Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
68s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
17/10/2024, 22:40
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
8aabe20176c5a1e5763298f51e6ce790269502cb3a5fc2c888469da38664ba55N.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
8aabe20176c5a1e5763298f51e6ce790269502cb3a5fc2c888469da38664ba55N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
8aabe20176c5a1e5763298f51e6ce790269502cb3a5fc2c888469da38664ba55N.exe
-
Size
64KB
-
MD5
a1be047dbef85f0564ab031186c7bfa0
-
SHA1
7763920194f7528c363795aa8c98ddbec3e7df63
-
SHA256
8aabe20176c5a1e5763298f51e6ce790269502cb3a5fc2c888469da38664ba55
-
SHA512
bb9b3738941415e075cf519d3273babfa3c5e4f73de5971e00f38aa654412f2b02eda631093cc80dc8dfc9514e3f961fda937c44d514795d8bd9e255b74e16e9
-
SSDEEP
1536:0Oxzsy+WWG4RS7AnnnYu8FScu12g2LlyXdZgQe:zxzB+1G4dnnb1cvlyXds
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fagqed32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnpknl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dopdgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohfgeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkbcjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgnbepjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iokdaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljpqlqmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdhlphff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bakgmgpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pppnia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkiooocb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkhjcing.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjjcdp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbolce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcgdgnmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pafacd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hemggm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkkmln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eoalpaaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keehmobp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Himkgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhdcbjal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhaobd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aijgemok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akpfmnmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cocnanmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fidmniqa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iniidj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmobpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adohpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnnohmog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enijcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpeebhhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amdmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdcebagp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jjqlbdog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lphlck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohmljj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aahhoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noiiaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfbmlckg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlqdmj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meafpibb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lebcdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbnpcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghcdpjqj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mkihfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jifhdphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khmnio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbocak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kopikdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkigfdjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Appfggjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejhhcdjm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gokpgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idojon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ocbekmpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieaekdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcfpmlll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cabldeik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmmcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmjoe32.exe -
Executes dropped EXE 64 IoCs
pid Process 2560 Idkcjk32.exe 2380 Iaoddodf.exe 2576 Idnppjcj.exe 2952 Ifqfge32.exe 2988 Ibgglfdl.exe 2920 Jlbhjkij.exe 2796 Jifhdphd.exe 2388 Jaamhb32.exe 3036 Jhnbklji.exe 2964 Knmghb32.exe 2632 Kgelahmn.exe 2540 Kdilkllh.exe 432 Kldaon32.exe 2428 Kpbiempj.exe 2152 Khmnio32.exe 2120 Lojclibo.exe 1144 Lbjlnd32.exe 2628 Lbmicc32.exe 2500 Ljhngfkh.exe 2592 Ldnbeokn.exe 772 Mcbofk32.exe 2440 Mcekkkmc.exe 2208 Mfchgflg.exe 2192 Mcghajkq.exe 2672 Mlbmem32.exe 2660 Mlejkl32.exe 2200 Nnfbmgcj.exe 1628 Nhngem32.exe 1128 Nplhooec.exe 2872 Njammhei.exe 2732 Ndiaem32.exe 3020 Oppbjn32.exe 2860 Opbopn32.exe 2844 Oikcicfl.exe 2704 Obcgaill.exe 2080 Okolfkjg.exe 1884 Oedqcdim.exe 2916 Omoehf32.exe 2140 Pooaaink.exe 1556 Pppnia32.exe 1748 Pcagkmaj.exe 1612 Qhgbibgg.exe 2512 Anfggicl.exe 2368 Ahllda32.exe 2228 Ajmhljip.exe 832 Acemeo32.exe 2328 Ajoebigm.exe 108 Afffgjma.exe 1700 Anmnhhmd.exe 2824 Acjfpokk.exe 1504 Bigohejb.exe 2308 Bbocak32.exe 1640 Biikne32.exe 756 Bocckoom.exe 2928 Beplcfmd.exe 2972 Bebiifka.exe 2740 Bedene32.exe 2352 Bbhfgj32.exe 1872 Cgeopqfp.exe 1876 Ccloea32.exe 2764 Cjfgalcq.exe 396 Cgjhkpbj.exe 2304 Cabldeik.exe 1304 Cfoellgb.exe -
Loads dropped DLL 64 IoCs
pid Process 2116 8aabe20176c5a1e5763298f51e6ce790269502cb3a5fc2c888469da38664ba55N.exe 2116 8aabe20176c5a1e5763298f51e6ce790269502cb3a5fc2c888469da38664ba55N.exe 2560 Idkcjk32.exe 2560 Idkcjk32.exe 2380 Iaoddodf.exe 2380 Iaoddodf.exe 2576 Idnppjcj.exe 2576 Idnppjcj.exe 2952 Ifqfge32.exe 2952 Ifqfge32.exe 2988 Ibgglfdl.exe 2988 Ibgglfdl.exe 2920 Jlbhjkij.exe 2920 Jlbhjkij.exe 2796 Jifhdphd.exe 2796 Jifhdphd.exe 2388 Jaamhb32.exe 2388 Jaamhb32.exe 3036 Jhnbklji.exe 3036 Jhnbklji.exe 2964 Knmghb32.exe 2964 Knmghb32.exe 2632 Kgelahmn.exe 2632 Kgelahmn.exe 2540 Kdilkllh.exe 2540 Kdilkllh.exe 432 Kldaon32.exe 432 Kldaon32.exe 2428 Kpbiempj.exe 2428 Kpbiempj.exe 2152 Khmnio32.exe 2152 Khmnio32.exe 2120 Lojclibo.exe 2120 Lojclibo.exe 1144 Lbjlnd32.exe 1144 Lbjlnd32.exe 2628 Lbmicc32.exe 2628 Lbmicc32.exe 2500 Ljhngfkh.exe 2500 Ljhngfkh.exe 2592 Ldnbeokn.exe 2592 Ldnbeokn.exe 772 Mcbofk32.exe 772 Mcbofk32.exe 2440 Mcekkkmc.exe 2440 Mcekkkmc.exe 2208 Mfchgflg.exe 2208 Mfchgflg.exe 2192 Mcghajkq.exe 2192 Mcghajkq.exe 2672 Mlbmem32.exe 2672 Mlbmem32.exe 2660 Mlejkl32.exe 2660 Mlejkl32.exe 2200 Nnfbmgcj.exe 2200 Nnfbmgcj.exe 1628 Nhngem32.exe 1628 Nhngem32.exe 1128 Nplhooec.exe 1128 Nplhooec.exe 2872 Njammhei.exe 2872 Njammhei.exe 2732 Ndiaem32.exe 2732 Ndiaem32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Dbcnpk32.exe Dmffhd32.exe File created C:\Windows\SysWOW64\Pfhofj32.dll Jifkmh32.exe File created C:\Windows\SysWOW64\Eekpknlf.exe Eeicenni.exe File opened for modification C:\Windows\SysWOW64\Ohgnoeii.exe Ngcebnen.exe File opened for modification C:\Windows\SysWOW64\Pooaaink.exe Omoehf32.exe File created C:\Windows\SysWOW64\Hpdalj32.dll Hjmolp32.exe File created C:\Windows\SysWOW64\Kkmddm32.dll Fjdqbbkp.exe File opened for modification C:\Windows\SysWOW64\Gmgenh32.exe Fcoaebjc.exe File created C:\Windows\SysWOW64\Kkigfdjo.exe Kdooij32.exe File created C:\Windows\SysWOW64\Dfnalqca.dll Jfnaok32.exe File created C:\Windows\SysWOW64\Lgodphlm.dll Ogldfl32.exe File opened for modification C:\Windows\SysWOW64\Mhdcbjal.exe Mlnbmikh.exe File opened for modification C:\Windows\SysWOW64\Iionacad.exe Iniidj32.exe File opened for modification C:\Windows\SysWOW64\Anfggicl.exe Qhgbibgg.exe File opened for modification C:\Windows\SysWOW64\Fofhdidp.exe Fhlogo32.exe File opened for modification C:\Windows\SysWOW64\Gokpgd32.exe Geckno32.exe File created C:\Windows\SysWOW64\Kmdbdfeg.dll Cocnanmd.exe File created C:\Windows\SysWOW64\Bjeecj32.dll Dghekobe.exe File opened for modification C:\Windows\SysWOW64\Pjhaec32.exe Pmdalo32.exe File created C:\Windows\SysWOW64\Edjdel32.dll Nimaic32.exe File opened for modification C:\Windows\SysWOW64\Poddphee.exe Pbnckg32.exe File created C:\Windows\SysWOW64\Hdcebagp.exe Hnimeg32.exe File created C:\Windows\SysWOW64\Koenkl32.dll Jjqlbdog.exe File opened for modification C:\Windows\SysWOW64\Phmiimlf.exe Poddphee.exe File created C:\Windows\SysWOW64\Dconnjln.dll Kopldl32.exe File opened for modification C:\Windows\SysWOW64\Dpkpie32.exe Dcgppana.exe File created C:\Windows\SysWOW64\Ooncljom.exe Nhbnjpic.exe File opened for modification C:\Windows\SysWOW64\Pbnfdpge.exe Opicgenj.exe File created C:\Windows\SysWOW64\Apbblg32.exe Aihjpman.exe File created C:\Windows\SysWOW64\Pkcnkj32.dll Aolihc32.exe File created C:\Windows\SysWOW64\Haoikd32.dll Iqdbqp32.exe File opened for modification C:\Windows\SysWOW64\Lpekln32.exe Likbpceb.exe File created C:\Windows\SysWOW64\Lakqoe32.exe Lhclfphg.exe File opened for modification C:\Windows\SysWOW64\Cdjckfda.exe Cnpknl32.exe File created C:\Windows\SysWOW64\Phmiimlf.exe Poddphee.exe File opened for modification C:\Windows\SysWOW64\Obdjjb32.exe Oljanhmc.exe File opened for modification C:\Windows\SysWOW64\Dihojnqo.exe Dqmkflcd.exe File created C:\Windows\SysWOW64\Mefiog32.exe Mhbhecjc.exe File opened for modification C:\Windows\SysWOW64\Iaoddodf.exe Idkcjk32.exe File created C:\Windows\SysWOW64\Bjgdfg32.exe Bdklnq32.exe File created C:\Windows\SysWOW64\Mojdel32.dll Bjgdfg32.exe File created C:\Windows\SysWOW64\Akfaof32.exe Qamleagn.exe File created C:\Windows\SysWOW64\Annpaq32.exe Achlch32.exe File created C:\Windows\SysWOW64\Bgbkhnja.dll Hhjhgpcn.exe File created C:\Windows\SysWOW64\Knhoig32.exe Jccjln32.exe File opened for modification C:\Windows\SysWOW64\Dfgpnm32.exe Dnpgmp32.exe File created C:\Windows\SysWOW64\Boobcigh.dll Gohqhl32.exe File created C:\Windows\SysWOW64\Blpibghg.exe Aolihc32.exe File created C:\Windows\SysWOW64\Eepeng32.dll Chafpfqp.exe File created C:\Windows\SysWOW64\Lphmdc32.dll Dmobpn32.exe File created C:\Windows\SysWOW64\Cdlppf32.exe Clehoiam.exe File created C:\Windows\SysWOW64\Abpann32.dll Pfhghgie.exe File opened for modification C:\Windows\SysWOW64\Ehjqif32.exe Eoalpaaa.exe File created C:\Windows\SysWOW64\Kejahn32.exe Kopikdgn.exe File created C:\Windows\SysWOW64\Almmlg32.exe Aahhoo32.exe File created C:\Windows\SysWOW64\Fkhpogmi.dll Ckboba32.exe File opened for modification C:\Windows\SysWOW64\Amdhidqk.exe Acldpojj.exe File created C:\Windows\SysWOW64\Infnmf32.dll Fpgpjdnf.exe File created C:\Windows\SysWOW64\Ikfokb32.exe Inbobn32.exe File created C:\Windows\SysWOW64\Eeameodq.exe Djhldahb.exe File created C:\Windows\SysWOW64\Lojclibo.exe Khmnio32.exe File opened for modification C:\Windows\SysWOW64\Kokppd32.exe Jinghn32.exe File opened for modification C:\Windows\SysWOW64\Fcegdnna.exe Fgnfpm32.exe File created C:\Windows\SysWOW64\Kidjfl32.exe Kaieai32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4044 3428 WerFault.exe 725 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqjehngm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdkmld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cipnng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fagqed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqemlbqi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmgkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfgpnm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcdmekne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omlahqeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdoeipjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhiglh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Himkgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncaejie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkklflj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocbbbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Appfggjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbihmcqp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abejlj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljhngfkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dajlhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkmdmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnagehi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkffohon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmgnl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gomjckqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnpfckmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpfoekhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caajmilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijcgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqijmkfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meafpibb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aolihc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifhkpgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnjbmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlejkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bocckoom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egchocif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgchjhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gegbpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enijcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okolfkjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llainlje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbhnpplb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cofohkgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gohnpcmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nilpmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npieoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clpeajjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghlell32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhcoei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkglenej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kidjfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpjhcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejhhcdjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8aabe20176c5a1e5763298f51e6ce790269502cb3a5fc2c888469da38664ba55N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kopikdgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhjcing.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkcagn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebqbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbnbfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnodjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbgdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odjikh32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgdmeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkhjcing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oemfahcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fehodaqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imfgahao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ikhqbo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilihij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdpinonc.dll" Dmalmdcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edidcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kcgdgnmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gkeobofn.dll" Ofkoijhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhmjha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ooncljom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eehfdldj.dll" Jdhlih32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cofaad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmhdamkj.dll" Ommfibdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jiinmnaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbajcaio.dll" Hhhkbqea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohgnoeii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbedafec.dll" Ohikeegf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ngafdepl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eighpgge.dll" Nbmcjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dghjmlnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmhaep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eohhfn32.dll" Dcgppana.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjkgampo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqaliabh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opicgenj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jocceo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oemfahcn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gbihmcqp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmqfffcn.dll" Iopeagip.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alhaho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcgppana.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hhnpih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpenhj32.dll" Mdlfpcnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihhjjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdkfbo32.dll" Chdlidjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egchocif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phmiimlf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdbchd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpjhcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kefmdbck.dll" Pclolakk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efglmpbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gjpakdbl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epgabhdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejcaanfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pppnia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ehonebqq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhfehjna.dll" Jiinmnaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqambacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aidpiiop.dll" Cncmei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahoamplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eamqahed.dll" Jncenh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkcagn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbclfmph.dll" Amfeodoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qhgbibgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pajicf32.dll" Mbhnpplb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqemlbqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehmglh32.dll" Cnpknl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpdfph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnpgmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jnnehb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlpnhnoo.dll" Acldpojj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2116 wrote to memory of 2560 2116 8aabe20176c5a1e5763298f51e6ce790269502cb3a5fc2c888469da38664ba55N.exe 30 PID 2116 wrote to memory of 2560 2116 8aabe20176c5a1e5763298f51e6ce790269502cb3a5fc2c888469da38664ba55N.exe 30 PID 2116 wrote to memory of 2560 2116 8aabe20176c5a1e5763298f51e6ce790269502cb3a5fc2c888469da38664ba55N.exe 30 PID 2116 wrote to memory of 2560 2116 8aabe20176c5a1e5763298f51e6ce790269502cb3a5fc2c888469da38664ba55N.exe 30 PID 2560 wrote to memory of 2380 2560 Idkcjk32.exe 31 PID 2560 wrote to memory of 2380 2560 Idkcjk32.exe 31 PID 2560 wrote to memory of 2380 2560 Idkcjk32.exe 31 PID 2560 wrote to memory of 2380 2560 Idkcjk32.exe 31 PID 2380 wrote to memory of 2576 2380 Iaoddodf.exe 32 PID 2380 wrote to memory of 2576 2380 Iaoddodf.exe 32 PID 2380 wrote to memory of 2576 2380 Iaoddodf.exe 32 PID 2380 wrote to memory of 2576 2380 Iaoddodf.exe 32 PID 2576 wrote to memory of 2952 2576 Idnppjcj.exe 33 PID 2576 wrote to memory of 2952 2576 Idnppjcj.exe 33 PID 2576 wrote to memory of 2952 2576 Idnppjcj.exe 33 PID 2576 wrote to memory of 2952 2576 Idnppjcj.exe 33 PID 2952 wrote to memory of 2988 2952 Ifqfge32.exe 34 PID 2952 wrote to memory of 2988 2952 Ifqfge32.exe 34 PID 2952 wrote to memory of 2988 2952 Ifqfge32.exe 34 PID 2952 wrote to memory of 2988 2952 Ifqfge32.exe 34 PID 2988 wrote to memory of 2920 2988 Ibgglfdl.exe 35 PID 2988 wrote to memory of 2920 2988 Ibgglfdl.exe 35 PID 2988 wrote to memory of 2920 2988 Ibgglfdl.exe 35 PID 2988 wrote to memory of 2920 2988 Ibgglfdl.exe 35 PID 2920 wrote to memory of 2796 2920 Jlbhjkij.exe 36 PID 2920 wrote to memory of 2796 2920 Jlbhjkij.exe 36 PID 2920 wrote to memory of 2796 2920 Jlbhjkij.exe 36 PID 2920 wrote to memory of 2796 2920 Jlbhjkij.exe 36 PID 2796 wrote to memory of 2388 2796 Jifhdphd.exe 37 PID 2796 wrote to memory of 2388 2796 Jifhdphd.exe 37 PID 2796 wrote to memory of 2388 2796 Jifhdphd.exe 37 PID 2796 wrote to memory of 2388 2796 Jifhdphd.exe 37 PID 2388 wrote to memory of 3036 2388 Jaamhb32.exe 38 PID 2388 wrote to memory of 3036 2388 Jaamhb32.exe 38 PID 2388 wrote to memory of 3036 2388 Jaamhb32.exe 38 PID 2388 wrote to memory of 3036 2388 Jaamhb32.exe 38 PID 3036 wrote to memory of 2964 3036 Jhnbklji.exe 39 PID 3036 wrote to memory of 2964 3036 Jhnbklji.exe 39 PID 3036 wrote to memory of 2964 3036 Jhnbklji.exe 39 PID 3036 wrote to memory of 2964 3036 Jhnbklji.exe 39 PID 2964 wrote to memory of 2632 2964 Knmghb32.exe 40 PID 2964 wrote to memory of 2632 2964 Knmghb32.exe 40 PID 2964 wrote to memory of 2632 2964 Knmghb32.exe 40 PID 2964 wrote to memory of 2632 2964 Knmghb32.exe 40 PID 2632 wrote to memory of 2540 2632 Kgelahmn.exe 41 PID 2632 wrote to memory of 2540 2632 Kgelahmn.exe 41 PID 2632 wrote to memory of 2540 2632 Kgelahmn.exe 41 PID 2632 wrote to memory of 2540 2632 Kgelahmn.exe 41 PID 2540 wrote to memory of 432 2540 Kdilkllh.exe 42 PID 2540 wrote to memory of 432 2540 Kdilkllh.exe 42 PID 2540 wrote to memory of 432 2540 Kdilkllh.exe 42 PID 2540 wrote to memory of 432 2540 Kdilkllh.exe 42 PID 432 wrote to memory of 2428 432 Kldaon32.exe 43 PID 432 wrote to memory of 2428 432 Kldaon32.exe 43 PID 432 wrote to memory of 2428 432 Kldaon32.exe 43 PID 432 wrote to memory of 2428 432 Kldaon32.exe 43 PID 2428 wrote to memory of 2152 2428 Kpbiempj.exe 44 PID 2428 wrote to memory of 2152 2428 Kpbiempj.exe 44 PID 2428 wrote to memory of 2152 2428 Kpbiempj.exe 44 PID 2428 wrote to memory of 2152 2428 Kpbiempj.exe 44 PID 2152 wrote to memory of 2120 2152 Khmnio32.exe 45 PID 2152 wrote to memory of 2120 2152 Khmnio32.exe 45 PID 2152 wrote to memory of 2120 2152 Khmnio32.exe 45 PID 2152 wrote to memory of 2120 2152 Khmnio32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\8aabe20176c5a1e5763298f51e6ce790269502cb3a5fc2c888469da38664ba55N.exe"C:\Users\Admin\AppData\Local\Temp\8aabe20176c5a1e5763298f51e6ce790269502cb3a5fc2c888469da38664ba55N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Idkcjk32.exeC:\Windows\system32\Idkcjk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\SysWOW64\Iaoddodf.exeC:\Windows\system32\Iaoddodf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Idnppjcj.exeC:\Windows\system32\Idnppjcj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Ifqfge32.exeC:\Windows\system32\Ifqfge32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Ibgglfdl.exeC:\Windows\system32\Ibgglfdl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Jlbhjkij.exeC:\Windows\system32\Jlbhjkij.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Jifhdphd.exeC:\Windows\system32\Jifhdphd.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Jaamhb32.exeC:\Windows\system32\Jaamhb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2388 -
C:\Windows\SysWOW64\Jhnbklji.exeC:\Windows\system32\Jhnbklji.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Knmghb32.exeC:\Windows\system32\Knmghb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Kgelahmn.exeC:\Windows\system32\Kgelahmn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Kdilkllh.exeC:\Windows\system32\Kdilkllh.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Kldaon32.exeC:\Windows\system32\Kldaon32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\SysWOW64\Kpbiempj.exeC:\Windows\system32\Kpbiempj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Khmnio32.exeC:\Windows\system32\Khmnio32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Lojclibo.exeC:\Windows\system32\Lojclibo.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Lbjlnd32.exeC:\Windows\system32\Lbjlnd32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144 -
C:\Windows\SysWOW64\Lbmicc32.exeC:\Windows\system32\Lbmicc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Ljhngfkh.exeC:\Windows\system32\Ljhngfkh.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2500 -
C:\Windows\SysWOW64\Ldnbeokn.exeC:\Windows\system32\Ldnbeokn.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Mcbofk32.exeC:\Windows\system32\Mcbofk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:772 -
C:\Windows\SysWOW64\Mcekkkmc.exeC:\Windows\system32\Mcekkkmc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Mfchgflg.exeC:\Windows\system32\Mfchgflg.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Mcghajkq.exeC:\Windows\system32\Mcghajkq.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Mlbmem32.exeC:\Windows\system32\Mlbmem32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Mlejkl32.exeC:\Windows\system32\Mlejkl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2660 -
C:\Windows\SysWOW64\Nnfbmgcj.exeC:\Windows\system32\Nnfbmgcj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2200 -
C:\Windows\SysWOW64\Nhngem32.exeC:\Windows\system32\Nhngem32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Nplhooec.exeC:\Windows\system32\Nplhooec.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1128 -
C:\Windows\SysWOW64\Njammhei.exeC:\Windows\system32\Njammhei.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Ndiaem32.exeC:\Windows\system32\Ndiaem32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2732 -
C:\Windows\SysWOW64\Oppbjn32.exeC:\Windows\system32\Oppbjn32.exe33⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Opbopn32.exeC:\Windows\system32\Opbopn32.exe34⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Oikcicfl.exeC:\Windows\system32\Oikcicfl.exe35⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Obcgaill.exeC:\Windows\system32\Obcgaill.exe36⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Okolfkjg.exeC:\Windows\system32\Okolfkjg.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\Oedqcdim.exeC:\Windows\system32\Oedqcdim.exe38⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Omoehf32.exeC:\Windows\system32\Omoehf32.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2916 -
C:\Windows\SysWOW64\Pooaaink.exeC:\Windows\system32\Pooaaink.exe40⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Pppnia32.exeC:\Windows\system32\Pppnia32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Pcagkmaj.exeC:\Windows\system32\Pcagkmaj.exe42⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Qhgbibgg.exeC:\Windows\system32\Qhgbibgg.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1612 -
C:\Windows\SysWOW64\Anfggicl.exeC:\Windows\system32\Anfggicl.exe44⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Ahllda32.exeC:\Windows\system32\Ahllda32.exe45⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Ajmhljip.exeC:\Windows\system32\Ajmhljip.exe46⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Acemeo32.exeC:\Windows\system32\Acemeo32.exe47⤵
- Executes dropped EXE
PID:832 -
C:\Windows\SysWOW64\Ajoebigm.exeC:\Windows\system32\Ajoebigm.exe48⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Afffgjma.exeC:\Windows\system32\Afffgjma.exe49⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Anmnhhmd.exeC:\Windows\system32\Anmnhhmd.exe50⤵
- Executes dropped EXE
PID:1700 -
C:\Windows\SysWOW64\Acjfpokk.exeC:\Windows\system32\Acjfpokk.exe51⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Bigohejb.exeC:\Windows\system32\Bigohejb.exe52⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Bbocak32.exeC:\Windows\system32\Bbocak32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Biikne32.exeC:\Windows\system32\Biikne32.exe54⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Bocckoom.exeC:\Windows\system32\Bocckoom.exe55⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:756 -
C:\Windows\SysWOW64\Beplcfmd.exeC:\Windows\system32\Beplcfmd.exe56⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Bebiifka.exeC:\Windows\system32\Bebiifka.exe57⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Bedene32.exeC:\Windows\system32\Bedene32.exe58⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Bbhfgj32.exeC:\Windows\system32\Bbhfgj32.exe59⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Cgeopqfp.exeC:\Windows\system32\Cgeopqfp.exe60⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Ccloea32.exeC:\Windows\system32\Ccloea32.exe61⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Cjfgalcq.exeC:\Windows\system32\Cjfgalcq.exe62⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Cgjhkpbj.exeC:\Windows\system32\Cgjhkpbj.exe63⤵
- Executes dropped EXE
PID:396 -
C:\Windows\SysWOW64\Cabldeik.exeC:\Windows\system32\Cabldeik.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Cfoellgb.exeC:\Windows\system32\Cfoellgb.exe65⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Cllmdcej.exeC:\Windows\system32\Cllmdcej.exe66⤵PID:1680
-
C:\Windows\SysWOW64\Ccceeqfl.exeC:\Windows\system32\Ccceeqfl.exe67⤵PID:520
-
C:\Windows\SysWOW64\Cipnng32.exeC:\Windows\system32\Cipnng32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\Dplbpaim.exeC:\Windows\system32\Dplbpaim.exe69⤵PID:1004
-
C:\Windows\SysWOW64\Deikhhhe.exeC:\Windows\system32\Deikhhhe.exe70⤵PID:1800
-
C:\Windows\SysWOW64\Daplmimi.exeC:\Windows\system32\Daplmimi.exe71⤵PID:2564
-
C:\Windows\SysWOW64\Dhjdjc32.exeC:\Windows\system32\Dhjdjc32.exe72⤵PID:2696
-
C:\Windows\SysWOW64\Dendcg32.exeC:\Windows\system32\Dendcg32.exe73⤵PID:1524
-
C:\Windows\SysWOW64\Dkkmln32.exeC:\Windows\system32\Dkkmln32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2292 -
C:\Windows\SysWOW64\Dadehh32.exeC:\Windows\system32\Dadehh32.exe75⤵
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Ehonebqq.exeC:\Windows\system32\Ehonebqq.exe76⤵
- Modifies registry class
PID:3052 -
C:\Windows\SysWOW64\Emkfmioh.exeC:\Windows\system32\Emkfmioh.exe77⤵PID:2896
-
C:\Windows\SysWOW64\Egdjfo32.exeC:\Windows\system32\Egdjfo32.exe78⤵PID:2468
-
C:\Windows\SysWOW64\Eplood32.exeC:\Windows\system32\Eplood32.exe79⤵PID:2272
-
C:\Windows\SysWOW64\Egfglocf.exeC:\Windows\system32\Egfglocf.exe80⤵PID:2548
-
C:\Windows\SysWOW64\Eoalpaaa.exeC:\Windows\system32\Eoalpaaa.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2160 -
C:\Windows\SysWOW64\Ehjqif32.exeC:\Windows\system32\Ehjqif32.exe82⤵PID:760
-
C:\Windows\SysWOW64\Eiimci32.exeC:\Windows\system32\Eiimci32.exe83⤵PID:2260
-
C:\Windows\SysWOW64\Fofekp32.exeC:\Windows\system32\Fofekp32.exe84⤵PID:1976
-
C:\Windows\SysWOW64\Fljfdd32.exeC:\Windows\system32\Fljfdd32.exe85⤵PID:788
-
C:\Windows\SysWOW64\Fdekigip.exeC:\Windows\system32\Fdekigip.exe86⤵PID:1372
-
C:\Windows\SysWOW64\Fkocfa32.exeC:\Windows\system32\Fkocfa32.exe87⤵PID:2504
-
C:\Windows\SysWOW64\Faikbkhj.exeC:\Windows\system32\Faikbkhj.exe88⤵PID:2648
-
C:\Windows\SysWOW64\Fjdpgnee.exeC:\Windows\system32\Fjdpgnee.exe89⤵PID:1460
-
C:\Windows\SysWOW64\Fdjddf32.exeC:\Windows\system32\Fdjddf32.exe90⤵PID:2828
-
C:\Windows\SysWOW64\Fnbhmlkk.exeC:\Windows\system32\Fnbhmlkk.exe91⤵PID:2552
-
C:\Windows\SysWOW64\Fcoaebjc.exeC:\Windows\system32\Fcoaebjc.exe92⤵
- Drops file in System32 directory
PID:2772 -
C:\Windows\SysWOW64\Gmgenh32.exeC:\Windows\system32\Gmgenh32.exe93⤵PID:2776
-
C:\Windows\SysWOW64\Gcankb32.exeC:\Windows\system32\Gcankb32.exe94⤵PID:1040
-
C:\Windows\SysWOW64\Ghnfci32.exeC:\Windows\system32\Ghnfci32.exe95⤵PID:684
-
C:\Windows\SysWOW64\Gohnpcmd.exeC:\Windows\system32\Gohnpcmd.exe96⤵
- System Location Discovery: System Language Discovery
PID:2340 -
C:\Windows\SysWOW64\Gmloigln.exeC:\Windows\system32\Gmloigln.exe97⤵PID:1908
-
C:\Windows\SysWOW64\Gdgcnj32.exeC:\Windows\system32\Gdgcnj32.exe98⤵PID:1276
-
C:\Windows\SysWOW64\Gomhkb32.exeC:\Windows\system32\Gomhkb32.exe99⤵PID:744
-
C:\Windows\SysWOW64\Gkchpcoc.exeC:\Windows\system32\Gkchpcoc.exe100⤵PID:1428
-
C:\Windows\SysWOW64\Hkfeec32.exeC:\Windows\system32\Hkfeec32.exe101⤵PID:1664
-
C:\Windows\SysWOW64\Hbpmbndm.exeC:\Windows\system32\Hbpmbndm.exe102⤵PID:1960
-
C:\Windows\SysWOW64\Hgmfjdbe.exeC:\Windows\system32\Hgmfjdbe.exe103⤵PID:1596
-
C:\Windows\SysWOW64\Hminbkql.exeC:\Windows\system32\Hminbkql.exe104⤵PID:2444
-
C:\Windows\SysWOW64\Hjmolp32.exeC:\Windows\system32\Hjmolp32.exe105⤵
- Drops file in System32 directory
PID:2680 -
C:\Windows\SysWOW64\Hpjgdf32.exeC:\Windows\system32\Hpjgdf32.exe106⤵PID:2780
-
C:\Windows\SysWOW64\Hmnhnk32.exeC:\Windows\system32\Hmnhnk32.exe107⤵PID:2768
-
C:\Windows\SysWOW64\Hchpjddc.exeC:\Windows\system32\Hchpjddc.exe108⤵PID:2604
-
C:\Windows\SysWOW64\Hiehbl32.exeC:\Windows\system32\Hiehbl32.exe109⤵PID:1316
-
C:\Windows\SysWOW64\Ibmmkaik.exeC:\Windows\system32\Ibmmkaik.exe110⤵PID:1964
-
C:\Windows\SysWOW64\Iilocklc.exeC:\Windows\system32\Iilocklc.exe111⤵PID:1488
-
C:\Windows\SysWOW64\Ihaldgak.exeC:\Windows\system32\Ihaldgak.exe112⤵PID:964
-
C:\Windows\SysWOW64\Iokdaa32.exeC:\Windows\system32\Iokdaa32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2528 -
C:\Windows\SysWOW64\Jdhlih32.exeC:\Windows\system32\Jdhlih32.exe114⤵
- Modifies registry class
PID:1312 -
C:\Windows\SysWOW64\Jiinmnaa.exeC:\Windows\system32\Jiinmnaa.exe115⤵
- Modifies registry class
PID:1608 -
C:\Windows\SysWOW64\Jepoao32.exeC:\Windows\system32\Jepoao32.exe116⤵PID:1544
-
C:\Windows\SysWOW64\Jinghn32.exeC:\Windows\system32\Jinghn32.exe117⤵
- Drops file in System32 directory
PID:1124 -
C:\Windows\SysWOW64\Kokppd32.exeC:\Windows\system32\Kokppd32.exe118⤵PID:2932
-
C:\Windows\SysWOW64\Keehmobp.exeC:\Windows\system32\Keehmobp.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2848 -
C:\Windows\SysWOW64\Kkaaee32.exeC:\Windows\system32\Kkaaee32.exe120⤵PID:800
-
C:\Windows\SysWOW64\Klamohhj.exeC:\Windows\system32\Klamohhj.exe121⤵PID:1676
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-