Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
15s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
02/10/2024, 03:17
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe
-
Size
80KB
-
MD5
2b65ac76b0ff9d8ed82a70e8b39b4450
-
SHA1
68bac7691968af7a76a52a38f11638f73f80a439
-
SHA256
0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25
-
SHA512
bdb9dc079de6ea809e427f43538c78d5219edd58ef4019fe6a1b9c7490419ceda7c9b6dd89bab1e8f2f24a83436fa35f8e8879921e27a0e9069cb265c7e245f5
-
SSDEEP
1536:8Sqk6yXl1z7XRz5UekG3Wuycc2LMBJ9VqDlzVxyh+CbxMa:JqqzTROekG3nVGJ9IDlRxyhTb7
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lelljepm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbbegl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oingii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fghngimj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcaqmkpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmnkpc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odanqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfogneop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koogbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfkebkjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhfdqb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjoiiffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfdbcing.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hndoifdp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqemeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lckpbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkhalo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opmhqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlcbfnjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjnanhhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mffkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Manljd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dchpnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giejkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hadhjaaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khglkqfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nomphm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cikbjpqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iockhigl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ocihgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opebpdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgobcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioheci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngkaaolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgeabi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlcbfnjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Koogbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnofng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcfbfaao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ophoecoa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojghf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Doamhe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmgcepio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lomglo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Miiaogio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gekkpqnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpnkep32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcaqmkpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioaobjin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Majcoepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndoelpid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbdlnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdnkkmej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgoebmip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjmnmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbfobllj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndmeecmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eplmflde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gabofn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbbiii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlmffa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngkaaolf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfodmhbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlmffa32.exe -
Executes dropped EXE 64 IoCs
pid Process 1132 Cbajme32.exe 2840 Cikbjpqd.exe 2816 Cgobcd32.exe 2968 Cimooo32.exe 2860 Cojghf32.exe 2748 Cgaoic32.exe 2276 Cipleo32.exe 2396 Clnhajlc.exe 2448 Dchpnd32.exe 2988 Dlpdfjjp.exe 2760 Dcjmcd32.exe 316 Deiipp32.exe 2664 Doamhe32.exe 1860 Dekeeonn.exe 2204 Dglbmg32.exe 788 Docjne32.exe 2148 Ddpbfl32.exe 2072 Dkjkcfjc.exe 2120 Dpgckm32.exe 2068 Dcepgh32.exe 1784 Ejohdbok.exe 2592 Epipql32.exe 1508 Ejadibmh.exe 3068 Eplmflde.exe 2884 Eqnillbb.exe 2168 Eclfhgaf.exe 2832 Ehinpnpm.exe 2824 Ekhjlioa.exe 2900 Ebabicfn.exe 2280 Ekjgbi32.exe 2688 Enhcnd32.exe 2176 Fhngkm32.exe 772 Fbfldc32.exe 2340 Fipdqmje.exe 1960 Fjaqhe32.exe 856 Fnmmidhm.exe 2612 Fdgefn32.exe 2356 Fgeabi32.exe 804 Fkambhgf.exe 2372 Feiaknmg.exe 2004 Fghngimj.exe 2232 Fjfjcdln.exe 908 Fmdfppkb.exe 2040 Fcoolj32.exe 800 Fikgda32.exe 1216 Fmgcepio.exe 1100 Gabofn32.exe 2772 Gpeoakhc.exe 1704 Gbdlnf32.exe 2252 Gfogneop.exe 2892 Gjkcod32.exe 2724 Gmipko32.exe 2944 Gllpflng.exe 1940 Gcchgini.exe 2332 Gbfhcf32.exe 1068 Geddoa32.exe 2060 Gmlmpo32.exe 1840 Gpjilj32.exe 2084 Gbheif32.exe 1780 Gegaeabe.exe 2164 Ghenamai.exe 2540 Gnofng32.exe 1788 Ganbjb32.exe 3052 Giejkp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2296 0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe 2296 0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe 1132 Cbajme32.exe 1132 Cbajme32.exe 2840 Cikbjpqd.exe 2840 Cikbjpqd.exe 2816 Cgobcd32.exe 2816 Cgobcd32.exe 2968 Cimooo32.exe 2968 Cimooo32.exe 2860 Cojghf32.exe 2860 Cojghf32.exe 2748 Cgaoic32.exe 2748 Cgaoic32.exe 2276 Cipleo32.exe 2276 Cipleo32.exe 2396 Clnhajlc.exe 2396 Clnhajlc.exe 2448 Dchpnd32.exe 2448 Dchpnd32.exe 2988 Dlpdfjjp.exe 2988 Dlpdfjjp.exe 2760 Dcjmcd32.exe 2760 Dcjmcd32.exe 316 Deiipp32.exe 316 Deiipp32.exe 2664 Doamhe32.exe 2664 Doamhe32.exe 1860 Dekeeonn.exe 1860 Dekeeonn.exe 2204 Dglbmg32.exe 2204 Dglbmg32.exe 788 Docjne32.exe 788 Docjne32.exe 2148 Ddpbfl32.exe 2148 Ddpbfl32.exe 2072 Dkjkcfjc.exe 2072 Dkjkcfjc.exe 2120 Dpgckm32.exe 2120 Dpgckm32.exe 2068 Dcepgh32.exe 2068 Dcepgh32.exe 1784 Ejohdbok.exe 1784 Ejohdbok.exe 2592 Epipql32.exe 2592 Epipql32.exe 1508 Ejadibmh.exe 1508 Ejadibmh.exe 3068 Eplmflde.exe 3068 Eplmflde.exe 2884 Eqnillbb.exe 2884 Eqnillbb.exe 2168 Eclfhgaf.exe 2168 Eclfhgaf.exe 2832 Ehinpnpm.exe 2832 Ehinpnpm.exe 2824 Ekhjlioa.exe 2824 Ekhjlioa.exe 2900 Ebabicfn.exe 2900 Ebabicfn.exe 2280 Ekjgbi32.exe 2280 Ekjgbi32.exe 2688 Enhcnd32.exe 2688 Enhcnd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Oheppe32.exe Oegdcj32.exe File created C:\Windows\SysWOW64\Edjdohaf.dll Fipdqmje.exe File created C:\Windows\SysWOW64\Kgoebmip.exe Kqemeb32.exe File opened for modification C:\Windows\SysWOW64\Lelljepm.exe Lbmpnjai.exe File created C:\Windows\SysWOW64\Mlmjgnaa.exe Mcfbfaao.exe File created C:\Windows\SysWOW64\Igffmkno.exe Ihcfan32.exe File created C:\Windows\SysWOW64\Dpgdad32.dll Jbijcgbc.exe File opened for modification C:\Windows\SysWOW64\Okkfmmqj.exe Odanqb32.exe File opened for modification C:\Windows\SysWOW64\Mjmnmk32.exe Mgoaap32.exe File created C:\Windows\SysWOW64\Ncnhfi32.dll Nphbfplf.exe File opened for modification C:\Windows\SysWOW64\Fjaqhe32.exe Fipdqmje.exe File created C:\Windows\SysWOW64\Acbdcjgi.dll Gpjilj32.exe File opened for modification C:\Windows\SysWOW64\Jghcbjll.exe Jcmgal32.exe File created C:\Windows\SysWOW64\Mgoaap32.exe Milaecdp.exe File created C:\Windows\SysWOW64\Mnncii32.exe Mffkgl32.exe File created C:\Windows\SysWOW64\Dkhdhoei.dll Nljjqbfp.exe File created C:\Windows\SysWOW64\Ngkaaolf.exe Ndmeecmb.exe File opened for modification C:\Windows\SysWOW64\Omgfdhbq.exe Oiljcj32.exe File created C:\Windows\SysWOW64\Doamhe32.exe Deiipp32.exe File created C:\Windows\SysWOW64\Ckabkdol.dll Dglbmg32.exe File created C:\Windows\SysWOW64\Nmlddd32.dll Fikgda32.exe File created C:\Windows\SysWOW64\Ceicae32.dll Hfaqbh32.exe File created C:\Windows\SysWOW64\Lncacf32.dll Ogddhmdl.exe File opened for modification C:\Windows\SysWOW64\Cgaoic32.exe Cojghf32.exe File created C:\Windows\SysWOW64\Hnflnfbm.exe Hfodmhbk.exe File opened for modification C:\Windows\SysWOW64\Nepach32.exe Nbbegl32.exe File created C:\Windows\SysWOW64\Opgcne32.dll Ogmngn32.exe File opened for modification C:\Windows\SysWOW64\Glcfgk32.exe Ghgjflof.exe File opened for modification C:\Windows\SysWOW64\Ifhgcgjq.exe Ioaobjin.exe File opened for modification C:\Windows\SysWOW64\Kfgcieii.exe Knpkhhhg.exe File created C:\Windows\SysWOW64\Lomglo32.exe Lmnkpc32.exe File created C:\Windows\SysWOW64\Kcamln32.exe Kdnlpaln.exe File created C:\Windows\SysWOW64\Mjddnjdf.exe Mhfhaoec.exe File created C:\Windows\SysWOW64\Nbbegl32.exe Ndoelpid.exe File opened for modification C:\Windows\SysWOW64\Oingii32.exe Okkfmmqj.exe File created C:\Windows\SysWOW64\Hfaqbh32.exe Hdcdfmqe.exe File created C:\Windows\SysWOW64\Iboghh32.exe Iockhigl.exe File created C:\Windows\SysWOW64\Dhmbnh32.dll Kbncof32.exe File opened for modification C:\Windows\SysWOW64\Malpee32.exe Mnncii32.exe File created C:\Windows\SysWOW64\Ppicjm32.dll Mpalfabn.exe File created C:\Windows\SysWOW64\Banaaa32.dll Ejadibmh.exe File opened for modification C:\Windows\SysWOW64\Eqnillbb.exe Eplmflde.exe File created C:\Windows\SysWOW64\Knmmkb32.dll Hndoifdp.exe File created C:\Windows\SysWOW64\Oqfgbf32.dll Kkaolm32.exe File opened for modification C:\Windows\SysWOW64\Oheppe32.exe Oegdcj32.exe File created C:\Windows\SysWOW64\Jcejbh32.dll Fjaqhe32.exe File created C:\Windows\SysWOW64\Cblmfa32.dll Kjnanhhc.exe File created C:\Windows\SysWOW64\Djfoghqi.dll Mfkebkjk.exe File created C:\Windows\SysWOW64\Dmlibo32.dll Neghdg32.exe File opened for modification C:\Windows\SysWOW64\Cbajme32.exe 0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe File created C:\Windows\SysWOW64\Cimooo32.exe Cgobcd32.exe File opened for modification C:\Windows\SysWOW64\Jnbkodci.exe Jghcbjll.exe File opened for modification C:\Windows\SysWOW64\Nanhihno.exe Noplmlok.exe File created C:\Windows\SysWOW64\Fbfldc32.exe Fhngkm32.exe File created C:\Windows\SysWOW64\Gdnkkmej.exe Gekkpqnp.exe File created C:\Windows\SysWOW64\Hlcbfnjk.exe Hmpbja32.exe File opened for modification C:\Windows\SysWOW64\Nlapaapg.exe Nhfdqb32.exe File opened for modification C:\Windows\SysWOW64\Fgeabi32.exe Fdgefn32.exe File created C:\Windows\SysWOW64\Hlecmkel.exe Gdnkkmej.exe File opened for modification C:\Windows\SysWOW64\Hdhnal32.exe Hlqfqo32.exe File opened for modification C:\Windows\SysWOW64\Imkeneja.exe Ioheci32.exe File created C:\Windows\SysWOW64\Dfigef32.dll Lndqbk32.exe File opened for modification C:\Windows\SysWOW64\Ogbgbn32.exe Ocfkaone.exe File created C:\Windows\SysWOW64\Dchpnd32.exe Clnhajlc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3812 3748 WerFault.exe 262 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhfdqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjfjcdln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghenamai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iplnpq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kghoan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjnanhhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlnjcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiljcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fghngimj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdnkkmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlecmkel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfbfaao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpjeknfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iboghh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcocgkbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjlap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbfobllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqnillbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geddoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lelljepm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcamln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lckpbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmnkpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laeidfdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opcejd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbdlnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibadnhmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgoebmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogddhmdl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjffbhnj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadhjaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lojjfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndmeecmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekjgbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcchgini.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioaobjin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giejkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiipeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jghcbjll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifhgcgjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihnmfoli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihcfan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnkfcjqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Majcoepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejadibmh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enhcnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfdmhh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cipleo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eplmflde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhmkbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nljjqbfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmgcepio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfpmifoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkaolm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mffkgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpalfabn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndoelpid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okkfmmqj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgeabi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfbinf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkfhglen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knddcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogmngn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbbegl32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opebpdad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkambhgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbcdpd32.dll" Hadhjaaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iockhigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Laeidfdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfkhch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlmjgnaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Majcoepi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eclfhgaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbgmbfej.dll" Gcchgini.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imkeneja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dapchl32.dll" Jhniebne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aonjnmnj.dll" Khglkqfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpapgnpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mnncii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngkaaolf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdloglhf.dll" Epipql32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcqoqi32.dll" Hffjng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jempcgad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhniebne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hlecmkel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iplnpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjkcod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbncof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpkphm32.dll" Lbkchj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikkoh32.dll" Oiljcj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hdhnal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lenioenj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oegdcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nhcgkbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdhbbpkh.dll" Oheppe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjmoge32.dll" Ihnmfoli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjneoeeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmooam32.dll" Malpee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfidah32.dll" Mcjlap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Geddoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Manljd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohjmlaci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcihik32.dll" Okkfmmqj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node 0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cojghf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmljkb32.dll" Ekjgbi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fnmmidhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfdbcing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmhaikja.dll" Mjmnmk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mffkgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndmeecmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfaqbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iokahhac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpnkep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkaolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhaomjd.dll" Opmhqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enhcnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpcdqpqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lndqbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hipdajoc.dll" Nepach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofnkap32.dll" Fcoolj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igffmkno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feglnpia.dll" Mffkgl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbbegl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihcfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejccaofe.dll" Jkabmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfpmifoa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Knddcg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2296 wrote to memory of 1132 2296 0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe 30 PID 2296 wrote to memory of 1132 2296 0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe 30 PID 2296 wrote to memory of 1132 2296 0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe 30 PID 2296 wrote to memory of 1132 2296 0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe 30 PID 1132 wrote to memory of 2840 1132 Cbajme32.exe 31 PID 1132 wrote to memory of 2840 1132 Cbajme32.exe 31 PID 1132 wrote to memory of 2840 1132 Cbajme32.exe 31 PID 1132 wrote to memory of 2840 1132 Cbajme32.exe 31 PID 2840 wrote to memory of 2816 2840 Cikbjpqd.exe 32 PID 2840 wrote to memory of 2816 2840 Cikbjpqd.exe 32 PID 2840 wrote to memory of 2816 2840 Cikbjpqd.exe 32 PID 2840 wrote to memory of 2816 2840 Cikbjpqd.exe 32 PID 2816 wrote to memory of 2968 2816 Cgobcd32.exe 33 PID 2816 wrote to memory of 2968 2816 Cgobcd32.exe 33 PID 2816 wrote to memory of 2968 2816 Cgobcd32.exe 33 PID 2816 wrote to memory of 2968 2816 Cgobcd32.exe 33 PID 2968 wrote to memory of 2860 2968 Cimooo32.exe 34 PID 2968 wrote to memory of 2860 2968 Cimooo32.exe 34 PID 2968 wrote to memory of 2860 2968 Cimooo32.exe 34 PID 2968 wrote to memory of 2860 2968 Cimooo32.exe 34 PID 2860 wrote to memory of 2748 2860 Cojghf32.exe 35 PID 2860 wrote to memory of 2748 2860 Cojghf32.exe 35 PID 2860 wrote to memory of 2748 2860 Cojghf32.exe 35 PID 2860 wrote to memory of 2748 2860 Cojghf32.exe 35 PID 2748 wrote to memory of 2276 2748 Cgaoic32.exe 36 PID 2748 wrote to memory of 2276 2748 Cgaoic32.exe 36 PID 2748 wrote to memory of 2276 2748 Cgaoic32.exe 36 PID 2748 wrote to memory of 2276 2748 Cgaoic32.exe 36 PID 2276 wrote to memory of 2396 2276 Cipleo32.exe 37 PID 2276 wrote to memory of 2396 2276 Cipleo32.exe 37 PID 2276 wrote to memory of 2396 2276 Cipleo32.exe 37 PID 2276 wrote to memory of 2396 2276 Cipleo32.exe 37 PID 2396 wrote to memory of 2448 2396 Clnhajlc.exe 38 PID 2396 wrote to memory of 2448 2396 Clnhajlc.exe 38 PID 2396 wrote to memory of 2448 2396 Clnhajlc.exe 38 PID 2396 wrote to memory of 2448 2396 Clnhajlc.exe 38 PID 2448 wrote to memory of 2988 2448 Dchpnd32.exe 39 PID 2448 wrote to memory of 2988 2448 Dchpnd32.exe 39 PID 2448 wrote to memory of 2988 2448 Dchpnd32.exe 39 PID 2448 wrote to memory of 2988 2448 Dchpnd32.exe 39 PID 2988 wrote to memory of 2760 2988 Dlpdfjjp.exe 40 PID 2988 wrote to memory of 2760 2988 Dlpdfjjp.exe 40 PID 2988 wrote to memory of 2760 2988 Dlpdfjjp.exe 40 PID 2988 wrote to memory of 2760 2988 Dlpdfjjp.exe 40 PID 2760 wrote to memory of 316 2760 Dcjmcd32.exe 41 PID 2760 wrote to memory of 316 2760 Dcjmcd32.exe 41 PID 2760 wrote to memory of 316 2760 Dcjmcd32.exe 41 PID 2760 wrote to memory of 316 2760 Dcjmcd32.exe 41 PID 316 wrote to memory of 2664 316 Deiipp32.exe 42 PID 316 wrote to memory of 2664 316 Deiipp32.exe 42 PID 316 wrote to memory of 2664 316 Deiipp32.exe 42 PID 316 wrote to memory of 2664 316 Deiipp32.exe 42 PID 2664 wrote to memory of 1860 2664 Doamhe32.exe 43 PID 2664 wrote to memory of 1860 2664 Doamhe32.exe 43 PID 2664 wrote to memory of 1860 2664 Doamhe32.exe 43 PID 2664 wrote to memory of 1860 2664 Doamhe32.exe 43 PID 1860 wrote to memory of 2204 1860 Dekeeonn.exe 44 PID 1860 wrote to memory of 2204 1860 Dekeeonn.exe 44 PID 1860 wrote to memory of 2204 1860 Dekeeonn.exe 44 PID 1860 wrote to memory of 2204 1860 Dekeeonn.exe 44 PID 2204 wrote to memory of 788 2204 Dglbmg32.exe 45 PID 2204 wrote to memory of 788 2204 Dglbmg32.exe 45 PID 2204 wrote to memory of 788 2204 Dglbmg32.exe 45 PID 2204 wrote to memory of 788 2204 Dglbmg32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe"C:\Users\Admin\AppData\Local\Temp\0a6fe70e995cdae4acba8373dc382dcf342e9d3e6780896640fa9bd026983f25N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296 -
C:\Windows\SysWOW64\Cbajme32.exeC:\Windows\system32\Cbajme32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132 -
C:\Windows\SysWOW64\Cikbjpqd.exeC:\Windows\system32\Cikbjpqd.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Cgobcd32.exeC:\Windows\system32\Cgobcd32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Cimooo32.exeC:\Windows\system32\Cimooo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Cojghf32.exeC:\Windows\system32\Cojghf32.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Cgaoic32.exeC:\Windows\system32\Cgaoic32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Cipleo32.exeC:\Windows\system32\Cipleo32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Clnhajlc.exeC:\Windows\system32\Clnhajlc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Dchpnd32.exeC:\Windows\system32\Dchpnd32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Dlpdfjjp.exeC:\Windows\system32\Dlpdfjjp.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Dcjmcd32.exeC:\Windows\system32\Dcjmcd32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Deiipp32.exeC:\Windows\system32\Deiipp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:316 -
C:\Windows\SysWOW64\Doamhe32.exeC:\Windows\system32\Doamhe32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Dekeeonn.exeC:\Windows\system32\Dekeeonn.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Dglbmg32.exeC:\Windows\system32\Dglbmg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Docjne32.exeC:\Windows\system32\Docjne32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:788 -
C:\Windows\SysWOW64\Ddpbfl32.exeC:\Windows\system32\Ddpbfl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2148 -
C:\Windows\SysWOW64\Dkjkcfjc.exeC:\Windows\system32\Dkjkcfjc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2072 -
C:\Windows\SysWOW64\Dpgckm32.exeC:\Windows\system32\Dpgckm32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Dcepgh32.exeC:\Windows\system32\Dcepgh32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Ejohdbok.exeC:\Windows\system32\Ejohdbok.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1784 -
C:\Windows\SysWOW64\Epipql32.exeC:\Windows\system32\Epipql32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Ejadibmh.exeC:\Windows\system32\Ejadibmh.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1508 -
C:\Windows\SysWOW64\Eplmflde.exeC:\Windows\system32\Eplmflde.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Eqnillbb.exeC:\Windows\system32\Eqnillbb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Eclfhgaf.exeC:\Windows\system32\Eclfhgaf.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Ehinpnpm.exeC:\Windows\system32\Ehinpnpm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2832 -
C:\Windows\SysWOW64\Ekhjlioa.exeC:\Windows\system32\Ekhjlioa.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Ebabicfn.exeC:\Windows\system32\Ebabicfn.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Ekjgbi32.exeC:\Windows\system32\Ekjgbi32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2280 -
C:\Windows\SysWOW64\Enhcnd32.exeC:\Windows\system32\Enhcnd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Fhngkm32.exeC:\Windows\system32\Fhngkm32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2176 -
C:\Windows\SysWOW64\Fbfldc32.exeC:\Windows\system32\Fbfldc32.exe34⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Fipdqmje.exeC:\Windows\system32\Fipdqmje.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Fjaqhe32.exeC:\Windows\system32\Fjaqhe32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1960 -
C:\Windows\SysWOW64\Fnmmidhm.exeC:\Windows\system32\Fnmmidhm.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:856 -
C:\Windows\SysWOW64\Fdgefn32.exeC:\Windows\system32\Fdgefn32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Fgeabi32.exeC:\Windows\system32\Fgeabi32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2356 -
C:\Windows\SysWOW64\Fkambhgf.exeC:\Windows\system32\Fkambhgf.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:804 -
C:\Windows\SysWOW64\Feiaknmg.exeC:\Windows\system32\Feiaknmg.exe41⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Fghngimj.exeC:\Windows\system32\Fghngimj.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Windows\SysWOW64\Fjfjcdln.exeC:\Windows\system32\Fjfjcdln.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Fmdfppkb.exeC:\Windows\system32\Fmdfppkb.exe44⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Fcoolj32.exeC:\Windows\system32\Fcoolj32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Fikgda32.exeC:\Windows\system32\Fikgda32.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:800 -
C:\Windows\SysWOW64\Fmgcepio.exeC:\Windows\system32\Fmgcepio.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1216 -
C:\Windows\SysWOW64\Gabofn32.exeC:\Windows\system32\Gabofn32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1100 -
C:\Windows\SysWOW64\Gpeoakhc.exeC:\Windows\system32\Gpeoakhc.exe49⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Gbdlnf32.exeC:\Windows\system32\Gbdlnf32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1704 -
C:\Windows\SysWOW64\Gfogneop.exeC:\Windows\system32\Gfogneop.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Gjkcod32.exeC:\Windows\system32\Gjkcod32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Gmipko32.exeC:\Windows\system32\Gmipko32.exe53⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Gllpflng.exeC:\Windows\system32\Gllpflng.exe54⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Gcchgini.exeC:\Windows\system32\Gcchgini.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1940 -
C:\Windows\SysWOW64\Gbfhcf32.exeC:\Windows\system32\Gbfhcf32.exe56⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Geddoa32.exeC:\Windows\system32\Geddoa32.exe57⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1068 -
C:\Windows\SysWOW64\Gmlmpo32.exeC:\Windows\system32\Gmlmpo32.exe58⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Gpjilj32.exeC:\Windows\system32\Gpjilj32.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Gbheif32.exeC:\Windows\system32\Gbheif32.exe60⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Gegaeabe.exeC:\Windows\system32\Gegaeabe.exe61⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Ghenamai.exeC:\Windows\system32\Ghenamai.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Gnofng32.exeC:\Windows\system32\Gnofng32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Ganbjb32.exeC:\Windows\system32\Ganbjb32.exe64⤵
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Giejkp32.exeC:\Windows\system32\Giejkp32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Ghgjflof.exeC:\Windows\system32\Ghgjflof.exe66⤵
- Drops file in System32 directory
PID:1056 -
C:\Windows\SysWOW64\Glcfgk32.exeC:\Windows\system32\Glcfgk32.exe67⤵PID:2596
-
C:\Windows\SysWOW64\Gjffbhnj.exeC:\Windows\system32\Gjffbhnj.exe68⤵
- System Location Discovery: System Language Discovery
PID:1608 -
C:\Windows\SysWOW64\Gekkpqnp.exeC:\Windows\system32\Gekkpqnp.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Gdnkkmej.exeC:\Windows\system32\Gdnkkmej.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2836 -
C:\Windows\SysWOW64\Hlecmkel.exeC:\Windows\system32\Hlecmkel.exe71⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Hndoifdp.exeC:\Windows\system32\Hndoifdp.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Hengep32.exeC:\Windows\system32\Hengep32.exe73⤵PID:2764
-
C:\Windows\SysWOW64\Hfodmhbk.exeC:\Windows\system32\Hfodmhbk.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1612 -
C:\Windows\SysWOW64\Hnflnfbm.exeC:\Windows\system32\Hnflnfbm.exe75⤵PID:572
-
C:\Windows\SysWOW64\Hadhjaaa.exeC:\Windows\system32\Hadhjaaa.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2268 -
C:\Windows\SysWOW64\Hdcdfmqe.exeC:\Windows\system32\Hdcdfmqe.exe77⤵
- Drops file in System32 directory
PID:2940 -
C:\Windows\SysWOW64\Hfaqbh32.exeC:\Windows\system32\Hfaqbh32.exe78⤵
- Drops file in System32 directory
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Hipmoc32.exeC:\Windows\system32\Hipmoc32.exe79⤵PID:808
-
C:\Windows\SysWOW64\Hpjeknfi.exeC:\Windows\system32\Hpjeknfi.exe80⤵
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\Hfdmhh32.exeC:\Windows\system32\Hfdmhh32.exe81⤵
- System Location Discovery: System Language Discovery
PID:916 -
C:\Windows\SysWOW64\Hjoiiffo.exeC:\Windows\system32\Hjoiiffo.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1696 -
C:\Windows\SysWOW64\Hlqfqo32.exeC:\Windows\system32\Hlqfqo32.exe83⤵
- Drops file in System32 directory
PID:1916 -
C:\Windows\SysWOW64\Hdhnal32.exeC:\Windows\system32\Hdhnal32.exe84⤵
- Modifies registry class
PID:1340 -
C:\Windows\SysWOW64\Hffjng32.exeC:\Windows\system32\Hffjng32.exe85⤵
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Hmpbja32.exeC:\Windows\system32\Hmpbja32.exe86⤵
- Drops file in System32 directory
PID:2692 -
C:\Windows\SysWOW64\Hlcbfnjk.exeC:\Windows\system32\Hlcbfnjk.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1160 -
C:\Windows\SysWOW64\Ioaobjin.exeC:\Windows\system32\Ioaobjin.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Ifhgcgjq.exeC:\Windows\system32\Ifhgcgjq.exe89⤵
- System Location Discovery: System Language Discovery
PID:2428 -
C:\Windows\SysWOW64\Ihjcko32.exeC:\Windows\system32\Ihjcko32.exe90⤵PID:1088
-
C:\Windows\SysWOW64\Iockhigl.exeC:\Windows\system32\Iockhigl.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2128 -
C:\Windows\SysWOW64\Iboghh32.exeC:\Windows\system32\Iboghh32.exe92⤵
- System Location Discovery: System Language Discovery
PID:920 -
C:\Windows\SysWOW64\Iencdc32.exeC:\Windows\system32\Iencdc32.exe93⤵PID:1628
-
C:\Windows\SysWOW64\Iiipeb32.exeC:\Windows\system32\Iiipeb32.exe94⤵
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Ikjlmjmp.exeC:\Windows\system32\Ikjlmjmp.exe95⤵PID:2152
-
C:\Windows\SysWOW64\Ibadnhmb.exeC:\Windows\system32\Ibadnhmb.exe96⤵
- System Location Discovery: System Language Discovery
PID:1052 -
C:\Windows\SysWOW64\Iaddid32.exeC:\Windows\system32\Iaddid32.exe97⤵PID:612
-
C:\Windows\SysWOW64\Ihnmfoli.exeC:\Windows\system32\Ihnmfoli.exe98⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2792 -
C:\Windows\SysWOW64\Ioheci32.exeC:\Windows\system32\Ioheci32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Imkeneja.exeC:\Windows\system32\Imkeneja.exe100⤵
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Idemkp32.exeC:\Windows\system32\Idemkp32.exe101⤵PID:2012
-
C:\Windows\SysWOW64\Iokahhac.exeC:\Windows\system32\Iokahhac.exe102⤵
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Iplnpq32.exeC:\Windows\system32\Iplnpq32.exe103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Ihcfan32.exeC:\Windows\system32\Ihcfan32.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1472 -
C:\Windows\SysWOW64\Igffmkno.exeC:\Windows\system32\Igffmkno.exe105⤵
- Modifies registry class
PID:1584 -
C:\Windows\SysWOW64\Jkabmi32.exeC:\Windows\system32\Jkabmi32.exe106⤵
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Jnpoie32.exeC:\Windows\system32\Jnpoie32.exe107⤵PID:3056
-
C:\Windows\SysWOW64\Jpnkep32.exeC:\Windows\system32\Jpnkep32.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1528 -
C:\Windows\SysWOW64\Jcmgal32.exeC:\Windows\system32\Jcmgal32.exe109⤵
- Drops file in System32 directory
PID:2188 -
C:\Windows\SysWOW64\Jghcbjll.exeC:\Windows\system32\Jghcbjll.exe110⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3024 -
C:\Windows\SysWOW64\Jnbkodci.exeC:\Windows\system32\Jnbkodci.exe111⤵PID:1736
-
C:\Windows\SysWOW64\Jcocgkbp.exeC:\Windows\system32\Jcocgkbp.exe112⤵
- System Location Discovery: System Language Discovery
PID:2444 -
C:\Windows\SysWOW64\Jempcgad.exeC:\Windows\system32\Jempcgad.exe113⤵
- Modifies registry class
PID:2588 -
C:\Windows\SysWOW64\Jpcdqpqj.exeC:\Windows\system32\Jpcdqpqj.exe114⤵
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Jcaqmkpn.exeC:\Windows\system32\Jcaqmkpn.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1720 -
C:\Windows\SysWOW64\Jfpmifoa.exeC:\Windows\system32\Jfpmifoa.exe116⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2484 -
C:\Windows\SysWOW64\Jhniebne.exeC:\Windows\system32\Jhniebne.exe117⤵
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Johaalea.exeC:\Windows\system32\Johaalea.exe118⤵PID:2464
-
C:\Windows\SysWOW64\Jfbinf32.exeC:\Windows\system32\Jfbinf32.exe119⤵
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Jjneoeeh.exeC:\Windows\system32\Jjneoeeh.exe120⤵
- Modifies registry class
PID:1520 -
C:\Windows\SysWOW64\Jllakpdk.exeC:\Windows\system32\Jllakpdk.exe121⤵PID:2532
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-