Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
16s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
10/10/2024, 04:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
500b7467283c7d7cee73fa16ee91f013a014f63f1f3a950856f00dd7c335db83N.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
500b7467283c7d7cee73fa16ee91f013a014f63f1f3a950856f00dd7c335db83N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
500b7467283c7d7cee73fa16ee91f013a014f63f1f3a950856f00dd7c335db83N.exe
-
Size
64KB
-
MD5
9970ed0b3f4f123948879331bc5f81e0
-
SHA1
1ffce4b615015d61575d603a1035b9ce795d9a90
-
SHA256
500b7467283c7d7cee73fa16ee91f013a014f63f1f3a950856f00dd7c335db83
-
SHA512
de085a62a84c832e0b5452a306939ea78ebac63e93bceaf39bd0938c6b230949fe98d3279bdd730e37c205d43e68c3740c11b8a3af856f43f8e4957aaa9a3649
-
SSDEEP
768:zQQLIW7ySiyDCXEP4d16ftMaEO34x9H8ncEUSUs5OBI8t1wOu2p/1H5wZXdnhYa0:XLIE/CEW10toO3BTU0yxu2LoAMCeW
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fimgmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiffbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlleni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 500b7467283c7d7cee73fa16ee91f013a014f63f1f3a950856f00dd7c335db83N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmondpbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhmhpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhpadpke.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efakhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igjckcbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idqpjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgbfen32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cioohh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekndpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmffhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gdchifik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcfmkcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqhhin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmaedolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odpeop32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dddodd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlebog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncnoaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neaehelb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijmibn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gabohk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilfbpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfnpgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfeegfkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcdnpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mclbkjcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onhihepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpgjob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flnpoe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ighfecdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpgaohej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lneghd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mlfgkleh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojojmfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgqokp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhebij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnjonpgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmjqhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojlmgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pemdic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmdehgcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ianambhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lifoia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qahnid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bikemiik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbjmhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nknmplji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndhooaog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpnkjq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gekncjfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmipmlan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mggoli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnlobhne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikibkhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qgeckn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnfnlk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdpkdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ijmibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdfqomom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijdcdgn.exe -
Executes dropped EXE 64 IoCs
pid Process 1812 Hhfqejoh.exe 756 Hkdmaenk.exe 2624 Hanenoeh.exe 2572 Hdmajkdl.exe 2612 Hobfgcdb.exe 3024 Haqbcoce.exe 2976 Hdonpjbi.exe 2416 Hgnjlfam.exe 2924 Hngbhp32.exe 1592 Hpfoekhm.exe 2772 Hcdkagga.exe 2660 Hkkcbdhc.exe 2636 Hnjonpgg.exe 600 Hphljkfk.exe 1752 Hgbdge32.exe 2188 Hjqpcq32.exe 2864 Ipkhpk32.exe 2816 Iomhkgkb.exe 3056 Igdqmeke.exe 1916 Ijcmipjh.exe 2196 Ilaieljl.exe 1956 Iopeagip.exe 1028 Ianambhc.exe 924 Ihhjjm32.exe 1848 Iobbfggm.exe 852 Icnngeof.exe 620 Ilfbpk32.exe 2100 Ikibkhla.exe 2584 Ingogcke.exe 2540 Igpcpi32.exe 2056 Iogkaf32.exe 2888 Iqhhin32.exe 2592 Idcdjmao.exe 672 Jknlfg32.exe 1696 Jnlhbb32.exe 1496 Jdfqomom.exe 2628 Jmaedolh.exe 2688 Jqmadn32.exe 1100 Jfijmdbh.exe 2720 Jnqanbcj.exe 2168 Jmcbio32.exe 3020 Jgiffg32.exe 576 Jijbnppi.exe 628 Jmfoon32.exe 696 Jjjohbgl.exe 632 Jimodo32.exe 1492 Jkklpk32.exe 2208 Kcbcah32.exe 1104 Kcbcah32.exe 1764 Kbedmedg.exe 2752 Kiolio32.exe 2504 Knldaf32.exe 2052 Kbgqbdbd.exe 2384 Kefmnp32.exe 2556 Kiaiooja.exe 2700 Kgdijk32.exe 840 Kpkali32.exe 2712 Knnagehi.exe 1652 Kbjmhd32.exe 2136 Kamncagl.exe 2336 Kehidp32.exe 1640 Kicednho.exe 1996 Kgffpk32.exe 584 Kkbbqjgb.exe -
Loads dropped DLL 64 IoCs
pid Process 2876 500b7467283c7d7cee73fa16ee91f013a014f63f1f3a950856f00dd7c335db83N.exe 2876 500b7467283c7d7cee73fa16ee91f013a014f63f1f3a950856f00dd7c335db83N.exe 1812 Hhfqejoh.exe 1812 Hhfqejoh.exe 756 Hkdmaenk.exe 756 Hkdmaenk.exe 2624 Hanenoeh.exe 2624 Hanenoeh.exe 2572 Hdmajkdl.exe 2572 Hdmajkdl.exe 2612 Hobfgcdb.exe 2612 Hobfgcdb.exe 3024 Haqbcoce.exe 3024 Haqbcoce.exe 2976 Hdonpjbi.exe 2976 Hdonpjbi.exe 2416 Hgnjlfam.exe 2416 Hgnjlfam.exe 2924 Hngbhp32.exe 2924 Hngbhp32.exe 1592 Hpfoekhm.exe 1592 Hpfoekhm.exe 2772 Hcdkagga.exe 2772 Hcdkagga.exe 2660 Hkkcbdhc.exe 2660 Hkkcbdhc.exe 2636 Hnjonpgg.exe 2636 Hnjonpgg.exe 600 Hphljkfk.exe 600 Hphljkfk.exe 1752 Hgbdge32.exe 1752 Hgbdge32.exe 2188 Hjqpcq32.exe 2188 Hjqpcq32.exe 2864 Ipkhpk32.exe 2864 Ipkhpk32.exe 2816 Iomhkgkb.exe 2816 Iomhkgkb.exe 3056 Igdqmeke.exe 3056 Igdqmeke.exe 1916 Ijcmipjh.exe 1916 Ijcmipjh.exe 2196 Ilaieljl.exe 2196 Ilaieljl.exe 1956 Iopeagip.exe 1956 Iopeagip.exe 1028 Ianambhc.exe 1028 Ianambhc.exe 924 Ihhjjm32.exe 924 Ihhjjm32.exe 1848 Iobbfggm.exe 1848 Iobbfggm.exe 852 Icnngeof.exe 852 Icnngeof.exe 620 Ilfbpk32.exe 620 Ilfbpk32.exe 2100 Ikibkhla.exe 2100 Ikibkhla.exe 2584 Ingogcke.exe 2584 Ingogcke.exe 2540 Igpcpi32.exe 2540 Igpcpi32.exe 2056 Iogkaf32.exe 2056 Iogkaf32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Mmjqhd32.exe Mkldli32.exe File created C:\Windows\SysWOW64\Mpmfoodb.exe Mmojcceo.exe File created C:\Windows\SysWOW64\Bpcmal32.dll Odpeop32.exe File opened for modification C:\Windows\SysWOW64\Qjacai32.exe Qgbfen32.exe File created C:\Windows\SysWOW64\Fbjeao32.exe Fnoiqpqk.exe File created C:\Windows\SysWOW64\Gncblo32.exe Glefpd32.exe File opened for modification C:\Windows\SysWOW64\Gpledf32.exe Gibmglep.exe File created C:\Windows\SysWOW64\Hcdkagga.exe Hpfoekhm.exe File created C:\Windows\SysWOW64\Mipanmej.dll Okecak32.exe File created C:\Windows\SysWOW64\Ejbmpe32.dll Ipedihgm.exe File opened for modification C:\Windows\SysWOW64\Iopeagip.exe Ilaieljl.exe File opened for modification C:\Windows\SysWOW64\Fipdci32.exe Fjmdgmnl.exe File opened for modification C:\Windows\SysWOW64\Hepdml32.exe Hfmcapna.exe File created C:\Windows\SysWOW64\Iedmhlqf.exe Hbfalpab.exe File created C:\Windows\SysWOW64\Iegjnkod.exe Iaknmm32.exe File created C:\Windows\SysWOW64\Ikhlaaif.exe Icadpd32.exe File created C:\Windows\SysWOW64\Aipbidbj.exe Aahkhgag.exe File created C:\Windows\SysWOW64\Dlpdifda.exe Djahmk32.exe File created C:\Windows\SysWOW64\Ficcefan.dll Fbhhlo32.exe File created C:\Windows\SysWOW64\Jnpioe32.dll Fefdhj32.exe File opened for modification C:\Windows\SysWOW64\Ohdkop32.exe Ndhooaog.exe File created C:\Windows\SysWOW64\Abejlj32.exe Apgnpo32.exe File created C:\Windows\SysWOW64\Pemmjqgm.dll Gdchifik.exe File created C:\Windows\SysWOW64\Gjmpfp32.exe Gfadeaho.exe File opened for modification C:\Windows\SysWOW64\Hlebog32.exe Hiffbl32.exe File opened for modification C:\Windows\SysWOW64\Jhebij32.exe Jjbbmmih.exe File created C:\Windows\SysWOW64\Mcmpkcpl.dll Kgdijk32.exe File opened for modification C:\Windows\SysWOW64\Jmaedolh.exe Jdfqomom.exe File created C:\Windows\SysWOW64\Blhhag32.dll Pcdnpp32.exe File opened for modification C:\Windows\SysWOW64\Ecabfpff.exe Eoefea32.exe File opened for modification C:\Windows\SysWOW64\Gekncjfe.exe Gapbbk32.exe File opened for modification C:\Windows\SysWOW64\Iqhhin32.exe Iogkaf32.exe File created C:\Windows\SysWOW64\Pbaipg32.dll Eclejclg.exe File created C:\Windows\SysWOW64\Ffmnloih.exe Ecnbpcje.exe File created C:\Windows\SysWOW64\Oqbnil32.dll Fpnekc32.exe File created C:\Windows\SysWOW64\Gdjopf32.dll Mpmfoodb.exe File opened for modification C:\Windows\SysWOW64\Kbedmedg.exe Kcbcah32.exe File opened for modification C:\Windows\SysWOW64\Kkbbqjgb.exe Kgffpk32.exe File created C:\Windows\SysWOW64\Mojmbg32.exe Mgbeqjpd.exe File opened for modification C:\Windows\SysWOW64\Aahkhgag.exe Abejlj32.exe File created C:\Windows\SysWOW64\Blkoocfl.exe Bimbbhgh.exe File created C:\Windows\SysWOW64\Bdfpdj32.dll Fimgmj32.exe File created C:\Windows\SysWOW64\Gpledf32.exe Gibmglep.exe File opened for modification C:\Windows\SysWOW64\Jnlhbb32.exe Jknlfg32.exe File created C:\Windows\SysWOW64\Qpnkjq32.exe Qakkncmi.exe File created C:\Windows\SysWOW64\Bdbfpafn.exe Bpgjob32.exe File opened for modification C:\Windows\SysWOW64\Dcgppana.exe Dddodd32.exe File created C:\Windows\SysWOW64\Oaolne32.exe Ojhdmgkl.exe File opened for modification C:\Windows\SysWOW64\Abaaakob.exe Acnqen32.exe File created C:\Windows\SysWOW64\Aeajcf32.exe Afojgiei.exe File created C:\Windows\SysWOW64\Coejfn32.exe Ckjnfobi.exe File opened for modification C:\Windows\SysWOW64\Egchocif.exe Eddlcgjb.exe File created C:\Windows\SysWOW64\Jhebij32.exe Jjbbmmih.exe File created C:\Windows\SysWOW64\Mafmhcam.exe Mmjqhd32.exe File created C:\Windows\SysWOW64\Jmfoon32.exe Jijbnppi.exe File created C:\Windows\SysWOW64\Bmmkpm32.dll Cmkkhfmn.exe File created C:\Windows\SysWOW64\Jhbikcdn.dll Eligoe32.exe File created C:\Windows\SysWOW64\Knjfogkd.dll Eddlcgjb.exe File created C:\Windows\SysWOW64\Flcjjdpe.exe Fidmniqa.exe File created C:\Windows\SysWOW64\Hjqpcq32.exe Hgbdge32.exe File created C:\Windows\SysWOW64\Jmhdamkj.dll Pjafbfca.exe File created C:\Windows\SysWOW64\Acnqen32.exe Apbeeppo.exe File opened for modification C:\Windows\SysWOW64\Ckjnfobi.exe Cgnbepjp.exe File created C:\Windows\SysWOW64\Hbmnfajm.exe Hpnbjfjj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6080 6052 WerFault.exe 500 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afjplj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebhlmlhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgebfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmojcceo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chiedc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhknigfq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfokb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpdnjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmnloih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjjcqpbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kehidp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjomlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hljljflh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkglenej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjglppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlfgkleh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdohj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jchjqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abaaakob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpicceon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glefpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igdqmeke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfijmdbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noepfkgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojhdmgkl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebfpglkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhhlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glgcec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iomhkgkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbedmedg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lneghd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkihfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpmfoodb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnpoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihcidgpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiaiooja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cialng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihhjjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfnfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnoiqpqk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fidmniqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joagkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nliqoofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndhooaog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pikmob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgnpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikemiik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmkkhfmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acnqen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caomgjnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfdigocb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdlcnkfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebkibk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlebog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ingogcke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbnpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnhegi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdpjjaiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckjnfobi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dppiddie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbjoaibo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qahnid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnfnlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgqokp32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pafacd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aliejq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djokgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eqklhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejcaanfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlomfh32.dll" Hpckee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhfida32.dll" Iankbldh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpjndh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcmfeldm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mclbkjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nppceo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijmibn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" 500b7467283c7d7cee73fa16ee91f013a014f63f1f3a950856f00dd7c335db83N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohfgeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhiqhdca.dll" Onhihepp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbclfmph.dll" Angafl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjhajc32.dll" Aipbidbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoeidfog.dll" Bdpjjaiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngikaijm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nglhghgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfhial32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcbcah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncock32.dll" Lfgbmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpigeblb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmlpkn32.dll" Hbfalpab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkkpeg32.dll" Jijbnppi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocphembl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbaebh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blhhag32.dll" Pcdnpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmhnknmi.dll" Qgbfen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Icnngeof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojojmfed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfjmkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpdnjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imcafcpf.dll" Enajgllm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Indkgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edkbdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Behpcefk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbejabln.dll" Flnpoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hhfqejoh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jqmadn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lblflgqk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nipffb32.dll" Meaiia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmlmmdga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nolffjap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okjenb32.dll" Kjgoaflj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Najbbepc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chghodgj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikfokb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiichkog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hojeka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjeblf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odpeop32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eoefea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecnbpcje.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Flnpoe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fefdhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkdmaenk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpkali32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcicdkij.dll" Noepfkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooncljom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcikllja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imgmlkgh.dll" Bgablmfa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hafdbmjp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2876 wrote to memory of 1812 2876 500b7467283c7d7cee73fa16ee91f013a014f63f1f3a950856f00dd7c335db83N.exe 29 PID 2876 wrote to memory of 1812 2876 500b7467283c7d7cee73fa16ee91f013a014f63f1f3a950856f00dd7c335db83N.exe 29 PID 2876 wrote to memory of 1812 2876 500b7467283c7d7cee73fa16ee91f013a014f63f1f3a950856f00dd7c335db83N.exe 29 PID 2876 wrote to memory of 1812 2876 500b7467283c7d7cee73fa16ee91f013a014f63f1f3a950856f00dd7c335db83N.exe 29 PID 1812 wrote to memory of 756 1812 Hhfqejoh.exe 30 PID 1812 wrote to memory of 756 1812 Hhfqejoh.exe 30 PID 1812 wrote to memory of 756 1812 Hhfqejoh.exe 30 PID 1812 wrote to memory of 756 1812 Hhfqejoh.exe 30 PID 756 wrote to memory of 2624 756 Hkdmaenk.exe 31 PID 756 wrote to memory of 2624 756 Hkdmaenk.exe 31 PID 756 wrote to memory of 2624 756 Hkdmaenk.exe 31 PID 756 wrote to memory of 2624 756 Hkdmaenk.exe 31 PID 2624 wrote to memory of 2572 2624 Hanenoeh.exe 32 PID 2624 wrote to memory of 2572 2624 Hanenoeh.exe 32 PID 2624 wrote to memory of 2572 2624 Hanenoeh.exe 32 PID 2624 wrote to memory of 2572 2624 Hanenoeh.exe 32 PID 2572 wrote to memory of 2612 2572 Hdmajkdl.exe 33 PID 2572 wrote to memory of 2612 2572 Hdmajkdl.exe 33 PID 2572 wrote to memory of 2612 2572 Hdmajkdl.exe 33 PID 2572 wrote to memory of 2612 2572 Hdmajkdl.exe 33 PID 2612 wrote to memory of 3024 2612 Hobfgcdb.exe 34 PID 2612 wrote to memory of 3024 2612 Hobfgcdb.exe 34 PID 2612 wrote to memory of 3024 2612 Hobfgcdb.exe 34 PID 2612 wrote to memory of 3024 2612 Hobfgcdb.exe 34 PID 3024 wrote to memory of 2976 3024 Haqbcoce.exe 35 PID 3024 wrote to memory of 2976 3024 Haqbcoce.exe 35 PID 3024 wrote to memory of 2976 3024 Haqbcoce.exe 35 PID 3024 wrote to memory of 2976 3024 Haqbcoce.exe 35 PID 2976 wrote to memory of 2416 2976 Hdonpjbi.exe 36 PID 2976 wrote to memory of 2416 2976 Hdonpjbi.exe 36 PID 2976 wrote to memory of 2416 2976 Hdonpjbi.exe 36 PID 2976 wrote to memory of 2416 2976 Hdonpjbi.exe 36 PID 2416 wrote to memory of 2924 2416 Hgnjlfam.exe 37 PID 2416 wrote to memory of 2924 2416 Hgnjlfam.exe 37 PID 2416 wrote to memory of 2924 2416 Hgnjlfam.exe 37 PID 2416 wrote to memory of 2924 2416 Hgnjlfam.exe 37 PID 2924 wrote to memory of 1592 2924 Hngbhp32.exe 38 PID 2924 wrote to memory of 1592 2924 Hngbhp32.exe 38 PID 2924 wrote to memory of 1592 2924 Hngbhp32.exe 38 PID 2924 wrote to memory of 1592 2924 Hngbhp32.exe 38 PID 1592 wrote to memory of 2772 1592 Hpfoekhm.exe 39 PID 1592 wrote to memory of 2772 1592 Hpfoekhm.exe 39 PID 1592 wrote to memory of 2772 1592 Hpfoekhm.exe 39 PID 1592 wrote to memory of 2772 1592 Hpfoekhm.exe 39 PID 2772 wrote to memory of 2660 2772 Hcdkagga.exe 40 PID 2772 wrote to memory of 2660 2772 Hcdkagga.exe 40 PID 2772 wrote to memory of 2660 2772 Hcdkagga.exe 40 PID 2772 wrote to memory of 2660 2772 Hcdkagga.exe 40 PID 2660 wrote to memory of 2636 2660 Hkkcbdhc.exe 41 PID 2660 wrote to memory of 2636 2660 Hkkcbdhc.exe 41 PID 2660 wrote to memory of 2636 2660 Hkkcbdhc.exe 41 PID 2660 wrote to memory of 2636 2660 Hkkcbdhc.exe 41 PID 2636 wrote to memory of 600 2636 Hnjonpgg.exe 42 PID 2636 wrote to memory of 600 2636 Hnjonpgg.exe 42 PID 2636 wrote to memory of 600 2636 Hnjonpgg.exe 42 PID 2636 wrote to memory of 600 2636 Hnjonpgg.exe 42 PID 600 wrote to memory of 1752 600 Hphljkfk.exe 43 PID 600 wrote to memory of 1752 600 Hphljkfk.exe 43 PID 600 wrote to memory of 1752 600 Hphljkfk.exe 43 PID 600 wrote to memory of 1752 600 Hphljkfk.exe 43 PID 1752 wrote to memory of 2188 1752 Hgbdge32.exe 44 PID 1752 wrote to memory of 2188 1752 Hgbdge32.exe 44 PID 1752 wrote to memory of 2188 1752 Hgbdge32.exe 44 PID 1752 wrote to memory of 2188 1752 Hgbdge32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\500b7467283c7d7cee73fa16ee91f013a014f63f1f3a950856f00dd7c335db83N.exe"C:\Users\Admin\AppData\Local\Temp\500b7467283c7d7cee73fa16ee91f013a014f63f1f3a950856f00dd7c335db83N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Hhfqejoh.exeC:\Windows\system32\Hhfqejoh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Windows\SysWOW64\Hkdmaenk.exeC:\Windows\system32\Hkdmaenk.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Hanenoeh.exeC:\Windows\system32\Hanenoeh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2624 -
C:\Windows\SysWOW64\Hdmajkdl.exeC:\Windows\system32\Hdmajkdl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Hobfgcdb.exeC:\Windows\system32\Hobfgcdb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Haqbcoce.exeC:\Windows\system32\Haqbcoce.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Hdonpjbi.exeC:\Windows\system32\Hdonpjbi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Hgnjlfam.exeC:\Windows\system32\Hgnjlfam.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Hngbhp32.exeC:\Windows\system32\Hngbhp32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Hpfoekhm.exeC:\Windows\system32\Hpfoekhm.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1592 -
C:\Windows\SysWOW64\Hcdkagga.exeC:\Windows\system32\Hcdkagga.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Hkkcbdhc.exeC:\Windows\system32\Hkkcbdhc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Hnjonpgg.exeC:\Windows\system32\Hnjonpgg.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Windows\SysWOW64\Hphljkfk.exeC:\Windows\system32\Hphljkfk.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:600 -
C:\Windows\SysWOW64\Hgbdge32.exeC:\Windows\system32\Hgbdge32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Hjqpcq32.exeC:\Windows\system32\Hjqpcq32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Ipkhpk32.exeC:\Windows\system32\Ipkhpk32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Iomhkgkb.exeC:\Windows\system32\Iomhkgkb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\SysWOW64\Igdqmeke.exeC:\Windows\system32\Igdqmeke.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\Ijcmipjh.exeC:\Windows\system32\Ijcmipjh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1916 -
C:\Windows\SysWOW64\Ilaieljl.exeC:\Windows\system32\Ilaieljl.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Iopeagip.exeC:\Windows\system32\Iopeagip.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Ianambhc.exeC:\Windows\system32\Ianambhc.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Ihhjjm32.exeC:\Windows\system32\Ihhjjm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:924 -
C:\Windows\SysWOW64\Iobbfggm.exeC:\Windows\system32\Iobbfggm.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1848 -
C:\Windows\SysWOW64\Icnngeof.exeC:\Windows\system32\Icnngeof.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Ilfbpk32.exeC:\Windows\system32\Ilfbpk32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:620 -
C:\Windows\SysWOW64\Ikibkhla.exeC:\Windows\system32\Ikibkhla.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2100 -
C:\Windows\SysWOW64\Ingogcke.exeC:\Windows\system32\Ingogcke.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2584 -
C:\Windows\SysWOW64\Igpcpi32.exeC:\Windows\system32\Igpcpi32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2540 -
C:\Windows\SysWOW64\Iogkaf32.exeC:\Windows\system32\Iogkaf32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2056 -
C:\Windows\SysWOW64\Iqhhin32.exeC:\Windows\system32\Iqhhin32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Idcdjmao.exeC:\Windows\system32\Idcdjmao.exe34⤵
- Executes dropped EXE
PID:2592 -
C:\Windows\SysWOW64\Jknlfg32.exeC:\Windows\system32\Jknlfg32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:672 -
C:\Windows\SysWOW64\Jnlhbb32.exeC:\Windows\system32\Jnlhbb32.exe36⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Jdfqomom.exeC:\Windows\system32\Jdfqomom.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1496 -
C:\Windows\SysWOW64\Jmaedolh.exeC:\Windows\system32\Jmaedolh.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Jqmadn32.exeC:\Windows\system32\Jqmadn32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2688 -
C:\Windows\SysWOW64\Jfijmdbh.exeC:\Windows\system32\Jfijmdbh.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Windows\SysWOW64\Jnqanbcj.exeC:\Windows\system32\Jnqanbcj.exe41⤵
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Jmcbio32.exeC:\Windows\system32\Jmcbio32.exe42⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Jgiffg32.exeC:\Windows\system32\Jgiffg32.exe43⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Jijbnppi.exeC:\Windows\system32\Jijbnppi.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Jmfoon32.exeC:\Windows\system32\Jmfoon32.exe45⤵
- Executes dropped EXE
PID:628 -
C:\Windows\SysWOW64\Jjjohbgl.exeC:\Windows\system32\Jjjohbgl.exe46⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Jimodo32.exeC:\Windows\system32\Jimodo32.exe47⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Jkklpk32.exeC:\Windows\system32\Jkklpk32.exe48⤵
- Executes dropped EXE
PID:1492 -
C:\Windows\SysWOW64\Kcbcah32.exeC:\Windows\system32\Kcbcah32.exe49⤵
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Kcbcah32.exeC:\Windows\system32\Kcbcah32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Kbedmedg.exeC:\Windows\system32\Kbedmedg.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1764 -
C:\Windows\SysWOW64\Kiolio32.exeC:\Windows\system32\Kiolio32.exe52⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Knldaf32.exeC:\Windows\system32\Knldaf32.exe53⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Kbgqbdbd.exeC:\Windows\system32\Kbgqbdbd.exe54⤵
- Executes dropped EXE
PID:2052 -
C:\Windows\SysWOW64\Kefmnp32.exeC:\Windows\system32\Kefmnp32.exe55⤵
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Kiaiooja.exeC:\Windows\system32\Kiaiooja.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Windows\SysWOW64\Kgdijk32.exeC:\Windows\system32\Kgdijk32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Kpkali32.exeC:\Windows\system32\Kpkali32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:840 -
C:\Windows\SysWOW64\Knnagehi.exeC:\Windows\system32\Knnagehi.exe59⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Kbjmhd32.exeC:\Windows\system32\Kbjmhd32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Kamncagl.exeC:\Windows\system32\Kamncagl.exe61⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Kehidp32.exeC:\Windows\system32\Kehidp32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Kicednho.exeC:\Windows\system32\Kicednho.exe63⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Kgffpk32.exeC:\Windows\system32\Kgffpk32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1996 -
C:\Windows\SysWOW64\Kkbbqjgb.exeC:\Windows\system32\Kkbbqjgb.exe65⤵
- Executes dropped EXE
PID:584 -
C:\Windows\SysWOW64\Kjeblf32.exeC:\Windows\system32\Kjeblf32.exe66⤵
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Kaojiqej.exeC:\Windows\system32\Kaojiqej.exe67⤵PID:1656
-
C:\Windows\SysWOW64\Kejfio32.exeC:\Windows\system32\Kejfio32.exe68⤵PID:1292
-
C:\Windows\SysWOW64\Kcmfeldm.exeC:\Windows\system32\Kcmfeldm.exe69⤵
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Kgibeklf.exeC:\Windows\system32\Kgibeklf.exe70⤵PID:3016
-
C:\Windows\SysWOW64\Kjgoaflj.exeC:\Windows\system32\Kjgoaflj.exe71⤵
- Modifies registry class
PID:2324 -
C:\Windows\SysWOW64\Kmeknakn.exeC:\Windows\system32\Kmeknakn.exe72⤵PID:2476
-
C:\Windows\SysWOW64\Kaagnp32.exeC:\Windows\system32\Kaagnp32.exe73⤵PID:2436
-
C:\Windows\SysWOW64\Kemcookp.exeC:\Windows\system32\Kemcookp.exe74⤵PID:2716
-
C:\Windows\SysWOW64\Kfnpgg32.exeC:\Windows\system32\Kfnpgg32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2684 -
C:\Windows\SysWOW64\Kfnpgg32.exeC:\Windows\system32\Kfnpgg32.exe76⤵PID:2680
-
C:\Windows\SysWOW64\Lneghd32.exeC:\Windows\system32\Lneghd32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Laccdp32.exeC:\Windows\system32\Laccdp32.exe78⤵PID:2736
-
C:\Windows\SysWOW64\Lpfdpmho.exeC:\Windows\system32\Lpfdpmho.exe79⤵PID:2156
-
C:\Windows\SysWOW64\Lhnlqjha.exeC:\Windows\system32\Lhnlqjha.exe80⤵PID:988
-
C:\Windows\SysWOW64\Ljlhme32.exeC:\Windows\system32\Ljlhme32.exe81⤵PID:2868
-
C:\Windows\SysWOW64\Lpiqel32.exeC:\Windows\system32\Lpiqel32.exe82⤵PID:1528
-
C:\Windows\SysWOW64\Lbgmah32.exeC:\Windows\system32\Lbgmah32.exe83⤵PID:2120
-
C:\Windows\SysWOW64\Ljnebe32.exeC:\Windows\system32\Ljnebe32.exe84⤵PID:1684
-
C:\Windows\SysWOW64\Lmmaoq32.exeC:\Windows\system32\Lmmaoq32.exe85⤵PID:3048
-
C:\Windows\SysWOW64\Llpajmkq.exeC:\Windows\system32\Llpajmkq.exe86⤵PID:2368
-
C:\Windows\SysWOW64\Ldgikklb.exeC:\Windows\system32\Ldgikklb.exe87⤵PID:2604
-
C:\Windows\SysWOW64\Lfeegfkf.exeC:\Windows\system32\Lfeegfkf.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356 -
C:\Windows\SysWOW64\Lehfcc32.exeC:\Windows\system32\Lehfcc32.exe89⤵PID:2928
-
C:\Windows\SysWOW64\Lmondpbc.exeC:\Windows\system32\Lmondpbc.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2756 -
C:\Windows\SysWOW64\Llbnpm32.exeC:\Windows\system32\Llbnpm32.exe91⤵
- System Location Discovery: System Language Discovery
PID:1516 -
C:\Windows\SysWOW64\Lblflgqk.exeC:\Windows\system32\Lblflgqk.exe92⤵
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Lfgbmf32.exeC:\Windows\system32\Lfgbmf32.exe93⤵
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Lejbhbpn.exeC:\Windows\system32\Lejbhbpn.exe94⤵PID:1620
-
C:\Windows\SysWOW64\Lifoia32.exeC:\Windows\system32\Lifoia32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2340 -
C:\Windows\SysWOW64\Lldkem32.exeC:\Windows\system32\Lldkem32.exe96⤵PID:1632
-
C:\Windows\SysWOW64\Lobgah32.exeC:\Windows\system32\Lobgah32.exe97⤵PID:2620
-
C:\Windows\SysWOW64\Lbncbgoh.exeC:\Windows\system32\Lbncbgoh.exe98⤵PID:2564
-
C:\Windows\SysWOW64\Memonbnl.exeC:\Windows\system32\Memonbnl.exe99⤵PID:3004
-
C:\Windows\SysWOW64\Mihkoa32.exeC:\Windows\system32\Mihkoa32.exe100⤵PID:2128
-
C:\Windows\SysWOW64\Mlfgkleh.exeC:\Windows\system32\Mlfgkleh.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\Mkihfi32.exeC:\Windows\system32\Mkihfi32.exe102⤵
- System Location Discovery: System Language Discovery
PID:1008 -
C:\Windows\SysWOW64\Moecghdl.exeC:\Windows\system32\Moecghdl.exe103⤵PID:1912
-
C:\Windows\SysWOW64\Mbqpgf32.exeC:\Windows\system32\Mbqpgf32.exe104⤵PID:2780
-
C:\Windows\SysWOW64\Mhmhpm32.exeC:\Windows\system32\Mhmhpm32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Mkldli32.exeC:\Windows\system32\Mkldli32.exe106⤵
- Drops file in System32 directory
PID:2224 -
C:\Windows\SysWOW64\Mmjqhd32.exeC:\Windows\system32\Mmjqhd32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Mafmhcam.exeC:\Windows\system32\Mafmhcam.exe108⤵PID:2036
-
C:\Windows\SysWOW64\Meaiia32.exeC:\Windows\system32\Meaiia32.exe109⤵
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Mhpeem32.exeC:\Windows\system32\Mhpeem32.exe110⤵PID:2600
-
C:\Windows\SysWOW64\Mgbeqjpd.exeC:\Windows\system32\Mgbeqjpd.exe111⤵
- Drops file in System32 directory
PID:3032 -
C:\Windows\SysWOW64\Mojmbg32.exeC:\Windows\system32\Mojmbg32.exe112⤵PID:2500
-
C:\Windows\SysWOW64\Mmlmmdga.exeC:\Windows\system32\Mmlmmdga.exe113⤵
- Modifies registry class
PID:684 -
C:\Windows\SysWOW64\Mdfejn32.exeC:\Windows\system32\Mdfejn32.exe114⤵PID:1136
-
C:\Windows\SysWOW64\Mgebfi32.exeC:\Windows\system32\Mgebfi32.exe115⤵
- System Location Discovery: System Language Discovery
PID:1672 -
C:\Windows\SysWOW64\Mkqnghfk.exeC:\Windows\system32\Mkqnghfk.exe116⤵PID:2072
-
C:\Windows\SysWOW64\Mmojcceo.exeC:\Windows\system32\Mmojcceo.exe117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:324 -
C:\Windows\SysWOW64\Mpmfoodb.exeC:\Windows\system32\Mpmfoodb.exe118⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\Mclbkjcf.exeC:\Windows\system32\Mclbkjcf.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Mggoli32.exeC:\Windows\system32\Mggoli32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2984 -
C:\Windows\SysWOW64\Miekhd32.exeC:\Windows\system32\Miekhd32.exe121⤵PID:1148
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-