Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
93s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
30/09/2024, 17:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe
-
Size
77KB
-
MD5
d8fb22e8645a71622bd3b0cdd7768570
-
SHA1
2e3675f3139df036c076496502501fad13676a36
-
SHA256
3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320db
-
SHA512
cfc4fafc5e5ba161a9f690889e251c8ddc1ce3042f07d94fe712fa27b0eb26d4550b982800449bfa6f83cb1edfa2ba757b79eef31afee01047f42546ba28f706
-
SSDEEP
768:7c/cYUTo4tz1Z/MR+cVaNVgnglrcqTPCI4yMQ8clxdsZ2p/1H5pVTXdnh2F4g85D:gHUBggjFk2LtRwfi+TjRC/
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhbebj32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehlhih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eiekog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgmdec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpclce32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfqnbjfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbekii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aphnnafb.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmdblp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hppeim32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iojkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gihpkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebkbbmqj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkofga32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnblnlhl.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khbiello.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdaile32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akdilipp.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gijmad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfldgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfnamjhk.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qclmck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aadghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbaclegm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpmapodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaebef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihkjno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kedlip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kekbjo32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbaclegm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbkkik32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlmchoan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlppno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klggli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqfbpb32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gicgpelg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apmhiq32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Objkmkjj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oonlfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pciqnk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddcebe32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aoioli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kolabf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dinael32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpeahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bajqda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihmfco32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kidben32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocnabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amcehdod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfkbfd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckpamabg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgiohbfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khiofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqeioiam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njedbjej.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omopjcjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pblajhje.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmblagmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcclncbh.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mablfnne.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nblolm32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cajjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbmohmoh.exe -
Executes dropped EXE 64 IoCs
pid Process 4840 Pfiddm32.exe 1460 Pmblagmf.exe 2892 Ppahmb32.exe 1552 Qhhpop32.exe 1888 Qobhkjdi.exe 1688 Qpcecb32.exe 3420 Qfmmplad.exe 1628 Qodeajbg.exe 4132 Qpeahb32.exe 736 Afpjel32.exe 3152 Aogbfi32.exe 3000 Aphnnafb.exe 1404 Ahofoogd.exe 5100 Aoioli32.exe 2920 Apjkcadp.exe 3500 Akpoaj32.exe 2576 Apmhiq32.exe 1252 Aonhghjl.exe 4472 Adkqoohc.exe 4808 Akdilipp.exe 3680 Amcehdod.exe 4772 Apaadpng.exe 3496 Bgkiaj32.exe 1868 Bobabg32.exe 3244 Bpdnjple.exe 4660 Bgnffj32.exe 3052 Boenhgdd.exe 4372 Bhmbqm32.exe 4460 Bklomh32.exe 4080 Bogkmgba.exe 4676 Bphgeo32.exe 3568 Bhpofl32.exe 1096 Bknlbhhe.exe 1908 Bgelgi32.exe 2040 Bajqda32.exe 3964 Cpmapodj.exe 4272 Ckbemgcp.exe 4012 Conanfli.exe 2780 Cdkifmjq.exe 3560 Chfegk32.exe 2096 Cncnob32.exe 1520 Cpbjkn32.exe 4380 Ckgohf32.exe 632 Cocjiehd.exe 4020 Cpdgqmnb.exe 4688 Chkobkod.exe 4408 Coegoe32.exe 2072 Cacckp32.exe 2500 Chnlgjlb.exe 4732 Cogddd32.exe 3228 Dafppp32.exe 4288 Dddllkbf.exe 1568 Dgcihgaj.exe 2872 Dkndie32.exe 2948 Dnmaea32.exe 4696 Dhbebj32.exe 3688 Dolmodpi.exe 3256 Dakikoom.exe 3468 Dggbcf32.exe 800 Dnajppda.exe 1420 Damfao32.exe 3728 Dgjoif32.exe 4964 Dbocfo32.exe 5052 Dglkoeio.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nhegig32.exe Njbgmjgl.exe File created C:\Windows\SysWOW64\Gggikgqe.dll Nqfbpb32.exe File opened for modification C:\Windows\SysWOW64\Fgjhpcmo.exe Fqppci32.exe File opened for modification C:\Windows\SysWOW64\Fgmdec32.exe Fijdjfdb.exe File created C:\Windows\SysWOW64\Gpmenm32.dll Iahgad32.exe File created C:\Windows\SysWOW64\Bhcmal32.dll Mablfnne.exe File opened for modification C:\Windows\SysWOW64\Abmjqe32.exe Apnndj32.exe File created C:\Windows\SysWOW64\Bbaclegm.exe Bapgdm32.exe File created C:\Windows\SysWOW64\Conanfli.exe Ckbemgcp.exe File created C:\Windows\SysWOW64\Jpbjfjci.exe Jhkbdmbg.exe File created C:\Windows\SysWOW64\Kamjda32.exe Koonge32.exe File created C:\Windows\SysWOW64\Kcoccc32.exe Kocgbend.exe File opened for modification C:\Windows\SysWOW64\Khlklj32.exe Kemooo32.exe File created C:\Windows\SysWOW64\Pjjfdfbb.exe Pbcncibp.exe File created C:\Windows\SysWOW64\Bhpofl32.exe Bphgeo32.exe File created C:\Windows\SysWOW64\Fkofga32.exe Fgcjfbed.exe File opened for modification C:\Windows\SysWOW64\Haodle32.exe Hnphoj32.exe File created C:\Windows\SysWOW64\Pcgdhkem.exe Pplhhm32.exe File opened for modification C:\Windows\SysWOW64\Qjffpe32.exe Qclmck32.exe File opened for modification C:\Windows\SysWOW64\Ckidcpjl.exe Cgmhcaac.exe File opened for modification C:\Windows\SysWOW64\Gicgpelg.exe Gegkpf32.exe File opened for modification C:\Windows\SysWOW64\Glfmgp32.exe Gihpkd32.exe File created C:\Windows\SysWOW64\Mablfnne.exe Mledmg32.exe File created C:\Windows\SysWOW64\Jekjcaef.exe Jaonbc32.exe File created C:\Windows\SysWOW64\Pjcikejg.exe Pblajhje.exe File opened for modification C:\Windows\SysWOW64\Cgfbbb32.exe Cbkfbcpb.exe File created C:\Windows\SysWOW64\Jlkidpke.dll Chfegk32.exe File opened for modification C:\Windows\SysWOW64\Hnphoj32.exe Hhfpbpdo.exe File opened for modification C:\Windows\SysWOW64\Bdapehop.exe Bpedeiff.exe File created C:\Windows\SysWOW64\Dglkoeio.exe Dbocfo32.exe File opened for modification C:\Windows\SysWOW64\Hppeim32.exe Hhimhobl.exe File opened for modification C:\Windows\SysWOW64\Mpclce32.exe Mlhqcgnk.exe File opened for modification C:\Windows\SysWOW64\Mlljnf32.exe Mhanngbl.exe File created C:\Windows\SysWOW64\Naagioah.dll Nckkfp32.exe File created C:\Windows\SysWOW64\Dkndie32.exe Dgcihgaj.exe File opened for modification C:\Windows\SysWOW64\Fajbjh32.exe Fnkfmm32.exe File opened for modification C:\Windows\SysWOW64\Lcmodajm.exe Llcghg32.exe File created C:\Windows\SysWOW64\Inmdohhp.dll Koajmepf.exe File created C:\Windows\SysWOW64\Pabcflhd.dll Lhqefjpo.exe File created C:\Windows\SysWOW64\Adgmoigj.exe Aplaoj32.exe File created C:\Windows\SysWOW64\Bpdnjple.exe Bobabg32.exe File created C:\Windows\SysWOW64\Ekiapmnp.dll Cacckp32.exe File created C:\Windows\SysWOW64\Gihpkd32.exe Gbnhoj32.exe File opened for modification C:\Windows\SysWOW64\Ddcebe32.exe Dmjmekgn.exe File created C:\Windows\SysWOW64\Gpmomo32.exe Gicgpelg.exe File opened for modification C:\Windows\SysWOW64\Pmphaaln.exe Pjaleemj.exe File opened for modification C:\Windows\SysWOW64\Cdaile32.exe Cpfmlghd.exe File created C:\Windows\SysWOW64\Hiacacpg.exe Hajkqfoe.exe File created C:\Windows\SysWOW64\Flmlag32.dll Jekjcaef.exe File created C:\Windows\SysWOW64\Ejnnldhi.dll Cajjjk32.exe File created C:\Windows\SysWOW64\Pnbmhkia.dll Abmjqe32.exe File created C:\Windows\SysWOW64\Caqpkjcl.exe Ckggnp32.exe File created C:\Windows\SysWOW64\Bklomh32.exe Bhmbqm32.exe File created C:\Windows\SysWOW64\Kpqfid32.dll Gnblnlhl.exe File created C:\Windows\SysWOW64\Eeclnmik.dll Lafmjp32.exe File created C:\Windows\SysWOW64\Qpeahb32.exe Qodeajbg.exe File opened for modification C:\Windows\SysWOW64\Cpbjkn32.exe Cncnob32.exe File created C:\Windows\SysWOW64\Epoaed32.dll Dakikoom.exe File created C:\Windows\SysWOW64\Dhlbgmif.dll Pcgdhkem.exe File opened for modification C:\Windows\SysWOW64\Ojnfihmo.exe Ofckhj32.exe File opened for modification C:\Windows\SysWOW64\Bipecnkd.exe Bkmeha32.exe File opened for modification C:\Windows\SysWOW64\Cmbgdl32.exe Cgiohbfi.exe File created C:\Windows\SysWOW64\Dgbanq32.exe Ddcebe32.exe File created C:\Windows\SysWOW64\Khnhommq.dll Jbepme32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9300 9164 WerFault.exe 442 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egcaod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhjhmhhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfobp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbaclegm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgqmnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddllkbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnkfmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iacngdgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kamjda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lafmjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhanngbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphgeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haodle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhenai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcmodajm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfpell32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifppdpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apaadpng.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bajqda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glfmgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieagmcmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpcinld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbhmbdle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhqefjpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgelgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqcejcha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qclmck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkhbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ledepn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gicgpelg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpnakk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbkfbcpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cienon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklomh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehbnigjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjhpcmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbojlfdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlljnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmphaaln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmdkcnie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dafppp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfbaalbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nckkfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhkbdmbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpmapodj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hajkqfoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lllagh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obqanjdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdapehop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogkmgba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpmomo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnlodjpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnhajba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfldgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfnamjhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojnfihmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oonlfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doccpcja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdaile32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cajjjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jekjcaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadghn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acccdj32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cidcnbjk.dll" Fnfmbmbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hajkqfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ieagmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlikkkhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpiedk32.dll" Pciqnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfkeihph.dll" Pmbegqjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mgqaip32.dll" Dinael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hikemehi.dll" Ckbemgcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cinclj32.dll" Dolmodpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flpoofmk.dll" Gegkpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jafdcbge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khgbqkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnbmhkia.dll" Abmjqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dodebo32.dll" Cgklmacf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafphi32.dll" Pfiddm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qpeahb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbojlfdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kemooo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaebef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lojmcdgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncmhko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afcmfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Chfegk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hbnckkha.dll" Eqiibjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gndick32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hifmmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jeapcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Afpjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iohmnmmb.dll" Akdilipp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpdnjple.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmncdk32.dll" Bphgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgcjfbed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihkjno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lohqnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgjoif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gihpkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpceplkl.dll" Haaaaeim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kifojnol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlmadjhb.dll" Pjaleemj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fkikinpo.dll" Dbocfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oonlfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhcali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeaknci.dll" Akpoaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cogddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalhik32.dll" Dafppp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqppci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gacepg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nknjec32.dll" Kadpdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaeidf32.dll" Lohqnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfldgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljgmjm32.dll" Ocnabm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qckcba32.dll" Pqbala32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icpjna32.dll" Caqpkjcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dafppp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipbaol32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipihpkkd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmmlla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpmapodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ebdlangb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enpfan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieagmcmq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkpemq32.dll" Jeocna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inmdohhp.dll" Koajmepf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Anlkecaj.dll" Pcbkml32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2908 wrote to memory of 4840 2908 3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe 82 PID 2908 wrote to memory of 4840 2908 3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe 82 PID 2908 wrote to memory of 4840 2908 3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe 82 PID 4840 wrote to memory of 1460 4840 Pfiddm32.exe 83 PID 4840 wrote to memory of 1460 4840 Pfiddm32.exe 83 PID 4840 wrote to memory of 1460 4840 Pfiddm32.exe 83 PID 1460 wrote to memory of 2892 1460 Pmblagmf.exe 84 PID 1460 wrote to memory of 2892 1460 Pmblagmf.exe 84 PID 1460 wrote to memory of 2892 1460 Pmblagmf.exe 84 PID 2892 wrote to memory of 1552 2892 Ppahmb32.exe 85 PID 2892 wrote to memory of 1552 2892 Ppahmb32.exe 85 PID 2892 wrote to memory of 1552 2892 Ppahmb32.exe 85 PID 1552 wrote to memory of 1888 1552 Qhhpop32.exe 86 PID 1552 wrote to memory of 1888 1552 Qhhpop32.exe 86 PID 1552 wrote to memory of 1888 1552 Qhhpop32.exe 86 PID 1888 wrote to memory of 1688 1888 Qobhkjdi.exe 87 PID 1888 wrote to memory of 1688 1888 Qobhkjdi.exe 87 PID 1888 wrote to memory of 1688 1888 Qobhkjdi.exe 87 PID 1688 wrote to memory of 3420 1688 Qpcecb32.exe 88 PID 1688 wrote to memory of 3420 1688 Qpcecb32.exe 88 PID 1688 wrote to memory of 3420 1688 Qpcecb32.exe 88 PID 3420 wrote to memory of 1628 3420 Qfmmplad.exe 89 PID 3420 wrote to memory of 1628 3420 Qfmmplad.exe 89 PID 3420 wrote to memory of 1628 3420 Qfmmplad.exe 89 PID 1628 wrote to memory of 4132 1628 Qodeajbg.exe 90 PID 1628 wrote to memory of 4132 1628 Qodeajbg.exe 90 PID 1628 wrote to memory of 4132 1628 Qodeajbg.exe 90 PID 4132 wrote to memory of 736 4132 Qpeahb32.exe 91 PID 4132 wrote to memory of 736 4132 Qpeahb32.exe 91 PID 4132 wrote to memory of 736 4132 Qpeahb32.exe 91 PID 736 wrote to memory of 3152 736 Afpjel32.exe 92 PID 736 wrote to memory of 3152 736 Afpjel32.exe 92 PID 736 wrote to memory of 3152 736 Afpjel32.exe 92 PID 3152 wrote to memory of 3000 3152 Aogbfi32.exe 93 PID 3152 wrote to memory of 3000 3152 Aogbfi32.exe 93 PID 3152 wrote to memory of 3000 3152 Aogbfi32.exe 93 PID 3000 wrote to memory of 1404 3000 Aphnnafb.exe 94 PID 3000 wrote to memory of 1404 3000 Aphnnafb.exe 94 PID 3000 wrote to memory of 1404 3000 Aphnnafb.exe 94 PID 1404 wrote to memory of 5100 1404 Ahofoogd.exe 95 PID 1404 wrote to memory of 5100 1404 Ahofoogd.exe 95 PID 1404 wrote to memory of 5100 1404 Ahofoogd.exe 95 PID 5100 wrote to memory of 2920 5100 Aoioli32.exe 96 PID 5100 wrote to memory of 2920 5100 Aoioli32.exe 96 PID 5100 wrote to memory of 2920 5100 Aoioli32.exe 96 PID 2920 wrote to memory of 3500 2920 Apjkcadp.exe 97 PID 2920 wrote to memory of 3500 2920 Apjkcadp.exe 97 PID 2920 wrote to memory of 3500 2920 Apjkcadp.exe 97 PID 3500 wrote to memory of 2576 3500 Akpoaj32.exe 98 PID 3500 wrote to memory of 2576 3500 Akpoaj32.exe 98 PID 3500 wrote to memory of 2576 3500 Akpoaj32.exe 98 PID 2576 wrote to memory of 1252 2576 Apmhiq32.exe 99 PID 2576 wrote to memory of 1252 2576 Apmhiq32.exe 99 PID 2576 wrote to memory of 1252 2576 Apmhiq32.exe 99 PID 1252 wrote to memory of 4472 1252 Aonhghjl.exe 100 PID 1252 wrote to memory of 4472 1252 Aonhghjl.exe 100 PID 1252 wrote to memory of 4472 1252 Aonhghjl.exe 100 PID 4472 wrote to memory of 4808 4472 Adkqoohc.exe 101 PID 4472 wrote to memory of 4808 4472 Adkqoohc.exe 101 PID 4472 wrote to memory of 4808 4472 Adkqoohc.exe 101 PID 4808 wrote to memory of 3680 4808 Akdilipp.exe 102 PID 4808 wrote to memory of 3680 4808 Akdilipp.exe 102 PID 4808 wrote to memory of 3680 4808 Akdilipp.exe 102 PID 3680 wrote to memory of 4772 3680 Amcehdod.exe 103
Processes
-
C:\Users\Admin\AppData\Local\Temp\3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe"C:\Users\Admin\AppData\Local\Temp\3128b0d6284aa4012f129e93e75f9ee60f8ee7b7df85ea9881e9e4fcc4b320dbN.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Pfiddm32.exeC:\Windows\system32\Pfiddm32.exe2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4840 -
C:\Windows\SysWOW64\Pmblagmf.exeC:\Windows\system32\Pmblagmf.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Ppahmb32.exeC:\Windows\system32\Ppahmb32.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Qhhpop32.exeC:\Windows\system32\Qhhpop32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1552 -
C:\Windows\SysWOW64\Qobhkjdi.exeC:\Windows\system32\Qobhkjdi.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\SysWOW64\Qpcecb32.exeC:\Windows\system32\Qpcecb32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Qfmmplad.exeC:\Windows\system32\Qfmmplad.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3420 -
C:\Windows\SysWOW64\Qodeajbg.exeC:\Windows\system32\Qodeajbg.exe9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Windows\SysWOW64\Qpeahb32.exeC:\Windows\system32\Qpeahb32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4132 -
C:\Windows\SysWOW64\Afpjel32.exeC:\Windows\system32\Afpjel32.exe11⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:736 -
C:\Windows\SysWOW64\Aogbfi32.exeC:\Windows\system32\Aogbfi32.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3152 -
C:\Windows\SysWOW64\Aphnnafb.exeC:\Windows\system32\Aphnnafb.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Ahofoogd.exeC:\Windows\system32\Ahofoogd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Aoioli32.exeC:\Windows\system32\Aoioli32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\Apjkcadp.exeC:\Windows\system32\Apjkcadp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Akpoaj32.exeC:\Windows\system32\Akpoaj32.exe17⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Apmhiq32.exeC:\Windows\system32\Apmhiq32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Aonhghjl.exeC:\Windows\system32\Aonhghjl.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1252 -
C:\Windows\SysWOW64\Adkqoohc.exeC:\Windows\system32\Adkqoohc.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4472 -
C:\Windows\SysWOW64\Akdilipp.exeC:\Windows\system32\Akdilipp.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4808 -
C:\Windows\SysWOW64\Amcehdod.exeC:\Windows\system32\Amcehdod.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3680 -
C:\Windows\SysWOW64\Apaadpng.exeC:\Windows\system32\Apaadpng.exe23⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4772 -
C:\Windows\SysWOW64\Bgkiaj32.exeC:\Windows\system32\Bgkiaj32.exe24⤵
- Executes dropped EXE
PID:3496 -
C:\Windows\SysWOW64\Bobabg32.exeC:\Windows\system32\Bobabg32.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1868 -
C:\Windows\SysWOW64\Bpdnjple.exeC:\Windows\system32\Bpdnjple.exe26⤵
- Executes dropped EXE
- Modifies registry class
PID:3244 -
C:\Windows\SysWOW64\Bgnffj32.exeC:\Windows\system32\Bgnffj32.exe27⤵
- Executes dropped EXE
PID:4660 -
C:\Windows\SysWOW64\Boenhgdd.exeC:\Windows\system32\Boenhgdd.exe28⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Bhmbqm32.exeC:\Windows\system32\Bhmbqm32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4372 -
C:\Windows\SysWOW64\Bklomh32.exeC:\Windows\system32\Bklomh32.exe30⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4460 -
C:\Windows\SysWOW64\Bogkmgba.exeC:\Windows\system32\Bogkmgba.exe31⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4080 -
C:\Windows\SysWOW64\Bphgeo32.exeC:\Windows\system32\Bphgeo32.exe32⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4676 -
C:\Windows\SysWOW64\Bhpofl32.exeC:\Windows\system32\Bhpofl32.exe33⤵
- Executes dropped EXE
PID:3568 -
C:\Windows\SysWOW64\Bknlbhhe.exeC:\Windows\system32\Bknlbhhe.exe34⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Bgelgi32.exeC:\Windows\system32\Bgelgi32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Windows\SysWOW64\Bajqda32.exeC:\Windows\system32\Bajqda32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2040 -
C:\Windows\SysWOW64\Cpmapodj.exeC:\Windows\system32\Cpmapodj.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3964 -
C:\Windows\SysWOW64\Ckbemgcp.exeC:\Windows\system32\Ckbemgcp.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4272 -
C:\Windows\SysWOW64\Conanfli.exeC:\Windows\system32\Conanfli.exe39⤵
- Executes dropped EXE
PID:4012 -
C:\Windows\SysWOW64\Cdkifmjq.exeC:\Windows\system32\Cdkifmjq.exe40⤵
- Executes dropped EXE
PID:2780 -
C:\Windows\SysWOW64\Chfegk32.exeC:\Windows\system32\Chfegk32.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:3560 -
C:\Windows\SysWOW64\Cncnob32.exeC:\Windows\system32\Cncnob32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2096 -
C:\Windows\SysWOW64\Cpbjkn32.exeC:\Windows\system32\Cpbjkn32.exe43⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Ckgohf32.exeC:\Windows\system32\Ckgohf32.exe44⤵
- Executes dropped EXE
PID:4380 -
C:\Windows\SysWOW64\Cocjiehd.exeC:\Windows\system32\Cocjiehd.exe45⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Cpdgqmnb.exeC:\Windows\system32\Cpdgqmnb.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4020 -
C:\Windows\SysWOW64\Chkobkod.exeC:\Windows\system32\Chkobkod.exe47⤵
- Executes dropped EXE
PID:4688 -
C:\Windows\SysWOW64\Coegoe32.exeC:\Windows\system32\Coegoe32.exe48⤵
- Executes dropped EXE
PID:4408 -
C:\Windows\SysWOW64\Cacckp32.exeC:\Windows\system32\Cacckp32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2072 -
C:\Windows\SysWOW64\Chnlgjlb.exeC:\Windows\system32\Chnlgjlb.exe50⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Cogddd32.exeC:\Windows\system32\Cogddd32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:4732 -
C:\Windows\SysWOW64\Dafppp32.exeC:\Windows\system32\Dafppp32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3228 -
C:\Windows\SysWOW64\Dddllkbf.exeC:\Windows\system32\Dddllkbf.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4288 -
C:\Windows\SysWOW64\Dgcihgaj.exeC:\Windows\system32\Dgcihgaj.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1568 -
C:\Windows\SysWOW64\Dkndie32.exeC:\Windows\system32\Dkndie32.exe55⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Dnmaea32.exeC:\Windows\system32\Dnmaea32.exe56⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Dhbebj32.exeC:\Windows\system32\Dhbebj32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:4696 -
C:\Windows\SysWOW64\Dolmodpi.exeC:\Windows\system32\Dolmodpi.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:3688 -
C:\Windows\SysWOW64\Dakikoom.exeC:\Windows\system32\Dakikoom.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3256 -
C:\Windows\SysWOW64\Dggbcf32.exeC:\Windows\system32\Dggbcf32.exe60⤵
- Executes dropped EXE
PID:3468 -
C:\Windows\SysWOW64\Dnajppda.exeC:\Windows\system32\Dnajppda.exe61⤵
- Executes dropped EXE
PID:800 -
C:\Windows\SysWOW64\Damfao32.exeC:\Windows\system32\Damfao32.exe62⤵
- Executes dropped EXE
PID:1420 -
C:\Windows\SysWOW64\Dgjoif32.exeC:\Windows\system32\Dgjoif32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:3728 -
C:\Windows\SysWOW64\Dbocfo32.exeC:\Windows\system32\Dbocfo32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4964 -
C:\Windows\SysWOW64\Dglkoeio.exeC:\Windows\system32\Dglkoeio.exe65⤵
- Executes dropped EXE
PID:5052 -
C:\Windows\SysWOW64\Doccpcja.exeC:\Windows\system32\Doccpcja.exe66⤵
- System Location Discovery: System Language Discovery
PID:4756 -
C:\Windows\SysWOW64\Ebaplnie.exeC:\Windows\system32\Ebaplnie.exe67⤵PID:1804
-
C:\Windows\SysWOW64\Ehlhih32.exeC:\Windows\system32\Ehlhih32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3708 -
C:\Windows\SysWOW64\Ekjded32.exeC:\Windows\system32\Ekjded32.exe69⤵PID:828
-
C:\Windows\SysWOW64\Ebdlangb.exeC:\Windows\system32\Ebdlangb.exe70⤵
- Modifies registry class
PID:1256 -
C:\Windows\SysWOW64\Eqgmmk32.exeC:\Windows\system32\Eqgmmk32.exe71⤵PID:1076
-
C:\Windows\SysWOW64\Egaejeej.exeC:\Windows\system32\Egaejeej.exe72⤵PID:4328
-
C:\Windows\SysWOW64\Enkmfolf.exeC:\Windows\system32\Enkmfolf.exe73⤵PID:2524
-
C:\Windows\SysWOW64\Eqiibjlj.exeC:\Windows\system32\Eqiibjlj.exe74⤵
- Modifies registry class
PID:4712 -
C:\Windows\SysWOW64\Egcaod32.exeC:\Windows\system32\Egcaod32.exe75⤵
- System Location Discovery: System Language Discovery
PID:4084 -
C:\Windows\SysWOW64\Eojiqb32.exeC:\Windows\system32\Eojiqb32.exe76⤵PID:2008
-
C:\Windows\SysWOW64\Edgbii32.exeC:\Windows\system32\Edgbii32.exe77⤵PID:1216
-
C:\Windows\SysWOW64\Ehbnigjj.exeC:\Windows\system32\Ehbnigjj.exe78⤵
- System Location Discovery: System Language Discovery
PID:1828 -
C:\Windows\SysWOW64\Enpfan32.exeC:\Windows\system32\Enpfan32.exe79⤵
- Modifies registry class
PID:2300 -
C:\Windows\SysWOW64\Ebkbbmqj.exeC:\Windows\system32\Ebkbbmqj.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1248 -
C:\Windows\SysWOW64\Eiekog32.exeC:\Windows\system32\Eiekog32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4040 -
C:\Windows\SysWOW64\Fooclapd.exeC:\Windows\system32\Fooclapd.exe82⤵PID:3872
-
C:\Windows\SysWOW64\Fbmohmoh.exeC:\Windows\system32\Fbmohmoh.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1048 -
C:\Windows\SysWOW64\Fqppci32.exeC:\Windows\system32\Fqppci32.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:1844 -
C:\Windows\SysWOW64\Fgjhpcmo.exeC:\Windows\system32\Fgjhpcmo.exe85⤵
- System Location Discovery: System Language Discovery
PID:384 -
C:\Windows\SysWOW64\Foapaa32.exeC:\Windows\system32\Foapaa32.exe86⤵PID:2248
-
C:\Windows\SysWOW64\Fijdjfdb.exeC:\Windows\system32\Fijdjfdb.exe87⤵
- Drops file in System32 directory
PID:4336 -
C:\Windows\SysWOW64\Fgmdec32.exeC:\Windows\system32\Fgmdec32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:964 -
C:\Windows\SysWOW64\Fnfmbmbi.exeC:\Windows\system32\Fnfmbmbi.exe89⤵
- Modifies registry class
PID:5000 -
C:\Windows\SysWOW64\Fqeioiam.exeC:\Windows\system32\Fqeioiam.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:412 -
C:\Windows\SysWOW64\Fofilp32.exeC:\Windows\system32\Fofilp32.exe91⤵PID:3448
-
C:\Windows\SysWOW64\Fbdehlip.exeC:\Windows\system32\Fbdehlip.exe92⤵PID:4924
-
C:\Windows\SysWOW64\Fganqbgg.exeC:\Windows\system32\Fganqbgg.exe93⤵PID:1324
-
C:\Windows\SysWOW64\Fkmjaa32.exeC:\Windows\system32\Fkmjaa32.exe94⤵PID:3412
-
C:\Windows\SysWOW64\Fnkfmm32.exeC:\Windows\system32\Fnkfmm32.exe95⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Fajbjh32.exeC:\Windows\system32\Fajbjh32.exe96⤵PID:2528
-
C:\Windows\SysWOW64\Fgcjfbed.exeC:\Windows\system32\Fgcjfbed.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Fkofga32.exeC:\Windows\system32\Fkofga32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1312 -
C:\Windows\SysWOW64\Gbiockdj.exeC:\Windows\system32\Gbiockdj.exe99⤵PID:3040
-
C:\Windows\SysWOW64\Gegkpf32.exeC:\Windows\system32\Gegkpf32.exe100⤵
- Drops file in System32 directory
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Gicgpelg.exeC:\Windows\system32\Gicgpelg.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4432 -
C:\Windows\SysWOW64\Gpmomo32.exeC:\Windows\system32\Gpmomo32.exe102⤵
- System Location Discovery: System Language Discovery
PID:4600 -
C:\Windows\SysWOW64\Gbkkik32.exeC:\Windows\system32\Gbkkik32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Gejhef32.exeC:\Windows\system32\Gejhef32.exe104⤵PID:3488
-
C:\Windows\SysWOW64\Gkdpbpih.exeC:\Windows\system32\Gkdpbpih.exe105⤵PID:1192
-
C:\Windows\SysWOW64\Gnblnlhl.exeC:\Windows\system32\Gnblnlhl.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4048 -
C:\Windows\SysWOW64\Gbnhoj32.exeC:\Windows\system32\Gbnhoj32.exe107⤵
- Drops file in System32 directory
PID:1484 -
C:\Windows\SysWOW64\Gihpkd32.exeC:\Windows\system32\Gihpkd32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:4312 -
C:\Windows\SysWOW64\Glfmgp32.exeC:\Windows\system32\Glfmgp32.exe109⤵
- System Location Discovery: System Language Discovery
PID:1296 -
C:\Windows\SysWOW64\Gndick32.exeC:\Windows\system32\Gndick32.exe110⤵
- Modifies registry class
PID:4940 -
C:\Windows\SysWOW64\Gacepg32.exeC:\Windows\system32\Gacepg32.exe111⤵
- Modifies registry class
PID:5004 -
C:\Windows\SysWOW64\Gijmad32.exeC:\Windows\system32\Gijmad32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2440 -
C:\Windows\SysWOW64\Glhimp32.exeC:\Windows\system32\Glhimp32.exe113⤵PID:4876
-
C:\Windows\SysWOW64\Gbbajjlp.exeC:\Windows\system32\Gbbajjlp.exe114⤵PID:1924
-
C:\Windows\SysWOW64\Gaebef32.exeC:\Windows\system32\Gaebef32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Giljfddl.exeC:\Windows\system32\Giljfddl.exe116⤵PID:4476
-
C:\Windows\SysWOW64\Hpfbcn32.exeC:\Windows\system32\Hpfbcn32.exe117⤵PID:2472
-
C:\Windows\SysWOW64\Hnibokbd.exeC:\Windows\system32\Hnibokbd.exe118⤵PID:4664
-
C:\Windows\SysWOW64\Hahokfag.exeC:\Windows\system32\Hahokfag.exe119⤵PID:2436
-
C:\Windows\SysWOW64\Hioflcbj.exeC:\Windows\system32\Hioflcbj.exe120⤵PID:5132
-
C:\Windows\SysWOW64\Hlmchoan.exeC:\Windows\system32\Hlmchoan.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5176
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-