Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 129s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 09/10/2024, 00:44
Static task: static1
Behavioral task: behavioral1
Sample: 8ff0fb0cd3738c591e2ac33d15b8196a972f11671ba9ef9c8fd2275a9c641d3a.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 8ff0fb0cd3738c591e2ac33d15b8196a972f11671ba9ef9c8fd2275a9c641d3a.exe
Resource: win10v2004-20241007-en
General
Target: 8ff0fb0cd3738c591e2ac33d15b8196a972f11671ba9ef9c8fd2275a9c641d3a.exe
Size: 79KB
MD5: 7fdba8fac68153d10a523c90c4d1c73a
SHA1: 524dc7dbac070b6b2c0d38f28146e42abc36b536
SHA256: 8ff0fb0cd3738c591e2ac33d15b8196a972f11671ba9ef9c8fd2275a9c641d3a
SHA512: 7a34af35ce34bf38d02b70c774c18e48df952c8360d5c13c30b87d6daf80f63c8a327cda38e8fa1bbc9025c77f4d760cd0ed45aefeb7f4a39629ec222e02b60b
SSDEEP: 1536:J4IOPlqW0mYh1fkXXbNUEQiFkSIgiItKq9v6DK:G/gkZUEQixtBtKq9vV
Malware Config
Extracted family: berbew
URLs:
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
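The extracted configuration above is a list of URLs, and for hunting it is most useful reduced to a set of hostnames. The following PowerShell is an added example, not part of the tria.ge report: it takes a subset of those URLs, keeps only the host part (the same host appears with both /index.php and /index.htm, so the path carries no signal), and matches DNS query records against the indicators with exact or subdomain matching. The log records are constructed for the example and their layout (timestamp, client IP, query name) is an assumption, not any real product's format.

```powershell
# Added example, not part of the tria.ge report. Turns extracted Berbew config
# URLs into host indicators and matches them against DNS query records.

# Subset of the URLs listed under "Malware Config" above.
$ConfigUrls = @(
    'http://crutop.nu/index.php',
    'http://mazafaka.ru/index.php',
    'http://color-bank.ru/index.php',
    'http://www.redline.ru/index.php',
    'http://lovingod.host.sk/index.php',
    'http://cvv.ru/index.htm',
    'http://gaz-prom.ru/index.htm'
)

function Get-IocHosts {
    param([string[]]$Urls)
    # Keep only the host part, lower-cased and de-duplicated.
    $Urls | ForEach-Object { ([uri]$_).Host.ToLowerInvariant() } | Sort-Object -Unique
}

function Test-IocHost {
    param([string]$QueryName, [string[]]$IocHosts)
    # Exact match or a subdomain of an indicator: "www.cvv.ru" hits "cvv.ru",
    # "notcrutop.nu" does not hit "crutop.nu". A trailing dot (FQDN form) is
    # stripped before comparing.
    $q = $QueryName.TrimEnd('.').ToLowerInvariant()
    foreach ($h in $IocHosts) {
        if ($q -eq $h -or $q.EndsWith(".$h")) { return $h }
    }
    return $null
}

# Constructed sample records (assumed layout: timestamp, client IP, query name).
$SampleLog = @(
    '2024-10-09T00:45:01Z 10.0.0.15 crutop.nu',
    '2024-10-09T00:45:02Z 10.0.0.15 www.cvv.ru',
    '2024-10-09T00:45:03Z 10.0.0.22 update.microsoft.com',
    '2024-10-09T00:45:04Z 10.0.0.15 notcrutop.nu',
    '2024-10-09T00:45:05Z 10.0.0.31 lovingod.host.sk.'
)

$Iocs = Get-IocHosts -Urls $ConfigUrls
foreach ($line in $SampleLog) {
    $ts, $client, $query = $line -split '\s+', 3
    $hit = Test-IocHost -QueryName $query -IocHosts $Iocs
    if ($hit) {
        '{0} {1} queried {2} (matches indicator {3})' -f $ts, $client, $query, $hit
    }
}
```

To use it against real data, replace $SampleLog with lines read from the DNS or proxy export and adjust the split to that format; the suffix check in Test-IocHost is what prevents a host such as notcrutop.nu from being counted as a hit on crutop.nu.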
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Odlpfblm.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mqcnjnol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bcnmdend.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mlhmhb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bbggdf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Mncdhc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Epgqddoh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Hcmajo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dggenkmf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ebdffijp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Oopocfgl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Giglnm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Eiclop32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jpboan32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mknbmm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bejlkaoj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfconhmc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Mdpbnlbe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ahgpbj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Meqciqhp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pmngef32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jppbkoaf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Nblpbeob.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Jodfilko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Lbghpjih.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aeifogee.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gliomp32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dapbdocn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Cnlcoage.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aldhih32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Adfboa32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gknjecab.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Bjillfhl.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gckfmc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Kfmlojfi.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Emkanhnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Dninfgol.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Pjahnk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" | Ddikjh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Process not Found
Executes dropped EXE (64 IoCs)
pid | Process
2940 | Hebckd32.exe
2208 | Ieepad32.exe
936 | Idjlbqmb.exe
2768 | Imenpfap.exe
2816 | Jfoookfn.exe
2568 | Jokccnci.exe
2536 | Jbhlilip.exe
3040 | Joomnm32.exe
1868 | Jndjoi32.exe
1796 | Jodfilko.exe
1144 | Khlkba32.exe
1440 | Kdckgc32.exe
1736 | Kjbqei32.exe
1812 | Kfiajj32.exe
1912 | Kpoegc32.exe
1320 | Llefld32.exe
1752 | Lkkcmqcn.exe
112 | Lfpgkicd.exe
2132 | Lbghpjih.exe
1724 | Ldhaaefi.exe
932 | Lnpejklj.exe
612 | Mnbbpkjg.exe
2068 | Mbdhinmf.exe
1856 | Mfbqol32.exe
2168 | Nbknjm32.exe
1568 | Njfbno32.exe
1616 | Neocahbm.exe
2076 | Nmjhejph.exe
2740 | Ofdicodf.exe
2960 | Olablfbm.exe
2916 | Olfkge32.exe
2780 | Oodhca32.exe
2572 | Oijlpjma.exe
3048 | Pagmjlhj.exe
2932 | Qagiio32.exe
836 | Qokjcc32.exe
544 | Alojlgii.exe
1212 | Aopcnbfj.exe
2848 | Akfdcckn.exe
1420 | Aqcmkjje.exe
1820 | Akiahcik.exe
2188 | Bcfbbe32.exe
1500 | Bqjcli32.exe
1316 | Boppmf32.exe
960 | Bmcpfj32.exe
2148 | Bbpioa32.exe
572 | Bkimgflg.exe
2300 | Beaaplbg.exe
1536 | Cbebjpaa.exe
2472 | Cnlcoage.exe
1560 | Cefkkk32.exe
2732 | Cgdggg32.exe
2696 | Cnnpdaeb.exe
2804 | Cgfdmf32.exe
2540 | Caohfl32.exe
2660 | Cflanc32.exe
3016 | Clhifj32.exe
1872 | Dmhfpmee.exe
2020 | Doibhekc.exe
852 | Dpiobh32.exe
2224 | Deegjo32.exe
2764 | Dalhop32.exe
2864 | Dlblmh32.exe
976 | Dejqenmh.exe
Loads dropped DLL (64 IoCs)
pid | Process
2316 | 8ff0fb0cd3738c591e2ac33d15b8196a972f11671ba9ef9c8fd2275a9c641d3a.exe
2316 | 8ff0fb0cd3738c591e2ac33d15b8196a972f11671ba9ef9c8fd2275a9c641d3a.exe
2940 | Hebckd32.exe
2940 | Hebckd32.exe
2208 | Ieepad32.exe
2208 | Ieepad32.exe
936 | Idjlbqmb.exe
936 | Idjlbqmb.exe
2768 | Imenpfap.exe
2768 | Imenpfap.exe
2816 | Jfoookfn.exe
2816 | Jfoookfn.exe
2568 | Jokccnci.exe
2568 | Jokccnci.exe
2536 | Jbhlilip.exe
2536 | Jbhlilip.exe
3040 | Joomnm32.exe
3040 | Joomnm32.exe
1868 | Jndjoi32.exe
1868 | Jndjoi32.exe
1796 | Jodfilko.exe
1796 | Jodfilko.exe
1144 | Khlkba32.exe
1144 | Khlkba32.exe
1440 | Kdckgc32.exe
1440 | Kdckgc32.exe
1736 | Kjbqei32.exe
1736 | Kjbqei32.exe
1812 | Kfiajj32.exe
1812 | Kfiajj32.exe
1912 | Kpoegc32.exe
1912 | Kpoegc32.exe
1320 | Llefld32.exe
1320 | Llefld32.exe
1752 | Lkkcmqcn.exe
1752 | Lkkcmqcn.exe
112 | Lfpgkicd.exe
112 | Lfpgkicd.exe
2132 | Lbghpjih.exe
2132 | Lbghpjih.exe
1724 | Ldhaaefi.exe
1724 | Ldhaaefi.exe
932 | Lnpejklj.exe
932 | Lnpejklj.exe
612 | Mnbbpkjg.exe
612 | Mnbbpkjg.exe
2068 | Mbdhinmf.exe
2068 | Mbdhinmf.exe
1856 | Mfbqol32.exe
1856 | Mfbqol32.exe
2168 | Nbknjm32.exe
2168 | Nbknjm32.exe
1568 | Njfbno32.exe
1568 | Njfbno32.exe
1616 | Neocahbm.exe
1616 | Neocahbm.exe
2076 | Nmjhejph.exe
2076 | Nmjhejph.exe
2740 | Ofdicodf.exe
2740 | Ofdicodf.exe
2960 | Olablfbm.exe
2960 | Olablfbm.exe
2916 | Olfkge32.exe
2916 | Olfkge32.exe
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File created | C:\Windows\SysWOW64\Hmpifh32.dll | Process not Found
File created | C:\Windows\SysWOW64\Jcncfh32.exe | Process not Found
File created | C:\Windows\SysWOW64\Jkjfpe32.exe | Infefqkg.exe
File created | C:\Windows\SysWOW64\Gckadb32.dll | Pbkbff32.exe
File opened for modification | C:\Windows\SysWOW64\Fcbicj32.exe | Process not Found
File created | C:\Windows\SysWOW64\Ianfppgm.dll | Process not Found
File created | C:\Windows\SysWOW64\Nknoahbi.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Kjeicm32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Cbgjpo32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Cfimnmoa.exe | Ckciqdol.exe
File opened for modification | C:\Windows\SysWOW64\Ppdbepon.exe | Ppafopqq.exe
File created | C:\Windows\SysWOW64\Pjbambmm.dll | Process not Found
File created | C:\Windows\SysWOW64\Npmchfjp.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Jinmco32.exe | Jpfikjfe.exe
File created | C:\Windows\SysWOW64\Qldkkhom.dll | Fbddne32.exe
File opened for modification | C:\Windows\SysWOW64\Llkfan32.exe | Lgpjaohd.exe
File created | C:\Windows\SysWOW64\Bjgoff32.exe | Bhecnndq.exe
File opened for modification | C:\Windows\SysWOW64\Domdkjoc.exe | Process not Found
File created | C:\Windows\SysWOW64\Mhhhhh32.exe | Process not Found
File created | C:\Windows\SysWOW64\Phifln32.dll | Fddcqm32.exe
File opened for modification | C:\Windows\SysWOW64\Qgmhknih.exe | Qobcfklm.exe
File created | C:\Windows\SysWOW64\Lebocakp.dll | Process not Found
File created | C:\Windows\SysWOW64\Moojopam.dll | Amhafpgg.exe
File created | C:\Windows\SysWOW64\Ilkdpe32.exe | Process not Found
File created | C:\Windows\SysWOW64\Ojgnpb32.exe | Process not Found
File created | C:\Windows\SysWOW64\Cdnoiojm.dll | Process not Found
File created | C:\Windows\SysWOW64\Aldllmnd.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Hefmba32.exe | Process not Found
File created | C:\Windows\SysWOW64\Cmpbdmob.dll | Process not Found
File created | C:\Windows\SysWOW64\Lbgnie32.dll | Jkegigal.exe
File opened for modification | C:\Windows\SysWOW64\Hgjdecca.exe | Honpqaff.exe
File opened for modification | C:\Windows\SysWOW64\Bmbinpnd.exe | Process not Found
File created | C:\Windows\SysWOW64\Bjbdnb32.exe | Bdhlahfn.exe
File opened for modification | C:\Windows\SysWOW64\Pcapkl32.exe | Okfkgiah.exe
File created | C:\Windows\SysWOW64\Fjlogk32.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Ncnbgc32.exe | Process not Found
File created | C:\Windows\SysWOW64\Aenkmf32.dll | Lkkcmqcn.exe
File opened for modification | C:\Windows\SysWOW64\Hpgcfmge.exe | Hnegod32.exe
File created | C:\Windows\SysWOW64\Jjeank32.dll | Qjmodpoe.exe
File opened for modification | C:\Windows\SysWOW64\Koodlbeh.exe | Kheloh32.exe
File created | C:\Windows\SysWOW64\Edcgcfhl.exe | Process not Found
File created | C:\Windows\SysWOW64\Mfkjeoak.dll | Process not Found
File created | C:\Windows\SysWOW64\Lfmjgf32.exe | Lqqboo32.exe
File created | C:\Windows\SysWOW64\Hiafac32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Nbpipa32.exe | Process not Found
File created | C:\Windows\SysWOW64\Opjpqk32.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Djfhoqgn.exe | Process not Found
File opened for modification | C:\Windows\SysWOW64\Kpajam32.exe | Process not Found
File created | C:\Windows\SysWOW64\Knbgec32.dll | Pkhagodb.exe
File created | C:\Windows\SysWOW64\Bodblh32.dll | Nkgcic32.exe
File created | C:\Windows\SysWOW64\Palfgg32.exe | Ppjjpoih.exe
File created | C:\Windows\SysWOW64\Ipocfobh.exe | Iggomj32.exe
File created | C:\Windows\SysWOW64\Iihlnppa.dll | Mhddln32.exe
File created | C:\Windows\SysWOW64\Epppaa32.dll | Process not Found
File created | C:\Windows\SysWOW64\Ajcldi32.dll | Process not Found
File created | C:\Windows\SysWOW64\Fejloiok.dll | Process not Found
File created | C:\Windows\SysWOW64\Eheeqgmn.exe | Eloekf32.exe
File created | C:\Windows\SysWOW64\Gfncngco.dll | Emifaa32.exe
File created | C:\Windows\SysWOW64\Pkpoqlkj.dll | Gliomp32.exe
File opened for modification | C:\Windows\SysWOW64\Fhfhip32.exe | Ealpmeme.exe
File created | C:\Windows\SysWOW64\Cfdjbm32.dll | Process not Found
File created | C:\Windows\SysWOW64\Mabghlcm.dll | Process not Found
File opened for modification | C:\Windows\SysWOW64\Fpcgji32.exe | Eheeqgmn.exe
File created | C:\Windows\SysWOW64\Fhfhip32.exe | Ealpmeme.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3204 | 1964 | Process not Found | 1814
System Location Discovery: System Language Discovery (1 TTPs, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nclfpg32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pnalqqbf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cmggkmfg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kcmefhpl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bbpioa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hnnjco32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gjmnmk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mhfniekh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Nopcdbep.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cicakm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Eoabgggf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cqokoeig.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agfkalam.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jpfikjfe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kpkqnelp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jcdfbjkd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmaofnkc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gblknd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Maldcblg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ddikjh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lnkedemc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bpndcjqc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lbmknipc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Agkjknji.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Epgqddoh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hiahfo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hcmajo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pnjepahn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdfpmm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fgiggh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pafdii32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfeacnaf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Glcmna32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qcpang32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghkplk32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jpboan32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cdlpbbmp.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ofgkkp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pknfif32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Process not Found
Modifies registry class (64 IoCs)
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Kmiaad32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eikjgc32.dll" | Pgeigp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okcgbben.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Knabngen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lnkedemc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Cddqod32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpmckh32.dll" | Jdeigc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Nleojofn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mjnohc32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Dkhedlbj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dqjghb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Lajifken.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Palfgg32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Odlpfblm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjjkphbk.dll" | Hipodl32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pajogaal.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jodfilko.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elhgeffh.dll" | Bjmdhmne.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjbambmm.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Emkanhnb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gehoec32.dll" | Nhfkhhnc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Qeqfki32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Mhmcpl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Dglfkebm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Anqhoddb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Jmpnkecn.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Amhifh32.dll" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Pipqgq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Feeicmli.dll" | Pndaiokc.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Adfboa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aqmnnjni.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Lodeahen.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Djbmjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iodhld32.dll" | Ehoqklia.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Bjmdhmne.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Doibhekc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Abghlk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgjnphed.dll" | Ijdbffpl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjgqkmff.dll" | Okapcanj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 | Djbmjq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbnlhcog.dll" | Deegjo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgaijn32.dll" | Klipfpeh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qbllgblj.dll" | Pdflopoa.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phoepf32.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enmbfchb.dll" | Process not Found
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Ephkak32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gahcbbhl.dll" | Jbqkmj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhdmil32.dll" | Gejgjp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Gaagoqcp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" | Process not Found
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Each entry below gives the depth in the process tree, the image path, the command line as executed and the PID; each process in the chain is spawned by the one above it, and the matched signatures are listed under it.

- 1: C:\Users\Admin\AppData\Local\Temp\8ff0fb0cd3738c591e2ac33d15b8196a972f11671ba9ef9c8fd2275a9c641d3a.exe (command line: "C:\Users\Admin\AppData\Local\Temp\8ff0fb0cd3738c591e2ac33d15b8196a972f11671ba9ef9c8fd2275a9c641d3a.exe"), PID 2316
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 2: C:\Windows\SysWOW64\Hebckd32.exe (command line: C:\Windows\system32\Hebckd32.exe), PID 2940
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 3: C:\Windows\SysWOW64\Ieepad32.exe (command line: C:\Windows\system32\Ieepad32.exe), PID 2208
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 4: C:\Windows\SysWOW64\Idjlbqmb.exe (command line: C:\Windows\system32\Idjlbqmb.exe), PID 936
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 5: C:\Windows\SysWOW64\Imenpfap.exe (command line: C:\Windows\system32\Imenpfap.exe), PID 2768
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 6: C:\Windows\SysWOW64\Jfoookfn.exe (command line: C:\Windows\system32\Jfoookfn.exe), PID 2816
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 7: C:\Windows\SysWOW64\Jokccnci.exe (command line: C:\Windows\system32\Jokccnci.exe), PID 2568
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 8: C:\Windows\SysWOW64\Jbhlilip.exe (command line: C:\Windows\system32\Jbhlilip.exe), PID 2536
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 9: C:\Windows\SysWOW64\Joomnm32.exe (command line: C:\Windows\system32\Joomnm32.exe), PID 3040
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 10: C:\Windows\SysWOW64\Jndjoi32.exe (command line: C:\Windows\system32\Jndjoi32.exe), PID 1868
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 11: C:\Windows\SysWOW64\Jodfilko.exe (command line: C:\Windows\system32\Jodfilko.exe), PID 1796
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
- 12: C:\Windows\SysWOW64\Khlkba32.exe (command line: C:\Windows\system32\Khlkba32.exe), PID 1144
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 13: C:\Windows\SysWOW64\Kdckgc32.exe (command line: C:\Windows\system32\Kdckgc32.exe), PID 1440
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 14: C:\Windows\SysWOW64\Kjbqei32.exe (command line: C:\Windows\system32\Kjbqei32.exe), PID 1736
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 15: C:\Windows\SysWOW64\Kfiajj32.exe (command line: C:\Windows\system32\Kfiajj32.exe), PID 1812
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 16: C:\Windows\SysWOW64\Kpoegc32.exe (command line: C:\Windows\system32\Kpoegc32.exe), PID 1912
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
- 17: C:\Windows\SysWOW64\Llefld32.exe (command line: C:\Windows\system32\Llefld32.exe), PID 1320
  - Executes dropped EXE
  - Loads dropped DLL
- 18: C:\Windows\SysWOW64\Lkkcmqcn.exe (command line: C:\Windows\system32\Lkkcmqcn.exe), PID 1752
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
- 19: C:\Windows\SysWOW64\Lfpgkicd.exe (command line: C:\Windows\system32\Lfpgkicd.exe), PID 112
  - Executes dropped EXE
  - Loads dropped DLL
- 20: C:\Windows\SysWOW64\Lbghpjih.exe (command line: C:\Windows\system32\Lbghpjih.exe), PID 2132
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Loads dropped DLL
- 21: C:\Windows\SysWOW64\Ldhaaefi.exe (command line: C:\Windows\system32\Ldhaaefi.exe), PID 1724
  - Executes dropped EXE
  - Loads dropped DLL
- 22: C:\Windows\SysWOW64\Lnpejklj.exe (command line: C:\Windows\system32\Lnpejklj.exe), PID 932
  - Executes dropped EXE
  - Loads dropped DLL
- 23: C:\Windows\SysWOW64\Mnbbpkjg.exe (command line: C:\Windows\system32\Mnbbpkjg.exe), PID 612
  - Executes dropped EXE
  - Loads dropped DLL
- 24: C:\Windows\SysWOW64\Mbdhinmf.exe (command line: C:\Windows\system32\Mbdhinmf.exe), PID 2068
  - Executes dropped EXE
  - Loads dropped DLL
- 25: C:\Windows\SysWOW64\Mfbqol32.exe (command line: C:\Windows\system32\Mfbqol32.exe), PID 1856
  - Executes dropped EXE
  - Loads dropped DLL
- 26: C:\Windows\SysWOW64\Nbknjm32.exe (command line: C:\Windows\system32\Nbknjm32.exe), PID 2168
  - Executes dropped EXE
  - Loads dropped DLL
- 27: C:\Windows\SysWOW64\Njfbno32.exe (command line: C:\Windows\system32\Njfbno32.exe), PID 1568
  - Executes dropped EXE
  - Loads dropped DLL
- 28: C:\Windows\SysWOW64\Neocahbm.exe (command line: C:\Windows\system32\Neocahbm.exe), PID 1616
  - Executes dropped EXE
  - Loads dropped DLL
- 29: C:\Windows\SysWOW64\Nmjhejph.exe (command line: C:\Windows\system32\Nmjhejph.exe), PID 2076
  - Executes dropped EXE
  - Loads dropped DLL
- 30: C:\Windows\SysWOW64\Ofdicodf.exe (command line: C:\Windows\system32\Ofdicodf.exe), PID 2740
  - Executes dropped EXE
  - Loads dropped DLL
- 31: C:\Windows\SysWOW64\Olablfbm.exe (command line: C:\Windows\system32\Olablfbm.exe), PID 2960
  - Executes dropped EXE
  - Loads dropped DLL
- 32: C:\Windows\SysWOW64\Olfkge32.exe (command line: C:\Windows\system32\Olfkge32.exe), PID 2916
  - Executes dropped EXE
  - Loads dropped DLL
- 33: C:\Windows\SysWOW64\Oodhca32.exe (command line: C:\Windows\system32\Oodhca32.exe), PID 2780
  - Executes dropped EXE
- 34: C:\Windows\SysWOW64\Oijlpjma.exe (command line: C:\Windows\system32\Oijlpjma.exe), PID 2572
  - Executes dropped EXE
- 35: C:\Windows\SysWOW64\Pagmjlhj.exe (command line: C:\Windows\system32\Pagmjlhj.exe), PID 3048
  - Executes dropped EXE
- 36: C:\Windows\SysWOW64\Qagiio32.exe (command line: C:\Windows\system32\Qagiio32.exe), PID 2932
  - Executes dropped EXE
- 37: C:\Windows\SysWOW64\Qokjcc32.exe (command line: C:\Windows\system32\Qokjcc32.exe), PID 836
  - Executes dropped EXE
- 38: C:\Windows\SysWOW64\Alojlgii.exe (command line: C:\Windows\system32\Alojlgii.exe), PID 544
  - Executes dropped EXE
- 39: C:\Windows\SysWOW64\Aopcnbfj.exe (command line: C:\Windows\system32\Aopcnbfj.exe), PID 1212
  - Executes dropped EXE
- 40: C:\Windows\SysWOW64\Akfdcckn.exe (command line: C:\Windows\system32\Akfdcckn.exe), PID 2848
  - Executes dropped EXE
- 41: C:\Windows\SysWOW64\Aqcmkjje.exe (command line: C:\Windows\system32\Aqcmkjje.exe), PID 1420
  - Executes dropped EXE
- 42: C:\Windows\SysWOW64\Akiahcik.exe (command line: C:\Windows\system32\Akiahcik.exe), PID 1820
  - Executes dropped EXE
- 43: C:\Windows\SysWOW64\Bcfbbe32.exe (command line: C:\Windows\system32\Bcfbbe32.exe), PID 2188
  - Executes dropped EXE
- 44: C:\Windows\SysWOW64\Bqjcli32.exe (command line: C:\Windows\system32\Bqjcli32.exe), PID 1500
  - Executes dropped EXE
- 45: C:\Windows\SysWOW64\Boppmf32.exe (command line: C:\Windows\system32\Boppmf32.exe), PID 1316
  - Executes dropped EXE
- 46: C:\Windows\SysWOW64\Bmcpfj32.exe (command line: C:\Windows\system32\Bmcpfj32.exe), PID 960
  - Executes dropped EXE
- 47: C:\Windows\SysWOW64\Bbpioa32.exe (command line: C:\Windows\system32\Bbpioa32.exe), PID 2148
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
- 48: C:\Windows\SysWOW64\Bkimgflg.exe (command line: C:\Windows\system32\Bkimgflg.exe), PID 572
  - Executes dropped EXE
- 49: C:\Windows\SysWOW64\Beaaplbg.exe (command line: C:\Windows\system32\Beaaplbg.exe), PID 2300
  - Executes dropped EXE
- 50: C:\Windows\SysWOW64\Cbebjpaa.exe (command line: C:\Windows\system32\Cbebjpaa.exe), PID 1536
  - Executes dropped EXE
- 51: C:\Windows\SysWOW64\Cnlcoage.exe (command line: C:\Windows\system32\Cnlcoage.exe), PID 2472
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
- 52: C:\Windows\SysWOW64\Cefkkk32.exe (command line: C:\Windows\system32\Cefkkk32.exe), PID 1560
  - Executes dropped EXE
- 53: C:\Windows\SysWOW64\Cgdggg32.exe (command line: C:\Windows\system32\Cgdggg32.exe), PID 2732
  - Executes dropped EXE
- 54: C:\Windows\SysWOW64\Cnnpdaeb.exe (command line: C:\Windows\system32\Cnnpdaeb.exe), PID 2696
  - Executes dropped EXE
- 55: C:\Windows\SysWOW64\Cgfdmf32.exe (command line: C:\Windows\system32\Cgfdmf32.exe), PID 2804
  - Executes dropped EXE
- 56: C:\Windows\SysWOW64\Caohfl32.exe (command line: C:\Windows\system32\Caohfl32.exe), PID 2540
  - Executes dropped EXE
- 57: C:\Windows\SysWOW64\Cflanc32.exe (command line: C:\Windows\system32\Cflanc32.exe), PID 2660
  - Executes dropped EXE
- 58: C:\Windows\SysWOW64\Clhifj32.exe (command line: C:\Windows\system32\Clhifj32.exe), PID 3016
  - Executes dropped EXE
- 59: C:\Windows\SysWOW64\Dmhfpmee.exe (command line: C:\Windows\system32\Dmhfpmee.exe), PID 1872
  - Executes dropped EXE
- 60: C:\Windows\SysWOW64\Doibhekc.exe (command line: C:\Windows\system32\Doibhekc.exe), PID 2020
  - Executes dropped EXE
  - Modifies registry class
- 61: C:\Windows\SysWOW64\Dpiobh32.exe (command line: C:\Windows\system32\Dpiobh32.exe), PID 852
  - Executes dropped EXE
- 62: C:\Windows\SysWOW64\Deegjo32.exe (command line: C:\Windows\system32\Deegjo32.exe), PID 2224
  - Executes dropped EXE
  - Modifies registry class
- 63: C:\Windows\SysWOW64\Dalhop32.exe (command line: C:\Windows\system32\Dalhop32.exe), PID 2764
  - Executes dropped EXE
- 64: C:\Windows\SysWOW64\Dlblmh32.exe (command line: C:\Windows\system32\Dlblmh32.exe), PID 2864
  - Executes dropped EXE
- 65: C:\Windows\SysWOW64\Dejqenmh.exe (command line: C:\Windows\system32\Dejqenmh.exe), PID 976
  - Executes dropped EXE
- 66: C:\Windows\SysWOW64\Dglmmf32.exe (command line: C:\Windows\system32\Dglmmf32.exe), PID 1748
- 67: C:\Windows\SysWOW64\Eaaajo32.exe (command line: C:\Windows\system32\Eaaajo32.exe), PID 1972
- 68: C:\Windows\SysWOW64\Epfnkk32.exe (command line: C:\Windows\system32\Epfnkk32.exe), PID 2368
- 69: C:\Windows\SysWOW64\Eklbid32.exe (command line: C:\Windows\system32\Eklbid32.exe), PID 2400
- 70: C:\Windows\SysWOW64\Ephkak32.exe (command line: C:\Windows\system32\Ephkak32.exe), PID 1716
  - Modifies registry class
- 71: C:\Windows\SysWOW64\Eiapjq32.exe (command line: C:\Windows\system32\Eiapjq32.exe), PID 2108
- 72: C:\Windows\SysWOW64\Eiclop32.exe (command line: C:\Windows\system32\Eiclop32.exe), PID 2972
  - Adds autorun key to be loaded by Explorer.exe on startup
- 73: C:\Windows\SysWOW64\Epmdljal.exe (command line: C:\Windows\system32\Epmdljal.exe), PID 2956
- 74: C:\Windows\SysWOW64\Fejmda32.exe (command line: C:\Windows\system32\Fejmda32.exe), PID 2900
- 75: C:\Windows\SysWOW64\Fkgemh32.exe (command line: C:\Windows\system32\Fkgemh32.exe), PID 2612
- 76: C:\Windows\SysWOW64\Fcnmne32.exe (command line: C:\Windows\system32\Fcnmne32.exe), PID 2936
- 77: C:\Windows\SysWOW64\Fkibbh32.exe (command line: C:\Windows\system32\Fkibbh32.exe), PID 2276
- 78: C:\Windows\SysWOW64\Facjobce.exe (command line: C:\Windows\system32\Facjobce.exe), PID 2896
- 79: C:\Windows\SysWOW64\Fgpcgi32.exe (command line: C:\Windows\system32\Fgpcgi32.exe), PID 964
- 80: C:\Windows\SysWOW64\Fddcqm32.exe (command line: C:\Windows\system32\Fddcqm32.exe), PID 2976
  - Drops file in System32 directory
- 81: C:\Windows\SysWOW64\Fnlhibff.exe (command line: C:\Windows\system32\Fnlhibff.exe), PID 2164
- 82: C:\Windows\SysWOW64\Fdfpfm32.exe (command line: C:\Windows\system32\Fdfpfm32.exe), PID 2192
- 83: C:\Windows\SysWOW64\Fjchnclk.exe (command line: C:\Windows\system32\Fjchnclk.exe), PID 1060
- 84: C:\Windows\SysWOW64\Gckmgi32.exe (command line: C:\Windows\system32\Gckmgi32.exe), PID 1652
- 85: C:\Windows\SysWOW64\Gnaadb32.exe (command line: C:\Windows\system32\Gnaadb32.exe), PID 1988
- 86: C:\Windows\SysWOW64\Gobnljhp.exe (command line: C:\Windows\system32\Gobnljhp.exe), PID 2412
- 87: C:\Windows\SysWOW64\Gmfnen32.exe (command line: C:\Windows\system32\Gmfnen32.exe), PID 2836
- 88: C:\Windows\SysWOW64\Gbcgne32.exe (command line: C:\Windows\system32\Gbcgne32.exe), PID 2032
- 89: C:\Windows\SysWOW64\Gmhkkn32.exe (command line: C:\Windows\system32\Gmhkkn32.exe), PID 2744
- 90: C:\Windows\SysWOW64\Gddppp32.exe (command line: C:\Windows\system32\Gddppp32.exe), PID 2908
- 91: C:\Windows\SysWOW64\Gfclic32.exe (command line: C:\Windows\system32\Gfclic32.exe), PID 2712
- 92: C:\Windows\SysWOW64\Hiahfo32.exe (command line: C:\Windows\system32\Hiahfo32.exe), PID 2524
  - System Location Discovery: System Language Discovery
- 93: C:\Windows\SysWOW64\Holqbipe.exe (command line: C:\Windows\system32\Holqbipe.exe), PID 1264
- 94: C:\Windows\SysWOW64\Hehikpol.exe (command line: C:\Windows\system32\Hehikpol.exe), PID 584
- 95: C:\Windows\SysWOW64\Hjeacf32.exe (command line: C:\Windows\system32\Hjeacf32.exe), PID 2628
- 96: C:\Windows\SysWOW64\Hqojpqdp.exe (command line: C:\Windows\system32\Hqojpqdp.exe), PID 1832
- 97: C:\Windows\SysWOW64\Hgiblk32.exe (command line: C:\Windows\system32\Hgiblk32.exe), PID 108
- 98: C:\Windows\SysWOW64\Hmfjda32.exe (command line: C:\Windows\system32\Hmfjda32.exe), PID 952
- 99: C:\Windows\SysWOW64\Hnegod32.exe (command line: C:\Windows\system32\Hnegod32.exe), PID 308
  - Drops file in System32 directory
- 100: C:\Windows\SysWOW64\Hpgcfmge.exe (command line: C:\Windows\system32\Hpgcfmge.exe), PID 2404
- 101: C:\Windows\SysWOW64\Hiohob32.exe (command line: C:\Windows\system32\Hiohob32.exe), PID 2496
- 102: C:\Windows\SysWOW64\Ibobhgno.exe (command line: C:\Windows\system32\Ibobhgno.exe), PID 2788
- 103: C:\Windows\SysWOW64\Ihnhfmjc.exe (command line: C:\Windows\system32\Ihnhfmjc.exe), PID 2560
- 104: C:\Windows\SysWOW64\Jhbaam32.exe (command line: C:\Windows\system32\Jhbaam32.exe), PID 1252
- 105: C:\Windows\SysWOW64\Jkcjchco.exe (command line: C:\Windows\system32\Jkcjchco.exe), PID 2336
- 106: C:\Windows\SysWOW64\Jppbkoaf.exe (command line: C:\Windows\system32\Jppbkoaf.exe), PID 2840
  - Adds autorun key to be loaded by Explorer.exe on startup
- 107: C:\Windows\SysWOW64\Jkegigal.exe (command line: C:\Windows\system32\Jkegigal.exe), PID 692
  - Drops file in System32 directory
- 108: C:\Windows\SysWOW64\Jpboan32.exe (command line: C:\Windows\system32\Jpboan32.exe), PID 1120
  - Adds autorun key to be loaded by Explorer.exe on startup
  - System Location Discovery: System Language Discovery
- 109: C:\Windows\SysWOW64\Jbqkmj32.exe (command line: C:\Windows\system32\Jbqkmj32.exe), PID 928
  - Modifies registry class
- 110: C:\Windows\SysWOW64\Klipfpeh.exe (command line: C:\Windows\system32\Klipfpeh.exe), PID 2964
  - Modifies registry class
- 111: C:\Windows\SysWOW64\Keadoe32.exe (command line: C:\Windows\system32\Keadoe32.exe), PID 1980
- 112: C:\Windows\SysWOW64\Kojihjbi.exe (command line: C:\Windows\system32\Kojihjbi.exe), PID 1520
- 113: C:\Windows\SysWOW64\Kiomec32.exe (command line: C:\Windows\system32\Kiomec32.exe), PID 536
- 114: C:\Windows\SysWOW64\Klniao32.exe (command line: C:\Windows\system32\Klniao32.exe), PID 2752
- 115: C:\Windows\SysWOW64\Kajbie32.exe (command line: C:\Windows\system32\Kajbie32.exe), PID 2776
- 116: C:\Windows\SysWOW64\Kdinea32.exe (command line: C:\Windows\system32\Kdinea32.exe), PID 3028
- 117: C:\Windows\SysWOW64\Klpffn32.exe (command line: C:\Windows\system32\Klpffn32.exe), PID 2444
- 118: C:\Windows\SysWOW64\Knabngen.exe (command line: C:\Windows\system32\Knabngen.exe), PID 2288
  - Modifies registry class
- 119: C:\Windows\SysWOW64\Khgglp32.exe (command line: C:\Windows\system32\Khgglp32.exe), PID 2984
- 120: C:\Windows\SysWOW64\Koaohila.exe (command line: C:\Windows\system32\Koaohila.exe), PID 2464
- 121: C:\Windows\SysWOW64\Laokdekd.exe (command line: C:\Windows\system32\Laokdekd.exe), PID 1676
- 122: C:\Windows\SysWOW64\Ldngqqjh.exe (command line: C:\Windows\system32\Ldngqqjh.exe), PID 592