Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
113s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/09/2024, 19:31
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe
-
Size
72KB
-
MD5
fc6f93cf35b8223e247fa125bf14b300
-
SHA1
bb7ac7c45e08268ea392fe21879ea6f0236ff0d4
-
SHA256
fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696e
-
SHA512
b3328b19f662565d00410c793f063c31a99e82a2cbb9c04ba3b601e6af626c3b96435c21a8a2479c6497ff3a33527261d865749f857bf2e4c4dea135ec221447
-
SSDEEP
1536:cv+CTwjqYIMtzZx0A9jiQ1NqNxLe0/n80aWBhgW2wB2L3U6+lWCWQ+:lltkYik0E0aWBJ2wak6+bWQ+
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjcaha32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kapohbfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkdemk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkggmldl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phnpagdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmjaohol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inmmbc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcqlkjae.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knmdeioh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnomjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdghaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kljdkpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kekkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nggggoda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oehgjfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlgimqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojbbmnhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jokqnhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmhkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Japciodd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjmeiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eegkpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omnipjni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olbogqoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dekdikhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdnild32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiafee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iieepbje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mciabmlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdpfadlm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgaebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iihiphln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egajnfoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcghkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihiphln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olpilg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjdkjpkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kechdf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odedge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkoicb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cncmcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elkofg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jimbkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modlbmmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajmjcoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmdbnnlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkbcbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnkffeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Daplkmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdompf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhccm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdkjdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdgmimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndfnecgp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efhqmadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iknafhjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fchkbg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimpkcdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjleclph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elgfkhpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fccglehn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipeaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kajiigba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olpbaa32.exe -
Executes dropped EXE 64 IoCs
pid Process 1920 Fjjpjgjj.exe 3032 Flhmfbim.exe 2316 Fogibnha.exe 2824 Fhomkcoa.exe 2732 Goiehm32.exe 2108 Gbhbdi32.exe 2348 Gjojef32.exe 2788 Gkpfmnlb.exe 1440 Gcgnnlle.exe 2356 Gdhkfd32.exe 1656 Ghdgfbkl.exe 2060 Gkbcbn32.exe 1696 Gblkoham.exe 2004 Gifclb32.exe 2676 Gkephn32.exe 2116 Gncldi32.exe 408 Gqahqd32.exe 2928 Gkglnm32.exe 988 Gneijien.exe 688 Gepafc32.exe 1800 Gcbabpcf.exe 1520 Hjlioj32.exe 1716 Hmkeke32.exe 2908 Hqfaldbo.exe 2568 Hgpjhn32.exe 2536 Hfcjdkpg.exe 1584 Hahnac32.exe 2432 Hgbfnngi.exe 488 Hfegij32.exe 2828 Hmoofdea.exe 2652 Hpnkbpdd.exe 2400 Hblgnkdh.exe 2612 Hjcppidk.exe 2736 Hmalldcn.exe 352 Hpphhp32.exe 848 Hboddk32.exe 544 Hfjpdjjo.exe 1444 Hlgimqhf.exe 1996 Hpbdmo32.exe 2032 Iflmjihl.exe 840 Iikifegp.exe 1804 Ipeaco32.exe 2996 Iafnjg32.exe 3004 Ijnbcmkk.exe 2036 Ibejdjln.exe 548 Iedfqeka.exe 1644 Ihbcmaje.exe 2288 Ijqoilii.exe 2940 Iakgefqe.exe 3024 Idicbbpi.exe 2544 Ihdpbq32.exe 2416 Ijclol32.exe 2500 Ioohokoo.exe 2932 Imahkg32.exe 2632 Idkpganf.exe 3060 Ihglhp32.exe 632 Ifjlcmmj.exe 1848 Iihiphln.exe 1492 Jmdepg32.exe 472 Jaoqqflp.exe 2300 Jdnmma32.exe 2216 Jbqmhnbo.exe 1044 Jkhejkcq.exe 2396 Jmfafgbd.exe -
Loads dropped DLL 64 IoCs
pid Process 2380 fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe 2380 fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe 1920 Fjjpjgjj.exe 1920 Fjjpjgjj.exe 3032 Flhmfbim.exe 3032 Flhmfbim.exe 2316 Fogibnha.exe 2316 Fogibnha.exe 2824 Fhomkcoa.exe 2824 Fhomkcoa.exe 2732 Goiehm32.exe 2732 Goiehm32.exe 2108 Gbhbdi32.exe 2108 Gbhbdi32.exe 2348 Gjojef32.exe 2348 Gjojef32.exe 2788 Gkpfmnlb.exe 2788 Gkpfmnlb.exe 1440 Gcgnnlle.exe 1440 Gcgnnlle.exe 2356 Gdhkfd32.exe 2356 Gdhkfd32.exe 1656 Ghdgfbkl.exe 1656 Ghdgfbkl.exe 2060 Gkbcbn32.exe 2060 Gkbcbn32.exe 1696 Gblkoham.exe 1696 Gblkoham.exe 2004 Gifclb32.exe 2004 Gifclb32.exe 2676 Gkephn32.exe 2676 Gkephn32.exe 2116 Gncldi32.exe 2116 Gncldi32.exe 408 Gqahqd32.exe 408 Gqahqd32.exe 2928 Gkglnm32.exe 2928 Gkglnm32.exe 988 Gneijien.exe 988 Gneijien.exe 688 Gepafc32.exe 688 Gepafc32.exe 1800 Gcbabpcf.exe 1800 Gcbabpcf.exe 1520 Hjlioj32.exe 1520 Hjlioj32.exe 1716 Hmkeke32.exe 1716 Hmkeke32.exe 2908 Hqfaldbo.exe 2908 Hqfaldbo.exe 2568 Hgpjhn32.exe 2568 Hgpjhn32.exe 2536 Hfcjdkpg.exe 2536 Hfcjdkpg.exe 1584 Hahnac32.exe 1584 Hahnac32.exe 2432 Hgbfnngi.exe 2432 Hgbfnngi.exe 488 Hfegij32.exe 488 Hfegij32.exe 2828 Hmoofdea.exe 2828 Hmoofdea.exe 2652 Hpnkbpdd.exe 2652 Hpnkbpdd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Apppkekc.exe Anadojlo.exe File created C:\Windows\SysWOW64\Iebldo32.exe Ibcphc32.exe File created C:\Windows\SysWOW64\Faphfl32.dll Ijaaae32.exe File created C:\Windows\SysWOW64\Ohncbdbd.exe Odchbe32.exe File created C:\Windows\SysWOW64\Ieofkp32.exe Iacjjacb.exe File created C:\Windows\SysWOW64\Lkbmbl32.exe Lhcafa32.exe File created C:\Windows\SysWOW64\Ipfpae32.dll Apkgpf32.exe File created C:\Windows\SysWOW64\Oehgjfhi.exe Oalkih32.exe File created C:\Windows\SysWOW64\Aahfdihn.exe Anljck32.exe File created C:\Windows\SysWOW64\Hnajpcii.dll Lklgbadb.exe File opened for modification C:\Windows\SysWOW64\Jmgghnmp.dll Ooabmbbe.exe File created C:\Windows\SysWOW64\Cfmhdpnc.exe Cnfqccna.exe File created C:\Windows\SysWOW64\Acejfl32.dll Kpfplo32.exe File opened for modification C:\Windows\SysWOW64\Kljdkpfl.exe Kilgoe32.exe File created C:\Windows\SysWOW64\Nggggoda.exe Nppofado.exe File created C:\Windows\SysWOW64\Jlkngc32.exe Jimbkh32.exe File opened for modification C:\Windows\SysWOW64\Ekhmcelc.exe Ehjqgjmp.exe File opened for modification C:\Windows\SysWOW64\Gmeeepjp.exe Gnbejb32.exe File created C:\Windows\SysWOW64\Jamkdghb.dll Kpojkp32.exe File created C:\Windows\SysWOW64\Obgmpo32.dll Bnapnm32.exe File created C:\Windows\SysWOW64\Bdgoqijf.dll Gonale32.exe File created C:\Windows\SysWOW64\Edeomgho.dll Nbhhdnlh.exe File created C:\Windows\SysWOW64\Qjeeidhg.dll Offmipej.exe File opened for modification C:\Windows\SysWOW64\Gnbejb32.exe Gfkmie32.exe File opened for modification C:\Windows\SysWOW64\Godaakic.exe Gmeeepjp.exe File opened for modification C:\Windows\SysWOW64\Nnnbni32.exe Njbfnjeg.exe File opened for modification C:\Windows\SysWOW64\Aknngo32.exe Ahpbkd32.exe File opened for modification C:\Windows\SysWOW64\Dgnjqe32.exe Dcbnpgkh.exe File created C:\Windows\SysWOW64\Kkmmlgik.exe Khnapkjg.exe File opened for modification C:\Windows\SysWOW64\Gkephn32.exe Gifclb32.exe File created C:\Windows\SysWOW64\Jhbold32.exe Jbefcm32.exe File opened for modification C:\Windows\SysWOW64\Pcljmdmj.exe Pdjjag32.exe File created C:\Windows\SysWOW64\Qpbglhjq.exe Qndkpmkm.exe File created C:\Windows\SysWOW64\Codebccd.dll Qemldifo.exe File created C:\Windows\SysWOW64\Fdiqpigl.exe Fefqdl32.exe File opened for modification C:\Windows\SysWOW64\Hclfag32.exe Hoqjqhjf.exe File created C:\Windows\SysWOW64\Ihdpbq32.exe Idicbbpi.exe File opened for modification C:\Windows\SysWOW64\Ahpifj32.exe Ajmijmnn.exe File created C:\Windows\SysWOW64\Andgop32.exe Aoagccfn.exe File opened for modification C:\Windows\SysWOW64\Ephbal32.exe Eaebeoan.exe File opened for modification C:\Windows\SysWOW64\Hqkmplen.exe Hnmacpfj.exe File created C:\Windows\SysWOW64\Effeckcj.dll Hahnac32.exe File opened for modification C:\Windows\SysWOW64\Akcomepg.exe Ahebaiac.exe File created C:\Windows\SysWOW64\Agihgp32.exe Aobpfb32.exe File opened for modification C:\Windows\SysWOW64\Fkhbgbkc.exe Fglfgd32.exe File created C:\Windows\SysWOW64\Ikfbbjdj.exe Hcojam32.exe File created C:\Windows\SysWOW64\Aihgmjad.dll Aphjjf32.exe File created C:\Windows\SysWOW64\Flhmfbim.exe Fjjpjgjj.exe File created C:\Windows\SysWOW64\Mkkeeecj.dll Flhmfbim.exe File opened for modification C:\Windows\SysWOW64\Jefpeh32.exe Jajcdjca.exe File created C:\Windows\SysWOW64\Mbhlek32.exe Mjaddn32.exe File opened for modification C:\Windows\SysWOW64\Oecmogln.exe Ofqmcj32.exe File created C:\Windows\SysWOW64\Faffik32.dll Bbjpil32.exe File created C:\Windows\SysWOW64\Djjjga32.exe Dlgjldnm.exe File opened for modification C:\Windows\SysWOW64\Hcjilgdb.exe Honnki32.exe File created C:\Windows\SysWOW64\Hqfaldbo.exe Hmkeke32.exe File opened for modification C:\Windows\SysWOW64\Boljgg32.exe Bqijljfd.exe File created C:\Windows\SysWOW64\Legaoehg.exe Laleof32.exe File opened for modification C:\Windows\SysWOW64\Modlbmmn.exe Mkipao32.exe File opened for modification C:\Windows\SysWOW64\Ifmocb32.exe Iocgfhhc.exe File created C:\Windows\SysWOW64\Mjcccnbp.dll Iaimipjl.exe File created C:\Windows\SysWOW64\Mqehjecl.exe Mbchni32.exe File opened for modification C:\Windows\SysWOW64\Hnhgha32.exe Hjmlhbbg.exe File opened for modification C:\Windows\SysWOW64\Jbfilffm.exe Jcciqi32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 10116 10092 WerFault.exe 989 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gglbfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihglhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkdnhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmqmod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbchni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piabdiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikqnlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldmleam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncinap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oefjdgjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqkmplen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmqapci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cinafkkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kechdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anadojlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhdhefpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehhdaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmcpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqgddm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnejim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpflkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhdggom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmgfqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mklcadfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcljmdmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bieopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfqccna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekdchf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foolgh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gblkoham.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkolakkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hclfag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mobfgdcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnecigcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klecfkff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmdepg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hofngkga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdecea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imaapa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oniebmda.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agihgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinhdmma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmlael32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckdgjeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajmjcoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoebgcol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajcdjca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldpbpgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apmcefmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfefgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpdnbbah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnjicjbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agihgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnofgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mclebc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhkopj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibcphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofcqcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goiehm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpepm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eheglk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djocbqpb.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Andpoahc.dll" Kgqocoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eepejpil.dll" Cagienkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pojhbfni.dll" Jaecod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldjbkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aogfepif.dll" Ngdjaofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npfdjdfc.dll" Njeccjcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hahnac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cofdbf32.dll" Pcljmdmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Agjobffl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ghofam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkggbgh.dll" Jfdhmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehlpleg.dll" Kbbobkol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iedfqeka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Goiebopf.dll" Iihiphln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgaaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmeeepjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfabnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgedmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obokcqhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmdlck32.dll" Bbbpenco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Looghene.dll" Jhmofo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eplpdepa.dll" Jnmiag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkpfmnlb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjcppidk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlgimqhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjclbek.dll" Achjibcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjipagod.dll" Eaebeoan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mblbnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhkipdeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoebgcol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iipejmko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcijqc32.dll" Gkephn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckhnnjob.dll" Iflmjihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phcilf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdegfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chnlno32.dll" Gnnlocgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpboqdk.dll" Mqjefamk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jabponba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll" Dnpciaef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkbmbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdlkggmp.dll" Legaoehg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmflee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fknodfcm.dll" Oniebmda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjmif32.dll" Anjnnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfpfdeon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imlhebfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gphfihaj.dll" Ijnbcmkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfblih32.dll" Ooabmbbe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aqbdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijphofem.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jajmjcoe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldokfakl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Canipj32.dll" Bqmpdioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kglehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmahlfd.dll" Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flclam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfnjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gonnhc32.dll" Mdogedmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emoldlmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpnkbpdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhknaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diijaiep.dll" Jmnqje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghanagbo.dll" Mgbaml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njgpij32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2380 wrote to memory of 1920 2380 fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe 30 PID 2380 wrote to memory of 1920 2380 fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe 30 PID 2380 wrote to memory of 1920 2380 fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe 30 PID 2380 wrote to memory of 1920 2380 fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe 30 PID 1920 wrote to memory of 3032 1920 Fjjpjgjj.exe 31 PID 1920 wrote to memory of 3032 1920 Fjjpjgjj.exe 31 PID 1920 wrote to memory of 3032 1920 Fjjpjgjj.exe 31 PID 1920 wrote to memory of 3032 1920 Fjjpjgjj.exe 31 PID 3032 wrote to memory of 2316 3032 Flhmfbim.exe 32 PID 3032 wrote to memory of 2316 3032 Flhmfbim.exe 32 PID 3032 wrote to memory of 2316 3032 Flhmfbim.exe 32 PID 3032 wrote to memory of 2316 3032 Flhmfbim.exe 32 PID 2316 wrote to memory of 2824 2316 Fogibnha.exe 33 PID 2316 wrote to memory of 2824 2316 Fogibnha.exe 33 PID 2316 wrote to memory of 2824 2316 Fogibnha.exe 33 PID 2316 wrote to memory of 2824 2316 Fogibnha.exe 33 PID 2824 wrote to memory of 2732 2824 Fhomkcoa.exe 34 PID 2824 wrote to memory of 2732 2824 Fhomkcoa.exe 34 PID 2824 wrote to memory of 2732 2824 Fhomkcoa.exe 34 PID 2824 wrote to memory of 2732 2824 Fhomkcoa.exe 34 PID 2732 wrote to memory of 2108 2732 Goiehm32.exe 35 PID 2732 wrote to memory of 2108 2732 Goiehm32.exe 35 PID 2732 wrote to memory of 2108 2732 Goiehm32.exe 35 PID 2732 wrote to memory of 2108 2732 Goiehm32.exe 35 PID 2108 wrote to memory of 2348 2108 Gbhbdi32.exe 36 PID 2108 wrote to memory of 2348 2108 Gbhbdi32.exe 36 PID 2108 wrote to memory of 2348 2108 Gbhbdi32.exe 36 PID 2108 wrote to memory of 2348 2108 Gbhbdi32.exe 36 PID 2348 wrote to memory of 2788 2348 Gjojef32.exe 37 PID 2348 wrote to memory of 2788 2348 Gjojef32.exe 37 PID 2348 wrote to memory of 2788 2348 Gjojef32.exe 37 PID 2348 wrote to memory of 2788 2348 Gjojef32.exe 37 PID 2788 wrote to memory of 1440 2788 Gkpfmnlb.exe 38 PID 2788 wrote to memory of 1440 2788 Gkpfmnlb.exe 38 PID 2788 wrote to memory of 1440 2788 Gkpfmnlb.exe 38 PID 2788 wrote to memory of 1440 2788 Gkpfmnlb.exe 38 PID 1440 wrote to memory of 2356 1440 Gcgnnlle.exe 39 PID 1440 wrote to memory of 2356 1440 Gcgnnlle.exe 39 PID 1440 wrote to memory of 2356 1440 Gcgnnlle.exe 39 PID 1440 wrote to memory of 2356 1440 Gcgnnlle.exe 39 PID 2356 wrote to memory of 1656 2356 Gdhkfd32.exe 40 PID 2356 wrote to memory of 1656 2356 Gdhkfd32.exe 40 PID 2356 wrote to memory of 1656 2356 Gdhkfd32.exe 40 PID 2356 wrote to memory of 1656 2356 Gdhkfd32.exe 40 PID 1656 wrote to memory of 2060 1656 Ghdgfbkl.exe 41 PID 1656 wrote to memory of 2060 1656 Ghdgfbkl.exe 41 PID 1656 wrote to memory of 2060 1656 Ghdgfbkl.exe 41 PID 1656 wrote to memory of 2060 1656 Ghdgfbkl.exe 41 PID 2060 wrote to memory of 1696 2060 Gkbcbn32.exe 42 PID 2060 wrote to memory of 1696 2060 Gkbcbn32.exe 42 PID 2060 wrote to memory of 1696 2060 Gkbcbn32.exe 42 PID 2060 wrote to memory of 1696 2060 Gkbcbn32.exe 42 PID 1696 wrote to memory of 2004 1696 Gblkoham.exe 43 PID 1696 wrote to memory of 2004 1696 Gblkoham.exe 43 PID 1696 wrote to memory of 2004 1696 Gblkoham.exe 43 PID 1696 wrote to memory of 2004 1696 Gblkoham.exe 43 PID 2004 wrote to memory of 2676 2004 Gifclb32.exe 44 PID 2004 wrote to memory of 2676 2004 Gifclb32.exe 44 PID 2004 wrote to memory of 2676 2004 Gifclb32.exe 44 PID 2004 wrote to memory of 2676 2004 Gifclb32.exe 44 PID 2676 wrote to memory of 2116 2676 Gkephn32.exe 45 PID 2676 wrote to memory of 2116 2676 Gkephn32.exe 45 PID 2676 wrote to memory of 2116 2676 Gkephn32.exe 45 PID 2676 wrote to memory of 2116 2676 Gkephn32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe"C:\Users\Admin\AppData\Local\Temp\fa1e0e1bfea044ba9fad3df9981e448f0b74694d8e7089968d2182edf7f2696eN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Fjjpjgjj.exeC:\Windows\system32\Fjjpjgjj.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Flhmfbim.exeC:\Windows\system32\Flhmfbim.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Fogibnha.exeC:\Windows\system32\Fogibnha.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Fhomkcoa.exeC:\Windows\system32\Fhomkcoa.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Windows\SysWOW64\Goiehm32.exeC:\Windows\system32\Goiehm32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Gbhbdi32.exeC:\Windows\system32\Gbhbdi32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Gjojef32.exeC:\Windows\system32\Gjojef32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Gkpfmnlb.exeC:\Windows\system32\Gkpfmnlb.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Gcgnnlle.exeC:\Windows\system32\Gcgnnlle.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\Ghdgfbkl.exeC:\Windows\system32\Ghdgfbkl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1656 -
C:\Windows\SysWOW64\Gkbcbn32.exeC:\Windows\system32\Gkbcbn32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Gblkoham.exeC:\Windows\system32\Gblkoham.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Gifclb32.exeC:\Windows\system32\Gifclb32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Gkephn32.exeC:\Windows\system32\Gkephn32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Gncldi32.exeC:\Windows\system32\Gncldi32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2116 -
C:\Windows\SysWOW64\Gqahqd32.exeC:\Windows\system32\Gqahqd32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:408 -
C:\Windows\SysWOW64\Gkglnm32.exeC:\Windows\system32\Gkglnm32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Gneijien.exeC:\Windows\system32\Gneijien.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:988 -
C:\Windows\SysWOW64\Gepafc32.exeC:\Windows\system32\Gepafc32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Gcbabpcf.exeC:\Windows\system32\Gcbabpcf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Hjlioj32.exeC:\Windows\system32\Hjlioj32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1520 -
C:\Windows\SysWOW64\Hmkeke32.exeC:\Windows\system32\Hmkeke32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1716 -
C:\Windows\SysWOW64\Hqfaldbo.exeC:\Windows\system32\Hqfaldbo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Hfcjdkpg.exeC:\Windows\system32\Hfcjdkpg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2536 -
C:\Windows\SysWOW64\Hahnac32.exeC:\Windows\system32\Hahnac32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Hgbfnngi.exeC:\Windows\system32\Hgbfnngi.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Hfegij32.exeC:\Windows\system32\Hfegij32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:488 -
C:\Windows\SysWOW64\Hmoofdea.exeC:\Windows\system32\Hmoofdea.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2828 -
C:\Windows\SysWOW64\Hpnkbpdd.exeC:\Windows\system32\Hpnkbpdd.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2652 -
C:\Windows\SysWOW64\Hblgnkdh.exeC:\Windows\system32\Hblgnkdh.exe33⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Hjcppidk.exeC:\Windows\system32\Hjcppidk.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Hmalldcn.exeC:\Windows\system32\Hmalldcn.exe35⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Hpphhp32.exeC:\Windows\system32\Hpphhp32.exe36⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe37⤵
- Executes dropped EXE
PID:848 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe38⤵
- Executes dropped EXE
PID:544 -
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1444 -
C:\Windows\SysWOW64\Hpbdmo32.exeC:\Windows\system32\Hpbdmo32.exe40⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:2032 -
C:\Windows\SysWOW64\Iikifegp.exeC:\Windows\system32\Iikifegp.exe42⤵
- Executes dropped EXE
PID:840 -
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe43⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe44⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Ijnbcmkk.exeC:\Windows\system32\Ijnbcmkk.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:3004 -
C:\Windows\SysWOW64\Ibejdjln.exeC:\Windows\system32\Ibejdjln.exe46⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:548 -
C:\Windows\SysWOW64\Ihbcmaje.exeC:\Windows\system32\Ihbcmaje.exe48⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe49⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe50⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Idicbbpi.exeC:\Windows\system32\Idicbbpi.exe51⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3024 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe52⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Ijclol32.exeC:\Windows\system32\Ijclol32.exe53⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Ioohokoo.exeC:\Windows\system32\Ioohokoo.exe54⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Imahkg32.exeC:\Windows\system32\Imahkg32.exe55⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Idkpganf.exeC:\Windows\system32\Idkpganf.exe56⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Ihglhp32.exeC:\Windows\system32\Ihglhp32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe58⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1848 -
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1492 -
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe61⤵
- Executes dropped EXE
PID:472 -
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe62⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Jbqmhnbo.exeC:\Windows\system32\Jbqmhnbo.exe63⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe64⤵
- Executes dropped EXE
PID:1044 -
C:\Windows\SysWOW64\Jmfafgbd.exeC:\Windows\system32\Jmfafgbd.exe65⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe66⤵
- System Location Discovery: System Language Discovery
PID:2084 -
C:\Windows\SysWOW64\Jpdnbbah.exeC:\Windows\system32\Jpdnbbah.exe67⤵PID:1324
-
C:\Windows\SysWOW64\Jdpjba32.exeC:\Windows\system32\Jdpjba32.exe68⤵PID:816
-
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe69⤵PID:2164
-
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe70⤵PID:1552
-
C:\Windows\SysWOW64\Jimbkh32.exeC:\Windows\system32\Jimbkh32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe72⤵PID:2816
-
C:\Windows\SysWOW64\Jpgjgboe.exeC:\Windows\system32\Jpgjgboe.exe73⤵PID:2948
-
C:\Windows\SysWOW64\Jbefcm32.exeC:\Windows\system32\Jbefcm32.exe74⤵
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe75⤵PID:2152
-
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe76⤵PID:1308
-
C:\Windows\SysWOW64\Jolghndm.exeC:\Windows\system32\Jolghndm.exe77⤵PID:1712
-
C:\Windows\SysWOW64\Jajcdjca.exeC:\Windows\system32\Jajcdjca.exe78⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe79⤵PID:1064
-
C:\Windows\SysWOW64\Jhdlad32.exeC:\Windows\system32\Jhdlad32.exe80⤵PID:1508
-
C:\Windows\SysWOW64\Jondnnbk.exeC:\Windows\system32\Jondnnbk.exe81⤵PID:764
-
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe82⤵PID:3000
-
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe83⤵PID:288
-
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe84⤵PID:1380
-
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe85⤵PID:2388
-
C:\Windows\SysWOW64\Kdnild32.exeC:\Windows\system32\Kdnild32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2244 -
C:\Windows\SysWOW64\Khielcfh.exeC:\Windows\system32\Khielcfh.exe87⤵PID:2468
-
C:\Windows\SysWOW64\Kglehp32.exeC:\Windows\system32\Kglehp32.exe88⤵
- Modifies registry class
PID:2860 -
C:\Windows\SysWOW64\Kkgahoel.exeC:\Windows\system32\Kkgahoel.exe89⤵PID:2784
-
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe90⤵PID:2260
-
C:\Windows\SysWOW64\Kaajei32.exeC:\Windows\system32\Kaajei32.exe91⤵PID:1928
-
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1524 -
C:\Windows\SysWOW64\Khkbbc32.exeC:\Windows\system32\Khkbbc32.exe93⤵PID:2956
-
C:\Windows\SysWOW64\Kkjnnn32.exeC:\Windows\system32\Kkjnnn32.exe94⤵PID:1288
-
C:\Windows\SysWOW64\Knhjjj32.exeC:\Windows\system32\Knhjjj32.exe95⤵PID:1956
-
C:\Windows\SysWOW64\Kpgffe32.exeC:\Windows\system32\Kpgffe32.exe96⤵PID:2336
-
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe97⤵PID:344
-
C:\Windows\SysWOW64\Kgqocoin.exeC:\Windows\system32\Kgqocoin.exe98⤵
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe99⤵PID:572
-
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe100⤵PID:3052
-
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe101⤵PID:2884
-
C:\Windows\SysWOW64\Kgclio32.exeC:\Windows\system32\Kgclio32.exe102⤵PID:2804
-
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe103⤵PID:2412
-
C:\Windows\SysWOW64\Kjahej32.exeC:\Windows\system32\Kjahej32.exe104⤵PID:1152
-
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1736 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe106⤵PID:1592
-
C:\Windows\SysWOW64\Lonpma32.exeC:\Windows\system32\Lonpma32.exe107⤵PID:2960
-
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe108⤵PID:1748
-
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe109⤵
- System Location Discovery: System Language Discovery
PID:932 -
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe110⤵PID:1904
-
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe111⤵PID:1212
-
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe112⤵PID:2964
-
C:\Windows\SysWOW64\Ljfapjbi.exeC:\Windows\system32\Ljfapjbi.exe113⤵PID:3064
-
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe114⤵
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe115⤵PID:1700
-
C:\Windows\SysWOW64\Ldpbpgoh.exeC:\Windows\system32\Ldpbpgoh.exe116⤵
- System Location Discovery: System Language Discovery
PID:1320 -
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe117⤵
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe118⤵PID:1080
-
C:\Windows\SysWOW64\Lnhgim32.exeC:\Windows\system32\Lnhgim32.exe119⤵PID:2576
-
C:\Windows\SysWOW64\Ldbofgme.exeC:\Windows\system32\Ldbofgme.exe120⤵PID:2372
-
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2968
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-