Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
96s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/09/2024, 07:06
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
24789e6d90fed4b5d3f5e4461a41d76dde958c6a0b28a20952d58a691838566bN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
24789e6d90fed4b5d3f5e4461a41d76dde958c6a0b28a20952d58a691838566bN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
24789e6d90fed4b5d3f5e4461a41d76dde958c6a0b28a20952d58a691838566bN.exe
-
Size
62KB
-
MD5
5f17241311e6041ff96cb7b883a1fe00
-
SHA1
85508da5cd7358f6450ea5abe373c809a7352436
-
SHA256
24789e6d90fed4b5d3f5e4461a41d76dde958c6a0b28a20952d58a691838566b
-
SHA512
af502609ad75f3808f75db23bd4bb537588c67db575b04eb1559880fb26055c31f9a9dcafe4ebe6747a166bac40999553dddb95b46c33c60f486bd635b73d247
-
SSDEEP
1536:s8+Bi0FBmSXtpaPgsRl3xoA3IxIDAOoSN5Tecy+ve8Cy:v0qctplY1xeLSN4cfve8
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkcqfifp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfalaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhoeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgbjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aplkah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epipql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjhchg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjlqpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnfhfmhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iickckcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eclcon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anhbdpje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpbabf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klbdiokf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feccqime.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlanhh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpmgao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eqcjaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcamln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdjioh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haemloni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mldeik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmjaadjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbfklolh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaipmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djqcki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpfnckhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bimbql32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iebmpcjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Piemih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eleliepj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjilde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nalldh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhlnahk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jogjgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lojclibo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnminke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efhcej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdnjaibm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfeqli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eabeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcjjkkji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkobgm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjhgdqef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pflbpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnkblm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aogmdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejfllhao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kffqqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaaoqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcblgbfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkahbmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eagbnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipcjje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jiinmnaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnlbgq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffjljmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Podbgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggdfff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjfgalcq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhifmcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndnplk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgnpjkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccgnelll.exe -
Executes dropped EXE 64 IoCs
pid Process 2744 Hhmhcigh.exe 2828 Haemloni.exe 2536 Hhoeii32.exe 2720 Hajfgnjc.exe 2932 Honfqb32.exe 436 Hgiked32.exe 2080 Hbnpbm32.exe 3056 Imhqbkbm.exe 568 Ifpelq32.exe 1720 Iqfiii32.exe 1160 Iqhfnifq.exe 328 Iickckcl.exe 2976 Iblola32.exe 780 Jbnlaqhi.exe 1808 Jacibm32.exe 1864 Jgmaog32.exe 1792 Jjnjqb32.exe 2456 Jgbjjf32.exe 1164 Jnlbgq32.exe 2436 Kgdgpfnf.exe 1568 Kckhdg32.exe 2988 Kcmdjgbh.exe 1612 Kmficl32.exe 2668 Kbbakc32.exe 2676 Klkfdi32.exe 2524 Kecjmodq.exe 2184 Kjpceebh.exe 2376 Ldhgnk32.exe 1744 Lhfpdi32.exe 1032 Lmcilp32.exe 872 Lglmefcg.exe 2108 Lpdankjg.exe 1688 Lgnjke32.exe 2240 Lpfnckhe.exe 528 Lgpfpe32.exe 2980 Miocmq32.exe 3040 Mpikik32.exe 1420 Miapbpmb.exe 1928 Mpkhoj32.exe 2600 Maldfbjn.exe 1816 Mlahdkjc.exe 2692 Mopdpg32.exe 1732 Maoalb32.exe 1788 Mldeik32.exe 2052 Mneaacno.exe 1704 Meljbqna.exe 2544 Mhkfnlme.exe 2812 Mkibjgli.exe 2528 Macjgadf.exe 2632 Nhmbdl32.exe 2884 Njnokdaq.exe 2472 Naegmabc.exe 2584 Ngbpehpj.exe 2480 Nlohmonb.exe 1484 Ncipjieo.exe 848 Nnodgbed.exe 776 Nopaoj32.exe 1368 Njeelc32.exe 900 Nqpmimbe.exe 2300 Nbqjqehd.exe 1352 Nhkbmo32.exe 1748 Obcffefa.exe 1444 Okbapi32.exe 2956 Pcnfdl32.exe -
Loads dropped DLL 64 IoCs
pid Process 3064 24789e6d90fed4b5d3f5e4461a41d76dde958c6a0b28a20952d58a691838566bN.exe 3064 24789e6d90fed4b5d3f5e4461a41d76dde958c6a0b28a20952d58a691838566bN.exe 2744 Hhmhcigh.exe 2744 Hhmhcigh.exe 2828 Haemloni.exe 2828 Haemloni.exe 2536 Hhoeii32.exe 2536 Hhoeii32.exe 2720 Hajfgnjc.exe 2720 Hajfgnjc.exe 2932 Honfqb32.exe 2932 Honfqb32.exe 436 Hgiked32.exe 436 Hgiked32.exe 2080 Hbnpbm32.exe 2080 Hbnpbm32.exe 3056 Imhqbkbm.exe 3056 Imhqbkbm.exe 568 Ifpelq32.exe 568 Ifpelq32.exe 1720 Iqfiii32.exe 1720 Iqfiii32.exe 1160 Iqhfnifq.exe 1160 Iqhfnifq.exe 328 Iickckcl.exe 328 Iickckcl.exe 2976 Iblola32.exe 2976 Iblola32.exe 780 Jbnlaqhi.exe 780 Jbnlaqhi.exe 1808 Jacibm32.exe 1808 Jacibm32.exe 1864 Jgmaog32.exe 1864 Jgmaog32.exe 1792 Jjnjqb32.exe 1792 Jjnjqb32.exe 2456 Jgbjjf32.exe 2456 Jgbjjf32.exe 1164 Jnlbgq32.exe 1164 Jnlbgq32.exe 2436 Kgdgpfnf.exe 2436 Kgdgpfnf.exe 1568 Kckhdg32.exe 1568 Kckhdg32.exe 2988 Kcmdjgbh.exe 2988 Kcmdjgbh.exe 1612 Kmficl32.exe 1612 Kmficl32.exe 2668 Kbbakc32.exe 2668 Kbbakc32.exe 2676 Klkfdi32.exe 2676 Klkfdi32.exe 2524 Kecjmodq.exe 2524 Kecjmodq.exe 2184 Kjpceebh.exe 2184 Kjpceebh.exe 2376 Ldhgnk32.exe 2376 Ldhgnk32.exe 1744 Lhfpdi32.exe 1744 Lhfpdi32.exe 1032 Lmcilp32.exe 1032 Lmcilp32.exe 872 Lglmefcg.exe 872 Lglmefcg.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hnmcli32.exe Gaplfinb.exe File created C:\Windows\SysWOW64\Lijepc32.exe Lmcdkbao.exe File created C:\Windows\SysWOW64\Edhbjjhn.exe Elmmegkb.exe File created C:\Windows\SysWOW64\Eedohjpf.dll Hbengc32.exe File created C:\Windows\SysWOW64\Gielchpp.exe Gomhkb32.exe File opened for modification C:\Windows\SysWOW64\Cgqmpkfg.exe Clkicbfa.exe File opened for modification C:\Windows\SysWOW64\Bepjjn32.exe Bbannb32.exe File opened for modification C:\Windows\SysWOW64\Fjhgidjk.exe Fqpbpo32.exe File created C:\Windows\SysWOW64\Gindjqnc.exe Gbdlnf32.exe File created C:\Windows\SysWOW64\Cjqglf32.exe Bmmgbbeq.exe File opened for modification C:\Windows\SysWOW64\Ajapoqmf.exe Aplkah32.exe File created C:\Windows\SysWOW64\Hefginae.exe Hlnbqijd.exe File created C:\Windows\SysWOW64\Keedbkkd.dll Mekanbol.exe File opened for modification C:\Windows\SysWOW64\Qiekadkl.exe Qdhcinme.exe File opened for modification C:\Windows\SysWOW64\Olehbh32.exe Ojdlkp32.exe File created C:\Windows\SysWOW64\Iomgfhen.dll Fmbgageq.exe File created C:\Windows\SysWOW64\Bbannb32.exe Bpbabf32.exe File created C:\Windows\SysWOW64\Flccjn32.dll Ipameehe.exe File created C:\Windows\SysWOW64\Gfdhck32.exe Gecklbih.exe File created C:\Windows\SysWOW64\Nhkpockm.dll Opbopn32.exe File created C:\Windows\SysWOW64\Hoakai32.dll Kaieai32.exe File created C:\Windows\SysWOW64\Eebendko.dll Ekppjmia.exe File created C:\Windows\SysWOW64\Mgmbff32.dll Iaaaiobc.exe File opened for modification C:\Windows\SysWOW64\Ikbndqnc.exe Iamjghnm.exe File opened for modification C:\Windows\SysWOW64\Dflmpebj.exe Ddjphm32.exe File opened for modification C:\Windows\SysWOW64\Mcendc32.exe Mfamko32.exe File created C:\Windows\SysWOW64\Miocmq32.exe Lgpfpe32.exe File created C:\Windows\SysWOW64\Iiipeb32.exe Ileoknhh.exe File opened for modification C:\Windows\SysWOW64\Egkgad32.exe Eaooin32.exe File opened for modification C:\Windows\SysWOW64\Bncpffdn.exe Bblpae32.exe File created C:\Windows\SysWOW64\Iknkfi32.dll Njjieace.exe File created C:\Windows\SysWOW64\Maldfbjn.exe Mpkhoj32.exe File created C:\Windows\SysWOW64\Ejohdbok.exe Dpgckm32.exe File created C:\Windows\SysWOW64\Akpkok32.exe Aknnil32.exe File created C:\Windows\SysWOW64\Loocanbe.exe Liekddkh.exe File opened for modification C:\Windows\SysWOW64\Hjhlnahk.exe Gjephakn.exe File created C:\Windows\SysWOW64\Kgmmoieh.dll Elgioe32.exe File created C:\Windows\SysWOW64\Ieaqnecd.dll Iecohl32.exe File created C:\Windows\SysWOW64\Ejdphkml.dll Meljbqna.exe File created C:\Windows\SysWOW64\Imcfjg32.exe Hkbmil32.exe File created C:\Windows\SysWOW64\Nojnea32.dll Pqdelh32.exe File opened for modification C:\Windows\SysWOW64\Imchcplm.exe Hamgno32.exe File created C:\Windows\SysWOW64\Dahobdpe.exe Cafbmdbh.exe File opened for modification C:\Windows\SysWOW64\Dmffhd32.exe Dpbenpqh.exe File opened for modification C:\Windows\SysWOW64\Hgeenb32.exe Hojqjp32.exe File created C:\Windows\SysWOW64\Ojoligof.dll Plndcmmj.exe File opened for modification C:\Windows\SysWOW64\Okijhmcm.exe Oobiclmh.exe File opened for modification C:\Windows\SysWOW64\Lbhphdab.exe Lojclibo.exe File created C:\Windows\SysWOW64\Lqmliqfj.exe Lbhphdab.exe File created C:\Windows\SysWOW64\Bdibjakn.dll Ppegdapd.exe File created C:\Windows\SysWOW64\Ekjeio32.dll Bblpae32.exe File created C:\Windows\SysWOW64\Bnemlf32.exe Bcpiombe.exe File created C:\Windows\SysWOW64\Qaofgc32.exe Qpniokan.exe File created C:\Windows\SysWOW64\Nelgfoke.dll Jmibmhoj.exe File created C:\Windows\SysWOW64\Eocfmh32.exe Efkbdbai.exe File opened for modification C:\Windows\SysWOW64\Aaogbh32.exe Qamjmh32.exe File opened for modification C:\Windows\SysWOW64\Gielchpp.exe Gomhkb32.exe File created C:\Windows\SysWOW64\Cnflae32.exe Ckhpejbf.exe File created C:\Windows\SysWOW64\Pjblfjdp.dll Fheoiqgi.exe File created C:\Windows\SysWOW64\Flefhg32.dll Enngdgim.exe File created C:\Windows\SysWOW64\Ibadnhmb.exe Iiipeb32.exe File created C:\Windows\SysWOW64\Odnmig32.dll Jjilde32.exe File created C:\Windows\SysWOW64\Nqakim32.exe Nijcgp32.exe File created C:\Windows\SysWOW64\Qfikod32.exe Pchbmigj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4448 4128 WerFault.exe 787 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boobki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efoifiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pigklmqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfikod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iefeaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Honfqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lglmefcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqinhcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgjpcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeokba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dilddl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcnilhap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldkeoo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhdfdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdjioh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njeelc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ablbjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icoepohq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfniee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deiipp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbdlnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbkgig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcgik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Himionmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjfli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiekadkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohengmcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekddck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgiobadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maldfbjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlboca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdplfflp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajapoqmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bppdlgjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fohphgce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpocno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjlqpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meljbqna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lamjph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mehbpjjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afhpca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlnbqijd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkonkpqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckecpjdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lncgollm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aepnkjcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qckalamk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppjjcogn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aifjgdkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojkhjabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngcanq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elmmegkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfcbdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obcgaill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjfkbhae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kihcakpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhmhcigh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gminbfoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgdciiod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aonjpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pflbpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddjphm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acpjga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojclibo.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhfjadim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bakdjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilpkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lenapcbd.dll" Nbgakd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkdckgpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eidchjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Caoflo32.dll" Ipcjje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imkqmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kocodbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mffdnf32.dll" Jacibm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jkjaaglp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omjeba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbejjfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihggkhle.dll" Ngcanq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afpchl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionqcpbl.dll" Cjljpjjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgqmpkfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hplbamdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mcjlap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Behinlkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libghd32.dll" Ndnplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Miapbpmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkfcmj32.dll" Padccpal.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eifobe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfmqigba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eagbnh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Podbgo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipameehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pncjad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmbgageq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dilddl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmabknal.dll" Fgcpkldh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcdbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnkaj32.dll" Kckhdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nopaoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jogjgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pamibjoj.dll" Lojclibo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agcekn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lpfnckhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Moiihmhq.dll" Nhmbdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngbpehpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgnpjkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eaangfjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnflae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkgldm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmmpia32.dll" Kgelahmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gppnejgk.dll" Aaogbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aglhph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhoeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllgegfe.dll" Kgdgpfnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qchmll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbnlaqhi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkaane32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpkfchgk.dll" Bjfkbhae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dekhnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oiqegb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkapkq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Copljmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 24789e6d90fed4b5d3f5e4461a41d76dde958c6a0b28a20952d58a691838566bN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmpigl32.dll" Ppdfimji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnohgfgb.dll" Ncjbba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlfpln32.dll" Denknngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcopkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dpidibpf.dll" Kmficl32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3064 wrote to memory of 2744 3064 24789e6d90fed4b5d3f5e4461a41d76dde958c6a0b28a20952d58a691838566bN.exe 30 PID 3064 wrote to memory of 2744 3064 24789e6d90fed4b5d3f5e4461a41d76dde958c6a0b28a20952d58a691838566bN.exe 30 PID 3064 wrote to memory of 2744 3064 24789e6d90fed4b5d3f5e4461a41d76dde958c6a0b28a20952d58a691838566bN.exe 30 PID 3064 wrote to memory of 2744 3064 24789e6d90fed4b5d3f5e4461a41d76dde958c6a0b28a20952d58a691838566bN.exe 30 PID 2744 wrote to memory of 2828 2744 Hhmhcigh.exe 31 PID 2744 wrote to memory of 2828 2744 Hhmhcigh.exe 31 PID 2744 wrote to memory of 2828 2744 Hhmhcigh.exe 31 PID 2744 wrote to memory of 2828 2744 Hhmhcigh.exe 31 PID 2828 wrote to memory of 2536 2828 Haemloni.exe 32 PID 2828 wrote to memory of 2536 2828 Haemloni.exe 32 PID 2828 wrote to memory of 2536 2828 Haemloni.exe 32 PID 2828 wrote to memory of 2536 2828 Haemloni.exe 32 PID 2536 wrote to memory of 2720 2536 Hhoeii32.exe 33 PID 2536 wrote to memory of 2720 2536 Hhoeii32.exe 33 PID 2536 wrote to memory of 2720 2536 Hhoeii32.exe 33 PID 2536 wrote to memory of 2720 2536 Hhoeii32.exe 33 PID 2720 wrote to memory of 2932 2720 Hajfgnjc.exe 34 PID 2720 wrote to memory of 2932 2720 Hajfgnjc.exe 34 PID 2720 wrote to memory of 2932 2720 Hajfgnjc.exe 34 PID 2720 wrote to memory of 2932 2720 Hajfgnjc.exe 34 PID 2932 wrote to memory of 436 2932 Honfqb32.exe 35 PID 2932 wrote to memory of 436 2932 Honfqb32.exe 35 PID 2932 wrote to memory of 436 2932 Honfqb32.exe 35 PID 2932 wrote to memory of 436 2932 Honfqb32.exe 35 PID 436 wrote to memory of 2080 436 Hgiked32.exe 36 PID 436 wrote to memory of 2080 436 Hgiked32.exe 36 PID 436 wrote to memory of 2080 436 Hgiked32.exe 36 PID 436 wrote to memory of 2080 436 Hgiked32.exe 36 PID 2080 wrote to memory of 3056 2080 Hbnpbm32.exe 37 PID 2080 wrote to memory of 3056 2080 Hbnpbm32.exe 37 PID 2080 wrote to memory of 3056 2080 Hbnpbm32.exe 37 PID 2080 wrote to memory of 3056 2080 Hbnpbm32.exe 37 PID 3056 wrote to memory of 568 3056 Imhqbkbm.exe 38 PID 3056 wrote to memory of 568 3056 Imhqbkbm.exe 38 PID 3056 wrote to memory of 568 3056 Imhqbkbm.exe 38 PID 3056 wrote to memory of 568 3056 Imhqbkbm.exe 38 PID 568 wrote to memory of 1720 568 Ifpelq32.exe 39 PID 568 wrote to memory of 1720 568 Ifpelq32.exe 39 PID 568 wrote to memory of 1720 568 Ifpelq32.exe 39 PID 568 wrote to memory of 1720 568 Ifpelq32.exe 39 PID 1720 wrote to memory of 1160 1720 Iqfiii32.exe 40 PID 1720 wrote to memory of 1160 1720 Iqfiii32.exe 40 PID 1720 wrote to memory of 1160 1720 Iqfiii32.exe 40 PID 1720 wrote to memory of 1160 1720 Iqfiii32.exe 40 PID 1160 wrote to memory of 328 1160 Iqhfnifq.exe 41 PID 1160 wrote to memory of 328 1160 Iqhfnifq.exe 41 PID 1160 wrote to memory of 328 1160 Iqhfnifq.exe 41 PID 1160 wrote to memory of 328 1160 Iqhfnifq.exe 41 PID 328 wrote to memory of 2976 328 Iickckcl.exe 42 PID 328 wrote to memory of 2976 328 Iickckcl.exe 42 PID 328 wrote to memory of 2976 328 Iickckcl.exe 42 PID 328 wrote to memory of 2976 328 Iickckcl.exe 42 PID 2976 wrote to memory of 780 2976 Iblola32.exe 43 PID 2976 wrote to memory of 780 2976 Iblola32.exe 43 PID 2976 wrote to memory of 780 2976 Iblola32.exe 43 PID 2976 wrote to memory of 780 2976 Iblola32.exe 43 PID 780 wrote to memory of 1808 780 Jbnlaqhi.exe 44 PID 780 wrote to memory of 1808 780 Jbnlaqhi.exe 44 PID 780 wrote to memory of 1808 780 Jbnlaqhi.exe 44 PID 780 wrote to memory of 1808 780 Jbnlaqhi.exe 44 PID 1808 wrote to memory of 1864 1808 Jacibm32.exe 45 PID 1808 wrote to memory of 1864 1808 Jacibm32.exe 45 PID 1808 wrote to memory of 1864 1808 Jacibm32.exe 45 PID 1808 wrote to memory of 1864 1808 Jacibm32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\24789e6d90fed4b5d3f5e4461a41d76dde958c6a0b28a20952d58a691838566bN.exe"C:\Users\Admin\AppData\Local\Temp\24789e6d90fed4b5d3f5e4461a41d76dde958c6a0b28a20952d58a691838566bN.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Hhmhcigh.exeC:\Windows\system32\Hhmhcigh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Haemloni.exeC:\Windows\system32\Haemloni.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828 -
C:\Windows\SysWOW64\Hhoeii32.exeC:\Windows\system32\Hhoeii32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2536 -
C:\Windows\SysWOW64\Hajfgnjc.exeC:\Windows\system32\Hajfgnjc.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Honfqb32.exeC:\Windows\system32\Honfqb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Hgiked32.exeC:\Windows\system32\Hgiked32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\Hbnpbm32.exeC:\Windows\system32\Hbnpbm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Imhqbkbm.exeC:\Windows\system32\Imhqbkbm.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Ifpelq32.exeC:\Windows\system32\Ifpelq32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:568 -
C:\Windows\SysWOW64\Iqfiii32.exeC:\Windows\system32\Iqfiii32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Iqhfnifq.exeC:\Windows\system32\Iqhfnifq.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Iickckcl.exeC:\Windows\system32\Iickckcl.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:328 -
C:\Windows\SysWOW64\Iblola32.exeC:\Windows\system32\Iblola32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Jbnlaqhi.exeC:\Windows\system32\Jbnlaqhi.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Jacibm32.exeC:\Windows\system32\Jacibm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1808 -
C:\Windows\SysWOW64\Jgmaog32.exeC:\Windows\system32\Jgmaog32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1864 -
C:\Windows\SysWOW64\Jjnjqb32.exeC:\Windows\system32\Jjnjqb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1792 -
C:\Windows\SysWOW64\Jgbjjf32.exeC:\Windows\system32\Jgbjjf32.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Jnlbgq32.exeC:\Windows\system32\Jnlbgq32.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Kgdgpfnf.exeC:\Windows\system32\Kgdgpfnf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2436 -
C:\Windows\SysWOW64\Kckhdg32.exeC:\Windows\system32\Kckhdg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1568 -
C:\Windows\SysWOW64\Kcmdjgbh.exeC:\Windows\system32\Kcmdjgbh.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2988 -
C:\Windows\SysWOW64\Kmficl32.exeC:\Windows\system32\Kmficl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Kbbakc32.exeC:\Windows\system32\Kbbakc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Klkfdi32.exeC:\Windows\system32\Klkfdi32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Kecjmodq.exeC:\Windows\system32\Kecjmodq.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Kjpceebh.exeC:\Windows\system32\Kjpceebh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Ldhgnk32.exeC:\Windows\system32\Ldhgnk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Lhfpdi32.exeC:\Windows\system32\Lhfpdi32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1744 -
C:\Windows\SysWOW64\Lmcilp32.exeC:\Windows\system32\Lmcilp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1032 -
C:\Windows\SysWOW64\Lglmefcg.exeC:\Windows\system32\Lglmefcg.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:872 -
C:\Windows\SysWOW64\Lpdankjg.exeC:\Windows\system32\Lpdankjg.exe33⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Lgnjke32.exeC:\Windows\system32\Lgnjke32.exe34⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Lpfnckhe.exeC:\Windows\system32\Lpfnckhe.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Lgpfpe32.exeC:\Windows\system32\Lgpfpe32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:528 -
C:\Windows\SysWOW64\Miocmq32.exeC:\Windows\system32\Miocmq32.exe37⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Mpikik32.exeC:\Windows\system32\Mpikik32.exe38⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Miapbpmb.exeC:\Windows\system32\Miapbpmb.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1420 -
C:\Windows\SysWOW64\Mpkhoj32.exeC:\Windows\system32\Mpkhoj32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1928 -
C:\Windows\SysWOW64\Maldfbjn.exeC:\Windows\system32\Maldfbjn.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2600 -
C:\Windows\SysWOW64\Mlahdkjc.exeC:\Windows\system32\Mlahdkjc.exe42⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Mopdpg32.exeC:\Windows\system32\Mopdpg32.exe43⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Maoalb32.exeC:\Windows\system32\Maoalb32.exe44⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Mldeik32.exeC:\Windows\system32\Mldeik32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Mneaacno.exeC:\Windows\system32\Mneaacno.exe46⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Meljbqna.exeC:\Windows\system32\Meljbqna.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\Mhkfnlme.exeC:\Windows\system32\Mhkfnlme.exe48⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Mkibjgli.exeC:\Windows\system32\Mkibjgli.exe49⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Macjgadf.exeC:\Windows\system32\Macjgadf.exe50⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Nhmbdl32.exeC:\Windows\system32\Nhmbdl32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Njnokdaq.exeC:\Windows\system32\Njnokdaq.exe52⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Naegmabc.exeC:\Windows\system32\Naegmabc.exe53⤵
- Executes dropped EXE
PID:2472 -
C:\Windows\SysWOW64\Ngbpehpj.exeC:\Windows\system32\Ngbpehpj.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Nlohmonb.exeC:\Windows\system32\Nlohmonb.exe55⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Ncipjieo.exeC:\Windows\system32\Ncipjieo.exe56⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Nnodgbed.exeC:\Windows\system32\Nnodgbed.exe57⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Nopaoj32.exeC:\Windows\system32\Nopaoj32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:776 -
C:\Windows\SysWOW64\Njeelc32.exeC:\Windows\system32\Njeelc32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1368 -
C:\Windows\SysWOW64\Nqpmimbe.exeC:\Windows\system32\Nqpmimbe.exe60⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Nbqjqehd.exeC:\Windows\system32\Nbqjqehd.exe61⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Nhkbmo32.exeC:\Windows\system32\Nhkbmo32.exe62⤵
- Executes dropped EXE
PID:1352 -
C:\Windows\SysWOW64\Obcffefa.exeC:\Windows\system32\Obcffefa.exe63⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Okbapi32.exeC:\Windows\system32\Okbapi32.exe64⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Pcnfdl32.exeC:\Windows\system32\Pcnfdl32.exe65⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Pflbpg32.exeC:\Windows\system32\Pflbpg32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\SysWOW64\Pncjad32.exeC:\Windows\system32\Pncjad32.exe67⤵
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Ppdfimji.exeC:\Windows\system32\Ppdfimji.exe68⤵
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Pjjkfe32.exeC:\Windows\system32\Pjjkfe32.exe69⤵PID:1976
-
C:\Windows\SysWOW64\Padccpal.exeC:\Windows\system32\Padccpal.exe70⤵
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Pfqlkfoc.exeC:\Windows\system32\Pfqlkfoc.exe71⤵PID:2160
-
C:\Windows\SysWOW64\Piohgbng.exeC:\Windows\system32\Piohgbng.exe72⤵PID:1300
-
C:\Windows\SysWOW64\Plndcmmj.exeC:\Windows\system32\Plndcmmj.exe73⤵
- Drops file in System32 directory
PID:2628 -
C:\Windows\SysWOW64\Pcdldknm.exeC:\Windows\system32\Pcdldknm.exe74⤵PID:2844
-
C:\Windows\SysWOW64\Pefhlcdk.exeC:\Windows\system32\Pefhlcdk.exe75⤵PID:3008
-
C:\Windows\SysWOW64\Ppkmjlca.exeC:\Windows\system32\Ppkmjlca.exe76⤵PID:2112
-
C:\Windows\SysWOW64\Pbjifgcd.exeC:\Windows\system32\Pbjifgcd.exe77⤵PID:1756
-
C:\Windows\SysWOW64\Pidaba32.exeC:\Windows\system32\Pidaba32.exe78⤵PID:888
-
C:\Windows\SysWOW64\Qpniokan.exeC:\Windows\system32\Qpniokan.exe79⤵
- Drops file in System32 directory
PID:1848 -
C:\Windows\SysWOW64\Qaofgc32.exeC:\Windows\system32\Qaofgc32.exe80⤵PID:1768
-
C:\Windows\SysWOW64\Qldjdlgb.exeC:\Windows\system32\Qldjdlgb.exe81⤵PID:2076
-
C:\Windows\SysWOW64\Qbobaf32.exeC:\Windows\system32\Qbobaf32.exe82⤵PID:2788
-
C:\Windows\SysWOW64\Qdpohodn.exeC:\Windows\system32\Qdpohodn.exe83⤵PID:2984
-
C:\Windows\SysWOW64\Anecfgdc.exeC:\Windows\system32\Anecfgdc.exe84⤵PID:2716
-
C:\Windows\SysWOW64\Aeokba32.exeC:\Windows\system32\Aeokba32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Windows\SysWOW64\Ahngomkd.exeC:\Windows\system32\Ahngomkd.exe86⤵PID:2612
-
C:\Windows\SysWOW64\Amjpgdik.exeC:\Windows\system32\Amjpgdik.exe87⤵PID:2856
-
C:\Windows\SysWOW64\Apilcoho.exeC:\Windows\system32\Apilcoho.exe88⤵PID:912
-
C:\Windows\SysWOW64\Aiaqle32.exeC:\Windows\system32\Aiaqle32.exe89⤵PID:2096
-
C:\Windows\SysWOW64\Apkihofl.exeC:\Windows\system32\Apkihofl.exe90⤵PID:1548
-
C:\Windows\SysWOW64\Ajamfh32.exeC:\Windows\system32\Ajamfh32.exe91⤵PID:2392
-
C:\Windows\SysWOW64\Albjnplq.exeC:\Windows\system32\Albjnplq.exe92⤵PID:2340
-
C:\Windows\SysWOW64\Ablbjj32.exeC:\Windows\system32\Ablbjj32.exe93⤵
- System Location Discovery: System Language Discovery
PID:1156 -
C:\Windows\SysWOW64\Aifjgdkj.exeC:\Windows\system32\Aifjgdkj.exe94⤵
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Aldfcpjn.exeC:\Windows\system32\Aldfcpjn.exe95⤵PID:2236
-
C:\Windows\SysWOW64\Bfjkphjd.exeC:\Windows\system32\Bfjkphjd.exe96⤵PID:2476
-
C:\Windows\SysWOW64\Blgcio32.exeC:\Windows\system32\Blgcio32.exe97⤵PID:2944
-
C:\Windows\SysWOW64\Bbqkeioh.exeC:\Windows\system32\Bbqkeioh.exe98⤵PID:884
-
C:\Windows\SysWOW64\Bikcbc32.exeC:\Windows\system32\Bikcbc32.exe99⤵PID:2908
-
C:\Windows\SysWOW64\Bklpjlmc.exeC:\Windows\system32\Bklpjlmc.exe100⤵PID:1728
-
C:\Windows\SysWOW64\Bhpqcpkm.exeC:\Windows\system32\Bhpqcpkm.exe101⤵PID:596
-
C:\Windows\SysWOW64\Bceeqi32.exeC:\Windows\system32\Bceeqi32.exe102⤵PID:2012
-
C:\Windows\SysWOW64\Bedamd32.exeC:\Windows\system32\Bedamd32.exe103⤵PID:1448
-
C:\Windows\SysWOW64\Bkqiek32.exeC:\Windows\system32\Bkqiek32.exe104⤵PID:2864
-
C:\Windows\SysWOW64\Bakaaepk.exeC:\Windows\system32\Bakaaepk.exe105⤵PID:2328
-
C:\Windows\SysWOW64\Bdinnqon.exeC:\Windows\system32\Bdinnqon.exe106⤵PID:376
-
C:\Windows\SysWOW64\Boobki32.exeC:\Windows\system32\Boobki32.exe107⤵
- System Location Discovery: System Language Discovery
PID:1256 -
C:\Windows\SysWOW64\Camnge32.exeC:\Windows\system32\Camnge32.exe108⤵PID:2244
-
C:\Windows\SysWOW64\Cdkkcp32.exeC:\Windows\system32\Cdkkcp32.exe109⤵PID:2580
-
C:\Windows\SysWOW64\Ckecpjdh.exeC:\Windows\system32\Ckecpjdh.exe110⤵
- System Location Discovery: System Language Discovery
PID:584 -
C:\Windows\SysWOW64\Caokmd32.exeC:\Windows\system32\Caokmd32.exe111⤵PID:2972
-
C:\Windows\SysWOW64\Ckhpejbf.exeC:\Windows\system32\Ckhpejbf.exe112⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Cnflae32.exeC:\Windows\system32\Cnflae32.exe113⤵
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Cgnpjkhj.exeC:\Windows\system32\Cgnpjkhj.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:368 -
C:\Windows\SysWOW64\Clkicbfa.exeC:\Windows\system32\Clkicbfa.exe115⤵
- Drops file in System32 directory
PID:1404 -
C:\Windows\SysWOW64\Cgqmpkfg.exeC:\Windows\system32\Cgqmpkfg.exe116⤵
- Modifies registry class
PID:1832 -
C:\Windows\SysWOW64\Chbihc32.exeC:\Windows\system32\Chbihc32.exe117⤵PID:2404
-
C:\Windows\SysWOW64\Ccgnelll.exeC:\Windows\system32\Ccgnelll.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2280 -
C:\Windows\SysWOW64\Djafaf32.exeC:\Windows\system32\Djafaf32.exe119⤵PID:2928
-
C:\Windows\SysWOW64\Dcjjkkji.exeC:\Windows\system32\Dcjjkkji.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1604 -
C:\Windows\SysWOW64\Dlboca32.exeC:\Windows\system32\Dlboca32.exe121⤵
- System Location Discovery: System Language Discovery
PID:2680
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-