Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
83s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
31/10/2024, 12:10
Behavioral task
behavioral1
Sample
a5db95ec163fa544b8c3838341e4df81239a4736f5c5b2bbc6b34983f87dbfd6N.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
120 seconds
General
-
Target
a5db95ec163fa544b8c3838341e4df81239a4736f5c5b2bbc6b34983f87dbfd6N.exe
-
Size
163KB
-
MD5
c6402b5bf4f1c6e83e93b90f2a4d1e80
-
SHA1
25dcd5946b53a7a7de2bb6ad040ec9a028ccf3c1
-
SHA256
a5db95ec163fa544b8c3838341e4df81239a4736f5c5b2bbc6b34983f87dbfd6
-
SHA512
af5b4145e86f22a376db9b5b5204f99872c5bf7430eddaa4cba8ed5efb2dd1f54266116e7f0102c3c106a838640ce7a7bc8f4a0c534a3da7213ca797825dc7d6
-
SSDEEP
1536:P2kPdjt09da+IXk3LskSNvCSt46lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:+kPSLq5DNKSt46ltOrWKDBr+yJb
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdjedk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igjckcbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kanhph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnkqih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Legohm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcojbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjfhgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjlgdaad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qolmip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phhhchlp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmjkbfnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmohcbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abhnlqlf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpgjob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebekej32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqhhbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbihpbpl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkfnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jljgni32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elbkbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnllppfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dadikaaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dllnphkd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jflfbdqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Colgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adkbgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nffenj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcjpcmjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kadhen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkqpfmje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkfnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifljcanj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdpmij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcajekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lamkllea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apheke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhnoocab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poinkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmnakege.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmqpinlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jnqanbcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Macpcccp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlliof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kffblb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlfahgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gbpaef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hccfoehi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flbgak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaihjbno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odmhjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clecnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggmldj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iggbdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjfghl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimpcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeicenni.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngikaijm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgclpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oljanhmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnefiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnedilio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oemfahcn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peaibajp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blmikkle.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 4 IoCs
resource yara_rule behavioral1/files/0x000400000001e220-2943.dat family_bruteratel behavioral1/files/0x000400000001e845-3171.dat family_bruteratel behavioral1/files/0x0003000000020cca-6839.dat family_bruteratel behavioral1/files/0x00030000000210c1-9204.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2572 Abdpngjb.exe 2836 Agaifnhi.exe 2980 Ampncd32.exe 2972 Bqngjcje.exe 2912 Bmgddcnf.exe 2964 Baiingae.exe 2584 Cakfcfoc.exe 2332 Ckajqo32.exe 2988 Cmdcngbd.exe 2640 Cfoellgb.exe 2548 Cpgieb32.exe 1100 Dlnjjc32.exe 560 Dhekodik.exe 2256 Ekmjanpd.exe 2416 Echoepmo.exe 768 Eoalpaaa.exe 2460 Ehjqif32.exe 2524 Fcaaloed.exe 1600 Fohbqpki.exe 1700 Fgcgebhd.exe 1888 Fkdlaplh.exe 1676 Gcankb32.exe 2024 Gmjbchnq.exe 796 Gkoodd32.exe 2668 Gielchpp.exe 2600 Hkhbkc32.exe 2636 Hccfoehi.exe 2884 Hiblmldn.exe 2968 Idepdhia.exe 3016 Iaipmm32.exe 2904 Jigagocd.exe 2740 Jiinmnaa.exe 2792 Jljgni32.exe 2284 Jinghn32.exe 3064 Khcdijac.exe 2840 Kegebn32.exe 1380 Kanfgofa.exe 2560 Kgknpfdi.exe 580 Kgmkef32.exe 2132 Kabobo32.exe 1316 Lphlck32.exe 2404 Lpjiik32.exe 1968 Lbpolb32.exe 1532 Lkhcdhmk.exe 2544 Mqhhbn32.exe 1328 Mnlilb32.exe 772 Mjbiac32.exe 2432 Mgfjjh32.exe 972 Mpaoojjb.exe 2084 Nijcgp32.exe 884 Nfncad32.exe 1624 Nlklik32.exe 2608 Necqbp32.exe 2984 Nnkekfkd.exe 2748 Npkaei32.exe 2224 Nehjmppo.exe 2784 Naokbq32.exe 2168 Ojgokflc.exe 1180 Ojilqf32.exe 1320 Oacdmpan.exe 2400 Oaeacppk.exe 1280 Ofbikf32.exe 2136 Obijpgcf.exe 612 Omonmpcm.exe -
Loads dropped DLL 64 IoCs
pid Process 2496 a5db95ec163fa544b8c3838341e4df81239a4736f5c5b2bbc6b34983f87dbfd6N.exe 2496 a5db95ec163fa544b8c3838341e4df81239a4736f5c5b2bbc6b34983f87dbfd6N.exe 2572 Abdpngjb.exe 2572 Abdpngjb.exe 2836 Agaifnhi.exe 2836 Agaifnhi.exe 2980 Ampncd32.exe 2980 Ampncd32.exe 2972 Bqngjcje.exe 2972 Bqngjcje.exe 2912 Bmgddcnf.exe 2912 Bmgddcnf.exe 2964 Baiingae.exe 2964 Baiingae.exe 2584 Cakfcfoc.exe 2584 Cakfcfoc.exe 2332 Ckajqo32.exe 2332 Ckajqo32.exe 2988 Cmdcngbd.exe 2988 Cmdcngbd.exe 2640 Cfoellgb.exe 2640 Cfoellgb.exe 2548 Cpgieb32.exe 2548 Cpgieb32.exe 1100 Dlnjjc32.exe 1100 Dlnjjc32.exe 560 Dhekodik.exe 560 Dhekodik.exe 2256 Ekmjanpd.exe 2256 Ekmjanpd.exe 2416 Echoepmo.exe 2416 Echoepmo.exe 768 Eoalpaaa.exe 768 Eoalpaaa.exe 2460 Ehjqif32.exe 2460 Ehjqif32.exe 2524 Fcaaloed.exe 2524 Fcaaloed.exe 1600 Fohbqpki.exe 1600 Fohbqpki.exe 1700 Fgcgebhd.exe 1700 Fgcgebhd.exe 1888 Fkdlaplh.exe 1888 Fkdlaplh.exe 1676 Gcankb32.exe 1676 Gcankb32.exe 2024 Gmjbchnq.exe 2024 Gmjbchnq.exe 796 Gkoodd32.exe 796 Gkoodd32.exe 2668 Gielchpp.exe 2668 Gielchpp.exe 2600 Hkhbkc32.exe 2600 Hkhbkc32.exe 2636 Hccfoehi.exe 2636 Hccfoehi.exe 2884 Hiblmldn.exe 2884 Hiblmldn.exe 2968 Idepdhia.exe 2968 Idepdhia.exe 3016 Iaipmm32.exe 3016 Iaipmm32.exe 2904 Jigagocd.exe 2904 Jigagocd.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Kegebn32.exe Khcdijac.exe File opened for modification C:\Windows\SysWOW64\Difplf32.exe Dmopge32.exe File created C:\Windows\SysWOW64\Abehcbci.exe Abbknb32.exe File opened for modification C:\Windows\SysWOW64\Bnkbcmaj.exe Bepmokco.exe File opened for modification C:\Windows\SysWOW64\Jknnoppp.exe Jddfbf32.exe File created C:\Windows\SysWOW64\Epoemc32.dll Eained32.exe File opened for modification C:\Windows\SysWOW64\Fgdjipfc.exe Fbgaahgl.exe File created C:\Windows\SysWOW64\Incgfl32.exe Iggbdb32.exe File created C:\Windows\SysWOW64\Kkopmmim.dll Mglpjc32.exe File created C:\Windows\SysWOW64\Jiiikq32.exe Joaebkni.exe File opened for modification C:\Windows\SysWOW64\Cjglcmbi.exe Calgoken.exe File created C:\Windows\SysWOW64\Hiichkog.exe Hpqoofhg.exe File opened for modification C:\Windows\SysWOW64\Hlliof32.exe Hafdbmjp.exe File opened for modification C:\Windows\SysWOW64\Abpjgekf.exe Akfbjkdj.exe File opened for modification C:\Windows\SysWOW64\Bpgmhkfi.exe Bcqlcj32.exe File created C:\Windows\SysWOW64\Glkinb32.exe Gjjlfjoo.exe File opened for modification C:\Windows\SysWOW64\Gbpaef32.exe Gkehhlef.exe File created C:\Windows\SysWOW64\Ehgmiq32.exe Emailhfb.exe File opened for modification C:\Windows\SysWOW64\Nglmifca.exe Moahdd32.exe File created C:\Windows\SysWOW64\Opkpme32.exe Ofcldoef.exe File created C:\Windows\SysWOW64\Dacnln32.dll Iaknmm32.exe File opened for modification C:\Windows\SysWOW64\Kbdmboqk.exe Jdpmij32.exe File opened for modification C:\Windows\SysWOW64\Beqogc32.exe Bijobb32.exe File opened for modification C:\Windows\SysWOW64\Amidmldj.exe Akjhcimg.exe File opened for modification C:\Windows\SysWOW64\Gqidme32.exe Ghmohcbl.exe File created C:\Windows\SysWOW64\Lkcehkeh.exe Lkahbkgk.exe File created C:\Windows\SysWOW64\Okhgaqfj.exe Ombjpd32.exe File opened for modification C:\Windows\SysWOW64\Algida32.exe Ajelmiag.exe File opened for modification C:\Windows\SysWOW64\Qkolil32.exe Qcdgei32.exe File created C:\Windows\SysWOW64\Lqdfmihh.exe Lgladc32.exe File created C:\Windows\SysWOW64\Gqgjlb32.exe Gkjbcl32.exe File opened for modification C:\Windows\SysWOW64\Nehjmppo.exe Npkaei32.exe File opened for modification C:\Windows\SysWOW64\Fenedlec.exe Elfakg32.exe File created C:\Windows\SysWOW64\Demign32.dll Elfakg32.exe File created C:\Windows\SysWOW64\Eohhfn32.dll Dgclpp32.exe File created C:\Windows\SysWOW64\Ddgnbl32.exe Dmmffbek.exe File created C:\Windows\SysWOW64\Nglmifca.exe Moahdd32.exe File opened for modification C:\Windows\SysWOW64\Qegnii32.exe Qloiqcbn.exe File created C:\Windows\SysWOW64\Dadikaaj.exe Cdphbm32.exe File created C:\Windows\SysWOW64\Gjkeii32.exe Gbpaef32.exe File created C:\Windows\SysWOW64\Menfkp32.dll Bijobb32.exe File created C:\Windows\SysWOW64\Hcdoefdh.dll Ekgfkl32.exe File opened for modification C:\Windows\SysWOW64\Gnmdfi32.exe Gqidme32.exe File opened for modification C:\Windows\SysWOW64\Efdohq32.exe Eqhfoj32.exe File created C:\Windows\SysWOW64\Mlidpopk.dll Majfcb32.exe File created C:\Windows\SysWOW64\Nhpoda32.dll Bikemiik.exe File opened for modification C:\Windows\SysWOW64\Igmppcpm.exe Iapghlbe.exe File created C:\Windows\SysWOW64\Ekeingln.dll Abkqle32.exe File created C:\Windows\SysWOW64\Nppemgjd.exe Mheqie32.exe File opened for modification C:\Windows\SysWOW64\Jkpfcnoe.exe Jbgbjh32.exe File created C:\Windows\SysWOW64\Ffogha32.dll Fdhlphff.exe File created C:\Windows\SysWOW64\Mahinb32.exe Mgbeqjpd.exe File created C:\Windows\SysWOW64\Lqakem32.dll Momckfid.exe File created C:\Windows\SysWOW64\Nehjmppo.exe Npkaei32.exe File opened for modification C:\Windows\SysWOW64\Ffoihepa.exe Efllcf32.exe File opened for modification C:\Windows\SysWOW64\Eelinm32.exe Emadjj32.exe File opened for modification C:\Windows\SysWOW64\Mchjjc32.exe Mjofanld.exe File opened for modification C:\Windows\SysWOW64\Kobhillo.exe Kanhph32.exe File opened for modification C:\Windows\SysWOW64\Mnlkdk32.exe Mhobldaf.exe File opened for modification C:\Windows\SysWOW64\Icidlf32.exe Heedbbdb.exe File created C:\Windows\SysWOW64\Mnlodlcj.dll Emailhfb.exe File created C:\Windows\SysWOW64\Bpdkajic.exe Bkgchckl.exe File opened for modification C:\Windows\SysWOW64\Eoalpaaa.exe Echoepmo.exe File created C:\Windows\SysWOW64\Alqplmlb.exe Ankckagj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4496 1900 WerFault.exe 915 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hddoep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnkqih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aamhdckg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hafdbmjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdlcnkfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lblhep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdhlphff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqngjcje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpobi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gljdlq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdkhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggqamh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dllnphkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iccqedfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjchjcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjkeii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gielchpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jljgni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abaaakob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhiiepcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igmppcpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fclmem32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipgab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjjakg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jadlgjjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihfmdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omddmkhl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfieec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdgjpkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jckiolgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpjlldmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kanfgofa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldikbhfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmkbfmpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmjbchnq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhaibnim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqcpfcbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeokdn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhakkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joohmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gabohk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnbhpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoeiniea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkafib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkojcgga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfadeaho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfcqkafl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jiphpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kadhen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqamaeii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqbekpal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macpcccp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdoblckh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gioigf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcdkmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkmmdg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpqoofhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Megkgpaq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmabaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oecpeqdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkehhlef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojgokflc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlcfnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ledpjdid.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nijcgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enhkifei.dll" Jecnpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlndfa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aeachphg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nehjmppo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqncnjan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilffkp32.dll" Iklajp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpkgggnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqhhbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hekohm32.dll" Dfjaej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lkepdbkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhcheobh.dll" Gcifdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nffenj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odbhofjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhbaqhmq.dll" Fcbjon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjdmee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Foidii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dblcnngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhbelo32.dll" Dejnme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edgllicl.dll" Acjjch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpnibl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkpfcnoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oafclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbeimf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbaflm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkhbkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Difplf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfomdk32.dll" Lddjmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jibcja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdegnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehhenpj.dll" Nbehjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klbmjnpk.dll" Pbfehn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efmgjcjl.dll" Mfbnfcli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dlmqip32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpaoojjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pafpjljk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmmffbek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acloba32.dll" Dpbenpqh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aimkeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lielgo32.dll" Nffenj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hejcggee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iefmpl32.dll" Jlfahgpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qqiqam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbecjo32.dll" Jnafop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ieeidi32.dll" Mnlkdk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbhfcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmmgbpbh.dll" Qcdgei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlhfno32.dll" Dkdjol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlfjeppd.dll" Dafeaapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aaijbd32.dll" Oaeacppk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aoijjjcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hobcok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nblmfl32.dll" Kqncnjan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbmhfdnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klgeabga.dll" Dajiag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Poinkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhkkjnmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fbhhlo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jchjqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Endbhjbd.dll" Mjlgdaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Opkpme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlndfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lodfic32.dll" Dkakad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgnbepjp.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2496 wrote to memory of 2572 2496 a5db95ec163fa544b8c3838341e4df81239a4736f5c5b2bbc6b34983f87dbfd6N.exe 29 PID 2496 wrote to memory of 2572 2496 a5db95ec163fa544b8c3838341e4df81239a4736f5c5b2bbc6b34983f87dbfd6N.exe 29 PID 2496 wrote to memory of 2572 2496 a5db95ec163fa544b8c3838341e4df81239a4736f5c5b2bbc6b34983f87dbfd6N.exe 29 PID 2496 wrote to memory of 2572 2496 a5db95ec163fa544b8c3838341e4df81239a4736f5c5b2bbc6b34983f87dbfd6N.exe 29 PID 2572 wrote to memory of 2836 2572 Abdpngjb.exe 30 PID 2572 wrote to memory of 2836 2572 Abdpngjb.exe 30 PID 2572 wrote to memory of 2836 2572 Abdpngjb.exe 30 PID 2572 wrote to memory of 2836 2572 Abdpngjb.exe 30 PID 2836 wrote to memory of 2980 2836 Agaifnhi.exe 31 PID 2836 wrote to memory of 2980 2836 Agaifnhi.exe 31 PID 2836 wrote to memory of 2980 2836 Agaifnhi.exe 31 PID 2836 wrote to memory of 2980 2836 Agaifnhi.exe 31 PID 2980 wrote to memory of 2972 2980 Ampncd32.exe 32 PID 2980 wrote to memory of 2972 2980 Ampncd32.exe 32 PID 2980 wrote to memory of 2972 2980 Ampncd32.exe 32 PID 2980 wrote to memory of 2972 2980 Ampncd32.exe 32 PID 2972 wrote to memory of 2912 2972 Bqngjcje.exe 33 PID 2972 wrote to memory of 2912 2972 Bqngjcje.exe 33 PID 2972 wrote to memory of 2912 2972 Bqngjcje.exe 33 PID 2972 wrote to memory of 2912 2972 Bqngjcje.exe 33 PID 2912 wrote to memory of 2964 2912 Bmgddcnf.exe 34 PID 2912 wrote to memory of 2964 2912 Bmgddcnf.exe 34 PID 2912 wrote to memory of 2964 2912 Bmgddcnf.exe 34 PID 2912 wrote to memory of 2964 2912 Bmgddcnf.exe 34 PID 2964 wrote to memory of 2584 2964 Baiingae.exe 35 PID 2964 wrote to memory of 2584 2964 Baiingae.exe 35 PID 2964 wrote to memory of 2584 2964 Baiingae.exe 35 PID 2964 wrote to memory of 2584 2964 Baiingae.exe 35 PID 2584 wrote to memory of 2332 2584 Cakfcfoc.exe 36 PID 2584 wrote to memory of 2332 2584 Cakfcfoc.exe 36 PID 2584 wrote to memory of 2332 2584 Cakfcfoc.exe 36 PID 2584 wrote to memory of 2332 2584 Cakfcfoc.exe 36 PID 2332 wrote to memory of 2988 2332 Ckajqo32.exe 37 PID 2332 wrote to memory of 2988 2332 Ckajqo32.exe 37 PID 2332 wrote to memory of 2988 2332 Ckajqo32.exe 37 PID 2332 wrote to memory of 2988 2332 Ckajqo32.exe 37 PID 2988 wrote to memory of 2640 2988 Cmdcngbd.exe 38 PID 2988 wrote to memory of 2640 2988 Cmdcngbd.exe 38 PID 2988 wrote to memory of 2640 2988 Cmdcngbd.exe 38 PID 2988 wrote to memory of 2640 2988 Cmdcngbd.exe 38 PID 2640 wrote to memory of 2548 2640 Cfoellgb.exe 39 PID 2640 wrote to memory of 2548 2640 Cfoellgb.exe 39 PID 2640 wrote to memory of 2548 2640 Cfoellgb.exe 39 PID 2640 wrote to memory of 2548 2640 Cfoellgb.exe 39 PID 2548 wrote to memory of 1100 2548 Cpgieb32.exe 40 PID 2548 wrote to memory of 1100 2548 Cpgieb32.exe 40 PID 2548 wrote to memory of 1100 2548 Cpgieb32.exe 40 PID 2548 wrote to memory of 1100 2548 Cpgieb32.exe 40 PID 1100 wrote to memory of 560 1100 Dlnjjc32.exe 41 PID 1100 wrote to memory of 560 1100 Dlnjjc32.exe 41 PID 1100 wrote to memory of 560 1100 Dlnjjc32.exe 41 PID 1100 wrote to memory of 560 1100 Dlnjjc32.exe 41 PID 560 wrote to memory of 2256 560 Dhekodik.exe 42 PID 560 wrote to memory of 2256 560 Dhekodik.exe 42 PID 560 wrote to memory of 2256 560 Dhekodik.exe 42 PID 560 wrote to memory of 2256 560 Dhekodik.exe 42 PID 2256 wrote to memory of 2416 2256 Ekmjanpd.exe 43 PID 2256 wrote to memory of 2416 2256 Ekmjanpd.exe 43 PID 2256 wrote to memory of 2416 2256 Ekmjanpd.exe 43 PID 2256 wrote to memory of 2416 2256 Ekmjanpd.exe 43 PID 2416 wrote to memory of 768 2416 Echoepmo.exe 44 PID 2416 wrote to memory of 768 2416 Echoepmo.exe 44 PID 2416 wrote to memory of 768 2416 Echoepmo.exe 44 PID 2416 wrote to memory of 768 2416 Echoepmo.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\a5db95ec163fa544b8c3838341e4df81239a4736f5c5b2bbc6b34983f87dbfd6N.exe"C:\Users\Admin\AppData\Local\Temp\a5db95ec163fa544b8c3838341e4df81239a4736f5c5b2bbc6b34983f87dbfd6N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Abdpngjb.exeC:\Windows\system32\Abdpngjb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Agaifnhi.exeC:\Windows\system32\Agaifnhi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Ampncd32.exeC:\Windows\system32\Ampncd32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Bqngjcje.exeC:\Windows\system32\Bqngjcje.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Bmgddcnf.exeC:\Windows\system32\Bmgddcnf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Baiingae.exeC:\Windows\system32\Baiingae.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SysWOW64\Cakfcfoc.exeC:\Windows\system32\Cakfcfoc.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Windows\SysWOW64\Ckajqo32.exeC:\Windows\system32\Ckajqo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Cmdcngbd.exeC:\Windows\system32\Cmdcngbd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Cfoellgb.exeC:\Windows\system32\Cfoellgb.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Cpgieb32.exeC:\Windows\system32\Cpgieb32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Dlnjjc32.exeC:\Windows\system32\Dlnjjc32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Dhekodik.exeC:\Windows\system32\Dhekodik.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:560 -
C:\Windows\SysWOW64\Ekmjanpd.exeC:\Windows\system32\Ekmjanpd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2256 -
C:\Windows\SysWOW64\Echoepmo.exeC:\Windows\system32\Echoepmo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Eoalpaaa.exeC:\Windows\system32\Eoalpaaa.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:768 -
C:\Windows\SysWOW64\Ehjqif32.exeC:\Windows\system32\Ehjqif32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2460 -
C:\Windows\SysWOW64\Fcaaloed.exeC:\Windows\system32\Fcaaloed.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Fohbqpki.exeC:\Windows\system32\Fohbqpki.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Fgcgebhd.exeC:\Windows\system32\Fgcgebhd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Fkdlaplh.exeC:\Windows\system32\Fkdlaplh.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1888 -
C:\Windows\SysWOW64\Gcankb32.exeC:\Windows\system32\Gcankb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Gmjbchnq.exeC:\Windows\system32\Gmjbchnq.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2024 -
C:\Windows\SysWOW64\Gkoodd32.exeC:\Windows\system32\Gkoodd32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:796 -
C:\Windows\SysWOW64\Gielchpp.exeC:\Windows\system32\Gielchpp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Hkhbkc32.exeC:\Windows\system32\Hkhbkc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Hccfoehi.exeC:\Windows\system32\Hccfoehi.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2636 -
C:\Windows\SysWOW64\Hiblmldn.exeC:\Windows\system32\Hiblmldn.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2884 -
C:\Windows\SysWOW64\Idepdhia.exeC:\Windows\system32\Idepdhia.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Iaipmm32.exeC:\Windows\system32\Iaipmm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Jigagocd.exeC:\Windows\system32\Jigagocd.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Jiinmnaa.exeC:\Windows\system32\Jiinmnaa.exe33⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Jljgni32.exeC:\Windows\system32\Jljgni32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Jinghn32.exeC:\Windows\system32\Jinghn32.exe35⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Khcdijac.exeC:\Windows\system32\Khcdijac.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Kegebn32.exeC:\Windows\system32\Kegebn32.exe37⤵
- Executes dropped EXE
PID:2840 -
C:\Windows\SysWOW64\Kanfgofa.exeC:\Windows\system32\Kanfgofa.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1380 -
C:\Windows\SysWOW64\Kgknpfdi.exeC:\Windows\system32\Kgknpfdi.exe39⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Kgmkef32.exeC:\Windows\system32\Kgmkef32.exe40⤵
- Executes dropped EXE
PID:580 -
C:\Windows\SysWOW64\Kabobo32.exeC:\Windows\system32\Kabobo32.exe41⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Lphlck32.exeC:\Windows\system32\Lphlck32.exe42⤵
- Executes dropped EXE
PID:1316 -
C:\Windows\SysWOW64\Lpjiik32.exeC:\Windows\system32\Lpjiik32.exe43⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Lbpolb32.exeC:\Windows\system32\Lbpolb32.exe44⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Lkhcdhmk.exeC:\Windows\system32\Lkhcdhmk.exe45⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Mqhhbn32.exeC:\Windows\system32\Mqhhbn32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Mnlilb32.exeC:\Windows\system32\Mnlilb32.exe47⤵
- Executes dropped EXE
PID:1328 -
C:\Windows\SysWOW64\Mjbiac32.exeC:\Windows\system32\Mjbiac32.exe48⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Mgfjjh32.exeC:\Windows\system32\Mgfjjh32.exe49⤵
- Executes dropped EXE
PID:2432 -
C:\Windows\SysWOW64\Mpaoojjb.exeC:\Windows\system32\Mpaoojjb.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:972 -
C:\Windows\SysWOW64\Nijcgp32.exeC:\Windows\system32\Nijcgp32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Nfncad32.exeC:\Windows\system32\Nfncad32.exe52⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Nlklik32.exeC:\Windows\system32\Nlklik32.exe53⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Necqbp32.exeC:\Windows\system32\Necqbp32.exe54⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Nnkekfkd.exeC:\Windows\system32\Nnkekfkd.exe55⤵
- Executes dropped EXE
PID:2984 -
C:\Windows\SysWOW64\Npkaei32.exeC:\Windows\system32\Npkaei32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Nehjmppo.exeC:\Windows\system32\Nehjmppo.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:2224 -
C:\Windows\SysWOW64\Naokbq32.exeC:\Windows\system32\Naokbq32.exe58⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Ojgokflc.exeC:\Windows\system32\Ojgokflc.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2168 -
C:\Windows\SysWOW64\Ojilqf32.exeC:\Windows\system32\Ojilqf32.exe60⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Oacdmpan.exeC:\Windows\system32\Oacdmpan.exe61⤵
- Executes dropped EXE
PID:1320 -
C:\Windows\SysWOW64\Oaeacppk.exeC:\Windows\system32\Oaeacppk.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Ofbikf32.exeC:\Windows\system32\Ofbikf32.exe63⤵
- Executes dropped EXE
PID:1280 -
C:\Windows\SysWOW64\Obijpgcf.exeC:\Windows\system32\Obijpgcf.exe64⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Omonmpcm.exeC:\Windows\system32\Omonmpcm.exe65⤵
- Executes dropped EXE
PID:612 -
C:\Windows\SysWOW64\Pejcab32.exeC:\Windows\system32\Pejcab32.exe66⤵PID:2568
-
C:\Windows\SysWOW64\Paqdgcfl.exeC:\Windows\system32\Paqdgcfl.exe67⤵PID:236
-
C:\Windows\SysWOW64\Pbppqf32.exeC:\Windows\system32\Pbppqf32.exe68⤵PID:1096
-
C:\Windows\SysWOW64\Phmiimlf.exeC:\Windows\system32\Phmiimlf.exe69⤵PID:932
-
C:\Windows\SysWOW64\Peaibajp.exeC:\Windows\system32\Peaibajp.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2252 -
C:\Windows\SysWOW64\Poinkg32.exeC:\Windows\system32\Poinkg32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2384 -
C:\Windows\SysWOW64\Phabdmgq.exeC:\Windows\system32\Phabdmgq.exe72⤵PID:2276
-
C:\Windows\SysWOW64\Qicoleno.exeC:\Windows\system32\Qicoleno.exe73⤵PID:2936
-
C:\Windows\SysWOW64\Qkbkfh32.exeC:\Windows\system32\Qkbkfh32.exe74⤵PID:2868
-
C:\Windows\SysWOW64\Qdkpomkb.exeC:\Windows\system32\Qdkpomkb.exe75⤵PID:2060
-
C:\Windows\SysWOW64\Ancdgcab.exeC:\Windows\system32\Ancdgcab.exe76⤵PID:2736
-
C:\Windows\SysWOW64\Aenileon.exeC:\Windows\system32\Aenileon.exe77⤵PID:1020
-
C:\Windows\SysWOW64\Acbieing.exeC:\Windows\system32\Acbieing.exe78⤵PID:1496
-
C:\Windows\SysWOW64\Ajlabc32.exeC:\Windows\system32\Ajlabc32.exe79⤵PID:1192
-
C:\Windows\SysWOW64\Aoijjjcl.exeC:\Windows\system32\Aoijjjcl.exe80⤵
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Adfbbabc.exeC:\Windows\system32\Adfbbabc.exe81⤵PID:2596
-
C:\Windows\SysWOW64\Akpkok32.exeC:\Windows\system32\Akpkok32.exe82⤵PID:2456
-
C:\Windows\SysWOW64\Adhohapp.exeC:\Windows\system32\Adhohapp.exe83⤵PID:964
-
C:\Windows\SysWOW64\Boncej32.exeC:\Windows\system32\Boncej32.exe84⤵PID:712
-
C:\Windows\SysWOW64\Bjjakg32.exeC:\Windows\system32\Bjjakg32.exe85⤵
- System Location Discovery: System Language Discovery
PID:2196 -
C:\Windows\SysWOW64\Bgnaekil.exeC:\Windows\system32\Bgnaekil.exe86⤵PID:1540
-
C:\Windows\SysWOW64\Bnhjae32.exeC:\Windows\system32\Bnhjae32.exe87⤵PID:2500
-
C:\Windows\SysWOW64\Bgpnjkgi.exeC:\Windows\system32\Bgpnjkgi.exe88⤵PID:2632
-
C:\Windows\SysWOW64\Bmmgbbeq.exeC:\Windows\system32\Bmmgbbeq.exe89⤵PID:2076
-
C:\Windows\SysWOW64\Bcgoolln.exeC:\Windows\system32\Bcgoolln.exe90⤵PID:1916
-
C:\Windows\SysWOW64\Cicggcke.exeC:\Windows\system32\Cicggcke.exe91⤵PID:1824
-
C:\Windows\SysWOW64\Cifdmbib.exeC:\Windows\system32\Cifdmbib.exe92⤵PID:2852
-
C:\Windows\SysWOW64\Cfjdfg32.exeC:\Windows\system32\Cfjdfg32.exe93⤵PID:2976
-
C:\Windows\SysWOW64\Cneiki32.exeC:\Windows\system32\Cneiki32.exe94⤵PID:676
-
C:\Windows\SysWOW64\Cngfqi32.exeC:\Windows\system32\Cngfqi32.exe95⤵PID:2436
-
C:\Windows\SysWOW64\Cjngej32.exeC:\Windows\system32\Cjngej32.exe96⤵PID:2424
-
C:\Windows\SysWOW64\Dfegjknm.exeC:\Windows\system32\Dfegjknm.exe97⤵PID:2040
-
C:\Windows\SysWOW64\Dmopge32.exeC:\Windows\system32\Dmopge32.exe98⤵
- Drops file in System32 directory
PID:2672 -
C:\Windows\SysWOW64\Difplf32.exeC:\Windows\system32\Difplf32.exe99⤵
- Modifies registry class
PID:1948 -
C:\Windows\SysWOW64\Dfjaej32.exeC:\Windows\system32\Dfjaej32.exe100⤵
- Modifies registry class
PID:2248 -
C:\Windows\SysWOW64\Dpbenpqh.exeC:\Windows\system32\Dpbenpqh.exe101⤵
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Dijjgegh.exeC:\Windows\system32\Dijjgegh.exe102⤵PID:1176
-
C:\Windows\SysWOW64\Dfnjqifb.exeC:\Windows\system32\Dfnjqifb.exe103⤵PID:2320
-
C:\Windows\SysWOW64\Ebekej32.exeC:\Windows\system32\Ebekej32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2476 -
C:\Windows\SysWOW64\Ekppjmia.exeC:\Windows\system32\Ekppjmia.exe105⤵PID:3024
-
C:\Windows\SysWOW64\Ehdpcahk.exeC:\Windows\system32\Ehdpcahk.exe106⤵PID:2780
-
C:\Windows\SysWOW64\Emailhfb.exeC:\Windows\system32\Emailhfb.exe107⤵
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Ehgmiq32.exeC:\Windows\system32\Ehgmiq32.exe108⤵PID:2728
-
C:\Windows\SysWOW64\Emceag32.exeC:\Windows\system32\Emceag32.exe109⤵PID:2148
-
C:\Windows\SysWOW64\Ekgfkl32.exeC:\Windows\system32\Ekgfkl32.exe110⤵
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Fcbjon32.exeC:\Windows\system32\Fcbjon32.exe111⤵
- Modifies registry class
PID:2120 -
C:\Windows\SysWOW64\Fpfkhbon.exeC:\Windows\system32\Fpfkhbon.exe112⤵PID:2484
-
C:\Windows\SysWOW64\Fmjkbfnh.exeC:\Windows\system32\Fmjkbfnh.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2420 -
C:\Windows\SysWOW64\Fpkdca32.exeC:\Windows\system32\Fpkdca32.exe114⤵PID:2612
-
C:\Windows\SysWOW64\Fclmem32.exeC:\Windows\system32\Fclmem32.exe115⤵
- System Location Discovery: System Language Discovery
PID:1820 -
C:\Windows\SysWOW64\Gkgbioee.exeC:\Windows\system32\Gkgbioee.exe116⤵PID:776
-
C:\Windows\SysWOW64\Gkiooocb.exeC:\Windows\system32\Gkiooocb.exe117⤵PID:2128
-
C:\Windows\SysWOW64\Ghmohcbl.exeC:\Windows\system32\Ghmohcbl.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Gqidme32.exeC:\Windows\system32\Gqidme32.exe119⤵
- Drops file in System32 directory
PID:3028 -
C:\Windows\SysWOW64\Gnmdfi32.exeC:\Windows\system32\Gnmdfi32.exe120⤵PID:2860
-
C:\Windows\SysWOW64\Gjcekj32.exeC:\Windows\system32\Gjcekj32.exe121⤵PID:2788
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-