Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
39s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
14/10/2024, 10:33
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8f960cc9fa472fcd2b8e2d4befa0135a8acd91ceec697f31318811e305531871N.exe
Resource
win7-20240729-en
windows7-x64
9 signatures
120 seconds
General
-
Target
8f960cc9fa472fcd2b8e2d4befa0135a8acd91ceec697f31318811e305531871N.exe
-
Size
163KB
-
MD5
e67ef6dbe0dd53ae85f43a36dec66ba0
-
SHA1
c1874b61ae832d4b75d25ee8c5ad814749079507
-
SHA256
8f960cc9fa472fcd2b8e2d4befa0135a8acd91ceec697f31318811e305531871
-
SHA512
265a5e37ec746baeb93d1f2bf040707b1ed7011d4c88ddafa9a455e6cf5019678ceadfd28a2d798191f04990a19831db85cb16efaf99c9535ce09b31c60ce0da
-
SSDEEP
1536:PiOr4rqUUCyD3wxQG77cG0pUewVlProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:qOrK37cGyUewVltOrWKDBr+yJb
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmdcngbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Helmiiec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phoeomjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cifdmbib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jekoljgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfamko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhkiae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjimpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgeopqfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phhonn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjjakg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebghkjjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emceag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geeekf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlqgob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgpnjkgi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iecohl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkmmpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phhonn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmbagf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhhmle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgqeea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fleihi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imqdcjkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhkiae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdfcaegj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnakjaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qoopie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhqfie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Niaihojk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nhffikob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fpcghl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lophcpam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ccolja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnpbgbdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnhkkjbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnobfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjdmee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfdqpdja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cifdmbib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdpjcaij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onfadc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdcebagp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmijgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqcpfcbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfnfjmgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpemob32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiqdmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aenileon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jplinckj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Copljmpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kfenjq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pegpamoo.exe -
Executes dropped EXE 64 IoCs
pid Process 1100 Nfcdfiob.exe 1796 Nmmlccfp.exe 2900 Nplhooec.exe 2212 Nidmhd32.exe 2668 Ndiaem32.exe 2908 Nfhmai32.exe 1748 Njcibgcf.exe 1956 Omdbdb32.exe 2496 Obakli32.exe 1676 Obcgaill.exe 960 Oafhmf32.exe 2868 Okolfkjg.exe 3008 Oahdce32.exe 640 Olnipn32.exe 1784 Omoehf32.exe 2440 Pghjqlmi.exe 2404 Pppnia32.exe 3032 Pdljjplb.exe 2276 Papkcd32.exe 1672 Pglclk32.exe 1940 Plildb32.exe 932 Pgopak32.exe 1660 Pimlmf32.exe 2032 Ppgdjqna.exe 3060 Pojdem32.exe 1612 Qakmghbm.exe 1216 Qjbehfbo.exe 2160 Qkcbpn32.exe 2772 Qfifmghc.exe 2728 Qhgbibgg.exe 2928 Aaogbh32.exe 2812 Aocgll32.exe 2924 Abachg32.exe 1552 Adppdckh.exe 2096 Abdpngjb.exe 1332 Adbmjbif.exe 1544 Agaifnhi.exe 2872 Ankabh32.exe 1948 Aqimoc32.exe 1232 Achikonn.exe 1996 Afffgjma.exe 1992 Anmnhhmd.exe 2188 Acjfpokk.exe 1668 Afhbljko.exe 788 Bigohejb.exe 684 Bqngjcje.exe 1760 Bjfkbhae.exe 1980 Bkghjq32.exe 1840 Beplcfmd.exe 1512 Bmgddcnf.exe 1508 Bgqeea32.exe 2304 Bgcbja32.exe 2844 Bkonkpqk.exe 2888 Bnmjgkpo.exe 2644 Ccjbobnf.exe 2760 Cgeopqfp.exe 380 Cjdkllec.exe 2580 Cancif32.exe 2984 Ccloea32.exe 2940 Cfkkam32.exe 1484 Cmdcngbd.exe 2004 Cpcpjbah.exe 1308 Ccolja32.exe 1688 Cfmhfm32.exe -
Loads dropped DLL 64 IoCs
pid Process 2380 8f960cc9fa472fcd2b8e2d4befa0135a8acd91ceec697f31318811e305531871N.exe 2380 8f960cc9fa472fcd2b8e2d4befa0135a8acd91ceec697f31318811e305531871N.exe 1100 Nfcdfiob.exe 1100 Nfcdfiob.exe 1796 Nmmlccfp.exe 1796 Nmmlccfp.exe 2900 Nplhooec.exe 2900 Nplhooec.exe 2212 Nidmhd32.exe 2212 Nidmhd32.exe 2668 Ndiaem32.exe 2668 Ndiaem32.exe 2908 Nfhmai32.exe 2908 Nfhmai32.exe 1748 Njcibgcf.exe 1748 Njcibgcf.exe 1956 Omdbdb32.exe 1956 Omdbdb32.exe 2496 Obakli32.exe 2496 Obakli32.exe 1676 Obcgaill.exe 1676 Obcgaill.exe 960 Oafhmf32.exe 960 Oafhmf32.exe 2868 Okolfkjg.exe 2868 Okolfkjg.exe 3008 Oahdce32.exe 3008 Oahdce32.exe 640 Olnipn32.exe 640 Olnipn32.exe 1784 Omoehf32.exe 1784 Omoehf32.exe 2440 Pghjqlmi.exe 2440 Pghjqlmi.exe 2404 Pppnia32.exe 2404 Pppnia32.exe 3032 Pdljjplb.exe 3032 Pdljjplb.exe 2276 Papkcd32.exe 2276 Papkcd32.exe 1672 Pglclk32.exe 1672 Pglclk32.exe 1940 Plildb32.exe 1940 Plildb32.exe 932 Pgopak32.exe 932 Pgopak32.exe 1660 Pimlmf32.exe 1660 Pimlmf32.exe 2032 Ppgdjqna.exe 2032 Ppgdjqna.exe 3060 Pojdem32.exe 3060 Pojdem32.exe 1612 Qakmghbm.exe 1612 Qakmghbm.exe 1216 Qjbehfbo.exe 1216 Qjbehfbo.exe 2160 Qkcbpn32.exe 2160 Qkcbpn32.exe 2772 Qfifmghc.exe 2772 Qfifmghc.exe 2728 Qhgbibgg.exe 2728 Qhgbibgg.exe 2928 Aaogbh32.exe 2928 Aaogbh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Hnikmnho.exe Hfbckagm.exe File created C:\Windows\SysWOW64\Ndhlfh32.exe Process not Found File created C:\Windows\SysWOW64\Bkhfmlhk.dll Process not Found File opened for modification C:\Windows\SysWOW64\Hcajjf32.exe Hqbnnj32.exe File created C:\Windows\SysWOW64\Djdkcf32.dll Ldfgbb32.exe File created C:\Windows\SysWOW64\Ocbbbd32.exe Process not Found File created C:\Windows\SysWOW64\Ddqeodjj.exe Dabicikf.exe File created C:\Windows\SysWOW64\Ancacpck.dll Dedkbb32.exe File created C:\Windows\SysWOW64\Lmlofhmb.exe Lknbjlnn.exe File opened for modification C:\Windows\SysWOW64\Jdbhcfjd.exe Jadlgjjq.exe File created C:\Windows\SysWOW64\Cakoqh32.dll Jckkhplq.exe File opened for modification C:\Windows\SysWOW64\Lddjmb32.exe Lmjbphod.exe File created C:\Windows\SysWOW64\Ghpngkhm.exe Process not Found File opened for modification C:\Windows\SysWOW64\Mnpbgbdd.exe Mjeffc32.exe File created C:\Windows\SysWOW64\Jnenmnck.dll Bdehgnqc.exe File opened for modification C:\Windows\SysWOW64\Gcdmikma.exe Gpfpmonn.exe File opened for modification C:\Windows\SysWOW64\Picdejbg.exe Process not Found File created C:\Windows\SysWOW64\Mkljhe32.dll Dcaghm32.exe File created C:\Windows\SysWOW64\Jjgpjjak.exe Jcmhmp32.exe File opened for modification C:\Windows\SysWOW64\Linfpi32.exe Lgpjcnhh.exe File created C:\Windows\SysWOW64\Apeflmjc.exe Anfjpa32.exe File created C:\Windows\SysWOW64\Fldmcknm.dll Helmiiec.exe File opened for modification C:\Windows\SysWOW64\Ckbccnji.exe Cicggcke.exe File created C:\Windows\SysWOW64\Cbekip32.dll Ljhppo32.exe File created C:\Windows\SysWOW64\Eiijopan.dll Jcodcp32.exe File created C:\Windows\SysWOW64\Qmffaheh.dll Process not Found File created C:\Windows\SysWOW64\Dpolmb32.dll Eecgafkj.exe File opened for modification C:\Windows\SysWOW64\Ckamihfm.exe Ccjehkek.exe File opened for modification C:\Windows\SysWOW64\Jijqeg32.exe Jjgpjjak.exe File opened for modification C:\Windows\SysWOW64\Ombhgljn.exe Ojdlkp32.exe File created C:\Windows\SysWOW64\Nokdnail.exe Process not Found File created C:\Windows\SysWOW64\Iananl32.dll Process not Found File created C:\Windows\SysWOW64\Iamjghnm.exe Hnomkloi.exe File opened for modification C:\Windows\SysWOW64\Lddagi32.exe Lafekm32.exe File created C:\Windows\SysWOW64\Fnhpam32.dll Imccab32.exe File created C:\Windows\SysWOW64\Jjhfan32.dll Dbqajk32.exe File created C:\Windows\SysWOW64\Djqdgfho.dll Hmlmacfn.exe File created C:\Windows\SysWOW64\Oofeeflg.dll Ebmjihqn.exe File created C:\Windows\SysWOW64\Ijbjpg32.exe Igdndl32.exe File opened for modification C:\Windows\SysWOW64\Phmkaf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ccolja32.exe Cpcpjbah.exe File created C:\Windows\SysWOW64\Eipjmk32.exe Ekmjanpd.exe File created C:\Windows\SysWOW64\Lgjcdc32.exe Lppkgi32.exe File created C:\Windows\SysWOW64\Enqgpadi.dll Fangfcki.exe File opened for modification C:\Windows\SysWOW64\Lielphqc.exe Lggpdmap.exe File created C:\Windows\SysWOW64\Bhkjbbln.dll Process not Found File opened for modification C:\Windows\SysWOW64\Jmejmm32.exe Jkfnaa32.exe File opened for modification C:\Windows\SysWOW64\Hkndiabh.exe Hiphmf32.exe File opened for modification C:\Windows\SysWOW64\Phelnhnb.exe Pegpamoo.exe File created C:\Windows\SysWOW64\Kggeijok.dll Bnkpjd32.exe File created C:\Windows\SysWOW64\Agffkn32.dll Eodknifb.exe File created C:\Windows\SysWOW64\Nfbmlckg.exe Nbgakd32.exe File created C:\Windows\SysWOW64\Dpphipbk.exe Damhmc32.exe File opened for modification C:\Windows\SysWOW64\Fdmjmenh.exe Fclmem32.exe File opened for modification C:\Windows\SysWOW64\Dcgmgh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Llcfck32.exe Lhhjcmpj.exe File created C:\Windows\SysWOW64\Mkkpjg32.exe Mgodjico.exe File created C:\Windows\SysWOW64\Nqdaal32.exe Nnfeep32.exe File created C:\Windows\SysWOW64\Dlfobc32.dll Hnikmnho.exe File created C:\Windows\SysWOW64\Bkgchckl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Cmimif32.exe Cjkamk32.exe File created C:\Windows\SysWOW64\Gcgpiq32.exe Gqidme32.exe File created C:\Windows\SysWOW64\Iofiimkd.exe Ikkmho32.exe File opened for modification C:\Windows\SysWOW64\Cmgpcg32.exe Cfmhfm32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 11188 11036 Process not Found 1241 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaogbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkgbioee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eidchjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adppdckh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkiknb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjfhile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofohkgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njdbefnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcihdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfjaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giikkehc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkaaee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afqeaemk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hobjia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdapggln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdljjplb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jadlgjjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmllgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcfob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdehgnqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijolbfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbcha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjkamk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icjmpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmgnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkbkfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjolpkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kplfmfmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eccdmmpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipcjje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iecohl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfnjqifb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dabkla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pikaqppk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jajbfeop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkghjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggkdlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpdbdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecgafkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccloea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkigfdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phmiimlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqdcgib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imcaijia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnoaliln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdcebagp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npngng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dicmlpje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehdpcahk.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcdqeq32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ododdlcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imaglc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efiamj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cabjhddb.dll" Ilceog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adhohapp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkjcqj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mahbhjpe.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmejmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iapfmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijbjpg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpaoojjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blndhdgi.dll" Emceag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdehgnqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmhmgbif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcihdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjlacoca.dll" Feccqime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Degdgl32.dll" Pebbeq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkpieggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akfaof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dedkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmbehilp.dll" Ibplji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjdcdjcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdeaim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aniffaim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pimlmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hndaao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gaaonn32.dll" Kobfqc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbnckg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jffakm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okdqnp32.dll" Faedpdcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbokda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faljqcmk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcegqmpg.dll" Mkpieggc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhalelik.dll" Oaaghp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjoflc32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gllabp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmnkma32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhdlbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmifofko.dll" Lafekm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fijolbfh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfhpjaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfdmqoad.dll" Fkbadifn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbfklolh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnbqeoe.dll" Lgphke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkomepon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifloeo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eiimci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phhonn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hobjia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcajlbce.dll" Bbolge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccjehkek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpfioeef.dll" Eolljk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqhhbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgnaekil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoeqbo32.dll" Phmiimlf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnakjaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqjmdg32.dll" Ccloea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmgpcg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2380 wrote to memory of 1100 2380 8f960cc9fa472fcd2b8e2d4befa0135a8acd91ceec697f31318811e305531871N.exe 29 PID 2380 wrote to memory of 1100 2380 8f960cc9fa472fcd2b8e2d4befa0135a8acd91ceec697f31318811e305531871N.exe 29 PID 2380 wrote to memory of 1100 2380 8f960cc9fa472fcd2b8e2d4befa0135a8acd91ceec697f31318811e305531871N.exe 29 PID 2380 wrote to memory of 1100 2380 8f960cc9fa472fcd2b8e2d4befa0135a8acd91ceec697f31318811e305531871N.exe 29 PID 1100 wrote to memory of 1796 1100 Nfcdfiob.exe 30 PID 1100 wrote to memory of 1796 1100 Nfcdfiob.exe 30 PID 1100 wrote to memory of 1796 1100 Nfcdfiob.exe 30 PID 1100 wrote to memory of 1796 1100 Nfcdfiob.exe 30 PID 1796 wrote to memory of 2900 1796 Nmmlccfp.exe 31 PID 1796 wrote to memory of 2900 1796 Nmmlccfp.exe 31 PID 1796 wrote to memory of 2900 1796 Nmmlccfp.exe 31 PID 1796 wrote to memory of 2900 1796 Nmmlccfp.exe 31 PID 2900 wrote to memory of 2212 2900 Nplhooec.exe 32 PID 2900 wrote to memory of 2212 2900 Nplhooec.exe 32 PID 2900 wrote to memory of 2212 2900 Nplhooec.exe 32 PID 2900 wrote to memory of 2212 2900 Nplhooec.exe 32 PID 2212 wrote to memory of 2668 2212 Nidmhd32.exe 33 PID 2212 wrote to memory of 2668 2212 Nidmhd32.exe 33 PID 2212 wrote to memory of 2668 2212 Nidmhd32.exe 33 PID 2212 wrote to memory of 2668 2212 Nidmhd32.exe 33 PID 2668 wrote to memory of 2908 2668 Ndiaem32.exe 34 PID 2668 wrote to memory of 2908 2668 Ndiaem32.exe 34 PID 2668 wrote to memory of 2908 2668 Ndiaem32.exe 34 PID 2668 wrote to memory of 2908 2668 Ndiaem32.exe 34 PID 2908 wrote to memory of 1748 2908 Nfhmai32.exe 35 PID 2908 wrote to memory of 1748 2908 Nfhmai32.exe 35 PID 2908 wrote to memory of 1748 2908 Nfhmai32.exe 35 PID 2908 wrote to memory of 1748 2908 Nfhmai32.exe 35 PID 1748 wrote to memory of 1956 1748 Njcibgcf.exe 36 PID 1748 wrote to memory of 1956 1748 Njcibgcf.exe 36 PID 1748 wrote to memory of 1956 1748 Njcibgcf.exe 36 PID 1748 wrote to memory of 1956 1748 Njcibgcf.exe 36 PID 1956 wrote to memory of 2496 1956 Omdbdb32.exe 37 PID 1956 wrote to memory of 2496 1956 Omdbdb32.exe 37 PID 1956 wrote to memory of 2496 1956 Omdbdb32.exe 37 PID 1956 wrote to memory of 2496 1956 Omdbdb32.exe 37 PID 2496 wrote to memory of 1676 2496 Obakli32.exe 38 PID 2496 wrote to memory of 1676 2496 Obakli32.exe 38 PID 2496 wrote to memory of 1676 2496 Obakli32.exe 38 PID 2496 wrote to memory of 1676 2496 Obakli32.exe 38 PID 1676 wrote to memory of 960 1676 Obcgaill.exe 39 PID 1676 wrote to memory of 960 1676 Obcgaill.exe 39 PID 1676 wrote to memory of 960 1676 Obcgaill.exe 39 PID 1676 wrote to memory of 960 1676 Obcgaill.exe 39 PID 960 wrote to memory of 2868 960 Oafhmf32.exe 40 PID 960 wrote to memory of 2868 960 Oafhmf32.exe 40 PID 960 wrote to memory of 2868 960 Oafhmf32.exe 40 PID 960 wrote to memory of 2868 960 Oafhmf32.exe 40 PID 2868 wrote to memory of 3008 2868 Okolfkjg.exe 41 PID 2868 wrote to memory of 3008 2868 Okolfkjg.exe 41 PID 2868 wrote to memory of 3008 2868 Okolfkjg.exe 41 PID 2868 wrote to memory of 3008 2868 Okolfkjg.exe 41 PID 3008 wrote to memory of 640 3008 Oahdce32.exe 42 PID 3008 wrote to memory of 640 3008 Oahdce32.exe 42 PID 3008 wrote to memory of 640 3008 Oahdce32.exe 42 PID 3008 wrote to memory of 640 3008 Oahdce32.exe 42 PID 640 wrote to memory of 1784 640 Olnipn32.exe 43 PID 640 wrote to memory of 1784 640 Olnipn32.exe 43 PID 640 wrote to memory of 1784 640 Olnipn32.exe 43 PID 640 wrote to memory of 1784 640 Olnipn32.exe 43 PID 1784 wrote to memory of 2440 1784 Omoehf32.exe 44 PID 1784 wrote to memory of 2440 1784 Omoehf32.exe 44 PID 1784 wrote to memory of 2440 1784 Omoehf32.exe 44 PID 1784 wrote to memory of 2440 1784 Omoehf32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\8f960cc9fa472fcd2b8e2d4befa0135a8acd91ceec697f31318811e305531871N.exe"C:\Users\Admin\AppData\Local\Temp\8f960cc9fa472fcd2b8e2d4befa0135a8acd91ceec697f31318811e305531871N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Nfcdfiob.exeC:\Windows\system32\Nfcdfiob.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Nmmlccfp.exeC:\Windows\system32\Nmmlccfp.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Nplhooec.exeC:\Windows\system32\Nplhooec.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Nidmhd32.exeC:\Windows\system32\Nidmhd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Ndiaem32.exeC:\Windows\system32\Ndiaem32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Nfhmai32.exeC:\Windows\system32\Nfhmai32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Njcibgcf.exeC:\Windows\system32\Njcibgcf.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Omdbdb32.exeC:\Windows\system32\Omdbdb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Obakli32.exeC:\Windows\system32\Obakli32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Obcgaill.exeC:\Windows\system32\Obcgaill.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Oafhmf32.exeC:\Windows\system32\Oafhmf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\Okolfkjg.exeC:\Windows\system32\Okolfkjg.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Oahdce32.exeC:\Windows\system32\Oahdce32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Olnipn32.exeC:\Windows\system32\Olnipn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:640 -
C:\Windows\SysWOW64\Omoehf32.exeC:\Windows\system32\Omoehf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1784 -
C:\Windows\SysWOW64\Pghjqlmi.exeC:\Windows\system32\Pghjqlmi.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Pppnia32.exeC:\Windows\system32\Pppnia32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2404 -
C:\Windows\SysWOW64\Pdljjplb.exeC:\Windows\system32\Pdljjplb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Papkcd32.exeC:\Windows\system32\Papkcd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Pglclk32.exeC:\Windows\system32\Pglclk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1672 -
C:\Windows\SysWOW64\Plildb32.exeC:\Windows\system32\Plildb32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Pgopak32.exeC:\Windows\system32\Pgopak32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:932 -
C:\Windows\SysWOW64\Pimlmf32.exeC:\Windows\system32\Pimlmf32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Ppgdjqna.exeC:\Windows\system32\Ppgdjqna.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2032 -
C:\Windows\SysWOW64\Pojdem32.exeC:\Windows\system32\Pojdem32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3060 -
C:\Windows\SysWOW64\Qakmghbm.exeC:\Windows\system32\Qakmghbm.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Qjbehfbo.exeC:\Windows\system32\Qjbehfbo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1216 -
C:\Windows\SysWOW64\Qkcbpn32.exeC:\Windows\system32\Qkcbpn32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Qfifmghc.exeC:\Windows\system32\Qfifmghc.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2772 -
C:\Windows\SysWOW64\Qhgbibgg.exeC:\Windows\system32\Qhgbibgg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2728 -
C:\Windows\SysWOW64\Aaogbh32.exeC:\Windows\system32\Aaogbh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2928 -
C:\Windows\SysWOW64\Aocgll32.exeC:\Windows\system32\Aocgll32.exe33⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Abachg32.exeC:\Windows\system32\Abachg32.exe34⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Adppdckh.exeC:\Windows\system32\Adppdckh.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1552 -
C:\Windows\SysWOW64\Abdpngjb.exeC:\Windows\system32\Abdpngjb.exe36⤵
- Executes dropped EXE
PID:2096 -
C:\Windows\SysWOW64\Adbmjbif.exeC:\Windows\system32\Adbmjbif.exe37⤵
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Agaifnhi.exeC:\Windows\system32\Agaifnhi.exe38⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Ankabh32.exeC:\Windows\system32\Ankabh32.exe39⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Aqimoc32.exeC:\Windows\system32\Aqimoc32.exe40⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Achikonn.exeC:\Windows\system32\Achikonn.exe41⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Afffgjma.exeC:\Windows\system32\Afffgjma.exe42⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Anmnhhmd.exeC:\Windows\system32\Anmnhhmd.exe43⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Acjfpokk.exeC:\Windows\system32\Acjfpokk.exe44⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Afhbljko.exeC:\Windows\system32\Afhbljko.exe45⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Bigohejb.exeC:\Windows\system32\Bigohejb.exe46⤵
- Executes dropped EXE
PID:788 -
C:\Windows\SysWOW64\Bqngjcje.exeC:\Windows\system32\Bqngjcje.exe47⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Bjfkbhae.exeC:\Windows\system32\Bjfkbhae.exe48⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Bkghjq32.exeC:\Windows\system32\Bkghjq32.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1980 -
C:\Windows\SysWOW64\Beplcfmd.exeC:\Windows\system32\Beplcfmd.exe50⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Bmgddcnf.exeC:\Windows\system32\Bmgddcnf.exe51⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Bgqeea32.exeC:\Windows\system32\Bgqeea32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Bgcbja32.exeC:\Windows\system32\Bgcbja32.exe53⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Bkonkpqk.exeC:\Windows\system32\Bkonkpqk.exe54⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Bnmjgkpo.exeC:\Windows\system32\Bnmjgkpo.exe55⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Ccjbobnf.exeC:\Windows\system32\Ccjbobnf.exe56⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Cgeopqfp.exeC:\Windows\system32\Cgeopqfp.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Cjdkllec.exeC:\Windows\system32\Cjdkllec.exe58⤵
- Executes dropped EXE
PID:380 -
C:\Windows\SysWOW64\Cancif32.exeC:\Windows\system32\Cancif32.exe59⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Ccloea32.exeC:\Windows\system32\Ccloea32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Cfkkam32.exeC:\Windows\system32\Cfkkam32.exe61⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Cmdcngbd.exeC:\Windows\system32\Cmdcngbd.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Cpcpjbah.exeC:\Windows\system32\Cpcpjbah.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Ccolja32.exeC:\Windows\system32\Ccolja32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Cfmhfm32.exeC:\Windows\system32\Cfmhfm32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1688 -
C:\Windows\SysWOW64\Cmgpcg32.exeC:\Windows\system32\Cmgpcg32.exe66⤵
- Modifies registry class
PID:2192 -
C:\Windows\SysWOW64\Cpemob32.exeC:\Windows\system32\Cpemob32.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1584 -
C:\Windows\SysWOW64\Cbcikn32.exeC:\Windows\system32\Cbcikn32.exe68⤵PID:948
-
C:\Windows\SysWOW64\Cjkamk32.exeC:\Windows\system32\Cjkamk32.exe69⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\Cmimif32.exeC:\Windows\system32\Cmimif32.exe70⤵PID:796
-
C:\Windows\SysWOW64\Cllmdcej.exeC:\Windows\system32\Cllmdcej.exe71⤵PID:2332
-
C:\Windows\SysWOW64\Ccceeqfl.exeC:\Windows\system32\Ccceeqfl.exe72⤵PID:988
-
C:\Windows\SysWOW64\Cedbmi32.exeC:\Windows\system32\Cedbmi32.exe73⤵PID:2896
-
C:\Windows\SysWOW64\Dmljnfll.exeC:\Windows\system32\Dmljnfll.exe74⤵PID:2716
-
C:\Windows\SysWOW64\Dpjfjalp.exeC:\Windows\system32\Dpjfjalp.exe75⤵PID:568
-
C:\Windows\SysWOW64\Dbhbfmkd.exeC:\Windows\system32\Dbhbfmkd.exe76⤵PID:2652
-
C:\Windows\SysWOW64\Degobhjg.exeC:\Windows\system32\Degobhjg.exe77⤵PID:2180
-
C:\Windows\SysWOW64\Dhekodik.exeC:\Windows\system32\Dhekodik.exe78⤵PID:2504
-
C:\Windows\SysWOW64\Dlqgob32.exeC:\Windows\system32\Dlqgob32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:908 -
C:\Windows\SysWOW64\Dbkolmia.exeC:\Windows\system32\Dbkolmia.exe80⤵PID:2988
-
C:\Windows\SysWOW64\Deikhhhe.exeC:\Windows\system32\Deikhhhe.exe81⤵PID:2536
-
C:\Windows\SysWOW64\Dhggdcgh.exeC:\Windows\system32\Dhggdcgh.exe82⤵PID:940
-
C:\Windows\SysWOW64\Dkfcqo32.exeC:\Windows\system32\Dkfcqo32.exe83⤵PID:2228
-
C:\Windows\SysWOW64\Dbmlal32.exeC:\Windows\system32\Dbmlal32.exe84⤵PID:2220
-
C:\Windows\SysWOW64\Daplmimi.exeC:\Windows\system32\Daplmimi.exe85⤵PID:592
-
C:\Windows\SysWOW64\Dhjdjc32.exeC:\Windows\system32\Dhjdjc32.exe86⤵PID:1428
-
C:\Windows\SysWOW64\Dlepjbmo.exeC:\Windows\system32\Dlepjbmo.exe87⤵PID:1348
-
C:\Windows\SysWOW64\Dmgmbj32.exeC:\Windows\system32\Dmgmbj32.exe88⤵PID:1740
-
C:\Windows\SysWOW64\Dabicikf.exeC:\Windows\system32\Dabicikf.exe89⤵
- Drops file in System32 directory
PID:2952 -
C:\Windows\SysWOW64\Ddqeodjj.exeC:\Windows\system32\Ddqeodjj.exe90⤵PID:3012
-
C:\Windows\SysWOW64\Dgoakpjn.exeC:\Windows\system32\Dgoakpjn.exe91⤵PID:2704
-
C:\Windows\SysWOW64\Dmiihjak.exeC:\Windows\system32\Dmiihjak.exe92⤵PID:2144
-
C:\Windows\SysWOW64\Dadehh32.exeC:\Windows\system32\Dadehh32.exe93⤵PID:2480
-
C:\Windows\SysWOW64\Dpgedepn.exeC:\Windows\system32\Dpgedepn.exe94⤵PID:1292
-
C:\Windows\SysWOW64\Ekmjanpd.exeC:\Windows\system32\Ekmjanpd.exe95⤵
- Drops file in System32 directory
PID:2524 -
C:\Windows\SysWOW64\Eipjmk32.exeC:\Windows\system32\Eipjmk32.exe96⤵PID:1984
-
C:\Windows\SysWOW64\Eagbnh32.exeC:\Windows\system32\Eagbnh32.exe97⤵PID:1540
-
C:\Windows\SysWOW64\Epjbienl.exeC:\Windows\system32\Epjbienl.exe98⤵PID:2064
-
C:\Windows\SysWOW64\Echoepmo.exeC:\Windows\system32\Echoepmo.exe99⤵PID:648
-
C:\Windows\SysWOW64\Ekofgnna.exeC:\Windows\system32\Ekofgnna.exe100⤵PID:2612
-
C:\Windows\SysWOW64\Eibgbj32.exeC:\Windows\system32\Eibgbj32.exe101⤵PID:2848
-
C:\Windows\SysWOW64\Elqcnfdp.exeC:\Windows\system32\Elqcnfdp.exe102⤵PID:2516
-
C:\Windows\SysWOW64\Edhkpcdb.exeC:\Windows\system32\Edhkpcdb.exe103⤵PID:2944
-
C:\Windows\SysWOW64\Egfglocf.exeC:\Windows\system32\Egfglocf.exe104⤵PID:2052
-
C:\Windows\SysWOW64\Eidchjbi.exeC:\Windows\system32\Eidchjbi.exe105⤵
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Windows\SysWOW64\Elcpdeam.exeC:\Windows\system32\Elcpdeam.exe106⤵PID:2960
-
C:\Windows\SysWOW64\Ecmhqp32.exeC:\Windows\system32\Ecmhqp32.exe107⤵PID:2628
-
C:\Windows\SysWOW64\Eekdmk32.exeC:\Windows\system32\Eekdmk32.exe108⤵PID:964
-
C:\Windows\SysWOW64\Ehjqif32.exeC:\Windows\system32\Ehjqif32.exe109⤵PID:1644
-
C:\Windows\SysWOW64\Epqhjdhc.exeC:\Windows\system32\Epqhjdhc.exe110⤵PID:2184
-
C:\Windows\SysWOW64\Eabeal32.exeC:\Windows\system32\Eabeal32.exe111⤵PID:1904
-
C:\Windows\SysWOW64\Eiimci32.exeC:\Windows\system32\Eiimci32.exe112⤵
- Modifies registry class
PID:1008 -
C:\Windows\SysWOW64\Elgioe32.exeC:\Windows\system32\Elgioe32.exe113⤵PID:2120
-
C:\Windows\SysWOW64\Fofekp32.exeC:\Windows\system32\Fofekp32.exe114⤵PID:1492
-
C:\Windows\SysWOW64\Fadagl32.exeC:\Windows\system32\Fadagl32.exe115⤵PID:2732
-
C:\Windows\SysWOW64\Fepnhjdh.exeC:\Windows\system32\Fepnhjdh.exe116⤵PID:2776
-
C:\Windows\SysWOW64\Fljfdd32.exeC:\Windows\system32\Fljfdd32.exe117⤵PID:2136
-
C:\Windows\SysWOW64\Fkmfpabp.exeC:\Windows\system32\Fkmfpabp.exe118⤵PID:2288
-
C:\Windows\SysWOW64\Fnkblm32.exeC:\Windows\system32\Fnkblm32.exe119⤵PID:1288
-
C:\Windows\SysWOW64\Fhqfie32.exeC:\Windows\system32\Fhqfie32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:784 -
C:\Windows\SysWOW64\Fkocfa32.exeC:\Windows\system32\Fkocfa32.exe121⤵PID:2500
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-