\Hbnmienj.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:3196 -
C:\Windows\SysWOW64\Hcojam32.exeC:\Windows\system32\Hcojam32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3116 -
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe98⤵PID:3276
-
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe99⤵PID:3392
-
C:\Windows\SysWOW64\Icafgmbe.exeC:\Windows\system32\Icafgmbe.exe100⤵PID:3444
-
C:\Windows\SysWOW64\Ijkocg32.exeC:\Windows\system32\Ijkocg32.exe101⤵PID:3468
-
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe102⤵
- Modifies registry class
PID:3576 -
C:\Windows\SysWOW64\Ifbphh32.exeC:\Windows\system32\Ifbphh32.exe103⤵PID:3696
-
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe104⤵PID:3792
-
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe105⤵PID:3912
-
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe106⤵
- System Location Discovery: System Language Discovery
PID:3936 -
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe107⤵PID:4044
-
C:\Windows\SysWOW64\Ibkmchbh.exeC:\Windows\system32\Ibkmchbh.exe108⤵PID:2152
-
C:\Windows\SysWOW64\Iieepbje.exeC:\Windows\system32\Iieepbje.exe109⤵PID:1496
-
C:\Windows\SysWOW64\Inbnhihl.exeC:\Windows\system32\Inbnhihl.exe110⤵
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe111⤵PID:880
-
C:\Windows\SysWOW64\Jhjbqo32.exeC:\Windows\system32\Jhjbqo32.exe112⤵PID:2728
-
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe113⤵PID:2676
-
C:\Windows\SysWOW64\Jijokbfp.exeC:\Windows\system32\Jijokbfp.exe114⤵
- System Location Discovery: System Language Discovery
PID:704 -
C:\Windows\SysWOW64\Jlhkgm32.exeC:\Windows\system32\Jlhkgm32.exe115⤵PID:1640
-
C:\Windows\SysWOW64\Jbbccgmp.exeC:\Windows\system32\Jbbccgmp.exe116⤵
- Modifies registry class
PID:3188 -
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1792 -
C:\Windows\SysWOW64\Jhoklnkg.exeC:\Windows\system32\Jhoklnkg.exe118⤵
- Drops file in System32 directory
PID:3264 -
C:\Windows\SysWOW64\Jmlddeio.exeC:\Windows\system32\Jmlddeio.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3352 -
C:\Windows\SysWOW64\Jdflqo32.exeC:\Windows\system32\Jdflqo32.exe120⤵PID:2640
-
C:\Windows\SysWOW64\Jfdhmk32.exeC:\Windows\system32\Jfdhmk32.exe121⤵PID:3552
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-