Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
52s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
24/11/2024, 04:55
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
f0b78e35e468c8642d5e4eb052eb6622658e9acdb40a13a9dce23979e2c5865a.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
f0b78e35e468c8642d5e4eb052eb6622658e9acdb40a13a9dce23979e2c5865a.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
150 seconds
General
-
Target
f0b78e35e468c8642d5e4eb052eb6622658e9acdb40a13a9dce23979e2c5865a.exe
-
Size
96KB
-
MD5
e5fa66dec5298cd2f30e5a302e6a47dd
-
SHA1
e950dd4d3f43023ac3732138f2090d99114322fa
-
SHA256
f0b78e35e468c8642d5e4eb052eb6622658e9acdb40a13a9dce23979e2c5865a
-
SHA512
9d6ba22eea6cdf2234a773bc6fe1d9b0c74e47fb61d975d19fd20c54605218657a93f4041680f23fb31b2d84f3b9f38ff0f93aea6b325e7911ccd13b56375860
-
SSDEEP
1536:B4eU0Q1Qk3l30TRR9VI8/DKNJ2Le7RZObZUUWaegPYAm:BvU0Q1Q63I3rKIeClUUWaet
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkhhie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jemkai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Innbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhlnahk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhfepfme.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfbmlckg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hndoifdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kheaoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Popkeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiglfm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilceog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnmcge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaieai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhehmkqn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npnclf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkaolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mljnaocd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eabeal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qnpeijla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abeghmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnambeed.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iljkofkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcikfhed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hancef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kngaig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nlklik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofefqf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gebiefle.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qgfmlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmgddcnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpcpjbah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kloqiijm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpaoojjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbbhpegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qicoleno.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfkebkjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bphdpe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnjagdlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqimoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjofanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dfbdje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgcdcjpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgjfbllj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpqgkpcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbkffc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Helmiiec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciknhb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaaaiobc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjkamk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feccqime.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoegoqng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cjkamk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkhhie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfando32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhniebne.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plcied32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cihojiok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Feccqime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hdolga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcdihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhfoleio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibmkbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihnmfoli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jempcgad.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2568 Mhfoleio.exe 2976 Mejoei32.exe 3020 Mbopon32.exe 2808 Nmjmekan.exe 2944 Npkfff32.exe 2056 Npnclf32.exe 2456 Nejkdm32.exe 2268 Ogjhnp32.exe 1928 Oklmhcdf.exe 3004 Oknjmb32.exe 1412 Ogekbchg.exe 1800 Ojfcdo32.exe 1768 Pncljmko.exe 2408 Pjjmonac.exe 2052 Pfando32.exe 2384 Pbhoip32.exe 2444 Pmmcfi32.exe 1964 Qkbpgeai.exe 1788 Qnalcqpm.exe 596 Qoqhncgp.exe 1812 Aepnkjcd.exe 1436 Anhbdpje.exe 2012 Acejlfhl.exe 1076 Acggbffj.exe 1036 Amplklmj.exe 2612 Afhpca32.exe 604 Bneancnc.exe 1608 Bikfklni.exe 2904 Bnhncclq.exe 3056 Blnkbg32.exe 3016 Bomhnb32.exe 2780 Camqpnel.exe 1156 Cfjihdcc.exe 1992 Ckhbnb32.exe 572 Cpejfjha.exe 2136 Clnhajlc.exe 1952 Dibhjokm.exe 2480 Dooqceid.exe 2084 Dhgelk32.exe 2036 Dhibakmb.exe 2428 Efhenccl.exe 2260 Efkbdbai.exe 2168 Ebdoocdk.exe 1716 Fqkieogp.exe 2016 Fgeabi32.exe 1496 Fmdfppkb.exe 2600 Gbdlnf32.exe 2028 Gindjqnc.exe 2736 Gbfhcf32.exe 1332 Gbheif32.exe 2284 Ganbjb32.exe 3048 Glcfgk32.exe 2920 Gapoob32.exe 1500 Hndoifdp.exe 2908 Hengep32.exe 2800 Hpghfn32.exe 2452 Hfaqbh32.exe 860 Hbhagiem.exe 1984 Hibidc32.exe 3052 Hdhnal32.exe 2024 Ibmkbh32.exe 2164 Ipaklm32.exe 2404 Iboghh32.exe 960 Ihlpqonl.exe -
Loads dropped DLL 64 IoCs
pid Process 2524 f0b78e35e468c8642d5e4eb052eb6622658e9acdb40a13a9dce23979e2c5865a.exe 2524 f0b78e35e468c8642d5e4eb052eb6622658e9acdb40a13a9dce23979e2c5865a.exe 2568 Mhfoleio.exe 2568 Mhfoleio.exe 2976 Mejoei32.exe 2976 Mejoei32.exe 3020 Mbopon32.exe 3020 Mbopon32.exe 2808 Nmjmekan.exe 2808 Nmjmekan.exe 2944 Npkfff32.exe 2944 Npkfff32.exe 2056 Npnclf32.exe 2056 Npnclf32.exe 2456 Nejkdm32.exe 2456 Nejkdm32.exe 2268 Ogjhnp32.exe 2268 Ogjhnp32.exe 1928 Oklmhcdf.exe 1928 Oklmhcdf.exe 3004 Oknjmb32.exe 3004 Oknjmb32.exe 1412 Ogekbchg.exe 1412 Ogekbchg.exe 1800 Ojfcdo32.exe 1800 Ojfcdo32.exe 1768 Pncljmko.exe 1768 Pncljmko.exe 2408 Pjjmonac.exe 2408 Pjjmonac.exe 2052 Pfando32.exe 2052 Pfando32.exe 2384 Pbhoip32.exe 2384 Pbhoip32.exe 2444 Pmmcfi32.exe 2444 Pmmcfi32.exe 1964 Qkbpgeai.exe 1964 Qkbpgeai.exe 1788 Qnalcqpm.exe 1788 Qnalcqpm.exe 596 Qoqhncgp.exe 596 Qoqhncgp.exe 1812 Aepnkjcd.exe 1812 Aepnkjcd.exe 1436 Anhbdpje.exe 1436 Anhbdpje.exe 2012 Acejlfhl.exe 2012 Acejlfhl.exe 1076 Acggbffj.exe 1076 Acggbffj.exe 1036 Amplklmj.exe 1036 Amplklmj.exe 2612 Afhpca32.exe 2612 Afhpca32.exe 604 Bneancnc.exe 604 Bneancnc.exe 1608 Bikfklni.exe 1608 Bikfklni.exe 2904 Bnhncclq.exe 2904 Bnhncclq.exe 3056 Blnkbg32.exe 3056 Blnkbg32.exe 3016 Bomhnb32.exe 3016 Bomhnb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Niombolm.exe Nlklik32.exe File created C:\Windows\SysWOW64\Nfbmlckg.exe Niombolm.exe File opened for modification C:\Windows\SysWOW64\Fmholgpj.exe Fcbjon32.exe File opened for modification C:\Windows\SysWOW64\Oedclm32.exe Onkjocjd.exe File created C:\Windows\SysWOW64\Khbcbcmo.dll Agakog32.exe File opened for modification C:\Windows\SysWOW64\Amplklmj.exe Acggbffj.exe File created C:\Windows\SysWOW64\Bnhncclq.exe Bikfklni.exe File opened for modification C:\Windows\SysWOW64\Kninog32.exe Kdqifajl.exe File created C:\Windows\SysWOW64\Ofdqhh32.dll Phocfd32.exe File opened for modification C:\Windows\SysWOW64\Dadehh32.exe Dhlapc32.exe File created C:\Windows\SysWOW64\Fhglil32.dll Helmiiec.exe File created C:\Windows\SysWOW64\Hpmdjf32.exe Hgaoec32.exe File created C:\Windows\SysWOW64\Ldamppgp.dll Kdooij32.exe File created C:\Windows\SysWOW64\Jicfkpch.dll Lhenmm32.exe File opened for modification C:\Windows\SysWOW64\Qpocno32.exe Qckcdj32.exe File opened for modification C:\Windows\SysWOW64\Fcbjon32.exe Eijffhjd.exe File created C:\Windows\SysWOW64\Nqdaal32.exe Nkhhie32.exe File opened for modification C:\Windows\SysWOW64\Fhcehngk.exe Fkpeojha.exe File created C:\Windows\SysWOW64\Ebeffboh.dll Mecbjd32.exe File opened for modification C:\Windows\SysWOW64\Bbdmljln.exe Bmgddcnf.exe File created C:\Windows\SysWOW64\Iigehk32.exe Ilceog32.exe File opened for modification C:\Windows\SysWOW64\Aabfqp32.exe Agmacgcc.exe File created C:\Windows\SysWOW64\Laodbj32.dll Gdjblboj.exe File opened for modification C:\Windows\SysWOW64\Clnhajlc.exe Cpejfjha.exe File created C:\Windows\SysWOW64\Nbfobllj.exe Nphbfplf.exe File opened for modification C:\Windows\SysWOW64\Qnpeijla.exe Qgfmlp32.exe File created C:\Windows\SysWOW64\Efghmkeb.dll Gdfmccfm.exe File created C:\Windows\SysWOW64\Mljgmiaq.dll Iceiibef.exe File created C:\Windows\SysWOW64\Ocmfdj32.dll Jekoljgo.exe File created C:\Windows\SysWOW64\Jjlqpp32.exe Jephgi32.exe File opened for modification C:\Windows\SysWOW64\Mjofanld.exe Mojaceln.exe File created C:\Windows\SysWOW64\Ldhpen32.dll Eccdmmpk.exe File opened for modification C:\Windows\SysWOW64\Hqhiab32.exe Hcdihn32.exe File created C:\Windows\SysWOW64\Hjdlgkfb.dll Ogjhnp32.exe File created C:\Windows\SysWOW64\Mbqaie32.dll Dlkqpg32.exe File created C:\Windows\SysWOW64\Ckpgip32.dll Jaffca32.exe File created C:\Windows\SysWOW64\Fgnpql32.dll Nhngem32.exe File opened for modification C:\Windows\SysWOW64\Cjdkllec.exe Ccjbobnf.exe File created C:\Windows\SysWOW64\Falakjag.exe Fhdlbd32.exe File created C:\Windows\SysWOW64\Ccmanjch.exe Cjdmee32.exe File opened for modification C:\Windows\SysWOW64\Deimaa32.exe Dpmeij32.exe File opened for modification C:\Windows\SysWOW64\Bpkqfdmp.exe Bphdpe32.exe File opened for modification C:\Windows\SysWOW64\Omoehf32.exe Olnipn32.exe File created C:\Windows\SysWOW64\Fcbjon32.exe Eijffhjd.exe File created C:\Windows\SysWOW64\Gjgeod32.dll Kaieai32.exe File created C:\Windows\SysWOW64\Oingii32.exe Niqgof32.exe File created C:\Windows\SysWOW64\Oakcan32.exe Oedclm32.exe File created C:\Windows\SysWOW64\Ghofhlpo.dll Dlcfnk32.exe File created C:\Windows\SysWOW64\Lkjlbg32.dll Kfdfdf32.exe File created C:\Windows\SysWOW64\Ccjbobnf.exe Bkonkpqk.exe File opened for modification C:\Windows\SysWOW64\Cjfgalcq.exe Cancif32.exe File created C:\Windows\SysWOW64\Koehka32.dll Hmdnme32.exe File created C:\Windows\SysWOW64\Hbhmfk32.exe Hkndiabh.exe File created C:\Windows\SysWOW64\Njobpa32.exe Nmkbfmpf.exe File opened for modification C:\Windows\SysWOW64\Jhniebne.exe Jpcdqpqj.exe File opened for modification C:\Windows\SysWOW64\Flmidkmn.exe Ffcahq32.exe File opened for modification C:\Windows\SysWOW64\Acbieing.exe Ahmehqna.exe File created C:\Windows\SysWOW64\Fhifmcfa.exe Faonqiod.exe File opened for modification C:\Windows\SysWOW64\Lddagi32.exe Klimcf32.exe File created C:\Windows\SysWOW64\Kfejnkfa.dll Bfpkfb32.exe File created C:\Windows\SysWOW64\Hndoifdp.exe Gapoob32.exe File created C:\Windows\SysWOW64\Pfgmna32.dll Mpalfabn.exe File created C:\Windows\SysWOW64\Mgbnoj32.dll Mncfgh32.exe File opened for modification C:\Windows\SysWOW64\Oemjbe32.exe Oppbjn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1808 2052 WerFault.exe 545 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioheci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difplf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panehkaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkekmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkhhie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oljanhmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfjihdcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boolhikf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmeffp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehjbaooe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mookod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjdmee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bomhnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbofk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbdmljln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghqchi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qckcdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfbbabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eioaillo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oikcicfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eolljk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhifmcfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Degqka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Innbde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpmpjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodlfmlb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbdje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdpidm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oklmhcdf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Papank32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doocln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oakcan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlpofh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdggofgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpeonkig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbbhpegc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iadphghe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndnplk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dooqceid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mganfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffcahq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hchbcmlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnllnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oefmid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kobfqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbnbfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbokda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiobcq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfookk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbflqccl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iboghh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpkqfdmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oppbjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fepnhjdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghnfci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Janihlcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iljkofkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Falakjag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Denglpkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqimoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pncljmko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abeghmmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obcgaill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghmohcbl.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egdjfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmdalo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gilhpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ganbjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jleide32.dll" Ciebdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kceeek32.dll" Dhaefepn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kghbmiik.dll" Hjmolp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhdlbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ppldje32.dll" Cmjdcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckidej32.dll" Jejlca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgbolhoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plffkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpmmkdkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmifiahi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Memncbmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kifgllbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knaaiakh.dll" Afhpca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lkfdfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpalfabn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmeffp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nbbhpegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfaqbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Innbde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjgmammj.dll" Ddkbqfcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnfgbfba.dll" Nmgjee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jocalffk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfaqbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjpkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Malpee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pieobaiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Incgfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifoljn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gcifdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Camqpnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcenpoif.dll" Bcoffd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjmolp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Falakjag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkegkb32.dll" Mcbofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpcpjbah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfbaeb32.dll" Plfhdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcbedm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgomoboc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Npnclf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qoqhncgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbcimj32.dll" Pngbcldl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pfaopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcdihn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbjkiamp.dll" Hbhmfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbokda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqkieogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncnhfi32.dll" Nphbfplf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edohki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdqgkodn.dll" Odmgnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jdpidm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfimea32.dll" Cjkamk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kobfqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Difplf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eonhpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dooqceid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afloik32.dll" Gbheif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ihilqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmholgpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgomoboc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdhllcnb.dll" Kbkgig32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2524 wrote to memory of 2568 2524 f0b78e35e468c8642d5e4eb052eb6622658e9acdb40a13a9dce23979e2c5865a.exe 30 PID 2524 wrote to memory of 2568 2524 f0b78e35e468c8642d5e4eb052eb6622658e9acdb40a13a9dce23979e2c5865a.exe 30 PID 2524 wrote to memory of 2568 2524 f0b78e35e468c8642d5e4eb052eb6622658e9acdb40a13a9dce23979e2c5865a.exe 30 PID 2524 wrote to memory of 2568 2524 f0b78e35e468c8642d5e4eb052eb6622658e9acdb40a13a9dce23979e2c5865a.exe 30 PID 2568 wrote to memory of 2976 2568 Mhfoleio.exe 31 PID 2568 wrote to memory of 2976 2568 Mhfoleio.exe 31 PID 2568 wrote to memory of 2976 2568 Mhfoleio.exe 31 PID 2568 wrote to memory of 2976 2568 Mhfoleio.exe 31 PID 2976 wrote to memory of 3020 2976 Mejoei32.exe 32 PID 2976 wrote to memory of 3020 2976 Mejoei32.exe 32 PID 2976 wrote to memory of 3020 2976 Mejoei32.exe 32 PID 2976 wrote to memory of 3020 2976 Mejoei32.exe 32 PID 3020 wrote to memory of 2808 3020 Mbopon32.exe 33 PID 3020 wrote to memory of 2808 3020 Mbopon32.exe 33 PID 3020 wrote to memory of 2808 3020 Mbopon32.exe 33 PID 3020 wrote to memory of 2808 3020 Mbopon32.exe 33 PID 2808 wrote to memory of 2944 2808 Nmjmekan.exe 34 PID 2808 wrote to memory of 2944 2808 Nmjmekan.exe 34 PID 2808 wrote to memory of 2944 2808 Nmjmekan.exe 34 PID 2808 wrote to memory of 2944 2808 Nmjmekan.exe 34 PID 2944 wrote to memory of 2056 2944 Npkfff32.exe 35 PID 2944 wrote to memory of 2056 2944 Npkfff32.exe 35 PID 2944 wrote to memory of 2056 2944 Npkfff32.exe 35 PID 2944 wrote to memory of 2056 2944 Npkfff32.exe 35 PID 2056 wrote to memory of 2456 2056 Npnclf32.exe 36 PID 2056 wrote to memory of 2456 2056 Npnclf32.exe 36 PID 2056 wrote to memory of 2456 2056 Npnclf32.exe 36 PID 2056 wrote to memory of 2456 2056 Npnclf32.exe 36 PID 2456 wrote to memory of 2268 2456 Nejkdm32.exe 37 PID 2456 wrote to memory of 2268 2456 Nejkdm32.exe 37 PID 2456 wrote to memory of 2268 2456 Nejkdm32.exe 37 PID 2456 wrote to memory of 2268 2456 Nejkdm32.exe 37 PID 2268 wrote to memory of 1928 2268 Ogjhnp32.exe 38 PID 2268 wrote to memory of 1928 2268 Ogjhnp32.exe 38 PID 2268 wrote to memory of 1928 2268 Ogjhnp32.exe 38 PID 2268 wrote to memory of 1928 2268 Ogjhnp32.exe 38 PID 1928 wrote to memory of 3004 1928 Oklmhcdf.exe 39 PID 1928 wrote to memory of 3004 1928 Oklmhcdf.exe 39 PID 1928 wrote to memory of 3004 1928 Oklmhcdf.exe 39 PID 1928 wrote to memory of 3004 1928 Oklmhcdf.exe 39 PID 3004 wrote to memory of 1412 3004 Oknjmb32.exe 40 PID 3004 wrote to memory of 1412 3004 Oknjmb32.exe 40 PID 3004 wrote to memory of 1412 3004 Oknjmb32.exe 40 PID 3004 wrote to memory of 1412 3004 Oknjmb32.exe 40 PID 1412 wrote to memory of 1800 1412 Ogekbchg.exe 41 PID 1412 wrote to memory of 1800 1412 Ogekbchg.exe 41 PID 1412 wrote to memory of 1800 1412 Ogekbchg.exe 41 PID 1412 wrote to memory of 1800 1412 Ogekbchg.exe 41 PID 1800 wrote to memory of 1768 1800 Ojfcdo32.exe 42 PID 1800 wrote to memory of 1768 1800 Ojfcdo32.exe 42 PID 1800 wrote to memory of 1768 1800 Ojfcdo32.exe 42 PID 1800 wrote to memory of 1768 1800 Ojfcdo32.exe 42 PID 1768 wrote to memory of 2408 1768 Pncljmko.exe 43 PID 1768 wrote to memory of 2408 1768 Pncljmko.exe 43 PID 1768 wrote to memory of 2408 1768 Pncljmko.exe 43 PID 1768 wrote to memory of 2408 1768 Pncljmko.exe 43 PID 2408 wrote to memory of 2052 2408 Pjjmonac.exe 44 PID 2408 wrote to memory of 2052 2408 Pjjmonac.exe 44 PID 2408 wrote to memory of 2052 2408 Pjjmonac.exe 44 PID 2408 wrote to memory of 2052 2408 Pjjmonac.exe 44 PID 2052 wrote to memory of 2384 2052 Pfando32.exe 45 PID 2052 wrote to memory of 2384 2052 Pfando32.exe 45 PID 2052 wrote to memory of 2384 2052 Pfando32.exe 45 PID 2052 wrote to memory of 2384 2052 Pfando32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\f0b78e35e468c8642d5e4eb052eb6622658e9acdb40a13a9dce23979e2c5865a.exe"C:\Users\Admin\AppData\Local\Temp\f0b78e35e468c8642d5e4eb052eb6622658e9acdb40a13a9dce23979e2c5865a.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2524 -
C:\Windows\SysWOW64\Mhfoleio.exeC:\Windows\system32\Mhfoleio.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Mejoei32.exeC:\Windows\system32\Mejoei32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Mbopon32.exeC:\Windows\system32\Mbopon32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Nmjmekan.exeC:\Windows\system32\Nmjmekan.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\SysWOW64\Npkfff32.exeC:\Windows\system32\Npkfff32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Npnclf32.exeC:\Windows\system32\Npnclf32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Nejkdm32.exeC:\Windows\system32\Nejkdm32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Ogjhnp32.exeC:\Windows\system32\Ogjhnp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2268 -
C:\Windows\SysWOW64\Oklmhcdf.exeC:\Windows\system32\Oklmhcdf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1928 -
C:\Windows\SysWOW64\Oknjmb32.exeC:\Windows\system32\Oknjmb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Ogekbchg.exeC:\Windows\system32\Ogekbchg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\Ojfcdo32.exeC:\Windows\system32\Ojfcdo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Pncljmko.exeC:\Windows\system32\Pncljmko.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Pjjmonac.exeC:\Windows\system32\Pjjmonac.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\Pfando32.exeC:\Windows\system32\Pfando32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Pbhoip32.exeC:\Windows\system32\Pbhoip32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384 -
C:\Windows\SysWOW64\Pmmcfi32.exeC:\Windows\system32\Pmmcfi32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2444 -
C:\Windows\SysWOW64\Qkbpgeai.exeC:\Windows\system32\Qkbpgeai.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Qnalcqpm.exeC:\Windows\system32\Qnalcqpm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Qoqhncgp.exeC:\Windows\system32\Qoqhncgp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:596 -
C:\Windows\SysWOW64\Aepnkjcd.exeC:\Windows\system32\Aepnkjcd.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Anhbdpje.exeC:\Windows\system32\Anhbdpje.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1436 -
C:\Windows\SysWOW64\Acejlfhl.exeC:\Windows\system32\Acejlfhl.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Acggbffj.exeC:\Windows\system32\Acggbffj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1076 -
C:\Windows\SysWOW64\Amplklmj.exeC:\Windows\system32\Amplklmj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1036 -
C:\Windows\SysWOW64\Afhpca32.exeC:\Windows\system32\Afhpca32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2612 -
C:\Windows\SysWOW64\Bneancnc.exeC:\Windows\system32\Bneancnc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:604 -
C:\Windows\SysWOW64\Bikfklni.exeC:\Windows\system32\Bikfklni.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Bnhncclq.exeC:\Windows\system32\Bnhncclq.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Blnkbg32.exeC:\Windows\system32\Blnkbg32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3056 -
C:\Windows\SysWOW64\Bomhnb32.exeC:\Windows\system32\Bomhnb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\Camqpnel.exeC:\Windows\system32\Camqpnel.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:2780 -
C:\Windows\SysWOW64\Cfjihdcc.exeC:\Windows\system32\Cfjihdcc.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1156 -
C:\Windows\SysWOW64\Ckhbnb32.exeC:\Windows\system32\Ckhbnb32.exe35⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Cpejfjha.exeC:\Windows\system32\Cpejfjha.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Clnhajlc.exeC:\Windows\system32\Clnhajlc.exe37⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Dibhjokm.exeC:\Windows\system32\Dibhjokm.exe38⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Dooqceid.exeC:\Windows\system32\Dooqceid.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2480 -
C:\Windows\SysWOW64\Dhgelk32.exeC:\Windows\system32\Dhgelk32.exe40⤵
- Executes dropped EXE
PID:2084 -
C:\Windows\SysWOW64\Dhibakmb.exeC:\Windows\system32\Dhibakmb.exe41⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Efhenccl.exeC:\Windows\system32\Efhenccl.exe42⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Efkbdbai.exeC:\Windows\system32\Efkbdbai.exe43⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Ebdoocdk.exeC:\Windows\system32\Ebdoocdk.exe44⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Fqkieogp.exeC:\Windows\system32\Fqkieogp.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Fgeabi32.exeC:\Windows\system32\Fgeabi32.exe46⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Fmdfppkb.exeC:\Windows\system32\Fmdfppkb.exe47⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Gbdlnf32.exeC:\Windows\system32\Gbdlnf32.exe48⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Gindjqnc.exeC:\Windows\system32\Gindjqnc.exe49⤵
- Executes dropped EXE
PID:2028 -
C:\Windows\SysWOW64\Gbfhcf32.exeC:\Windows\system32\Gbfhcf32.exe50⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Gbheif32.exeC:\Windows\system32\Gbheif32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Ganbjb32.exeC:\Windows\system32\Ganbjb32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2284 -
C:\Windows\SysWOW64\Glcfgk32.exeC:\Windows\system32\Glcfgk32.exe53⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Gapoob32.exeC:\Windows\system32\Gapoob32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Hndoifdp.exeC:\Windows\system32\Hndoifdp.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Hengep32.exeC:\Windows\system32\Hengep32.exe56⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Hpghfn32.exeC:\Windows\system32\Hpghfn32.exe57⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Hfaqbh32.exeC:\Windows\system32\Hfaqbh32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2452 -
C:\Windows\SysWOW64\Hbhagiem.exeC:\Windows\system32\Hbhagiem.exe59⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Hibidc32.exeC:\Windows\system32\Hibidc32.exe60⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Hdhnal32.exeC:\Windows\system32\Hdhnal32.exe61⤵
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Ibmkbh32.exeC:\Windows\system32\Ibmkbh32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Ipaklm32.exeC:\Windows\system32\Ipaklm32.exe63⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Iboghh32.exeC:\Windows\system32\Iboghh32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2404 -
C:\Windows\SysWOW64\Ihlpqonl.exeC:\Windows\system32\Ihlpqonl.exe65⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Iofhmi32.exeC:\Windows\system32\Iofhmi32.exe66⤵PID:1104
-
C:\Windows\SysWOW64\Ihnmfoli.exeC:\Windows\system32\Ihnmfoli.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1868 -
C:\Windows\SysWOW64\Ioheci32.exeC:\Windows\system32\Ioheci32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\Ihqilnig.exeC:\Windows\system32\Ihqilnig.exe69⤵PID:2296
-
C:\Windows\SysWOW64\Innbde32.exeC:\Windows\system32\Innbde32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2340 -
C:\Windows\SysWOW64\Jidbifmb.exeC:\Windows\system32\Jidbifmb.exe71⤵PID:2956
-
C:\Windows\SysWOW64\Jcmgal32.exeC:\Windows\system32\Jcmgal32.exe72⤵PID:2968
-
C:\Windows\SysWOW64\Jpqgkpcl.exeC:\Windows\system32\Jpqgkpcl.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3008 -
C:\Windows\SysWOW64\Jempcgad.exeC:\Windows\system32\Jempcgad.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3040 -
C:\Windows\SysWOW64\Jpcdqpqj.exeC:\Windows\system32\Jpcdqpqj.exe75⤵
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Jhniebne.exeC:\Windows\system32\Jhniebne.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2544 -
C:\Windows\SysWOW64\Jafmngde.exeC:\Windows\system32\Jafmngde.exe77⤵PID:2472
-
C:\Windows\SysWOW64\Jhqeka32.exeC:\Windows\system32\Jhqeka32.exe78⤵PID:1472
-
C:\Windows\SysWOW64\Kfdfdf32.exeC:\Windows\system32\Kfdfdf32.exe79⤵
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Kkaolm32.exeC:\Windows\system32\Kkaolm32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:696 -
C:\Windows\SysWOW64\Kbkgig32.exeC:\Windows\system32\Kbkgig32.exe81⤵
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Koogbk32.exeC:\Windows\system32\Koogbk32.exe82⤵PID:2312
-
C:\Windows\SysWOW64\Khglkqfj.exeC:\Windows\system32\Khglkqfj.exe83⤵PID:2256
-
C:\Windows\SysWOW64\Kbppdfmk.exeC:\Windows\system32\Kbppdfmk.exe84⤵PID:2460
-
C:\Windows\SysWOW64\Kngaig32.exeC:\Windows\system32\Kngaig32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:592 -
C:\Windows\SysWOW64\Kdqifajl.exeC:\Windows\system32\Kdqifajl.exe86⤵
- Drops file in System32 directory
PID:2664 -
C:\Windows\SysWOW64\Kninog32.exeC:\Windows\system32\Kninog32.exe87⤵PID:2172
-
C:\Windows\SysWOW64\Lojjfo32.exeC:\Windows\system32\Lojjfo32.exe88⤵PID:2632
-
C:\Windows\SysWOW64\Ljpnch32.exeC:\Windows\system32\Ljpnch32.exe89⤵PID:2972
-
C:\Windows\SysWOW64\Ljbkig32.exeC:\Windows\system32\Ljbkig32.exe90⤵PID:568
-
C:\Windows\SysWOW64\Lkcgapjl.exeC:\Windows\system32\Lkcgapjl.exe91⤵PID:2784
-
C:\Windows\SysWOW64\Lelljepm.exeC:\Windows\system32\Lelljepm.exe92⤵PID:2316
-
C:\Windows\SysWOW64\Lkfdfo32.exeC:\Windows\system32\Lkfdfo32.exe93⤵
- Modifies registry class
PID:784 -
C:\Windows\SysWOW64\Lfkhch32.exeC:\Windows\system32\Lfkhch32.exe94⤵PID:2448
-
C:\Windows\SysWOW64\Lbbiii32.exeC:\Windows\system32\Lbbiii32.exe95⤵PID:580
-
C:\Windows\SysWOW64\Mljnaocd.exeC:\Windows\system32\Mljnaocd.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2392 -
C:\Windows\SysWOW64\Mecbjd32.exeC:\Windows\system32\Mecbjd32.exe97⤵
- Drops file in System32 directory
PID:904 -
C:\Windows\SysWOW64\Mganfp32.exeC:\Windows\system32\Mganfp32.exe98⤵
- System Location Discovery: System Language Discovery
PID:1636 -
C:\Windows\SysWOW64\Mjpkbk32.exeC:\Windows\system32\Mjpkbk32.exe99⤵
- Modifies registry class
PID:2624 -
C:\Windows\SysWOW64\Meeopdhb.exeC:\Windows\system32\Meeopdhb.exe100⤵PID:2596
-
C:\Windows\SysWOW64\Malpee32.exeC:\Windows\system32\Malpee32.exe101⤵
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Mjddnjdf.exeC:\Windows\system32\Mjddnjdf.exe102⤵PID:2244
-
C:\Windows\SysWOW64\Mpalfabn.exeC:\Windows\system32\Mpalfabn.exe103⤵
- Drops file in System32 directory
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Mfkebkjk.exeC:\Windows\system32\Mfkebkjk.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2124 -
C:\Windows\SysWOW64\Npcika32.exeC:\Windows\system32\Npcika32.exe105⤵PID:2828
-
C:\Windows\SysWOW64\Nmgjee32.exeC:\Windows\system32\Nmgjee32.exe106⤵
- Modifies registry class
PID:1468 -
C:\Windows\SysWOW64\Nbdbml32.exeC:\Windows\system32\Nbdbml32.exe107⤵PID:2416
-
C:\Windows\SysWOW64\Nebnigmp.exeC:\Windows\system32\Nebnigmp.exe108⤵PID:2328
-
C:\Windows\SysWOW64\Nphbfplf.exeC:\Windows\system32\Nphbfplf.exe109⤵
- Drops file in System32 directory
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Nbfobllj.exeC:\Windows\system32\Nbfobllj.exe110⤵PID:2200
-
C:\Windows\SysWOW64\Niqgof32.exeC:\Windows\system32\Niqgof32.exe111⤵
- Drops file in System32 directory
PID:2196 -
C:\Windows\SysWOW64\Oingii32.exeC:\Windows\system32\Oingii32.exe112⤵PID:2604
-
C:\Windows\SysWOW64\Panehkaj.exeC:\Windows\system32\Panehkaj.exe113⤵
- System Location Discovery: System Language Discovery
PID:1592 -
C:\Windows\SysWOW64\Plcied32.exeC:\Windows\system32\Plcied32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1320 -
C:\Windows\SysWOW64\Papank32.exeC:\Windows\system32\Papank32.exe115⤵
- System Location Discovery: System Language Discovery
PID:3060 -
C:\Windows\SysWOW64\Plffkc32.exeC:\Windows\system32\Plffkc32.exe116⤵
- Modifies registry class
PID:2756 -
C:\Windows\SysWOW64\Pngbcldl.exeC:\Windows\system32\Pngbcldl.exe117⤵
- Modifies registry class
PID:1856 -
C:\Windows\SysWOW64\Pdajpf32.exeC:\Windows\system32\Pdajpf32.exe118⤵PID:1108
-
C:\Windows\SysWOW64\Pniohk32.exeC:\Windows\system32\Pniohk32.exe119⤵PID:2356
-
C:\Windows\SysWOW64\Phocfd32.exeC:\Windows\system32\Phocfd32.exe120⤵
- Drops file in System32 directory
PID:2232 -
C:\Windows\SysWOW64\Pnllnk32.exeC:\Windows\system32\Pnllnk32.exe121⤵
- System Location Discovery: System Language Discovery
PID:680
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-