Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
117s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
23/11/2024, 19:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
004b86c22c8acfa5b8ba45d8700d0e1a5297d399f389264d1f3d04b79c18168e.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
004b86c22c8acfa5b8ba45d8700d0e1a5297d399f389264d1f3d04b79c18168e.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
004b86c22c8acfa5b8ba45d8700d0e1a5297d399f389264d1f3d04b79c18168e.exe
-
Size
96KB
-
MD5
4f899adb207a12f6f15b42f529dc6af9
-
SHA1
e378ea78d0b72a45cdd23d47db09fd1aef9d73e2
-
SHA256
004b86c22c8acfa5b8ba45d8700d0e1a5297d399f389264d1f3d04b79c18168e
-
SHA512
8bd4695f4ebeb0188b555fc153ff050ee097f24e0c41160dfc729baee1b63f622b2191b5b51d526aa6806d7c93e1b060fe74dfd1242ab4115cd56adcac36cc6b
-
SSDEEP
1536:kKXWH19BZayTfEAB9x7DOrx1aeBfmoa2L227RZObZUUWaegPYA:k1jvZ/g5mOHClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jefbnacn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heqimm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohipla32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnchhllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhdpnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elaeeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhenjmbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mploiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofnpnkgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpgecq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fijbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieponofk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qekbgbpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mphiqbon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kimjhnnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plpqim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Appbcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bogljj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmipdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogdhik32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ablbjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbjnqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pllkpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adjhicpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnlbgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppkmjlca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anecfgdc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caokmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejcofica.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Elibpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhbpkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glckihcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mecglbfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfpmbf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqaode32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klhioioc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijpdfhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdgkjopd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klfmijae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaablcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dboglhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjkibehc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Floeof32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhgifgnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oighcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qmhahkdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjjaikoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gncnmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofdclinq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbadagln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olmela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efjmbaba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnofaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nklopg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnofaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgegfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elaeeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bngfmhbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Figocipe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddbmcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnochnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkcekfad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kimjhnnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpmmfp32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 5 IoCs
resource yara_rule behavioral1/files/0x000400000001cb86-837.dat family_bruteratel behavioral1/files/0x000400000001d3c5-1462.dat family_bruteratel behavioral1/files/0x000300000002081c-4645.dat family_bruteratel behavioral1/files/0x0003000000020a3e-5305.dat family_bruteratel behavioral1/files/0x0003000000020fac-7090.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2780 Jfdhmk32.exe 2848 Jjpdmi32.exe 2556 Jpmmfp32.exe 2544 Jdhifooi.exe 2948 Jfgebjnm.exe 540 Kdkelolf.exe 2376 Kfibhjlj.exe 2416 Kbpbmkan.exe 1636 Kijkje32.exe 1232 Kbbobkol.exe 348 Kgnkci32.exe 1732 Kljdkpfl.exe 1500 Kcdlhj32.exe 2620 Khadpa32.exe 3016 Kokmmkcm.exe 2632 Ldheebad.exe 1156 Lhcafa32.exe 904 Lonibk32.exe 2276 Lnqjnhge.exe 1360 Lhfnkqgk.exe 1548 Lkdjglfo.exe 2452 Lncfcgeb.exe 1800 Lpabpcdf.exe 2968 Ldmopa32.exe 888 Lkggmldl.exe 2640 Lnecigcp.exe 2668 Ldokfakl.exe 2432 Ldahkaij.exe 2744 Lcdhgn32.exe 2932 Llmmpcfe.exe 1556 Mphiqbon.exe 2144 Mcfemmna.exe 2216 Mloiec32.exe 2100 Momfan32.exe 1640 Mfgnnhkc.exe 1000 Mhfjjdjf.exe 2036 Mkdffoij.exe 1988 Mhhgpc32.exe 2324 Mkfclo32.exe 3028 Mbqkiind.exe 444 Mhjcec32.exe 1664 Mnglnj32.exe 2480 Mqehjecl.exe 1616 Mdadjd32.exe 1864 Njnmbk32.exe 276 Nqhepeai.exe 2896 Ngbmlo32.exe 1852 Nnleiipc.exe 1568 Ncinap32.exe 2660 Ngdjaofc.exe 2748 Nqmnjd32.exe 2648 Nckkgp32.exe 1048 Nggggoda.exe 324 Nfigck32.exe 2152 Nihcog32.exe 2504 Nqokpd32.exe 616 Npbklabl.exe 1936 Nbpghl32.exe 2516 Nflchkii.exe 2980 Njgpij32.exe 1788 Nijpdfhm.exe 1624 Nlilqbgp.exe 692 Ncpdbohb.exe 1676 Ofnpnkgf.exe -
Loads dropped DLL 64 IoCs
pid Process 2132 004b86c22c8acfa5b8ba45d8700d0e1a5297d399f389264d1f3d04b79c18168e.exe 2132 004b86c22c8acfa5b8ba45d8700d0e1a5297d399f389264d1f3d04b79c18168e.exe 2780 Jfdhmk32.exe 2780 Jfdhmk32.exe 2848 Jjpdmi32.exe 2848 Jjpdmi32.exe 2556 Jpmmfp32.exe 2556 Jpmmfp32.exe 2544 Jdhifooi.exe 2544 Jdhifooi.exe 2948 Jfgebjnm.exe 2948 Jfgebjnm.exe 540 Kdkelolf.exe 540 Kdkelolf.exe 2376 Kfibhjlj.exe 2376 Kfibhjlj.exe 2416 Kbpbmkan.exe 2416 Kbpbmkan.exe 1636 Kijkje32.exe 1636 Kijkje32.exe 1232 Kbbobkol.exe 1232 Kbbobkol.exe 348 Kgnkci32.exe 348 Kgnkci32.exe 1732 Kljdkpfl.exe 1732 Kljdkpfl.exe 1500 Kcdlhj32.exe 1500 Kcdlhj32.exe 2620 Khadpa32.exe 2620 Khadpa32.exe 3016 Kokmmkcm.exe 3016 Kokmmkcm.exe 2632 Ldheebad.exe 2632 Ldheebad.exe 1156 Lhcafa32.exe 1156 Lhcafa32.exe 904 Lonibk32.exe 904 Lonibk32.exe 2276 Lnqjnhge.exe 2276 Lnqjnhge.exe 1360 Lhfnkqgk.exe 1360 Lhfnkqgk.exe 1548 Lkdjglfo.exe 1548 Lkdjglfo.exe 2452 Lncfcgeb.exe 2452 Lncfcgeb.exe 1800 Lpabpcdf.exe 1800 Lpabpcdf.exe 2968 Ldmopa32.exe 2968 Ldmopa32.exe 888 Lkggmldl.exe 888 Lkggmldl.exe 2640 Lnecigcp.exe 2640 Lnecigcp.exe 2668 Ldokfakl.exe 2668 Ldokfakl.exe 2432 Ldahkaij.exe 2432 Ldahkaij.exe 2744 Lcdhgn32.exe 2744 Lcdhgn32.exe 2932 Llmmpcfe.exe 2932 Llmmpcfe.exe 1556 Mphiqbon.exe 1556 Mphiqbon.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Lmmfnb32.exe Kkojbf32.exe File created C:\Windows\SysWOW64\Bchhqo32.exe Blnpddeo.exe File opened for modification C:\Windows\SysWOW64\Omcngamh.exe Ojeakfnd.exe File created C:\Windows\SysWOW64\Okobem32.dll Djmiejji.exe File created C:\Windows\SysWOW64\Jenndm32.dll Ojeakfnd.exe File opened for modification C:\Windows\SysWOW64\Dadbdkld.exe Dbabho32.exe File opened for modification C:\Windows\SysWOW64\Jpepkk32.exe Jmfcop32.exe File opened for modification C:\Windows\SysWOW64\Omlncc32.exe Ojmbgh32.exe File created C:\Windows\SysWOW64\Ifpelq32.exe Igmepdbc.exe File created C:\Windows\SysWOW64\Mdmmhn32.exe Maoalb32.exe File created C:\Windows\SysWOW64\Ageompfe.exe Adfbpega.exe File opened for modification C:\Windows\SysWOW64\Nknkeg32.exe Ncgcdi32.exe File created C:\Windows\SysWOW64\Nfglfdeb.exe Ngeljh32.exe File opened for modification C:\Windows\SysWOW64\Pbepkh32.exe Ppgcol32.exe File created C:\Windows\SysWOW64\Icdeee32.exe Iqfiii32.exe File created C:\Windows\SysWOW64\Lilfgq32.exe Lkifkdjm.exe File opened for modification C:\Windows\SysWOW64\Plbkfdba.exe Picojhcm.exe File opened for modification C:\Windows\SysWOW64\Hfhfhbce.exe Hcjilgdb.exe File created C:\Windows\SysWOW64\Knfddo32.dll Jlnmel32.exe File created C:\Windows\SysWOW64\Nbfnggeo.exe Nohaklfk.exe File created C:\Windows\SysWOW64\Enbogmnc.exe Eldbkbop.exe File created C:\Windows\SysWOW64\Mlahdkjc.exe Miclhpjp.exe File created C:\Windows\SysWOW64\Ckmhkeef.dll Jpgmpk32.exe File created C:\Windows\SysWOW64\Jkbcekmn.dll Kdbepm32.exe File created C:\Windows\SysWOW64\Faeihnam.dll Hhaanh32.exe File opened for modification C:\Windows\SysWOW64\Kmaphmln.exe Kiecgo32.exe File created C:\Windows\SysWOW64\Kpfbegei.exe Klkfdi32.exe File opened for modification C:\Windows\SysWOW64\Llmmpcfe.exe Lcdhgn32.exe File created C:\Windows\SysWOW64\Ojeobm32.exe Ohfcfb32.exe File created C:\Windows\SysWOW64\Cbdkbjkl.exe Cgogealf.exe File created C:\Windows\SysWOW64\Fjnignob.exe Ffbmfo32.exe File opened for modification C:\Windows\SysWOW64\Mgjpaj32.exe Mdldeo32.exe File created C:\Windows\SysWOW64\Pneanl32.dll Afmbak32.exe File created C:\Windows\SysWOW64\Pmekeg32.dll Blnpddeo.exe File opened for modification C:\Windows\SysWOW64\Lbgkfbbj.exe Kjpceebh.exe File created C:\Windows\SysWOW64\Leegbnan.exe Lbgkfbbj.exe File opened for modification C:\Windows\SysWOW64\Glpepj32.exe Giaidnkf.exe File opened for modification C:\Windows\SysWOW64\Hijhhl32.exe Genlgnhd.exe File opened for modification C:\Windows\SysWOW64\Mldeik32.exe Mdmmhn32.exe File created C:\Windows\SysWOW64\Lncfcgeb.exe Lkdjglfo.exe File opened for modification C:\Windows\SysWOW64\Mbqkiind.exe Mkfclo32.exe File created C:\Windows\SysWOW64\Nckkgp32.exe Nqmnjd32.exe File opened for modification C:\Windows\SysWOW64\Onqkclni.exe Ojeobm32.exe File opened for modification C:\Windows\SysWOW64\Ehpcehcj.exe Eeagimdf.exe File created C:\Windows\SysWOW64\Bgepogei.dll Nggipg32.exe File created C:\Windows\SysWOW64\Kfodfh32.exe Khldkllj.exe File created C:\Windows\SysWOW64\Mhqjen32.exe Mdendpbg.exe File opened for modification C:\Windows\SysWOW64\Figocipe.exe Felcbk32.exe File created C:\Windows\SysWOW64\Glgcpc32.dll Bcbfbp32.exe File opened for modification C:\Windows\SysWOW64\Hoqjqhjf.exe Hqnjek32.exe File created C:\Windows\SysWOW64\Kmnfciac.dll Jbhebfck.exe File created C:\Windows\SysWOW64\Plhodp32.dll Fbngfo32.exe File created C:\Windows\SysWOW64\Onjgkf32.exe Okkkoj32.exe File created C:\Windows\SysWOW64\Jfdhmk32.exe 004b86c22c8acfa5b8ba45d8700d0e1a5297d399f389264d1f3d04b79c18168e.exe File created C:\Windows\SysWOW64\Jfmgba32.dll Hnmacpfj.exe File created C:\Windows\SysWOW64\Dgmjmajn.dll Hjfnnajl.exe File created C:\Windows\SysWOW64\Jfohgepi.exe Jcqlkjae.exe File opened for modification C:\Windows\SysWOW64\Bjpdhifk.exe Bedhgj32.exe File opened for modification C:\Windows\SysWOW64\Jbcelp32.exe Jngilalk.exe File created C:\Windows\SysWOW64\Cgqmpkfg.exe Cojeomee.exe File opened for modification C:\Windows\SysWOW64\Oalkih32.exe Onnnml32.exe File created C:\Windows\SysWOW64\Gjnkgi32.dll Lklikj32.exe File created C:\Windows\SysWOW64\Mmqioe32.dll Oqgjdbpi.exe File opened for modification C:\Windows\SysWOW64\Bngfmhbj.exe Bkhjamcf.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9824 9792 WerFault.exe 1024 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpmjcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcblqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bceeqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khadpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpnladjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iegeonpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmgoif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dboeco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kenhopmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhnfckm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkdffoij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eafkhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlahdkjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdeee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknkeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nckkgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmome32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejdfqogm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaholp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbbnjgik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcjjkkji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckfjjqhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhmldfdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imggplgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjngbihn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laaabo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcmcebkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnokgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noohlkpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okbapi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iediin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfohgepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lafahdcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmlfmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dekdikhc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keango32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njgpij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glckihcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmmbge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iqfiii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogdhik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnndp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfckcoen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmohco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmkihbho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idohdhbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndafcmci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afeaei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbqmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdqkifmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecmjid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flabdecn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chlgid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mecglbfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbcfdmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obcffefa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdadjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fppaej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikldqile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bngfmhbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onjgkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhpejbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqdgom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcelp32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafmhm32.dll" Dhdfmbjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefcmp32.dll" Paocnkph.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnmacpfj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amgjnepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cnnimkom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phhbaf32.dll" Eiciig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpdhegcc.dll" Pfchqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcblqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klmbjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nijpdfhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efhqmadd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcijlpq.dll" Hgciff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jpepkk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoomflpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjkhdlkp.dll" Genlgnhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmhdihjd.dll" Mgbcfdmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddnpnigl.dll" Mldeik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhfjjdjf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gockgdeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgmnpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khhnjk32.dll" Bgokfnij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emeobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cjedgmpi.dll" Ponklpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bfoeil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfcige32.dll" Jngilalk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klkfdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ikonfbfj.dll" Objmgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hehaja32.dll" Emdhhdqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccnifd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldeiojhn.dll" Iaimipjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pihbeaea.dll" Kmkihbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdbcmcno.dll" Qlgndbil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnllkimj.dll" Dcjaeamd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cekfoolj.dll" Dcokpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdpdnpif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbbobkol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgnjqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emaijk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgjjad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ieponofk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cgogealf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djoeki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeoijidl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmfpmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mpphdpcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dphhka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhfpdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qldjdlgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmgqao32.dll" Lijiaabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apilcoho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njnmbk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Piliii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hifbdnbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nnmihice.dll" Noohlkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgokfnij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcfejhma.dll" Kbenacdm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfkclf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpnehm32.dll" Bfoeil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbllnlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gflclobd.dll" Okhefl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Allgoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Diqmcgca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Noggch32.dll" Mclqqeaq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmdbnnlj.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2132 wrote to memory of 2780 2132 004b86c22c8acfa5b8ba45d8700d0e1a5297d399f389264d1f3d04b79c18168e.exe 30 PID 2132 wrote to memory of 2780 2132 004b86c22c8acfa5b8ba45d8700d0e1a5297d399f389264d1f3d04b79c18168e.exe 30 PID 2132 wrote to memory of 2780 2132 004b86c22c8acfa5b8ba45d8700d0e1a5297d399f389264d1f3d04b79c18168e.exe 30 PID 2132 wrote to memory of 2780 2132 004b86c22c8acfa5b8ba45d8700d0e1a5297d399f389264d1f3d04b79c18168e.exe 30 PID 2780 wrote to memory of 2848 2780 Jfdhmk32.exe 31 PID 2780 wrote to memory of 2848 2780 Jfdhmk32.exe 31 PID 2780 wrote to memory of 2848 2780 Jfdhmk32.exe 31 PID 2780 wrote to memory of 2848 2780 Jfdhmk32.exe 31 PID 2848 wrote to memory of 2556 2848 Jjpdmi32.exe 32 PID 2848 wrote to memory of 2556 2848 Jjpdmi32.exe 32 PID 2848 wrote to memory of 2556 2848 Jjpdmi32.exe 32 PID 2848 wrote to memory of 2556 2848 Jjpdmi32.exe 32 PID 2556 wrote to memory of 2544 2556 Jpmmfp32.exe 33 PID 2556 wrote to memory of 2544 2556 Jpmmfp32.exe 33 PID 2556 wrote to memory of 2544 2556 Jpmmfp32.exe 33 PID 2556 wrote to memory of 2544 2556 Jpmmfp32.exe 33 PID 2544 wrote to memory of 2948 2544 Jdhifooi.exe 34 PID 2544 wrote to memory of 2948 2544 Jdhifooi.exe 34 PID 2544 wrote to memory of 2948 2544 Jdhifooi.exe 34 PID 2544 wrote to memory of 2948 2544 Jdhifooi.exe 34 PID 2948 wrote to memory of 540 2948 Jfgebjnm.exe 35 PID 2948 wrote to memory of 540 2948 Jfgebjnm.exe 35 PID 2948 wrote to memory of 540 2948 Jfgebjnm.exe 35 PID 2948 wrote to memory of 540 2948 Jfgebjnm.exe 35 PID 540 wrote to memory of 2376 540 Kdkelolf.exe 36 PID 540 wrote to memory of 2376 540 Kdkelolf.exe 36 PID 540 wrote to memory of 2376 540 Kdkelolf.exe 36 PID 540 wrote to memory of 2376 540 Kdkelolf.exe 36 PID 2376 wrote to memory of 2416 2376 Kfibhjlj.exe 37 PID 2376 wrote to memory of 2416 2376 Kfibhjlj.exe 37 PID 2376 wrote to memory of 2416 2376 Kfibhjlj.exe 37 PID 2376 wrote to memory of 2416 2376 Kfibhjlj.exe 37 PID 2416 wrote to memory of 1636 2416 Kbpbmkan.exe 38 PID 2416 wrote to memory of 1636 2416 Kbpbmkan.exe 38 PID 2416 wrote to memory of 1636 2416 Kbpbmkan.exe 38 PID 2416 wrote to memory of 1636 2416 Kbpbmkan.exe 38 PID 1636 wrote to memory of 1232 1636 Kijkje32.exe 39 PID 1636 wrote to memory of 1232 1636 Kijkje32.exe 39 PID 1636 wrote to memory of 1232 1636 Kijkje32.exe 39 PID 1636 wrote to memory of 1232 1636 Kijkje32.exe 39 PID 1232 wrote to memory of 348 1232 Kbbobkol.exe 40 PID 1232 wrote to memory of 348 1232 Kbbobkol.exe 40 PID 1232 wrote to memory of 348 1232 Kbbobkol.exe 40 PID 1232 wrote to memory of 348 1232 Kbbobkol.exe 40 PID 348 wrote to memory of 1732 348 Kgnkci32.exe 41 PID 348 wrote to memory of 1732 348 Kgnkci32.exe 41 PID 348 wrote to memory of 1732 348 Kgnkci32.exe 41 PID 348 wrote to memory of 1732 348 Kgnkci32.exe 41 PID 1732 wrote to memory of 1500 1732 Kljdkpfl.exe 42 PID 1732 wrote to memory of 1500 1732 Kljdkpfl.exe 42 PID 1732 wrote to memory of 1500 1732 Kljdkpfl.exe 42 PID 1732 wrote to memory of 1500 1732 Kljdkpfl.exe 42 PID 1500 wrote to memory of 2620 1500 Kcdlhj32.exe 43 PID 1500 wrote to memory of 2620 1500 Kcdlhj32.exe 43 PID 1500 wrote to memory of 2620 1500 Kcdlhj32.exe 43 PID 1500 wrote to memory of 2620 1500 Kcdlhj32.exe 43 PID 2620 wrote to memory of 3016 2620 Khadpa32.exe 44 PID 2620 wrote to memory of 3016 2620 Khadpa32.exe 44 PID 2620 wrote to memory of 3016 2620 Khadpa32.exe 44 PID 2620 wrote to memory of 3016 2620 Khadpa32.exe 44 PID 3016 wrote to memory of 2632 3016 Kokmmkcm.exe 45 PID 3016 wrote to memory of 2632 3016 Kokmmkcm.exe 45 PID 3016 wrote to memory of 2632 3016 Kokmmkcm.exe 45 PID 3016 wrote to memory of 2632 3016 Kokmmkcm.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\004b86c22c8acfa5b8ba45d8700d0e1a5297d399f389264d1f3d04b79c18168e.exe"C:\Users\Admin\AppData\Local\Temp\004b86c22c8acfa5b8ba45d8700d0e1a5297d399f389264d1f3d04b79c18168e.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2132 -
C:\Windows\SysWOW64\Jfdhmk32.exeC:\Windows\system32\Jfdhmk32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2780 -
C:\Windows\SysWOW64\Jjpdmi32.exeC:\Windows\system32\Jjpdmi32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2848 -
C:\Windows\SysWOW64\Jpmmfp32.exeC:\Windows\system32\Jpmmfp32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Jdhifooi.exeC:\Windows\system32\Jdhifooi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2544 -
C:\Windows\SysWOW64\Jfgebjnm.exeC:\Windows\system32\Jfgebjnm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2948 -
C:\Windows\SysWOW64\Kdkelolf.exeC:\Windows\system32\Kdkelolf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Kfibhjlj.exeC:\Windows\system32\Kfibhjlj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\SysWOW64\Kbpbmkan.exeC:\Windows\system32\Kbpbmkan.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2416 -
C:\Windows\SysWOW64\Kijkje32.exeC:\Windows\system32\Kijkje32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1636 -
C:\Windows\SysWOW64\Kbbobkol.exeC:\Windows\system32\Kbbobkol.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1232 -
C:\Windows\SysWOW64\Kgnkci32.exeC:\Windows\system32\Kgnkci32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Kljdkpfl.exeC:\Windows\system32\Kljdkpfl.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Kcdlhj32.exeC:\Windows\system32\Kcdlhj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1500 -
C:\Windows\SysWOW64\Khadpa32.exeC:\Windows\system32\Khadpa32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Kokmmkcm.exeC:\Windows\system32\Kokmmkcm.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Ldheebad.exeC:\Windows\system32\Ldheebad.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2632 -
C:\Windows\SysWOW64\Lhcafa32.exeC:\Windows\system32\Lhcafa32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1156 -
C:\Windows\SysWOW64\Lonibk32.exeC:\Windows\system32\Lonibk32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:904 -
C:\Windows\SysWOW64\Lnqjnhge.exeC:\Windows\system32\Lnqjnhge.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Lhfnkqgk.exeC:\Windows\system32\Lhfnkqgk.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1360 -
C:\Windows\SysWOW64\Lkdjglfo.exeC:\Windows\system32\Lkdjglfo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1548 -
C:\Windows\SysWOW64\Lncfcgeb.exeC:\Windows\system32\Lncfcgeb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Lpabpcdf.exeC:\Windows\system32\Lpabpcdf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1800 -
C:\Windows\SysWOW64\Ldmopa32.exeC:\Windows\system32\Ldmopa32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Lkggmldl.exeC:\Windows\system32\Lkggmldl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:888 -
C:\Windows\SysWOW64\Lnecigcp.exeC:\Windows\system32\Lnecigcp.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Ldokfakl.exeC:\Windows\system32\Ldokfakl.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Ldahkaij.exeC:\Windows\system32\Ldahkaij.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Lcdhgn32.exeC:\Windows\system32\Lcdhgn32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2744 -
C:\Windows\SysWOW64\Llmmpcfe.exeC:\Windows\system32\Llmmpcfe.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Mphiqbon.exeC:\Windows\system32\Mphiqbon.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1556 -
C:\Windows\SysWOW64\Mcfemmna.exeC:\Windows\system32\Mcfemmna.exe33⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Mloiec32.exeC:\Windows\system32\Mloiec32.exe34⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Momfan32.exeC:\Windows\system32\Momfan32.exe35⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Mfgnnhkc.exeC:\Windows\system32\Mfgnnhkc.exe36⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Mhfjjdjf.exeC:\Windows\system32\Mhfjjdjf.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1000 -
C:\Windows\SysWOW64\Mkdffoij.exeC:\Windows\system32\Mkdffoij.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\Mhhgpc32.exeC:\Windows\system32\Mhhgpc32.exe39⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Mkfclo32.exeC:\Windows\system32\Mkfclo32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2324 -
C:\Windows\SysWOW64\Mbqkiind.exeC:\Windows\system32\Mbqkiind.exe41⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Mhjcec32.exeC:\Windows\system32\Mhjcec32.exe42⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Mnglnj32.exeC:\Windows\system32\Mnglnj32.exe43⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\Mqehjecl.exeC:\Windows\system32\Mqehjecl.exe44⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Mdadjd32.exeC:\Windows\system32\Mdadjd32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1616 -
C:\Windows\SysWOW64\Njnmbk32.exeC:\Windows\system32\Njnmbk32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1864 -
C:\Windows\SysWOW64\Nqhepeai.exeC:\Windows\system32\Nqhepeai.exe47⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Ngbmlo32.exeC:\Windows\system32\Ngbmlo32.exe48⤵
- Executes dropped EXE
PID:2896 -
C:\Windows\SysWOW64\Nnleiipc.exeC:\Windows\system32\Nnleiipc.exe49⤵
- Executes dropped EXE
PID:1852 -
C:\Windows\SysWOW64\Ncinap32.exeC:\Windows\system32\Ncinap32.exe50⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Ngdjaofc.exeC:\Windows\system32\Ngdjaofc.exe51⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Nqmnjd32.exeC:\Windows\system32\Nqmnjd32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2748 -
C:\Windows\SysWOW64\Nckkgp32.exeC:\Windows\system32\Nckkgp32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\Nggggoda.exeC:\Windows\system32\Nggggoda.exe54⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Nfigck32.exeC:\Windows\system32\Nfigck32.exe55⤵
- Executes dropped EXE
PID:324 -
C:\Windows\SysWOW64\Nihcog32.exeC:\Windows\system32\Nihcog32.exe56⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Nqokpd32.exeC:\Windows\system32\Nqokpd32.exe57⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Npbklabl.exeC:\Windows\system32\Npbklabl.exe58⤵
- Executes dropped EXE
PID:616 -
C:\Windows\SysWOW64\Nbpghl32.exeC:\Windows\system32\Nbpghl32.exe59⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Nflchkii.exeC:\Windows\system32\Nflchkii.exe60⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Njgpij32.exeC:\Windows\system32\Njgpij32.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2980 -
C:\Windows\SysWOW64\Nijpdfhm.exeC:\Windows\system32\Nijpdfhm.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1788 -
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe63⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Ncpdbohb.exeC:\Windows\system32\Ncpdbohb.exe64⤵
- Executes dropped EXE
PID:692 -
C:\Windows\SysWOW64\Ofnpnkgf.exeC:\Windows\system32\Ofnpnkgf.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Oeaqig32.exeC:\Windows\system32\Oeaqig32.exe66⤵PID:2508
-
C:\Windows\SysWOW64\Omhhke32.exeC:\Windows\system32\Omhhke32.exe67⤵PID:2412
-
C:\Windows\SysWOW64\Opfegp32.exeC:\Windows\system32\Opfegp32.exe68⤵PID:1580
-
C:\Windows\SysWOW64\Obeacl32.exeC:\Windows\system32\Obeacl32.exe69⤵PID:2892
-
C:\Windows\SysWOW64\Oecmogln.exeC:\Windows\system32\Oecmogln.exe70⤵PID:2564
-
C:\Windows\SysWOW64\Olmela32.exeC:\Windows\system32\Olmela32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2220 -
C:\Windows\SysWOW64\Onlahm32.exeC:\Windows\system32\Onlahm32.exe72⤵PID:2372
-
C:\Windows\SysWOW64\Oajndh32.exeC:\Windows\system32\Oajndh32.exe73⤵PID:636
-
C:\Windows\SysWOW64\Oiafee32.exeC:\Windows\system32\Oiafee32.exe74⤵PID:1520
-
C:\Windows\SysWOW64\Ohdfqbio.exeC:\Windows\system32\Ohdfqbio.exe75⤵PID:752
-
C:\Windows\SysWOW64\Olpbaa32.exeC:\Windows\system32\Olpbaa32.exe76⤵PID:864
-
C:\Windows\SysWOW64\Onnnml32.exeC:\Windows\system32\Onnnml32.exe77⤵
- Drops file in System32 directory
PID:2880 -
C:\Windows\SysWOW64\Oalkih32.exeC:\Windows\system32\Oalkih32.exe78⤵PID:916
-
C:\Windows\SysWOW64\Odkgec32.exeC:\Windows\system32\Odkgec32.exe79⤵PID:1108
-
C:\Windows\SysWOW64\Ohfcfb32.exeC:\Windows\system32\Ohfcfb32.exe80⤵
- Drops file in System32 directory
PID:1320 -
C:\Windows\SysWOW64\Ojeobm32.exeC:\Windows\system32\Ojeobm32.exe81⤵
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Onqkclni.exeC:\Windows\system32\Onqkclni.exe82⤵PID:1036
-
C:\Windows\SysWOW64\Oejcpf32.exeC:\Windows\system32\Oejcpf32.exe83⤵PID:932
-
C:\Windows\SysWOW64\Ohipla32.exeC:\Windows\system32\Ohipla32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:892 -
C:\Windows\SysWOW64\Oflpgnld.exeC:\Windows\system32\Oflpgnld.exe85⤵PID:2692
-
C:\Windows\SysWOW64\Pnchhllf.exeC:\Windows\system32\Pnchhllf.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2800 -
C:\Windows\SysWOW64\Pmehdh32.exeC:\Windows\system32\Pmehdh32.exe87⤵PID:2584
-
C:\Windows\SysWOW64\Ppddpd32.exeC:\Windows\system32\Ppddpd32.exe88⤵PID:1600
-
C:\Windows\SysWOW64\Phklaacg.exeC:\Windows\system32\Phklaacg.exe89⤵PID:1960
-
C:\Windows\SysWOW64\Piliii32.exeC:\Windows\system32\Piliii32.exe90⤵
- Modifies registry class
PID:1432 -
C:\Windows\SysWOW64\Pmhejhao.exeC:\Windows\system32\Pmhejhao.exe91⤵PID:836
-
C:\Windows\SysWOW64\Ppfafcpb.exeC:\Windows\system32\Ppfafcpb.exe92⤵PID:2180
-
C:\Windows\SysWOW64\Pbemboof.exeC:\Windows\system32\Pbemboof.exe93⤵PID:816
-
C:\Windows\SysWOW64\Pioeoi32.exeC:\Windows\system32\Pioeoi32.exe94⤵PID:768
-
C:\Windows\SysWOW64\Plmbkd32.exeC:\Windows\system32\Plmbkd32.exe95⤵PID:1796
-
C:\Windows\SysWOW64\Ppinkcnp.exeC:\Windows\system32\Ppinkcnp.exe96⤵PID:1928
-
C:\Windows\SysWOW64\Pddjlb32.exeC:\Windows\system32\Pddjlb32.exe97⤵PID:2540
-
C:\Windows\SysWOW64\Pfbfhm32.exeC:\Windows\system32\Pfbfhm32.exe98⤵PID:2976
-
C:\Windows\SysWOW64\Piabdiep.exeC:\Windows\system32\Piabdiep.exe99⤵PID:2704
-
C:\Windows\SysWOW64\Pmmneg32.exeC:\Windows\system32\Pmmneg32.exe100⤵PID:2328
-
C:\Windows\SysWOW64\Ponklpcg.exeC:\Windows\system32\Ponklpcg.exe101⤵
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Pehcij32.exeC:\Windows\system32\Pehcij32.exe102⤵PID:1612
-
C:\Windows\SysWOW64\Picojhcm.exeC:\Windows\system32\Picojhcm.exe103⤵
- Drops file in System32 directory
PID:1904 -
C:\Windows\SysWOW64\Plbkfdba.exeC:\Windows\system32\Plbkfdba.exe104⤵PID:2168
-
C:\Windows\SysWOW64\Ppmgfb32.exeC:\Windows\system32\Ppmgfb32.exe105⤵PID:3024
-
C:\Windows\SysWOW64\Paocnkph.exeC:\Windows\system32\Paocnkph.exe106⤵
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Qiflohqk.exeC:\Windows\system32\Qiflohqk.exe107⤵PID:2124
-
C:\Windows\SysWOW64\Qhilkege.exeC:\Windows\system32\Qhilkege.exe108⤵PID:2128
-
C:\Windows\SysWOW64\Qkghgpfi.exeC:\Windows\system32\Qkghgpfi.exe109⤵PID:3068
-
C:\Windows\SysWOW64\Qbnphngk.exeC:\Windows\system32\Qbnphngk.exe110⤵PID:2588
-
C:\Windows\SysWOW64\Qemldifo.exeC:\Windows\system32\Qemldifo.exe111⤵PID:2788
-
C:\Windows\SysWOW64\Qdompf32.exeC:\Windows\system32\Qdompf32.exe112⤵PID:2160
-
C:\Windows\SysWOW64\Qkielpdf.exeC:\Windows\system32\Qkielpdf.exe113⤵PID:2040
-
C:\Windows\SysWOW64\Qmhahkdj.exeC:\Windows\system32\Qmhahkdj.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1652 -
C:\Windows\SysWOW64\Aeoijidl.exeC:\Windows\system32\Aeoijidl.exe115⤵
- Modifies registry class
PID:2940 -
C:\Windows\SysWOW64\Ahmefdcp.exeC:\Windows\system32\Ahmefdcp.exe116⤵PID:2456
-
C:\Windows\SysWOW64\Agpeaa32.exeC:\Windows\system32\Agpeaa32.exe117⤵PID:1112
-
C:\Windows\SysWOW64\Aklabp32.exeC:\Windows\system32\Aklabp32.exe118⤵PID:3048
-
C:\Windows\SysWOW64\Aaejojjq.exeC:\Windows\system32\Aaejojjq.exe119⤵PID:2316
-
C:\Windows\SysWOW64\Aphjjf32.exeC:\Windows\system32\Aphjjf32.exe120⤵PID:2816
-
C:\Windows\SysWOW64\Ahpbkd32.exeC:\Windows\system32\Ahpbkd32.exe121⤵PID:1648
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-