Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
21s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05/10/2024, 16:42
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7c31839542f617a04a20322cf6a8d391d73fe489238d4b39081856f3b5e32cefN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
7c31839542f617a04a20322cf6a8d391d73fe489238d4b39081856f3b5e32cefN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
7c31839542f617a04a20322cf6a8d391d73fe489238d4b39081856f3b5e32cefN.exe
-
Size
55KB
-
MD5
aba3c73620bceb64fc46c2697d1dbfe0
-
SHA1
1cd8e1ace9cb18b757eee72a9517dba84dd9d73e
-
SHA256
7c31839542f617a04a20322cf6a8d391d73fe489238d4b39081856f3b5e32cef
-
SHA512
2dc407906835c2e9e03d52825f3c3e9b76cfbcd619d30c1863c93a1682dcf450d3d4a9015ba4e8dff9d5525778be546375d29ddd4be581e192b61fab36c9205a
-
SSDEEP
1536:dexMxksll/F2EnTXP/lIGwUEO6NSoNSd0A3shxD6:dexMxdvF2EngUEO6NXNW0A8hh
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmddgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdbbnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iilceh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmfklepl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nogmin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Llcehg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpanne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjbjjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fqffgapf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpmpnmck.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bacefpbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckecpjdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlpbna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dklepmal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpjfcali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acohnhab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efpbih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmamfddp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgdnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkcmjpma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgkbjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nohddd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkmmigjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnnkec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljcbcngi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lncgollm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikapdqoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdlfngcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbpoebgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dljngoea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkbmil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaobkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Laogfg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbadagln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkedjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aalofa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgdciiod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdmbhnjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejiadgkl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpmllpef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbjjekhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpaqmnap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfikod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igngim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmacej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffjagko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gefolhja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgfiocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkdndeon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfnhkq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hajhpgag.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojeomee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fabmmejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbjpem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbmlkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oomjng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aeenapck.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gibkmgcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndgbgefh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Famcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflmpebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ekbhnkhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdadadkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbemho32.exe -
Executes dropped EXE 64 IoCs
pid Process 2688 Ckecpjdh.exe 2548 Cpbkhabp.exe 2564 Cglcek32.exe 2544 Ckhpejbf.exe 3060 Cpdhna32.exe 1332 Cccdjl32.exe 2464 Cgnpjkhj.exe 2792 Clkicbfa.exe 2788 Cojeomee.exe 2716 Cgqmpkfg.exe 2812 Chbihc32.exe 1348 Cpiaipmh.exe 448 Cffjagko.exe 2132 Dlpbna32.exe 1844 Donojm32.exe 3020 Dfhgggim.exe 844 Dhgccbhp.exe 1100 Dkeoongd.exe 2472 Dnckki32.exe 1848 Dboglhna.exe 644 Dglpdomh.exe 2476 Dnfhqi32.exe 2500 Dbadagln.exe 372 Ddppmclb.exe 2280 Dhklna32.exe 1692 Dkjhjm32.exe 2920 Dqfabdaf.exe 2760 Dklepmal.exe 2652 Djoeki32.exe 1044 Ecgjdong.exe 792 Ejabqi32.exe 2020 Epnkip32.exe 2344 Egebjmdn.exe 2932 Embkbdce.exe 2336 Eqngcc32.exe 2816 Eclcon32.exe 2820 Ejfllhao.exe 2600 Eiilge32.exe 2308 Epcddopf.exe 3008 Emgdmc32.exe 1080 Elieipej.exe 2404 Efoifiep.exe 676 Einebddd.exe 2416 Fllaopcg.exe 1748 Fnjnkkbk.exe 1956 Faijggao.exe 2412 Fedfgejh.exe 768 Fjaoplho.exe 1952 Fnmjpk32.exe 2692 Fakglf32.exe 2612 Fcichb32.exe 2588 Fheoiqgi.exe 2936 Fjckelfm.exe 2384 Fnogfk32.exe 2996 Famcbf32.exe 3028 Fhglop32.exe 2636 Fjfhkl32.exe 2824 Fnadkjlc.exe 536 Fmddgg32.exe 2100 Fappgflg.exe 2188 Fdnlcakk.exe 2876 Fhjhdp32.exe 2024 Fjhdpk32.exe 2296 Fikelhib.exe -
Loads dropped DLL 64 IoCs
pid Process 2400 7c31839542f617a04a20322cf6a8d391d73fe489238d4b39081856f3b5e32cefN.exe 2400 7c31839542f617a04a20322cf6a8d391d73fe489238d4b39081856f3b5e32cefN.exe 2688 Ckecpjdh.exe 2688 Ckecpjdh.exe 2548 Cpbkhabp.exe 2548 Cpbkhabp.exe 2564 Cglcek32.exe 2564 Cglcek32.exe 2544 Ckhpejbf.exe 2544 Ckhpejbf.exe 3060 Cpdhna32.exe 3060 Cpdhna32.exe 1332 Cccdjl32.exe 1332 Cccdjl32.exe 2464 Cgnpjkhj.exe 2464 Cgnpjkhj.exe 2792 Clkicbfa.exe 2792 Clkicbfa.exe 2788 Cojeomee.exe 2788 Cojeomee.exe 2716 Cgqmpkfg.exe 2716 Cgqmpkfg.exe 2812 Chbihc32.exe 2812 Chbihc32.exe 1348 Cpiaipmh.exe 1348 Cpiaipmh.exe 448 Cffjagko.exe 448 Cffjagko.exe 2132 Dlpbna32.exe 2132 Dlpbna32.exe 1844 Donojm32.exe 1844 Donojm32.exe 3020 Dfhgggim.exe 3020 Dfhgggim.exe 844 Dhgccbhp.exe 844 Dhgccbhp.exe 1100 Dkeoongd.exe 1100 Dkeoongd.exe 2472 Dnckki32.exe 2472 Dnckki32.exe 1848 Dboglhna.exe 1848 Dboglhna.exe 644 Dglpdomh.exe 644 Dglpdomh.exe 2476 Dnfhqi32.exe 2476 Dnfhqi32.exe 2500 Dbadagln.exe 2500 Dbadagln.exe 372 Ddppmclb.exe 372 Ddppmclb.exe 2280 Dhklna32.exe 2280 Dhklna32.exe 1692 Dkjhjm32.exe 1692 Dkjhjm32.exe 2920 Dqfabdaf.exe 2920 Dqfabdaf.exe 2760 Dklepmal.exe 2760 Dklepmal.exe 2652 Djoeki32.exe 2652 Djoeki32.exe 1044 Ecgjdong.exe 1044 Ecgjdong.exe 792 Ejabqi32.exe 792 Ejabqi32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Jojloc32.exe Jmlobg32.exe File created C:\Windows\SysWOW64\Ccoemihm.dll Kmnlhg32.exe File opened for modification C:\Windows\SysWOW64\Fakglf32.exe Fnmjpk32.exe File opened for modification C:\Windows\SysWOW64\Hibgkjee.exe Hgckoofa.exe File opened for modification C:\Windows\SysWOW64\Hnmcli32.exe Hibgkjee.exe File created C:\Windows\SysWOW64\Faiglonh.dll Nloachkf.exe File opened for modification C:\Windows\SysWOW64\Cccdjl32.exe Cpdhna32.exe File created C:\Windows\SysWOW64\Fnadkjlc.exe Fjfhkl32.exe File created C:\Windows\SysWOW64\Iokhcodo.exe Ilmlfcel.exe File created C:\Windows\SysWOW64\Jqhdfe32.exe Jnjhjj32.exe File created C:\Windows\SysWOW64\Gbcien32.exe Fdqiiaih.exe File created C:\Windows\SysWOW64\Emdpcf32.dll Hhadgakg.exe File created C:\Windows\SysWOW64\Glfjgaih.exe Gihnkejd.exe File created C:\Windows\SysWOW64\Efbfbl32.dll Jnlepioj.exe File created C:\Windows\SysWOW64\Ejhoapqd.dll Fqhclqnc.exe File created C:\Windows\SysWOW64\Onchdkoc.dll Mmdkfmjc.exe File created C:\Windows\SysWOW64\Lpqafeln.dll Bacefpbg.exe File created C:\Windows\SysWOW64\Fmodaadg.exe Fichqckn.exe File created C:\Windows\SysWOW64\Qnogkqfo.dll Hkejnl32.exe File created C:\Windows\SysWOW64\Edjlgq32.exe Eblpke32.exe File created C:\Windows\SysWOW64\Ehfhgogp.exe Edjlgq32.exe File created C:\Windows\SysWOW64\Hfnkji32.exe Hogcil32.exe File created C:\Windows\SysWOW64\Bjfpdf32.exe Ahhchk32.exe File created C:\Windows\SysWOW64\Cpjklo32.exe Cagjqbam.exe File opened for modification C:\Windows\SysWOW64\Lhoohgdg.exe Lepclldc.exe File created C:\Windows\SysWOW64\Kljmfe32.dll Acadchoo.exe File created C:\Windows\SysWOW64\Dlmfob32.dll Liaeleak.exe File opened for modification C:\Windows\SysWOW64\Dboglhna.exe Dnckki32.exe File opened for modification C:\Windows\SysWOW64\Lcedne32.exe Kaggbihl.exe File created C:\Windows\SysWOW64\Lpnjfa32.dll Icbkhnan.exe File opened for modification C:\Windows\SysWOW64\Ndiomdde.exe Nlbgkgcc.exe File opened for modification C:\Windows\SysWOW64\Jbcgeilh.exe Jngkdj32.exe File opened for modification C:\Windows\SysWOW64\Lekcffem.exe Laogfg32.exe File opened for modification C:\Windows\SysWOW64\Ofdeeb32.exe Ogaeieoj.exe File created C:\Windows\SysWOW64\Gaocdi32.dll Acohnhab.exe File opened for modification C:\Windows\SysWOW64\Jjfmem32.exe Jkcmjpma.exe File created C:\Windows\SysWOW64\Peqhgmdd.exe Pfnhkq32.exe File created C:\Windows\SysWOW64\Fbflbd32.dll Bhmmcjjd.exe File opened for modification C:\Windows\SysWOW64\Dljngoea.exe Djlbkcfn.exe File opened for modification C:\Windows\SysWOW64\Enenef32.exe Ejiadgkl.exe File created C:\Windows\SysWOW64\Fladmn32.exe Fmodaadg.exe File created C:\Windows\SysWOW64\Mdgbdihl.dll Gminbfoh.exe File created C:\Windows\SysWOW64\Edoblfhf.dll Ghekhd32.exe File opened for modification C:\Windows\SysWOW64\Gahpkd32.exe Gnicoh32.exe File created C:\Windows\SysWOW64\Fngooj32.dll Qmepanje.exe File created C:\Windows\SysWOW64\Lpfhlhbn.dll Fnbmoi32.exe File opened for modification C:\Windows\SysWOW64\Gfgdij32.exe Gdihmo32.exe File opened for modification C:\Windows\SysWOW64\Kfopdk32.exe Kcpcho32.exe File created C:\Windows\SysWOW64\Gfcdcl32.dll Llbnnq32.exe File created C:\Windows\SysWOW64\Dhklna32.exe Ddppmclb.exe File opened for modification C:\Windows\SysWOW64\Dhklna32.exe Ddppmclb.exe File opened for modification C:\Windows\SysWOW64\Kggfnoch.exe Kopnma32.exe File created C:\Windows\SysWOW64\Hoalia32.exe Hlbpme32.exe File created C:\Windows\SysWOW64\Efpbih32.exe Ecbfmm32.exe File created C:\Windows\SysWOW64\Gmgnmlma.dll Gfgdij32.exe File created C:\Windows\SysWOW64\Amglgn32.exe Ajipkb32.exe File opened for modification C:\Windows\SysWOW64\Ecoihm32.exe Edmilpld.exe File created C:\Windows\SysWOW64\Ojbnkp32.exe Ofgbkacb.exe File created C:\Windows\SysWOW64\Ipfkabpg.exe Ilkpac32.exe File opened for modification C:\Windows\SysWOW64\Gnlpeh32.exe Gfdhck32.exe File created C:\Windows\SysWOW64\Fdqiiaih.exe Fabmmejd.exe File created C:\Windows\SysWOW64\Doijgpba.dll Pqgilnji.exe File created C:\Windows\SysWOW64\Ogohdeam.exe Occlcg32.exe File opened for modification C:\Windows\SysWOW64\Ddppmclb.exe Dbadagln.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7120 6968 WerFault.exe 685 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkjhjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqngcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilgjhena.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajgfboj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhleaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gamifcmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdhnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcedne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajdcofop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cabaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfqiingf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clkicbfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnogfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chabmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inebpgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndgbgefh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmibmhoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fladmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpmpnmck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhnnnbaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obnbpb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gihnkejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngkdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgiobadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liblfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nikkkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmggllha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nphpng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Peqhgmdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdplfflp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqpebg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfpjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eblpke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcleiclo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedifo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nldcagaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgkbjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noagjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnnkec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hilgfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfhmehji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Limhpihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbffjmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoalia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcfgoadd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Binikb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkmncl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqhclqnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcngcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgfiocfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjgcecja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbmco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbdcepcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ockbdebl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnlnpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djghpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dljngoea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hclhjpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdlacfca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bodhjdcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqhdfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Golgon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inmpklpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkhdnh32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Famcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acadchoo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Admgglep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdamao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gabmfl32.dll" Dcbjni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhadgakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eclcon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dncdqcbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haleefoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojqeofnd.dll" Nklaipbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqmice32.dll" Iadbqlmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akeaja32.dll" Dlchfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmodaadg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fblljhbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkejnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmkafhnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfhgggim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hflndjin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hechkfkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qchjfo32.dll" Nhhominh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggcghg32.dll" Gfiaojkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmijajbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pigklmqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aebakp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cabaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohkdfhge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjbcnmen.dll" Pbgefa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qfikod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpenafkn.dll" Kioiffcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmogpj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdnibdmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnqjk32.dll" Kkefoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpmknp32.dll" Apfici32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khpbbn32.dll" Ckkenikc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqmnadlk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjpmdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijopjhfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlecmb32.dll" Feobac32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Monjcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnckki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nljhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfggne32.dll" Ffeldglk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlgdhcmb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nggkipci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igcgnbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oellihpf.dll" Qnpcpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Alofnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hilgfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljfnnkkc.dll" Kfgjdlme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifefbd32.dll" Ddhcbnnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lncicbma.dll" Enbapf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ipkema32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhllnk32.dll" Hnkffi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfojpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkmldbcj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mbdcepcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Codeih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpimbcnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Memlki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhfjadim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doahjaco.dll" Jgbmco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfgjdlme.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljcbcngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmfgkh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2400 wrote to memory of 2688 2400 7c31839542f617a04a20322cf6a8d391d73fe489238d4b39081856f3b5e32cefN.exe 30 PID 2400 wrote to memory of 2688 2400 7c31839542f617a04a20322cf6a8d391d73fe489238d4b39081856f3b5e32cefN.exe 30 PID 2400 wrote to memory of 2688 2400 7c31839542f617a04a20322cf6a8d391d73fe489238d4b39081856f3b5e32cefN.exe 30 PID 2400 wrote to memory of 2688 2400 7c31839542f617a04a20322cf6a8d391d73fe489238d4b39081856f3b5e32cefN.exe 30 PID 2688 wrote to memory of 2548 2688 Ckecpjdh.exe 31 PID 2688 wrote to memory of 2548 2688 Ckecpjdh.exe 31 PID 2688 wrote to memory of 2548 2688 Ckecpjdh.exe 31 PID 2688 wrote to memory of 2548 2688 Ckecpjdh.exe 31 PID 2548 wrote to memory of 2564 2548 Cpbkhabp.exe 32 PID 2548 wrote to memory of 2564 2548 Cpbkhabp.exe 32 PID 2548 wrote to memory of 2564 2548 Cpbkhabp.exe 32 PID 2548 wrote to memory of 2564 2548 Cpbkhabp.exe 32 PID 2564 wrote to memory of 2544 2564 Cglcek32.exe 33 PID 2564 wrote to memory of 2544 2564 Cglcek32.exe 33 PID 2564 wrote to memory of 2544 2564 Cglcek32.exe 33 PID 2564 wrote to memory of 2544 2564 Cglcek32.exe 33 PID 2544 wrote to memory of 3060 2544 Ckhpejbf.exe 34 PID 2544 wrote to memory of 3060 2544 Ckhpejbf.exe 34 PID 2544 wrote to memory of 3060 2544 Ckhpejbf.exe 34 PID 2544 wrote to memory of 3060 2544 Ckhpejbf.exe 34 PID 3060 wrote to memory of 1332 3060 Cpdhna32.exe 35 PID 3060 wrote to memory of 1332 3060 Cpdhna32.exe 35 PID 3060 wrote to memory of 1332 3060 Cpdhna32.exe 35 PID 3060 wrote to memory of 1332 3060 Cpdhna32.exe 35 PID 1332 wrote to memory of 2464 1332 Cccdjl32.exe 36 PID 1332 wrote to memory of 2464 1332 Cccdjl32.exe 36 PID 1332 wrote to memory of 2464 1332 Cccdjl32.exe 36 PID 1332 wrote to memory of 2464 1332 Cccdjl32.exe 36 PID 2464 wrote to memory of 2792 2464 Cgnpjkhj.exe 37 PID 2464 wrote to memory of 2792 2464 Cgnpjkhj.exe 37 PID 2464 wrote to memory of 2792 2464 Cgnpjkhj.exe 37 PID 2464 wrote to memory of 2792 2464 Cgnpjkhj.exe 37 PID 2792 wrote to memory of 2788 2792 Clkicbfa.exe 38 PID 2792 wrote to memory of 2788 2792 Clkicbfa.exe 38 PID 2792 wrote to memory of 2788 2792 Clkicbfa.exe 38 PID 2792 wrote to memory of 2788 2792 Clkicbfa.exe 38 PID 2788 wrote to memory of 2716 2788 Cojeomee.exe 39 PID 2788 wrote to memory of 2716 2788 Cojeomee.exe 39 PID 2788 wrote to memory of 2716 2788 Cojeomee.exe 39 PID 2788 wrote to memory of 2716 2788 Cojeomee.exe 39 PID 2716 wrote to memory of 2812 2716 Cgqmpkfg.exe 40 PID 2716 wrote to memory of 2812 2716 Cgqmpkfg.exe 40 PID 2716 wrote to memory of 2812 2716 Cgqmpkfg.exe 40 PID 2716 wrote to memory of 2812 2716 Cgqmpkfg.exe 40 PID 2812 wrote to memory of 1348 2812 Chbihc32.exe 41 PID 2812 wrote to memory of 1348 2812 Chbihc32.exe 41 PID 2812 wrote to memory of 1348 2812 Chbihc32.exe 41 PID 2812 wrote to memory of 1348 2812 Chbihc32.exe 41 PID 1348 wrote to memory of 448 1348 Cpiaipmh.exe 42 PID 1348 wrote to memory of 448 1348 Cpiaipmh.exe 42 PID 1348 wrote to memory of 448 1348 Cpiaipmh.exe 42 PID 1348 wrote to memory of 448 1348 Cpiaipmh.exe 42 PID 448 wrote to memory of 2132 448 Cffjagko.exe 43 PID 448 wrote to memory of 2132 448 Cffjagko.exe 43 PID 448 wrote to memory of 2132 448 Cffjagko.exe 43 PID 448 wrote to memory of 2132 448 Cffjagko.exe 43 PID 2132 wrote to memory of 1844 2132 Dlpbna32.exe 44 PID 2132 wrote to memory of 1844 2132 Dlpbna32.exe 44 PID 2132 wrote to memory of 1844 2132 Dlpbna32.exe 44 PID 2132 wrote to memory of 1844 2132 Dlpbna32.exe 44 PID 1844 wrote to memory of 3020 1844 Donojm32.exe 45 PID 1844 wrote to memory of 3020 1844 Donojm32.exe 45 PID 1844 wrote to memory of 3020 1844 Donojm32.exe 45 PID 1844 wrote to memory of 3020 1844 Donojm32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7c31839542f617a04a20322cf6a8d391d73fe489238d4b39081856f3b5e32cefN.exe"C:\Users\Admin\AppData\Local\Temp\7c31839542f617a04a20322cf6a8d391d73fe489238d4b39081856f3b5e32cefN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2400 -
C:\Windows\SysWOW64\Ckecpjdh.exeC:\Windows\system32\Ckecpjdh.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Cpbkhabp.exeC:\Windows\system32\Cpbkhabp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Cglcek32.exeC:\Windows\system32\Cglcek32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Ckhpejbf.exeC:\Windows\system32\Ckhpejbf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Cpdhna32.exeC:\Windows\system32\Cpdhna32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Cccdjl32.exeC:\Windows\system32\Cccdjl32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\Cgnpjkhj.exeC:\Windows\system32\Cgnpjkhj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Clkicbfa.exeC:\Windows\system32\Clkicbfa.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Cojeomee.exeC:\Windows\system32\Cojeomee.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Cgqmpkfg.exeC:\Windows\system32\Cgqmpkfg.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Chbihc32.exeC:\Windows\system32\Chbihc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Cpiaipmh.exeC:\Windows\system32\Cpiaipmh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1348 -
C:\Windows\SysWOW64\Cffjagko.exeC:\Windows\system32\Cffjagko.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Dlpbna32.exeC:\Windows\system32\Dlpbna32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Donojm32.exeC:\Windows\system32\Donojm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1844 -
C:\Windows\SysWOW64\Dfhgggim.exeC:\Windows\system32\Dfhgggim.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Dhgccbhp.exeC:\Windows\system32\Dhgccbhp.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Dkeoongd.exeC:\Windows\system32\Dkeoongd.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1100 -
C:\Windows\SysWOW64\Dnckki32.exeC:\Windows\system32\Dnckki32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2472 -
C:\Windows\SysWOW64\Dboglhna.exeC:\Windows\system32\Dboglhna.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Dglpdomh.exeC:\Windows\system32\Dglpdomh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:644 -
C:\Windows\SysWOW64\Dnfhqi32.exeC:\Windows\system32\Dnfhqi32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2476 -
C:\Windows\SysWOW64\Dbadagln.exeC:\Windows\system32\Dbadagln.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Ddppmclb.exeC:\Windows\system32\Ddppmclb.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:372 -
C:\Windows\SysWOW64\Dhklna32.exeC:\Windows\system32\Dhklna32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Dkjhjm32.exeC:\Windows\system32\Dkjhjm32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\Dqfabdaf.exeC:\Windows\system32\Dqfabdaf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Dklepmal.exeC:\Windows\system32\Dklepmal.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Djoeki32.exeC:\Windows\system32\Djoeki32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2652 -
C:\Windows\SysWOW64\Ecgjdong.exeC:\Windows\system32\Ecgjdong.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1044 -
C:\Windows\SysWOW64\Ejabqi32.exeC:\Windows\system32\Ejabqi32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:792 -
C:\Windows\SysWOW64\Epnkip32.exeC:\Windows\system32\Epnkip32.exe33⤵
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Egebjmdn.exeC:\Windows\system32\Egebjmdn.exe34⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Embkbdce.exeC:\Windows\system32\Embkbdce.exe35⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Eqngcc32.exeC:\Windows\system32\Eqngcc32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Eclcon32.exeC:\Windows\system32\Eclcon32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Ejfllhao.exeC:\Windows\system32\Ejfllhao.exe38⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Eiilge32.exeC:\Windows\system32\Eiilge32.exe39⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Epcddopf.exeC:\Windows\system32\Epcddopf.exe40⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Emgdmc32.exeC:\Windows\system32\Emgdmc32.exe41⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Elieipej.exeC:\Windows\system32\Elieipej.exe42⤵
- Executes dropped EXE
PID:1080 -
C:\Windows\SysWOW64\Efoifiep.exeC:\Windows\system32\Efoifiep.exe43⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Einebddd.exeC:\Windows\system32\Einebddd.exe44⤵
- Executes dropped EXE
PID:676 -
C:\Windows\SysWOW64\Fllaopcg.exeC:\Windows\system32\Fllaopcg.exe45⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Fnjnkkbk.exeC:\Windows\system32\Fnjnkkbk.exe46⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Faijggao.exeC:\Windows\system32\Faijggao.exe47⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Fedfgejh.exeC:\Windows\system32\Fedfgejh.exe48⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Fjaoplho.exeC:\Windows\system32\Fjaoplho.exe49⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Fnmjpk32.exeC:\Windows\system32\Fnmjpk32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Fakglf32.exeC:\Windows\system32\Fakglf32.exe51⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Fcichb32.exeC:\Windows\system32\Fcichb32.exe52⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Fheoiqgi.exeC:\Windows\system32\Fheoiqgi.exe53⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Fjckelfm.exeC:\Windows\system32\Fjckelfm.exe54⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Fnogfk32.exeC:\Windows\system32\Fnogfk32.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\Famcbf32.exeC:\Windows\system32\Famcbf32.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2996 -
C:\Windows\SysWOW64\Fhglop32.exeC:\Windows\system32\Fhglop32.exe57⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Fjfhkl32.exeC:\Windows\system32\Fjfhkl32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Fnadkjlc.exeC:\Windows\system32\Fnadkjlc.exe59⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Fmddgg32.exeC:\Windows\system32\Fmddgg32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:536 -
C:\Windows\SysWOW64\Fappgflg.exeC:\Windows\system32\Fappgflg.exe61⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Fdnlcakk.exeC:\Windows\system32\Fdnlcakk.exe62⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Fhjhdp32.exeC:\Windows\system32\Fhjhdp32.exe63⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Fjhdpk32.exeC:\Windows\system32\Fjhdpk32.exe64⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Fikelhib.exeC:\Windows\system32\Fikelhib.exe65⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Fmfalg32.exeC:\Windows\system32\Fmfalg32.exe66⤵PID:1468
-
C:\Windows\SysWOW64\Fabmmejd.exeC:\Windows\system32\Fabmmejd.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2036 -
C:\Windows\SysWOW64\Fdqiiaih.exeC:\Windows\system32\Fdqiiaih.exe68⤵
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Gbcien32.exeC:\Windows\system32\Gbcien32.exe69⤵PID:1580
-
C:\Windows\SysWOW64\Gjjafkpe.exeC:\Windows\system32\Gjjafkpe.exe70⤵PID:2388
-
C:\Windows\SysWOW64\Gjjafkpe.exeC:\Windows\system32\Gjjafkpe.exe71⤵PID:2712
-
C:\Windows\SysWOW64\Gminbfoh.exeC:\Windows\system32\Gminbfoh.exe72⤵
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Gpgjnbnl.exeC:\Windows\system32\Gpgjnbnl.exe73⤵PID:1772
-
C:\Windows\SysWOW64\Gbffjmmp.exeC:\Windows\system32\Gbffjmmp.exe74⤵
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Gfabkl32.exeC:\Windows\system32\Gfabkl32.exe75⤵PID:2892
-
C:\Windows\SysWOW64\Gipngg32.exeC:\Windows\system32\Gipngg32.exe76⤵PID:2952
-
C:\Windows\SysWOW64\Glnkcc32.exeC:\Windows\system32\Glnkcc32.exe77⤵PID:592
-
C:\Windows\SysWOW64\Gpjfcali.exeC:\Windows\system32\Gpjfcali.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1152 -
C:\Windows\SysWOW64\Golgon32.exeC:\Windows\system32\Golgon32.exe79⤵
- System Location Discovery: System Language Discovery
PID:2508 -
C:\Windows\SysWOW64\Gfcopl32.exeC:\Windows\system32\Gfcopl32.exe80⤵PID:316
-
C:\Windows\SysWOW64\Gefolhja.exeC:\Windows\system32\Gefolhja.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2152 -
C:\Windows\SysWOW64\Gibkmgcj.exeC:\Windows\system32\Gibkmgcj.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1652 -
C:\Windows\SysWOW64\Ghekhd32.exeC:\Windows\system32\Ghekhd32.exe83⤵
- Drops file in System32 directory
PID:2372 -
C:\Windows\SysWOW64\Gplcia32.exeC:\Windows\system32\Gplcia32.exe84⤵PID:2436
-
C:\Windows\SysWOW64\Gbjpem32.exeC:\Windows\system32\Gbjpem32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756 -
C:\Windows\SysWOW64\Gampaipe.exeC:\Windows\system32\Gampaipe.exe86⤵PID:2840
-
C:\Windows\SysWOW64\Geilah32.exeC:\Windows\system32\Geilah32.exe87⤵PID:2984
-
C:\Windows\SysWOW64\Ghghnc32.exeC:\Windows\system32\Ghghnc32.exe88⤵PID:2212
-
C:\Windows\SysWOW64\Glbdnbpk.exeC:\Windows\system32\Glbdnbpk.exe89⤵PID:2592
-
C:\Windows\SysWOW64\Gkedjo32.exeC:\Windows\system32\Gkedjo32.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2888 -
C:\Windows\SysWOW64\Goapjnoo.exeC:\Windows\system32\Goapjnoo.exe91⤵PID:2324
-
C:\Windows\SysWOW64\Gbmlkl32.exeC:\Windows\system32\Gbmlkl32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Gekhgh32.exeC:\Windows\system32\Gekhgh32.exe93⤵PID:2200
-
C:\Windows\SysWOW64\Gdnibdmf.exeC:\Windows\system32\Gdnibdmf.exe94⤵
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Gleqdb32.exeC:\Windows\system32\Gleqdb32.exe95⤵PID:1072
-
C:\Windows\SysWOW64\Hocmpm32.exeC:\Windows\system32\Hocmpm32.exe96⤵PID:608
-
C:\Windows\SysWOW64\Hememgdi.exeC:\Windows\system32\Hememgdi.exe97⤵PID:1572
-
C:\Windows\SysWOW64\Hdpehd32.exeC:\Windows\system32\Hdpehd32.exe98⤵PID:2360
-
C:\Windows\SysWOW64\Hhlaiccm.exeC:\Windows\system32\Hhlaiccm.exe99⤵PID:2836
-
C:\Windows\SysWOW64\Hkjnenbp.exeC:\Windows\system32\Hkjnenbp.exe100⤵PID:2860
-
C:\Windows\SysWOW64\Hmijajbd.exeC:\Windows\system32\Hmijajbd.exe101⤵
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Hadfah32.exeC:\Windows\system32\Hadfah32.exe102⤵PID:1300
-
C:\Windows\SysWOW64\Hpgfmeag.exeC:\Windows\system32\Hpgfmeag.exe103⤵PID:976
-
C:\Windows\SysWOW64\Hdbbnd32.exeC:\Windows\system32\Hdbbnd32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1416 -
C:\Windows\SysWOW64\Hhnnnbaj.exeC:\Windows\system32\Hhnnnbaj.exe105⤵
- System Location Discovery: System Language Discovery
PID:856 -
C:\Windows\SysWOW64\Hganjo32.exeC:\Windows\system32\Hganjo32.exe106⤵PID:2228
-
C:\Windows\SysWOW64\Hipkfkgh.exeC:\Windows\system32\Hipkfkgh.exe107⤵PID:1268
-
C:\Windows\SysWOW64\Hnkffi32.exeC:\Windows\system32\Hnkffi32.exe108⤵
- Modifies registry class
PID:300 -
C:\Windows\SysWOW64\Hafbghhj.exeC:\Windows\system32\Hafbghhj.exe109⤵PID:1620
-
C:\Windows\SysWOW64\Hdeoccgn.exeC:\Windows\system32\Hdeoccgn.exe110⤵PID:2568
-
C:\Windows\SysWOW64\Hgckoofa.exeC:\Windows\system32\Hgckoofa.exe111⤵
- Drops file in System32 directory
PID:2604 -
C:\Windows\SysWOW64\Hibgkjee.exeC:\Windows\system32\Hibgkjee.exe112⤵
- Drops file in System32 directory
PID:2576 -
C:\Windows\SysWOW64\Hnmcli32.exeC:\Windows\system32\Hnmcli32.exe113⤵PID:3068
-
C:\Windows\SysWOW64\Hlpchfdi.exeC:\Windows\system32\Hlpchfdi.exe114⤵PID:2176
-
C:\Windows\SysWOW64\Hplphd32.exeC:\Windows\system32\Hplphd32.exe115⤵PID:2864
-
C:\Windows\SysWOW64\Hcjldp32.exeC:\Windows\system32\Hcjldp32.exe116⤵PID:1240
-
C:\Windows\SysWOW64\Hgfheodo.exeC:\Windows\system32\Hgfheodo.exe117⤵PID:2808
-
C:\Windows\SysWOW64\Hehhqk32.exeC:\Windows\system32\Hehhqk32.exe118⤵PID:2004
-
C:\Windows\SysWOW64\Hnppaill.exeC:\Windows\system32\Hnppaill.exe119⤵PID:1508
-
C:\Windows\SysWOW64\Hlbpme32.exeC:\Windows\system32\Hlbpme32.exe120⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Hoalia32.exeC:\Windows\system32\Hoalia32.exe121⤵
- System Location Discovery: System Language Discovery
PID:2660
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-