Analysis
max time kernel: 94s
max time network: 19s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
submitted: 09/10/2024, 00:04
Static task: static1
Behavioral task: behavioral1
Sample: 7f331c75afdfe98a1091116572c5f744e3d15a50b98dbd6f8dd12dc77d953e1a.exe
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: 7f331c75afdfe98a1091116572c5f744e3d15a50b98dbd6f8dd12dc77d953e1a.exe
Resource: win10v2004-20241007-en
General
Target: 7f331c75afdfe98a1091116572c5f744e3d15a50b98dbd6f8dd12dc77d953e1a.exe
Size: 483KB
MD5: d43622b87d0acb25cfbcbfd07d3b6e62
SHA1: 228b3676f2c6f749774b0f8e5f14454539bdc5d4
SHA256: 7f331c75afdfe98a1091116572c5f744e3d15a50b98dbd6f8dd12dc77d953e1a
SHA512: ef1770c4fb643ddb52891c5e0bd2503f89393110355a74b10dbd28286b12a6df6d7ea1982fa7dafc417aef91e7153044822af64cb460f8e2df4dafcf8f8113e9
SSDEEP: 12288:HGZGTPtY5vARM0RM/3ARMSG0dhvARMoHG:HGZGTPtY58dhMHG
Malware Config
Extracted
berbew
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Executes dropped EXE 64 IoCs
pid Process 2272 Lkhfhaea.exe 2016 Llhcad32.exe 2688 Mnbbpkjg.exe 2672 Mbgdonkd.exe 2900 Miciqgqn.exe 2544 Nhmpmcaq.exe 2028 Odhjmc32.exe 1868 Obngnphg.exe 2636 Pajjpk32.exe 1556 Pijhompm.exe 2020 Afebpmal.exe 1776 Aopcnbfj.exe 2876 Ammjekmg.exe 1624 Bmogkkkd.exe 2984 Bbbedqcc.exe 2164 Dlkfli32.exe 1752 Epdafl32.exe 832 Egpfheoa.exe 980 Elolfl32.exe 1400 Ehfmkmqj.exe 1764 Fieiephm.exe 1076 Flfbfken.exe 1996 Fkphcg32.exe 396 Gggihhkd.exe 2304 Gfobndnj.exe 2208 Gfclic32.exe 2268 Hnoane32.exe 2760 Haafepbn.exe 2972 Hmhgjahb.exe 2040 Hfqlcg32.exe 548 Ipipllec.exe 2196 Ibobhgno.exe 2800 Ibaonfll.exe 2340 Jojmigpn.exe 1340 Jhbaam32.exe 2444 Jhengldk.exe 1392 Jifjod32.exe 2892 Kglgnhgq.exe 2840 Klipfpeh.exe 2228 Khpqkq32.exe 2352 Klniao32.exe 2152 Kajbie32.exe 588 Klpffn32.exe 976 Kehjpd32.exe 1164 Lpbkpa32.exe 1964 Ljjpighp.exe 1856 Lkjlcjpb.exe 1692 Lnkedemc.exe 1600 Mbadih32.exe 2232 Mknbmm32.exe 2060 Nggpgn32.exe 3068 Nmgeedno.exe 2656 Nmiakdll.exe 2612 Nbfjckjc.exe 3016 Oefcef32.exe 2600 Onognkne.exe 1484 Onadck32.exe 1212 Omfadgqj.exe 2896 Ojjanlod.exe 1108 Oadjjfga.exe 2968 Pfcohlce.exe 2024 Plbdfc32.exe 1748 Phiekdeo.exe 2416 Pabidiko.exe -
Loads dropped DLL 64 IoCs
pid Process 1756 7f331c75afdfe98a1091116572c5f744e3d15a50b98dbd6f8dd12dc77d953e1a.exe 1756 7f331c75afdfe98a1091116572c5f744e3d15a50b98dbd6f8dd12dc77d953e1a.exe 2272 Lkhfhaea.exe 2272 Lkhfhaea.exe 2016 Llhcad32.exe 2016 Llhcad32.exe 2688 Mnbbpkjg.exe 2688 Mnbbpkjg.exe 2672 Mbgdonkd.exe 2672 Mbgdonkd.exe 2900 Miciqgqn.exe 2900 Miciqgqn.exe 2544 Nhmpmcaq.exe 2544 Nhmpmcaq.exe 2028 Odhjmc32.exe 2028 Odhjmc32.exe 1868 Obngnphg.exe 1868 Obngnphg.exe 2636 Pajjpk32.exe 2636 Pajjpk32.exe 1556 Pijhompm.exe 1556 Pijhompm.exe 2020 Afebpmal.exe 2020 Afebpmal.exe 1776 Aopcnbfj.exe 1776 Aopcnbfj.exe 2876 Ammjekmg.exe 2876 Ammjekmg.exe 1624 Bmogkkkd.exe 1624 Bmogkkkd.exe 2984 Bbbedqcc.exe 2984 Bbbedqcc.exe 2164 Dlkfli32.exe 2164 Dlkfli32.exe 1752 Epdafl32.exe 1752 Epdafl32.exe 832 Egpfheoa.exe 832 Egpfheoa.exe 980 Elolfl32.exe 980 Elolfl32.exe 1400 Ehfmkmqj.exe 1400 Ehfmkmqj.exe 1764 Fieiephm.exe 1764 Fieiephm.exe 1076 Flfbfken.exe 1076 Flfbfken.exe 1996 Fkphcg32.exe 1996 Fkphcg32.exe 396 Gggihhkd.exe 396 Gggihhkd.exe 696 Gcbchhmc.exe 696 Gcbchhmc.exe 2208 Gfclic32.exe 2208 Gfclic32.exe 2268 Hnoane32.exe 2268 Hnoane32.exe 2760 Haafepbn.exe 2760 Haafepbn.exe 2972 Hmhgjahb.exe 2972 Hmhgjahb.exe 2040 Hfqlcg32.exe 2040 Hfqlcg32.exe 548 Ipipllec.exe 548 Ipipllec.exe -
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid pid_target Process procid_target 2940 4876 WerFault.exe 973 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4364 Pingfn32.exe -
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
The number of each entry is its nesting depth in the process tree, so each process is nested under the one before it. Entry 1 is the submitted sample; entries 2 through 122 are dropped executables that ran from C:\Windows\SysWOW64\ after being launched with the command line C:\Windows\system32\<name>. The signatures triggered by each process follow its PID.
1. C:\Users\Admin\AppData\Local\Temp\7f331c75afdfe98a1091116572c5f744e3d15a50b98dbd6f8dd12dc77d953e1a.exe, command line "C:\Users\Admin\AppData\Local\Temp\7f331c75afdfe98a1091116572c5f744e3d15a50b98dbd6f8dd12dc77d953e1a.exe", PID 1756: Loads dropped DLL; Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Lkhfhaea.exe, PID 2272: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Llhcad32.exe, PID 2016: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Mnbbpkjg.exe, PID 2688: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Mbgdonkd.exe, PID 2672: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Miciqgqn.exe, PID 2900: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Nhmpmcaq.exe, PID 2544: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Odhjmc32.exe, PID 2028: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Obngnphg.exe, PID 1868: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Pajjpk32.exe, PID 2636: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Pijhompm.exe, PID 1556: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Afebpmal.exe, PID 2020: Executes dropped EXE; Loads dropped DLL; Modifies registry class; Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Aopcnbfj.exe, PID 1776: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Ammjekmg.exe, PID 2876: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Bmogkkkd.exe, PID 1624: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Bbbedqcc.exe, PID 2984: Executes dropped EXE; Loads dropped DLL; Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Dlkfli32.exe, PID 2164: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
18. C:\Windows\SysWOW64\Epdafl32.exe, PID 1752: Executes dropped EXE; Loads dropped DLL
19. C:\Windows\SysWOW64\Egpfheoa.exe, PID 832: Executes dropped EXE; Loads dropped DLL
20. C:\Windows\SysWOW64\Elolfl32.exe, PID 980: Executes dropped EXE; Loads dropped DLL
21. C:\Windows\SysWOW64\Ehfmkmqj.exe, PID 1400: Executes dropped EXE; Loads dropped DLL
22. C:\Windows\SysWOW64\Fieiephm.exe, PID 1764: Executes dropped EXE; Loads dropped DLL
23. C:\Windows\SysWOW64\Flfbfken.exe, PID 1076: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
24. C:\Windows\SysWOW64\Fkphcg32.exe, PID 1996: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
25. C:\Windows\SysWOW64\Gggihhkd.exe, PID 396: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
26. C:\Windows\SysWOW64\Gfobndnj.exe, PID 2304: Executes dropped EXE
27. C:\Windows\SysWOW64\Gcbchhmc.exe, PID 696: Loads dropped DLL
28. C:\Windows\SysWOW64\Gfclic32.exe, PID 2208: Executes dropped EXE; Loads dropped DLL
29. C:\Windows\SysWOW64\Hnoane32.exe, PID 2268: Executes dropped EXE; Loads dropped DLL
30. C:\Windows\SysWOW64\Haafepbn.exe, PID 2760: Executes dropped EXE; Loads dropped DLL
31. C:\Windows\SysWOW64\Hmhgjahb.exe, PID 2972: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery
32. C:\Windows\SysWOW64\Hfqlcg32.exe, PID 2040: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE; Loads dropped DLL
33. C:\Windows\SysWOW64\Ipipllec.exe, PID 548: Executes dropped EXE; Loads dropped DLL
34. C:\Windows\SysWOW64\Ibobhgno.exe, PID 2196: Executes dropped EXE
35. C:\Windows\SysWOW64\Ibaonfll.exe, PID 2800: Executes dropped EXE
36. C:\Windows\SysWOW64\Jojmigpn.exe, PID 2340: Executes dropped EXE
37. C:\Windows\SysWOW64\Jhbaam32.exe, PID 1340: Executes dropped EXE
38. C:\Windows\SysWOW64\Jhengldk.exe, PID 2444: Executes dropped EXE
39. C:\Windows\SysWOW64\Jifjod32.exe, PID 1392: Executes dropped EXE
40. C:\Windows\SysWOW64\Kglgnhgq.exe, PID 2892: Executes dropped EXE
41. C:\Windows\SysWOW64\Klipfpeh.exe, PID 2840: Executes dropped EXE
42. C:\Windows\SysWOW64\Khpqkq32.exe, PID 2228: Executes dropped EXE
43. C:\Windows\SysWOW64\Klniao32.exe, PID 2352: Executes dropped EXE
44. C:\Windows\SysWOW64\Kajbie32.exe, PID 2152: Executes dropped EXE
45. C:\Windows\SysWOW64\Klpffn32.exe, PID 588: Executes dropped EXE; Modifies registry class
46. C:\Windows\SysWOW64\Kehjpd32.exe, PID 976: Executes dropped EXE; Drops file in System32 directory
47. C:\Windows\SysWOW64\Lpbkpa32.exe, PID 1164: Executes dropped EXE
48. C:\Windows\SysWOW64\Ljjpighp.exe, PID 1964: Executes dropped EXE; Modifies registry class
49. C:\Windows\SysWOW64\Lkjlcjpb.exe, PID 1856: Executes dropped EXE
50. C:\Windows\SysWOW64\Lnkedemc.exe, PID 1692: Executes dropped EXE
51. C:\Windows\SysWOW64\Mbadih32.exe, PID 1600: Executes dropped EXE
52. C:\Windows\SysWOW64\Mknbmm32.exe, PID 2232: Executes dropped EXE
53. C:\Windows\SysWOW64\Nggpgn32.exe, PID 2060: Executes dropped EXE
54. C:\Windows\SysWOW64\Nmgeedno.exe, PID 3068: Executes dropped EXE
55. C:\Windows\SysWOW64\Nmiakdll.exe, PID 2656: Executes dropped EXE
56. C:\Windows\SysWOW64\Nbfjckjc.exe, PID 2612: Executes dropped EXE; Drops file in System32 directory
57. C:\Windows\SysWOW64\Oefcef32.exe, PID 3016: Executes dropped EXE; Drops file in System32 directory
58. C:\Windows\SysWOW64\Onognkne.exe, PID 2600: Executes dropped EXE
59. C:\Windows\SysWOW64\Onadck32.exe, PID 1484: Executes dropped EXE
60. C:\Windows\SysWOW64\Omfadgqj.exe, PID 1212: Executes dropped EXE
61. C:\Windows\SysWOW64\Ojjanlod.exe, PID 2896: Executes dropped EXE
62. C:\Windows\SysWOW64\Oadjjfga.exe, PID 1108: Executes dropped EXE
63. C:\Windows\SysWOW64\Pfcohlce.exe, PID 2968: Executes dropped EXE
64. C:\Windows\SysWOW64\Plbdfc32.exe, PID 2024: Adds autorun key to be loaded by Explorer.exe on startup; Executes dropped EXE
65. C:\Windows\SysWOW64\Phiekdeo.exe, PID 1748: Executes dropped EXE
66. C:\Windows\SysWOW64\Pabidiko.exe, PID 2416: Executes dropped EXE
67. C:\Windows\SysWOW64\Qmijij32.exe, PID 1604: System Location Discovery: System Language Discovery
68. C:\Windows\SysWOW64\Qohfcmhf.exe, PID 2300: no signatures
69. C:\Windows\SysWOW64\Akoghnnj.exe, PID 2516: no signatures
70. C:\Windows\SysWOW64\Acjllqke.exe, PID 2496: no signatures
71. C:\Windows\SysWOW64\Aclhap32.exe, PID 2364: no signatures
72. C:\Windows\SysWOW64\Afmack32.exe, PID 2212: no signatures
73. C:\Windows\SysWOW64\Ahnjefcd.exe, PID 2696: no signatures
74. C:\Windows\SysWOW64\Abfonl32.exe, PID 2576: no signatures
75. C:\Windows\SysWOW64\Bbilclhb.exe, PID 2788: Adds autorun key to be loaded by Explorer.exe on startup
76. C:\Windows\SysWOW64\Bbkhikfp.exe, PID 3052: no signatures
77. C:\Windows\SysWOW64\Bghaabdg.exe, PID 3048: no signatures
78. C:\Windows\SysWOW64\Bdlakf32.exe, PID 1312: no signatures
79. C:\Windows\SysWOW64\Bdnnpf32.exe, PID 2880: no signatures
80. C:\Windows\SysWOW64\Cohoqd32.exe, PID 2924: no signatures
81. C:\Windows\SysWOW64\Cipcii32.exe, PID 1420: Drops file in System32 directory; Modifies registry class
82. C:\Windows\SysWOW64\Cibpoi32.exe, PID 1832: no signatures
83. C:\Windows\SysWOW64\Cffqhmqd.exe, PID 1316: no signatures
84. C:\Windows\SysWOW64\Cmpieg32.exe, PID 1724: no signatures
85. C:\Windows\SysWOW64\Ckeffdmi.exe, PID 1988: no signatures
86. C:\Windows\SysWOW64\Dglfkebm.exe, PID 1596: no signatures
87. C:\Windows\SysWOW64\Depgeiag.exe, PID 876: no signatures
88. C:\Windows\SysWOW64\Djmpmppn.exe, PID 236: no signatures
89. C:\Windows\SysWOW64\Dhapfd32.exe, PID 2960: no signatures
90. C:\Windows\SysWOW64\Dchqkedl.exe, PID 2556: no signatures
91. C:\Windows\SysWOW64\Ddjmaebi.exe, PID 2616: no signatures
92. C:\Windows\SysWOW64\Ebojbaga.exe, PID 2524: Modifies registry class
93. C:\Windows\SysWOW64\Emeoojfg.exe, PID 2440: no signatures
94. C:\Windows\SysWOW64\Efmchp32.exe, PID 1440: no signatures
95. C:\Windows\SysWOW64\Epegae32.exe, PID 1864: no signatures
96. C:\Windows\SysWOW64\Eagdimif.exe, PID 2724: no signatures
97. C:\Windows\SysWOW64\Eokdbahp.exe, PID 1628: Drops file in System32 directory
98. C:\Windows\SysWOW64\Eakmdm32.exe, PID 2012: no signatures
99. C:\Windows\SysWOW64\Fmbninke.exe, PID 2380: no signatures
100. C:\Windows\SysWOW64\Geibin32.exe, PID 2980: no signatures
101. C:\Windows\SysWOW64\Gkfkae32.exe, PID 2400: no signatures
102. C:\Windows\SysWOW64\Gdnojkck.exe, PID 2236: Modifies registry class
103. C:\Windows\SysWOW64\Gqepolio.exe, PID 1028: no signatures
104. C:\Windows\SysWOW64\Gdciej32.exe, PID 2680: no signatures
105. C:\Windows\SysWOW64\Hqjijk32.exe, PID 2736: no signatures
106. C:\Windows\SysWOW64\Hmqjoljn.exe, PID 2792: no signatures
107. C:\Windows\SysWOW64\Hoacqggo.exe, PID 860: System Location Discovery: System Language Discovery
108. C:\Windows\SysWOW64\Hmecjk32.exe, PID 2460: no signatures
109. C:\Windows\SysWOW64\Heqhon32.exe, PID 1704: System Location Discovery: System Language Discovery
110. C:\Windows\SysWOW64\Hkjqkhkq.exe, PID 2328: no signatures
111. C:\Windows\SysWOW64\Igaapiqe.exe, PID 2928: no signatures
112. C:\Windows\SysWOW64\Iianjl32.exe, PID 2288: no signatures
113. C:\Windows\SysWOW64\Ialbon32.exe, PID 1648: no signatures
114. C:\Windows\SysWOW64\Ianodncp.exe, PID 1732: no signatures
115. C:\Windows\SysWOW64\Imepio32.exe, PID 1720: no signatures
116. C:\Windows\SysWOW64\Iilqnp32.exe, PID 828: Adds autorun key to be loaded by Explorer.exe on startup
117. C:\Windows\SysWOW64\Jjkmhbek.exe, PID 2752: no signatures
118. C:\Windows\SysWOW64\Jfbnmckp.exe, PID 2596: no signatures
119. C:\Windows\SysWOW64\Jnmbafik.exe, PID 2276: no signatures
120. C:\Windows\SysWOW64\Jankcafl.exe, PID 2004: no signatures
121. C:\Windows\SysWOW64\Jjfplfll.exe, PID 2976: System Location Discovery: System Language Discovery; Modifies registry class
122. C:\Windows\SysWOW64\Jhjpekkf.exe, PID 932: no signatures