Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 73s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 26/11/2024, 12:15
Static task: static1
Behavioral task: behavioral1
  Sample: fe426fb3ab81b287bb42c5e61af2f5944fb7cee428359b7bdb6d4c90846146acN.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: fe426fb3ab81b287bb42c5e61af2f5944fb7cee428359b7bdb6d4c90846146acN.exe
  Resource: win10v2004-20241007-en
General
Target: fe426fb3ab81b287bb42c5e61af2f5944fb7cee428359b7bdb6d4c90846146acN.exe
Size: 163KB
MD5: c2dba8fd6782baf4833757141722efa0
SHA1: e84a79aba68ab0e354ff23eff8854b21a67cfa5d
SHA256: fe426fb3ab81b287bb42c5e61af2f5944fb7cee428359b7bdb6d4c90846146ac
SHA512: e1d4474dafd79c0915931e877ff33607ffc63060bb5a9a1b592cb2ed3ab841024c0a2323b1af1ede4c87a2b2852dac4360aabd8ca97e266db390241ce6770588
SSDEEP: 1536:PBFm/zhe6kI+et25m9Po4kr42/lProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:GWZete8w42/ltOrWKDBr+yJb
Malware Config
Extracted: berbew
Extracted: gozi
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
Bruteratel family
Detect BruteRatel badger (3 IoCs)
resource / yara_rule:
behavioral1/files/0x000400000001d99b-1872.dat  family_bruteratel
behavioral1/files/0x000400000001da0e-2018.dat  family_bruteratel
behavioral1/files/0x000400000001df95-3020.dat  family_bruteratel
Gozi family
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid: 2192, pid_target: 688, Process: WerFault.exe, procid_target: 350
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
Suspicious use of WriteProcessMemory 64 IoCs
Processes

Process tree (each process is spawned by the one listed before it; the leading number is the nesting depth shown in the original tree):

1. C:\Users\Admin\AppData\Local\Temp\fe426fb3ab81b287bb42c5e61af2f5944fb7cee428359b7bdb6d4c90846146acN.exe (PID 2448), command line: "C:\Users\Admin\AppData\Local\Temp\fe426fb3ab81b287bb42c5e61af2f5944fb7cee428359b7bdb6d4c90846146acN.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\SysWOW64\Igmepdbc.exe (PID 2832), command line: C:\Windows\system32\Igmepdbc.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
3. C:\Windows\SysWOW64\Ioiidfon.exe (PID 2884), command line: C:\Windows\system32\Ioiidfon.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
4. C:\Windows\SysWOW64\Jnbpqb32.exe (PID 2916), command line: C:\Windows\system32\Jnbpqb32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
5. C:\Windows\SysWOW64\Jnemfa32.exe (PID 2876), command line: C:\Windows\system32\Jnemfa32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
6. C:\Windows\SysWOW64\Jkkjeeke.exe (PID 688), command line: C:\Windows\system32\Jkkjeeke.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
7. C:\Windows\SysWOW64\Jpmooind.exe (PID 1252), command line: C:\Windows\system32\Jpmooind.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
8. C:\Windows\SysWOW64\Kfggkc32.exe (PID 1800), command line: C:\Windows\system32\Kfggkc32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
9. C:\Windows\SysWOW64\Klfmijae.exe (PID 796), command line: C:\Windows\system32\Klfmijae.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
10. C:\Windows\SysWOW64\Kpdeoh32.exe (PID 2972), command line: C:\Windows\system32\Kpdeoh32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
11. C:\Windows\SysWOW64\Kbenacdm.exe (PID 1964), command line: C:\Windows\system32\Kbenacdm.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
12. C:\Windows\SysWOW64\Lhfpdi32.exe (PID 852), command line: C:\Windows\system32\Lhfpdi32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
13. C:\Windows\SysWOW64\Laaabo32.exe (PID 1608), command line: C:\Windows\system32\Laaabo32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
14. C:\Windows\SysWOW64\Mecglbfl.exe (PID 1908), command line: C:\Windows\system32\Mecglbfl.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
15. C:\Windows\SysWOW64\Monhjgkj.exe (PID 2364), command line: C:\Windows\system32\Monhjgkj.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of WriteProcessMemory
16. C:\Windows\SysWOW64\Mkgeehnl.exe (PID 2492), command line: C:\Windows\system32\Mkgeehnl.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
17. C:\Windows\SysWOW64\Mdojnm32.exe (PID 2156), command line: C:\Windows\system32\Mdojnm32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
18. C:\Windows\SysWOW64\Njnokdaq.exe (PID 2168), command line: C:\Windows\system32\Njnokdaq.exe
   - Executes dropped EXE
   - Loads dropped DLL
19. C:\Windows\SysWOW64\Nlohmonb.exe (PID 1036), command line: C:\Windows\system32\Nlohmonb.exe
   - Executes dropped EXE
   - Loads dropped DLL
20. C:\Windows\SysWOW64\Njchfc32.exe (PID 3068), command line: C:\Windows\system32\Njchfc32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
21. C:\Windows\SysWOW64\Nhkbmo32.exe (PID 2132), command line: C:\Windows\system32\Nhkbmo32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
22. C:\Windows\SysWOW64\Oiokholk.exe (PID 2052), command line: C:\Windows\system32\Oiokholk.exe
   - Executes dropped EXE
   - Loads dropped DLL
23. C:\Windows\SysWOW64\Obhpad32.exe (PID 3052), command line: C:\Windows\system32\Obhpad32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
24. C:\Windows\SysWOW64\Oqmmbqgd.exe (PID 1636), command line: C:\Windows\system32\Oqmmbqgd.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Modifies registry class
25. C:\Windows\SysWOW64\Pgibdjln.exe (PID 880), command line: C:\Windows\system32\Pgibdjln.exe
   - Executes dropped EXE
   - Loads dropped DLL
26. C:\Windows\SysWOW64\Pcbookpp.exe (PID 2760), command line: C:\Windows\system32\Pcbookpp.exe
   - Executes dropped EXE
   - Loads dropped DLL
27. C:\Windows\SysWOW64\Plndcmmj.exe (PID 2892), command line: C:\Windows\system32\Plndcmmj.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Modifies registry class
28. C:\Windows\SysWOW64\Qldjdlgb.exe (PID 1540), command line: C:\Windows\system32\Qldjdlgb.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
29. C:\Windows\SysWOW64\Afqhjj32.exe (PID 2812), command line: C:\Windows\system32\Afqhjj32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
30. C:\Windows\SysWOW64\Afcdpi32.exe (PID 2636), command line: C:\Windows\system32\Afcdpi32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
31. C:\Windows\SysWOW64\Albjnplq.exe (PID 2740), command line: C:\Windows\system32\Albjnplq.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - Drops file in System32 directory
32. C:\Windows\SysWOW64\Aejnfe32.exe (PID 1852), command line: C:\Windows\system32\Aejnfe32.exe
   - Executes dropped EXE
   - Loads dropped DLL
   - System Location Discovery: System Language Discovery
   - Modifies registry class
33. C:\Windows\SysWOW64\Boeoek32.exe (PID 1240), command line: C:\Windows\system32\Boeoek32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
34. C:\Windows\SysWOW64\Bdfahaaa.exe (PID 2432), command line: C:\Windows\system32\Bdfahaaa.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
35. C:\Windows\SysWOW64\Befnbd32.exe (PID 1416), command line: C:\Windows\system32\Befnbd32.exe
   - Executes dropped EXE
   - Modifies registry class
36. C:\Windows\SysWOW64\Camnge32.exe (PID 2508), command line: C:\Windows\system32\Camnge32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
37. C:\Windows\SysWOW64\Cglcek32.exe (PID 2588), command line: C:\Windows\system32\Cglcek32.exe
   - Executes dropped EXE
38. C:\Windows\SysWOW64\Cnflae32.exe (PID 1452), command line: C:\Windows\system32\Cnflae32.exe
   - Executes dropped EXE
39. C:\Windows\SysWOW64\Cdpdnpif.exe (PID 264), command line: C:\Windows\system32\Cdpdnpif.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
40. C:\Windows\SysWOW64\Cgqmpkfg.exe (PID 2428), command line: C:\Windows\system32\Cgqmpkfg.exe
   - Executes dropped EXE
41. C:\Windows\SysWOW64\Ccgnelll.exe (PID 2128), command line: C:\Windows\system32\Ccgnelll.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
42. C:\Windows\SysWOW64\Donojm32.exe (PID 2272), command line: C:\Windows\system32\Donojm32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
43. C:\Windows\SysWOW64\Dkeoongd.exe (PID 2496), command line: C:\Windows\system32\Dkeoongd.exe
   - Executes dropped EXE
44. C:\Windows\SysWOW64\Dqddmd32.exe (PID 1012), command line: C:\Windows\system32\Dqddmd32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
45. C:\Windows\SysWOW64\Dkjhjm32.exe (PID 984), command line: C:\Windows\system32\Dkjhjm32.exe
   - Executes dropped EXE
46. C:\Windows\SysWOW64\Dqinhcoc.exe (PID 2056), command line: C:\Windows\system32\Dqinhcoc.exe
   - Executes dropped EXE
   - Drops file in System32 directory
47. C:\Windows\SysWOW64\Ejabqi32.exe (PID 1688), command line: C:\Windows\system32\Ejabqi32.exe
   - Executes dropped EXE
48. C:\Windows\SysWOW64\Epnkip32.exe (PID 2212), command line: C:\Windows\system32\Epnkip32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
   - Drops file in System32 directory
49. C:\Windows\SysWOW64\Embkbdce.exe (PID 2548), command line: C:\Windows\system32\Embkbdce.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - System Location Discovery: System Language Discovery
50. C:\Windows\SysWOW64\Ebockkal.exe (PID 692), command line: C:\Windows\system32\Ebockkal.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
51. C:\Windows\SysWOW64\Ecnpdnho.exe (PID 1808), command line: C:\Windows\system32\Ecnpdnho.exe
   - Executes dropped EXE
52. C:\Windows\SysWOW64\Eepmlf32.exe (PID 2752), command line: C:\Windows\system32\Eepmlf32.exe
   - Executes dropped EXE
53. C:\Windows\SysWOW64\Emgdmc32.exe (PID 1548), command line: C:\Windows\system32\Emgdmc32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
54. C:\Windows\SysWOW64\Eebibf32.exe (PID 1824), command line: C:\Windows\system32\Eebibf32.exe
   - Executes dropped EXE
55. C:\Windows\SysWOW64\Fpgnoo32.exe (PID 2324), command line: C:\Windows\system32\Fpgnoo32.exe
   - Executes dropped EXE
56. C:\Windows\SysWOW64\Fedfgejh.exe (PID 604), command line: C:\Windows\system32\Fedfgejh.exe
   - Executes dropped EXE
57. C:\Windows\SysWOW64\Fjaoplho.exe (PID 2300), command line: C:\Windows\system32\Fjaoplho.exe
   - Executes dropped EXE
   - Drops file in System32 directory
58. C:\Windows\SysWOW64\Fheoiqgi.exe (PID 2936), command line: C:\Windows\system32\Fheoiqgi.exe
   - Executes dropped EXE
   - Drops file in System32 directory
59. C:\Windows\SysWOW64\Fmbgageq.exe (PID 1696), command line: C:\Windows\system32\Fmbgageq.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
60. C:\Windows\SysWOW64\Fhglop32.exe (PID 1572), command line: C:\Windows\system32\Fhglop32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
   - Modifies registry class
61. C:\Windows\SysWOW64\Fpbqcb32.exe (PID 2020), command line: C:\Windows\system32\Fpbqcb32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
62. C:\Windows\SysWOW64\Fikelhib.exe (PID 2288), command line: C:\Windows\system32\Fikelhib.exe
   - Executes dropped EXE
   - System Location Discovery: System Language Discovery
63. C:\Windows\SysWOW64\Gfoeel32.exe (PID 1396), command line: C:\Windows\system32\Gfoeel32.exe
   - Executes dropped EXE
64. C:\Windows\SysWOW64\Gpgjnbnl.exe (PID 892), command line: C:\Windows\system32\Gpgjnbnl.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Executes dropped EXE
65. C:\Windows\SysWOW64\Gipngg32.exe (PID 1476), command line: C:\Windows\system32\Gipngg32.exe
   - Executes dropped EXE
   - Drops file in System32 directory
66. C:\Windows\SysWOW64\Gbhcpmkm.exe (PID 2596), command line: C:\Windows\system32\Gbhcpmkm.exe
   - System Location Discovery: System Language Discovery
67. C:\Windows\SysWOW64\Gplcia32.exe (PID 2540), command line: C:\Windows\system32\Gplcia32.exe
   - Drops file in System32 directory
68. C:\Windows\SysWOW64\Geilah32.exe (PID 304), command line: C:\Windows\system32\Geilah32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
69. C:\Windows\SysWOW64\Goapjnoo.exe (PID 2268), command line: C:\Windows\system32\Goapjnoo.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
70. C:\Windows\SysWOW64\Gekhgh32.exe (PID 2896), command line: C:\Windows\system32\Gekhgh32.exe
71. C:\Windows\SysWOW64\Gkhaooec.exe (PID 2824), command line: C:\Windows\system32\Gkhaooec.exe
72. C:\Windows\SysWOW64\Habili32.exe (PID 2672), command line: C:\Windows\system32\Habili32.exe
73. C:\Windows\SysWOW64\Hkjnenbp.exe (PID 2624), command line: C:\Windows\system32\Hkjnenbp.exe
74. C:\Windows\SysWOW64\Hmijajbd.exe (PID 932), command line: C:\Windows\system32\Hmijajbd.exe
75. C:\Windows\SysWOW64\Hganjo32.exe (PID 1648), command line: C:\Windows\system32\Hganjo32.exe
76. C:\Windows\SysWOW64\Hdeoccgn.exe (PID 2720), command line: C:\Windows\system32\Hdeoccgn.exe
77. C:\Windows\SysWOW64\Hnmcli32.exe (PID 568), command line: C:\Windows\system32\Hnmcli32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
   - Modifies registry class
78. C:\Windows\SysWOW64\Hplphd32.exe (PID 2100), command line: C:\Windows\system32\Hplphd32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
79. C:\Windows\SysWOW64\Hnppaill.exe (PID 1744), command line: C:\Windows\system32\Hnppaill.exe
   - System Location Discovery: System Language Discovery
   - Modifies registry class
80. C:\Windows\SysWOW64\Hclhjpjc.exe (PID 2044), command line: C:\Windows\system32\Hclhjpjc.exe
81. C:\Windows\SysWOW64\Ipqicdim.exe (PID 2256), command line: C:\Windows\system32\Ipqicdim.exe
82. C:\Windows\SysWOW64\Iemalkgd.exe (PID 976), command line: C:\Windows\system32\Iemalkgd.exe
83. C:\Windows\SysWOW64\Ikjjda32.exe (PID 1468), command line: C:\Windows\system32\Ikjjda32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
84. C:\Windows\SysWOW64\Jqbbhg32.exe (PID 1788), command line: C:\Windows\system32\Jqbbhg32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
85. C:\Windows\SysWOW64\Jcckibfg.exe (PID 1020), command line: C:\Windows\system32\Jcckibfg.exe
86. C:\Windows\SysWOW64\Kkalcdao.exe (PID 2528), command line: C:\Windows\system32\Kkalcdao.exe
87. C:\Windows\SysWOW64\Kbkdpnil.exe (PID 1940), command line: C:\Windows\system32\Kbkdpnil.exe
88. C:\Windows\SysWOW64\Kffqqm32.exe (PID 2724), command line: C:\Windows\system32\Kffqqm32.exe
   - Drops file in System32 directory
89. C:\Windows\SysWOW64\Knaeeo32.exe (PID 2616), command line: C:\Windows\system32\Knaeeo32.exe
90. C:\Windows\SysWOW64\Kapaaj32.exe (PID 428), command line: C:\Windows\system32\Kapaaj32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
91. C:\Windows\SysWOW64\Kkefoc32.exe (PID 3032), command line: C:\Windows\system32\Kkefoc32.exe
92. C:\Windows\SysWOW64\Kbpnkm32.exe (PID 2796), command line: C:\Windows\system32\Kbpnkm32.exe
   - Drops file in System32 directory
93. C:\Windows\SysWOW64\Kglfcd32.exe (PID 2920), command line: C:\Windows\system32\Kglfcd32.exe
   - System Location Discovery: System Language Discovery
94. C:\Windows\SysWOW64\Knfopnkk.exe (PID 2096), command line: C:\Windows\system32\Knfopnkk.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
95. C:\Windows\SysWOW64\Kaekljjo.exe (PID 2512), command line: C:\Windows\system32\Kaekljjo.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
96. C:\Windows\SysWOW64\Kgocid32.exe (PID 316), command line: C:\Windows\system32\Kgocid32.exe
97. C:\Windows\SysWOW64\Kaggbihl.exe (PID 2352), command line: C:\Windows\system32\Kaggbihl.exe
   - System Location Discovery: System Language Discovery
98. C:\Windows\SysWOW64\Lcedne32.exe (PID 1148), command line: C:\Windows\system32\Lcedne32.exe
99. C:\Windows\SysWOW64\Ljplkonl.exe (PID 1372), command line: C:\Windows\system32\Ljplkonl.exe
   - System Location Discovery: System Language Discovery
100. C:\Windows\SysWOW64\Laidgi32.exe (PID 2092), command line: C:\Windows\system32\Laidgi32.exe
101. C:\Windows\SysWOW64\Lbkaoalg.exe (PID 1552), command line: C:\Windows\system32\Lbkaoalg.exe
   - System Location Discovery: System Language Discovery
102. C:\Windows\SysWOW64\Llcehg32.exe (PID 2416), command line: C:\Windows\system32\Llcehg32.exe
103. C:\Windows\SysWOW64\Lekjal32.exe (PID 756), command line: C:\Windows\system32\Lekjal32.exe
104. C:\Windows\SysWOW64\Lpanne32.exe (PID 3036), command line: C:\Windows\system32\Lpanne32.exe
   - System Location Discovery: System Language Discovery
105. C:\Windows\SysWOW64\Lbojjq32.exe (PID 2008), command line: C:\Windows\system32\Lbojjq32.exe
   - System Location Discovery: System Language Discovery
106. C:\Windows\SysWOW64\Lpckce32.exe (PID 940), command line: C:\Windows\system32\Lpckce32.exe
107. C:\Windows\SysWOW64\Lilomj32.exe (PID 2164), command line: C:\Windows\system32\Lilomj32.exe
108. C:\Windows\SysWOW64\Magdam32.exe (PID 1864), command line: C:\Windows\system32\Magdam32.exe
   - System Location Discovery: System Language Discovery
109. C:\Windows\SysWOW64\Mmndfnpl.exe (PID 904), command line: C:\Windows\system32\Mmndfnpl.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - System Location Discovery: System Language Discovery
   - Modifies registry class
110. C:\Windows\SysWOW64\Mkaeob32.exe (PID 2308), command line: C:\Windows\system32\Mkaeob32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
111. C:\Windows\SysWOW64\Migbpocm.exe (PID 1684), command line: C:\Windows\system32\Migbpocm.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
112. C:\Windows\SysWOW64\Miiofn32.exe (PID 1560), command line: C:\Windows\system32\Miiofn32.exe
   - System Location Discovery: System Language Discovery
113. C:\Windows\SysWOW64\Mlgkbi32.exe (PID 2520), command line: C:\Windows\system32\Mlgkbi32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
   - Modifies registry class
114. C:\Windows\SysWOW64\Npechhgd.exe (PID 2592), command line: C:\Windows\system32\Npechhgd.exe
   - Modifies registry class
115. C:\Windows\SysWOW64\Ngoleb32.exe (PID 2908), command line: C:\Windows\system32\Ngoleb32.exe
116. C:\Windows\SysWOW64\Naimepkp.exe (PID 2900), command line: C:\Windows\system32\Naimepkp.exe
117. C:\Windows\SysWOW64\Nkaane32.exe (PID 964), command line: C:\Windows\system32\Nkaane32.exe
   - System Location Discovery: System Language Discovery
118. C:\Windows\SysWOW64\Negeln32.exe (PID 1936), command line: C:\Windows\system32\Negeln32.exe
119. C:\Windows\SysWOW64\Nnbjpqoa.exe (PID 1816), command line: C:\Windows\system32\Nnbjpqoa.exe
120. C:\Windows\SysWOW64\Noagjc32.exe (PID 1868), command line: C:\Windows\system32\Noagjc32.exe
   - Adds autorun key to be loaded by Explorer.exe on startup
121. C:\Windows\SysWOW64\Ojkhjabc.exe (PID 2444), command line: C:\Windows\system32\Ojkhjabc.exe
122. C:\Windows\SysWOW64\Ogohdeam.exe (PID 2112), command line: C:\Windows\system32\Ogohdeam.exe