Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
52s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
25/11/2024, 09:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2b5a23296d7a55018767fa187c1e75aeeb1fb5a0660ecb1cf0b53db5a1f3458b.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
2b5a23296d7a55018767fa187c1e75aeeb1fb5a0660ecb1cf0b53db5a1f3458b.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
12 signatures
120 seconds
General
-
Target
2b5a23296d7a55018767fa187c1e75aeeb1fb5a0660ecb1cf0b53db5a1f3458b.exe
-
Size
96KB
-
MD5
52e11c8484741ad0b09f0a052f6a54de
-
SHA1
61bf78606c9b46be68da974e00d24fe75b7b2cda
-
SHA256
2b5a23296d7a55018767fa187c1e75aeeb1fb5a0660ecb1cf0b53db5a1f3458b
-
SHA512
aa08e79e39d0952a3210de5509e1731d340f9ddde469d7823d03f1817c0656ad65b19b58f414979caef8d0dc5024690fa49ac70edc3adc5168c006bfea600ad6
-
SSDEEP
1536:eWri2cU46KqPem3G45797qA2L0Q7RZObZUUWaegPYAG:DjIqPRGy797iBClUUWae9
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmnmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qbggqfca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iaaqkkme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgienc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ianmke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beignlig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngonpgqg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfiajj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbmdig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aiegpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahomlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egmeadbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfnpgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oijbkpqm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kckeno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipgeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Campbj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkafofde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mapjjdjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kldofi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfpllg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifhinl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdgoll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djfagjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfjglppd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkfkjemd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkjadh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhdihlp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfiloiik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhnckp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glgcec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfdpgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bholco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejpkho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hffpiikm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afjbecqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nihgndip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfpebq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihkihe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmaialjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Indiodbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omkidb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lanpmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdkhbh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkebig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlepmnhq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbpbokop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqhhin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pokkkgpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odnjbibf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dohiefpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Haldgbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgddin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qahnid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgcpgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjdonndl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Choejien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opaeok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhfcnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfmfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmplqp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehkgnpbe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmnjgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cagpldqg.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 2 IoCs
resource yara_rule behavioral1/files/0x000400000001de60-3096.dat family_bruteratel behavioral1/files/0x000300000002079c-5343.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 952 Ffoihepa.exe 3020 Fjlaod32.exe 2520 Fooghg32.exe 2932 Faopib32.exe 2860 Gocpcfeb.exe 2692 Gdbeqmag.exe 2664 Gaffja32.exe 2716 Gdgoll32.exe 2852 Hghhngjb.exe 2916 Hhkakonn.exe 1760 Hcaehhnd.exe 776 Hohfmi32.exe 236 Hojbbiae.exe 2100 Inopce32.exe 3048 Ikcpmieg.exe 2192 Inaliedk.exe 2544 Indiodbh.exe 2136 Ijkjde32.exe 1840 Iccnmk32.exe 2976 Iipgeb32.exe 2216 Jcekbk32.exe 2468 Jkqpfmje.exe 1580 Jmplqp32.exe 2440 Jbmdig32.exe 1988 Jkeialfp.exe 2620 Jkgfgl32.exe 1620 Jadnoc32.exe 636 Kjopnh32.exe 2264 Kgcpgl32.exe 2864 Kjdiigbm.exe 2820 Kleeqp32.exe 2784 Kfkjnh32.exe 2888 Lhnckp32.exe 2744 Lebcdd32.exe 2708 Ldgpea32.exe 576 Lmpdoffo.exe 1720 Lanmde32.exe 2384 Mapjjdjb.exe 1100 Mgmbbkij.exe 2252 Mmigdend.exe 2204 Mcfpmlll.exe 824 Moomgmpm.exe 2636 Onipbl32.exe 1068 Oohmmojn.exe 792 Pjbnmm32.exe 1716 Pcjbfbmm.exe 2000 Pjdjbl32.exe 1936 Pclolakk.exe 1792 Pnbcij32.exe 2556 Ppcoqbao.exe 2396 Pjicnlqe.exe 1660 Paclje32.exe 1476 Pjkpckob.exe 2920 Pphilb32.exe 2828 Qipmdhcj.exe 2804 Qbiamm32.exe 2700 Qibjjgag.exe 2964 Qpmbgaid.exe 2728 Aiegpg32.exe 1416 Alcclb32.exe 3008 Aapkdi32.exe 2476 Ahjcqcdm.exe 2548 Aabhiikm.exe 2532 Aaeeoihj.exe -
Loads dropped DLL 64 IoCs
pid Process 2304 2b5a23296d7a55018767fa187c1e75aeeb1fb5a0660ecb1cf0b53db5a1f3458b.exe 2304 2b5a23296d7a55018767fa187c1e75aeeb1fb5a0660ecb1cf0b53db5a1f3458b.exe 952 Ffoihepa.exe 952 Ffoihepa.exe 3020 Fjlaod32.exe 3020 Fjlaod32.exe 2520 Fooghg32.exe 2520 Fooghg32.exe 2932 Faopib32.exe 2932 Faopib32.exe 2860 Gocpcfeb.exe 2860 Gocpcfeb.exe 2692 Gdbeqmag.exe 2692 Gdbeqmag.exe 2664 Gaffja32.exe 2664 Gaffja32.exe 2716 Gdgoll32.exe 2716 Gdgoll32.exe 2852 Hghhngjb.exe 2852 Hghhngjb.exe 2916 Hhkakonn.exe 2916 Hhkakonn.exe 1760 Hcaehhnd.exe 1760 Hcaehhnd.exe 776 Hohfmi32.exe 776 Hohfmi32.exe 236 Hojbbiae.exe 236 Hojbbiae.exe 2100 Inopce32.exe 2100 Inopce32.exe 3048 Ikcpmieg.exe 3048 Ikcpmieg.exe 2192 Inaliedk.exe 2192 Inaliedk.exe 2544 Indiodbh.exe 2544 Indiodbh.exe 2136 Ijkjde32.exe 2136 Ijkjde32.exe 1840 Iccnmk32.exe 1840 Iccnmk32.exe 2976 Iipgeb32.exe 2976 Iipgeb32.exe 2216 Jcekbk32.exe 2216 Jcekbk32.exe 2468 Jkqpfmje.exe 2468 Jkqpfmje.exe 1580 Jmplqp32.exe 1580 Jmplqp32.exe 2440 Jbmdig32.exe 2440 Jbmdig32.exe 1988 Jkeialfp.exe 1988 Jkeialfp.exe 2620 Jkgfgl32.exe 2620 Jkgfgl32.exe 1620 Jadnoc32.exe 1620 Jadnoc32.exe 636 Kjopnh32.exe 636 Kjopnh32.exe 2264 Kgcpgl32.exe 2264 Kgcpgl32.exe 2864 Kjdiigbm.exe 2864 Kjdiigbm.exe 2820 Kleeqp32.exe 2820 Kleeqp32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qolpolge.dll Kmjhjndm.exe File opened for modification C:\Windows\SysWOW64\Oljbil32.exe Oofbph32.exe File created C:\Windows\SysWOW64\Eopbooqb.exe Efgnfi32.exe File opened for modification C:\Windows\SysWOW64\Pldobjec.exe Paojeafn.exe File opened for modification C:\Windows\SysWOW64\Akldhi32.exe Afolpb32.exe File opened for modification C:\Windows\SysWOW64\Ianmke32.exe Ifhinl32.exe File created C:\Windows\SysWOW64\Lnnaoldi.dll Hghhngjb.exe File opened for modification C:\Windows\SysWOW64\Afdjmo32.exe Amledj32.exe File created C:\Windows\SysWOW64\Nkpjfkhf.exe Nahemf32.exe File created C:\Windows\SysWOW64\Konpjafp.exe Kbjpqmhf.exe File opened for modification C:\Windows\SysWOW64\Akjhcimg.exe Aikkgnnc.exe File opened for modification C:\Windows\SysWOW64\Kbpbokop.exe Klcjfdqi.exe File opened for modification C:\Windows\SysWOW64\Jkgfgl32.exe Jkeialfp.exe File created C:\Windows\SysWOW64\Npbpjn32.exe Nihgndip.exe File opened for modification C:\Windows\SysWOW64\Qjofljho.exe Pjlifjjb.exe File opened for modification C:\Windows\SysWOW64\Fmnmih32.exe Ffcdlncp.exe File created C:\Windows\SysWOW64\Ffdgef32.exe Fcfjik32.exe File opened for modification C:\Windows\SysWOW64\Hfkidh32.exe Hleegpgb.exe File created C:\Windows\SysWOW64\Gcalcoom.dll Jegheghc.exe File opened for modification C:\Windows\SysWOW64\Jfijmdbh.exe Jqmadn32.exe File created C:\Windows\SysWOW64\Flmglfhk.exe Fagcnmie.exe File created C:\Windows\SysWOW64\Acgeldef.dll Mgebfi32.exe File opened for modification C:\Windows\SysWOW64\Hfjglppd.exe Hiffbl32.exe File created C:\Windows\SysWOW64\Ohkanb32.dll Pldobjec.exe File opened for modification C:\Windows\SysWOW64\Dhqnnk32.exe Dohiefpc.exe File created C:\Windows\SysWOW64\Icqdafal.dll Dcmkciap.exe File created C:\Windows\SysWOW64\Cfanhc32.dll Fjkije32.exe File created C:\Windows\SysWOW64\Ejpkho32.exe Eqhfoj32.exe File created C:\Windows\SysWOW64\Omjjgkfq.dll Knlpphnd.exe File opened for modification C:\Windows\SysWOW64\Meaiia32.exe Mkldli32.exe File opened for modification C:\Windows\SysWOW64\Iblcjohm.exe Ifecen32.exe File opened for modification C:\Windows\SysWOW64\Jggljqcb.exe Jajcaj32.exe File opened for modification C:\Windows\SysWOW64\Bkqnchgo.exe Bbhikcpn.exe File created C:\Windows\SysWOW64\Babpgo32.exe Bjhgjdjd.exe File created C:\Windows\SysWOW64\Pjbnmm32.exe Oohmmojn.exe File created C:\Windows\SysWOW64\Ihjfolmn.exe Iaqnbb32.exe File opened for modification C:\Windows\SysWOW64\Oagkac32.exe Oljbil32.exe File created C:\Windows\SysWOW64\Hnpkkm32.exe Hhfcnb32.exe File created C:\Windows\SysWOW64\Gaffja32.exe Gdbeqmag.exe File opened for modification C:\Windows\SysWOW64\Mpkjjofe.exe Mgbeqjpd.exe File created C:\Windows\SysWOW64\Mmojcceo.exe Mgebfi32.exe File created C:\Windows\SysWOW64\Dnbmmmhd.dll Mmgmhngk.exe File created C:\Windows\SysWOW64\Kfkjnh32.exe Kleeqp32.exe File opened for modification C:\Windows\SysWOW64\Iipgeb32.exe Iccnmk32.exe File opened for modification C:\Windows\SysWOW64\Qbiamm32.exe Qipmdhcj.exe File opened for modification C:\Windows\SysWOW64\Ddlloi32.exe Dkdhfdnj.exe File created C:\Windows\SysWOW64\Lbmlfbao.dll Gaoiol32.exe File created C:\Windows\SysWOW64\Daedpf32.dll Pjlifjjb.exe File created C:\Windows\SysWOW64\Dkeabg32.dll Amalcd32.exe File created C:\Windows\SysWOW64\Ioonfaed.exe Iaknmm32.exe File created C:\Windows\SysWOW64\Heohnaao.dll Hhkakonn.exe File created C:\Windows\SysWOW64\Bgpjhmil.dll Dlepmnhq.exe File created C:\Windows\SysWOW64\Pnphlc32.exe Pkalph32.exe File created C:\Windows\SysWOW64\Qnbhgadc.dll Mgmbbkij.exe File created C:\Windows\SysWOW64\Qpnkjq32.exe Qfegakmc.exe File opened for modification C:\Windows\SysWOW64\Bdkpob32.exe Ajelmiag.exe File opened for modification C:\Windows\SysWOW64\Ioonfaed.exe Iaknmm32.exe File created C:\Windows\SysWOW64\Nlfmoidh.exe Nbmhfdnh.exe File opened for modification C:\Windows\SysWOW64\Ogfdpfjo.exe Nibcgb32.exe File created C:\Windows\SysWOW64\Jdklcebk.exe Jggljqcb.exe File created C:\Windows\SysWOW64\Jbmdig32.exe Jmplqp32.exe File created C:\Windows\SysWOW64\Aebfof32.dll Iapjad32.exe File opened for modification C:\Windows\SysWOW64\Obhdpaqm.exe Niopgljl.exe File created C:\Windows\SysWOW64\Nldgdpjf.exe Mdibpn32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2096 2408 WerFault.exe 557 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klinmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hghhngjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kldofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfpebq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbibla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neojknfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhegckpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnhffm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoqjhiie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilohnopg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjglcmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkookd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqmadn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mipjbokm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gocpcfeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfkjnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbilimn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opaeok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcjbfbmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfpllg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjglppd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfifqg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaqnbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oenngb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjbelf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcbbidgl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akldhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqlgikcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haldgbkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjbdmbmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geckno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nihgndip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Genkhidc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmojcceo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljdgqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecibjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldobjec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkbbqjgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgcooh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbchfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooaiehhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdbeqmag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjdiigbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meaiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkpie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcfpmlll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppcoqbao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lceond32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbhikcpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knnmeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beignlig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqhfoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaokhdja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlgfbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efakhk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkggel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmnjgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlqao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hljnbo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnckp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egmeadbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiffbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfpnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbpjn32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpcmojia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paclje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmjoiblj.dll" Opoocb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgcooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfmfjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apneip32.dll" Hhaogp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgeoapde.dll" Jadnoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfnmhnhm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgnbepjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhiodnob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgekdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acncngpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ionahd32.dll" Lkhfhaea.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gocpcfeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fagcnmie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpojog32.dll" Jfijmdbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifecen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkhbahal.dll" Kbjpqmhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iapjad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfcmcckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjkgampo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lfpebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godnfm32.dll" Mcfpmlll.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opoocb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmcpjg32.dll" Campbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdnicemo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnkggjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idlgohcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fakkgpio.dll" Kdkhbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmolll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmpdoffo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egmeadbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccoile32.dll" Jqonjmbn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hebhog32.dll" Ecaeoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acgeldef.dll" Mgebfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Heefcm32.dll" Afbpph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgekdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lemlao32.dll" Akhopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogloedpl.dll" Bholco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehohbg32.dll" Gioigf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmhckjdc.dll" Hnpkkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfppja32.dll" Dfecim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Poenac32.dll" Djiegp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dddodd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mmojcceo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qjofljho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpnkmh32.dll" Fmnmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cagpldqg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecibjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fooghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mndgpjek.dll" Pcjbfbmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hgnjlfam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gioigf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifmbilhq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oijbkpqm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afhfpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpihinap.dll" Akldhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gmqlgppo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Haldgbkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghfnq32.dll" Moomgmpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqdong32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjbelf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ilohnopg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhbelo32.dll" Dejnme32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2304 wrote to memory of 952 2304 2b5a23296d7a55018767fa187c1e75aeeb1fb5a0660ecb1cf0b53db5a1f3458b.exe 29 PID 2304 wrote to memory of 952 2304 2b5a23296d7a55018767fa187c1e75aeeb1fb5a0660ecb1cf0b53db5a1f3458b.exe 29 PID 2304 wrote to memory of 952 2304 2b5a23296d7a55018767fa187c1e75aeeb1fb5a0660ecb1cf0b53db5a1f3458b.exe 29 PID 2304 wrote to memory of 952 2304 2b5a23296d7a55018767fa187c1e75aeeb1fb5a0660ecb1cf0b53db5a1f3458b.exe 29 PID 952 wrote to memory of 3020 952 Ffoihepa.exe 30 PID 952 wrote to memory of 3020 952 Ffoihepa.exe 30 PID 952 wrote to memory of 3020 952 Ffoihepa.exe 30 PID 952 wrote to memory of 3020 952 Ffoihepa.exe 30 PID 3020 wrote to memory of 2520 3020 Fjlaod32.exe 31 PID 3020 wrote to memory of 2520 3020 Fjlaod32.exe 31 PID 3020 wrote to memory of 2520 3020 Fjlaod32.exe 31 PID 3020 wrote to memory of 2520 3020 Fjlaod32.exe 31 PID 2520 wrote to memory of 2932 2520 Fooghg32.exe 32 PID 2520 wrote to memory of 2932 2520 Fooghg32.exe 32 PID 2520 wrote to memory of 2932 2520 Fooghg32.exe 32 PID 2520 wrote to memory of 2932 2520 Fooghg32.exe 32 PID 2932 wrote to memory of 2860 2932 Faopib32.exe 33 PID 2932 wrote to memory of 2860 2932 Faopib32.exe 33 PID 2932 wrote to memory of 2860 2932 Faopib32.exe 33 PID 2932 wrote to memory of 2860 2932 Faopib32.exe 33 PID 2860 wrote to memory of 2692 2860 Gocpcfeb.exe 34 PID 2860 wrote to memory of 2692 2860 Gocpcfeb.exe 34 PID 2860 wrote to memory of 2692 2860 Gocpcfeb.exe 34 PID 2860 wrote to memory of 2692 2860 Gocpcfeb.exe 34 PID 2692 wrote to memory of 2664 2692 Gdbeqmag.exe 35 PID 2692 wrote to memory of 2664 2692 Gdbeqmag.exe 35 PID 2692 wrote to memory of 2664 2692 Gdbeqmag.exe 35 PID 2692 wrote to memory of 2664 2692 Gdbeqmag.exe 35 PID 2664 wrote to memory of 2716 2664 Gaffja32.exe 36 PID 2664 wrote to memory of 2716 2664 Gaffja32.exe 36 PID 2664 wrote to memory of 2716 2664 Gaffja32.exe 36 PID 2664 wrote to memory of 2716 2664 Gaffja32.exe 36 PID 2716 wrote to memory of 2852 2716 Gdgoll32.exe 37 PID 2716 wrote to memory of 2852 2716 Gdgoll32.exe 37 PID 2716 wrote to memory of 2852 2716 Gdgoll32.exe 37 PID 2716 wrote to memory of 2852 2716 Gdgoll32.exe 37 PID 2852 wrote to memory of 2916 2852 Hghhngjb.exe 38 PID 2852 wrote to memory of 2916 2852 Hghhngjb.exe 38 PID 2852 wrote to memory of 2916 2852 Hghhngjb.exe 38 PID 2852 wrote to memory of 2916 2852 Hghhngjb.exe 38 PID 2916 wrote to memory of 1760 2916 Hhkakonn.exe 39 PID 2916 wrote to memory of 1760 2916 Hhkakonn.exe 39 PID 2916 wrote to memory of 1760 2916 Hhkakonn.exe 39 PID 2916 wrote to memory of 1760 2916 Hhkakonn.exe 39 PID 1760 wrote to memory of 776 1760 Hcaehhnd.exe 40 PID 1760 wrote to memory of 776 1760 Hcaehhnd.exe 40 PID 1760 wrote to memory of 776 1760 Hcaehhnd.exe 40 PID 1760 wrote to memory of 776 1760 Hcaehhnd.exe 40 PID 776 wrote to memory of 236 776 Hohfmi32.exe 41 PID 776 wrote to memory of 236 776 Hohfmi32.exe 41 PID 776 wrote to memory of 236 776 Hohfmi32.exe 41 PID 776 wrote to memory of 236 776 Hohfmi32.exe 41 PID 236 wrote to memory of 2100 236 Hojbbiae.exe 42 PID 236 wrote to memory of 2100 236 Hojbbiae.exe 42 PID 236 wrote to memory of 2100 236 Hojbbiae.exe 42 PID 236 wrote to memory of 2100 236 Hojbbiae.exe 42 PID 2100 wrote to memory of 3048 2100 Inopce32.exe 43 PID 2100 wrote to memory of 3048 2100 Inopce32.exe 43 PID 2100 wrote to memory of 3048 2100 Inopce32.exe 43 PID 2100 wrote to memory of 3048 2100 Inopce32.exe 43 PID 3048 wrote to memory of 2192 3048 Ikcpmieg.exe 44 PID 3048 wrote to memory of 2192 3048 Ikcpmieg.exe 44 PID 3048 wrote to memory of 2192 3048 Ikcpmieg.exe 44 PID 3048 wrote to memory of 2192 3048 Ikcpmieg.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\2b5a23296d7a55018767fa187c1e75aeeb1fb5a0660ecb1cf0b53db5a1f3458b.exe"C:\Users\Admin\AppData\Local\Temp\2b5a23296d7a55018767fa187c1e75aeeb1fb5a0660ecb1cf0b53db5a1f3458b.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Ffoihepa.exeC:\Windows\system32\Ffoihepa.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:952 -
C:\Windows\SysWOW64\Fjlaod32.exeC:\Windows\system32\Fjlaod32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Fooghg32.exeC:\Windows\system32\Fooghg32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Faopib32.exeC:\Windows\system32\Faopib32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Gocpcfeb.exeC:\Windows\system32\Gocpcfeb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\SysWOW64\Gdbeqmag.exeC:\Windows\system32\Gdbeqmag.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Gaffja32.exeC:\Windows\system32\Gaffja32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Gdgoll32.exeC:\Windows\system32\Gdgoll32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Hghhngjb.exeC:\Windows\system32\Hghhngjb.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Hhkakonn.exeC:\Windows\system32\Hhkakonn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Hcaehhnd.exeC:\Windows\system32\Hcaehhnd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Hohfmi32.exeC:\Windows\system32\Hohfmi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Hojbbiae.exeC:\Windows\system32\Hojbbiae.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:236 -
C:\Windows\SysWOW64\Inopce32.exeC:\Windows\system32\Inopce32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Ikcpmieg.exeC:\Windows\system32\Ikcpmieg.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Inaliedk.exeC:\Windows\system32\Inaliedk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2192 -
C:\Windows\SysWOW64\Indiodbh.exeC:\Windows\system32\Indiodbh.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Ijkjde32.exeC:\Windows\system32\Ijkjde32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Iccnmk32.exeC:\Windows\system32\Iccnmk32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1840 -
C:\Windows\SysWOW64\Iipgeb32.exeC:\Windows\system32\Iipgeb32.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2976 -
C:\Windows\SysWOW64\Jcekbk32.exeC:\Windows\system32\Jcekbk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Jkqpfmje.exeC:\Windows\system32\Jkqpfmje.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2468 -
C:\Windows\SysWOW64\Jmplqp32.exeC:\Windows\system32\Jmplqp32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Jbmdig32.exeC:\Windows\system32\Jbmdig32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2440 -
C:\Windows\SysWOW64\Jkeialfp.exeC:\Windows\system32\Jkeialfp.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Jkgfgl32.exeC:\Windows\system32\Jkgfgl32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Jadnoc32.exeC:\Windows\system32\Jadnoc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1620 -
C:\Windows\SysWOW64\Kjopnh32.exeC:\Windows\system32\Kjopnh32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:636 -
C:\Windows\SysWOW64\Kgcpgl32.exeC:\Windows\system32\Kgcpgl32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2264 -
C:\Windows\SysWOW64\Kjdiigbm.exeC:\Windows\system32\Kjdiigbm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Kleeqp32.exeC:\Windows\system32\Kleeqp32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2820 -
C:\Windows\SysWOW64\Kfkjnh32.exeC:\Windows\system32\Kfkjnh32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2784 -
C:\Windows\SysWOW64\Lhnckp32.exeC:\Windows\system32\Lhnckp32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Lebcdd32.exeC:\Windows\system32\Lebcdd32.exe35⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Ldgpea32.exeC:\Windows\system32\Ldgpea32.exe36⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Lmpdoffo.exeC:\Windows\system32\Lmpdoffo.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:576 -
C:\Windows\SysWOW64\Lanmde32.exeC:\Windows\system32\Lanmde32.exe38⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Mapjjdjb.exeC:\Windows\system32\Mapjjdjb.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2384 -
C:\Windows\SysWOW64\Mgmbbkij.exeC:\Windows\system32\Mgmbbkij.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1100 -
C:\Windows\SysWOW64\Mmigdend.exeC:\Windows\system32\Mmigdend.exe41⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Mcfpmlll.exeC:\Windows\system32\Mcfpmlll.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Moomgmpm.exeC:\Windows\system32\Moomgmpm.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:824 -
C:\Windows\SysWOW64\Onipbl32.exeC:\Windows\system32\Onipbl32.exe44⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Oohmmojn.exeC:\Windows\system32\Oohmmojn.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1068 -
C:\Windows\SysWOW64\Pjbnmm32.exeC:\Windows\system32\Pjbnmm32.exe46⤵
- Executes dropped EXE
PID:792 -
C:\Windows\SysWOW64\Pcjbfbmm.exeC:\Windows\system32\Pcjbfbmm.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Pjdjbl32.exeC:\Windows\system32\Pjdjbl32.exe48⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Pclolakk.exeC:\Windows\system32\Pclolakk.exe49⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Pnbcij32.exeC:\Windows\system32\Pnbcij32.exe50⤵
- Executes dropped EXE
PID:1792 -
C:\Windows\SysWOW64\Ppcoqbao.exeC:\Windows\system32\Ppcoqbao.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2556 -
C:\Windows\SysWOW64\Pjicnlqe.exeC:\Windows\system32\Pjicnlqe.exe52⤵
- Executes dropped EXE
PID:2396 -
C:\Windows\SysWOW64\Paclje32.exeC:\Windows\system32\Paclje32.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Pjkpckob.exeC:\Windows\system32\Pjkpckob.exe54⤵
- Executes dropped EXE
PID:1476 -
C:\Windows\SysWOW64\Pphilb32.exeC:\Windows\system32\Pphilb32.exe55⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Qipmdhcj.exeC:\Windows\system32\Qipmdhcj.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Qbiamm32.exeC:\Windows\system32\Qbiamm32.exe57⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Qibjjgag.exeC:\Windows\system32\Qibjjgag.exe58⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Qpmbgaid.exeC:\Windows\system32\Qpmbgaid.exe59⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Aiegpg32.exeC:\Windows\system32\Aiegpg32.exe60⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Alcclb32.exeC:\Windows\system32\Alcclb32.exe61⤵
- Executes dropped EXE
PID:1416 -
C:\Windows\SysWOW64\Aapkdi32.exeC:\Windows\system32\Aapkdi32.exe62⤵
- Executes dropped EXE
PID:3008 -
C:\Windows\SysWOW64\Ahjcqcdm.exeC:\Windows\system32\Ahjcqcdm.exe63⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Aabhiikm.exeC:\Windows\system32\Aabhiikm.exe64⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Aaeeoihj.exeC:\Windows\system32\Aaeeoihj.exe65⤵
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Ahomlb32.exeC:\Windows\system32\Ahomlb32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1084 -
C:\Windows\SysWOW64\Amledj32.exeC:\Windows\system32\Amledj32.exe67⤵
- Drops file in System32 directory
PID:1044 -
C:\Windows\SysWOW64\Afdjmo32.exeC:\Windows\system32\Afdjmo32.exe68⤵PID:616
-
C:\Windows\SysWOW64\Bplofekp.exeC:\Windows\system32\Bplofekp.exe69⤵PID:1548
-
C:\Windows\SysWOW64\Beignlig.exeC:\Windows\system32\Beignlig.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2612 -
C:\Windows\SysWOW64\Bpokkdim.exeC:\Windows\system32\Bpokkdim.exe71⤵PID:2348
-
C:\Windows\SysWOW64\Belcck32.exeC:\Windows\system32\Belcck32.exe72⤵PID:1668
-
C:\Windows\SysWOW64\Bpahad32.exeC:\Windows\system32\Bpahad32.exe73⤵PID:3036
-
C:\Windows\SysWOW64\Benpik32.exeC:\Windows\system32\Benpik32.exe74⤵PID:2972
-
C:\Windows\SysWOW64\Bkkiab32.exeC:\Windows\system32\Bkkiab32.exe75⤵PID:1920
-
C:\Windows\SysWOW64\Bdcmjg32.exeC:\Windows\system32\Bdcmjg32.exe76⤵PID:436
-
C:\Windows\SysWOW64\Boiagp32.exeC:\Windows\system32\Boiagp32.exe77⤵PID:1748
-
C:\Windows\SysWOW64\Bebjdjal.exeC:\Windows\system32\Bebjdjal.exe78⤵PID:2848
-
C:\Windows\SysWOW64\Ckoblapc.exeC:\Windows\system32\Ckoblapc.exe79⤵PID:1072
-
C:\Windows\SysWOW64\Chccfe32.exeC:\Windows\system32\Chccfe32.exe80⤵PID:584
-
C:\Windows\SysWOW64\Cjdonndl.exeC:\Windows\system32\Cjdonndl.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2408 -
C:\Windows\SysWOW64\Cghpgbce.exeC:\Windows\system32\Cghpgbce.exe82⤵PID:1956
-
C:\Windows\SysWOW64\Cjglcmbi.exeC:\Windows\system32\Cjglcmbi.exe83⤵
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Windows\SysWOW64\Cdlppf32.exeC:\Windows\system32\Cdlppf32.exe84⤵PID:1804
-
C:\Windows\SysWOW64\Cfnmhnhm.exeC:\Windows\system32\Cfnmhnhm.exe85⤵
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Ccamabgg.exeC:\Windows\system32\Ccamabgg.exe86⤵PID:2448
-
C:\Windows\SysWOW64\Choejien.exeC:\Windows\system32\Choejien.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:904 -
C:\Windows\SysWOW64\Dbgjbo32.exeC:\Windows\system32\Dbgjbo32.exe88⤵PID:2244
-
C:\Windows\SysWOW64\Dkookd32.exeC:\Windows\system32\Dkookd32.exe89⤵
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Dfecim32.exeC:\Windows\system32\Dfecim32.exe90⤵
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Dlokegib.exeC:\Windows\system32\Dlokegib.exe91⤵PID:2160
-
C:\Windows\SysWOW64\Dfgpnm32.exeC:\Windows\system32\Dfgpnm32.exe92⤵PID:2836
-
C:\Windows\SysWOW64\Dkdhfdnj.exeC:\Windows\system32\Dkdhfdnj.exe93⤵
- Drops file in System32 directory
PID:1836 -
C:\Windows\SysWOW64\Ddlloi32.exeC:\Windows\system32\Ddlloi32.exe94⤵PID:2152
-
C:\Windows\SysWOW64\Djiegp32.exeC:\Windows\system32\Djiegp32.exe95⤵
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Egmeadbk.exeC:\Windows\system32\Egmeadbk.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2080 -
C:\Windows\SysWOW64\Emjnikpc.exeC:\Windows\system32\Emjnikpc.exe97⤵PID:980
-
C:\Windows\SysWOW64\Efbbba32.exeC:\Windows\system32\Efbbba32.exe98⤵PID:2564
-
C:\Windows\SysWOW64\Eqhfoj32.exeC:\Windows\system32\Eqhfoj32.exe99⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2088 -
C:\Windows\SysWOW64\Ejpkho32.exeC:\Windows\system32\Ejpkho32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2124 -
C:\Windows\SysWOW64\Epmcqf32.exeC:\Windows\system32\Epmcqf32.exe101⤵PID:1964
-
C:\Windows\SysWOW64\Epopff32.exeC:\Windows\system32\Epopff32.exe102⤵PID:1952
-
C:\Windows\SysWOW64\Ebnlba32.exeC:\Windows\system32\Ebnlba32.exe103⤵PID:2816
-
C:\Windows\SysWOW64\Emcqpjhh.exeC:\Windows\system32\Emcqpjhh.exe104⤵PID:2756
-
C:\Windows\SysWOW64\Fbpihafp.exeC:\Windows\system32\Fbpihafp.exe105⤵PID:2672
-
C:\Windows\SysWOW64\Fijadk32.exeC:\Windows\system32\Fijadk32.exe106⤵PID:2092
-
C:\Windows\SysWOW64\Fngjmb32.exeC:\Windows\system32\Fngjmb32.exe107⤵PID:2496
-
C:\Windows\SysWOW64\Faefim32.exeC:\Windows\system32\Faefim32.exe108⤵PID:1400
-
C:\Windows\SysWOW64\Fhonegbd.exeC:\Windows\system32\Fhonegbd.exe109⤵PID:2236
-
C:\Windows\SysWOW64\Fbebcp32.exeC:\Windows\system32\Fbebcp32.exe110⤵PID:2480
-
C:\Windows\SysWOW64\Fagcnmie.exeC:\Windows\system32\Fagcnmie.exe111⤵
- Drops file in System32 directory
- Modifies registry class
PID:1756 -
C:\Windows\SysWOW64\Flmglfhk.exeC:\Windows\system32\Flmglfhk.exe112⤵PID:1028
-
C:\Windows\SysWOW64\Fnkchahn.exeC:\Windows\system32\Fnkchahn.exe113⤵PID:1516
-
C:\Windows\SysWOW64\Fdhlphff.exeC:\Windows\system32\Fdhlphff.exe114⤵PID:2172
-
C:\Windows\SysWOW64\Fjbdmbmb.exeC:\Windows\system32\Fjbdmbmb.exe115⤵
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Fmqpinlf.exeC:\Windows\system32\Fmqpinlf.exe116⤵PID:2952
-
C:\Windows\SysWOW64\Fhfdffll.exeC:\Windows\system32\Fhfdffll.exe117⤵PID:2688
-
C:\Windows\SysWOW64\Gaoiol32.exeC:\Windows\system32\Gaoiol32.exe118⤵
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Gbpegdik.exeC:\Windows\system32\Gbpegdik.exe119⤵PID:2968
-
C:\Windows\SysWOW64\Glhjpjok.exeC:\Windows\system32\Glhjpjok.exe120⤵PID:780
-
C:\Windows\SysWOW64\Gfnnmboa.exeC:\Windows\system32\Gfnnmboa.exe121⤵PID:1376
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-