Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
40s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
02/12/2024, 04:17
Behavioral task
behavioral1
Sample
5c8111b114e180486a9e54bd09feb4f2dfb4cf4a14bf0cef04e21f52c6d3c8b7.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
120 seconds
General
-
Target
5c8111b114e180486a9e54bd09feb4f2dfb4cf4a14bf0cef04e21f52c6d3c8b7.exe
-
Size
93KB
-
MD5
6a59220558c6bb15bd015a7c4c4afc35
-
SHA1
8d9eeb85e4e97563af16b50aac76de2c6e816276
-
SHA256
5c8111b114e180486a9e54bd09feb4f2dfb4cf4a14bf0cef04e21f52c6d3c8b7
-
SHA512
e97dea4654772c5ca5dd6e71ccbed90b7bfade99d31f3185eba911970f354ef81391d29c3018210d93cf0432f821342ac737a31f9635267936bf982a075dbf3e
-
SSDEEP
1536:AG9MKrhOQdyLvEySbohmM9j9veW+Qe78zD1DaYfMZRWuLsV+1D:AW9hqErFMM783gYfc0DV+1D
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecfnmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kljdkpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pldebkhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgdnnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elcpbigl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcccpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekcaonhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdnjkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppnnai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bieopm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfkapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idicbbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knhjjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgingm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfcnegnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajcdjca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mikjpiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifolhann.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmjaohol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jikhnaao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhafhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opfbngfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhknaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klngkfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agpeaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpieengb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Clmdmm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobdgo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 5c8111b114e180486a9e54bd09feb4f2dfb4cf4a14bf0cef04e21f52c6d3c8b7.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Agjmim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkadjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fahhnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkibcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkmollme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olbogqoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjglkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qqfkln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmcjedcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppkjac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkdmfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qobbofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epmfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjdkjpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omqlpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pojecajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiepea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdadjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oefjdgjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kablnadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omefkplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anlhkbhq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hofngkga.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Golbnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Panaeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olmela32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qejpoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdgdji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkefbcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifoqjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiljam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eimcjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoqjqhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egmojnlf.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 1736 Amkbnp32.exe 2248 Abhkfg32.exe 2160 Amnocpdk.exe 2944 Anolkh32.exe 2212 Aidphq32.exe 2280 Anahqh32.exe 2668 Aekqmbod.exe 2452 Agjmim32.exe 1944 Ajhiei32.exe 2516 Ancefgfd.exe 3068 Aennba32.exe 3032 Akhfoldn.exe 1084 Bmibgd32.exe 1804 Bepjha32.exe 484 Bgnfdm32.exe 2384 Bfagpiam.exe 2084 Bmkomchi.exe 2644 Bpjkiogm.exe 1328 Bgqcjlhp.exe 2336 Bfccei32.exe 976 Bibpad32.exe 804 Bbjdjjdn.exe 1628 Bjallg32.exe 2568 Bidlgdlk.exe 616 Bpnddn32.exe 2432 Bbmapj32.exe 2180 Bmbemb32.exe 2948 Bncaekhp.exe 2960 Cemjae32.exe 2820 Cpcnonob.exe 2968 Cbajkiof.exe 2544 Cikbhc32.exe 2804 Cljodo32.exe 3020 Cafgle32.exe 2768 Cebcmdlg.exe 1796 Ckolek32.exe 1696 Cedpbd32.exe 1508 Chcloo32.exe 588 Ckahkk32.exe 1032 Cpnaca32.exe 828 Cheido32.exe 2352 Ckcepj32.exe 1692 Danmmd32.exe 2564 Dpqnhadq.exe 1712 Dgjfek32.exe 2456 Diibag32.exe 1340 Dbafjlaa.exe 2444 Depbfhpe.exe 2176 Dmgkgeah.exe 2192 Dpegcq32.exe 2236 Dcccpl32.exe 2200 Debplg32.exe 2884 Dhplhc32.exe 2580 Dpgcip32.exe 2996 Dcfpel32.exe 1624 Dedlag32.exe 1468 Dhbhmb32.exe 2732 Dkadjn32.exe 776 Dakmfh32.exe 2852 Degiggjm.exe 2528 Eheecbia.exe 1780 Ekcaonhe.exe 1724 Enbnkigh.exe 2708 Eeielfhk.exe -
Loads dropped DLL 64 IoCs
pid Process 2500 5c8111b114e180486a9e54bd09feb4f2dfb4cf4a14bf0cef04e21f52c6d3c8b7.exe 2500 5c8111b114e180486a9e54bd09feb4f2dfb4cf4a14bf0cef04e21f52c6d3c8b7.exe 1736 Amkbnp32.exe 1736 Amkbnp32.exe 2248 Abhkfg32.exe 2248 Abhkfg32.exe 2160 Amnocpdk.exe 2160 Amnocpdk.exe 2944 Anolkh32.exe 2944 Anolkh32.exe 2212 Aidphq32.exe 2212 Aidphq32.exe 2280 Anahqh32.exe 2280 Anahqh32.exe 2668 Aekqmbod.exe 2668 Aekqmbod.exe 2452 Agjmim32.exe 2452 Agjmim32.exe 1944 Ajhiei32.exe 1944 Ajhiei32.exe 2516 Ancefgfd.exe 2516 Ancefgfd.exe 3068 Aennba32.exe 3068 Aennba32.exe 3032 Akhfoldn.exe 3032 Akhfoldn.exe 1084 Bmibgd32.exe 1084 Bmibgd32.exe 1804 Bepjha32.exe 1804 Bepjha32.exe 484 Bgnfdm32.exe 484 Bgnfdm32.exe 2384 Bfagpiam.exe 2384 Bfagpiam.exe 2084 Bmkomchi.exe 2084 Bmkomchi.exe 2644 Bpjkiogm.exe 2644 Bpjkiogm.exe 1328 Bgqcjlhp.exe 1328 Bgqcjlhp.exe 2336 Bfccei32.exe 2336 Bfccei32.exe 976 Bibpad32.exe 976 Bibpad32.exe 804 Bbjdjjdn.exe 804 Bbjdjjdn.exe 1628 Bjallg32.exe 1628 Bjallg32.exe 2568 Bidlgdlk.exe 2568 Bidlgdlk.exe 616 Bpnddn32.exe 616 Bpnddn32.exe 2432 Bbmapj32.exe 2432 Bbmapj32.exe 2180 Bmbemb32.exe 2180 Bmbemb32.exe 2948 Bncaekhp.exe 2948 Bncaekhp.exe 2960 Cemjae32.exe 2960 Cemjae32.exe 2820 Cpcnonob.exe 2820 Cpcnonob.exe 2968 Cbajkiof.exe 2968 Cbajkiof.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aeoijidl.exe Qoeamo32.exe File created C:\Windows\SysWOW64\Eemnnn32.exe Efjmbaba.exe File opened for modification C:\Windows\SysWOW64\Ogknoe32.exe Ohhmcinf.exe File opened for modification C:\Windows\SysWOW64\Olpilg32.exe Ofcqcp32.exe File created C:\Windows\SysWOW64\Hqpagjge.dll Fhdjgoha.exe File created C:\Windows\SysWOW64\Gaagcpdl.exe Gockgdeh.exe File created C:\Windows\SysWOW64\Cmkfji32.exe Cjljnn32.exe File opened for modification C:\Windows\SysWOW64\Bpjkiogm.exe Bmkomchi.exe File created C:\Windows\SysWOW64\Lbnaaeim.dll Jjnhhjjk.exe File created C:\Windows\SysWOW64\Bmpcfg32.dll Amcbankf.exe File created C:\Windows\SysWOW64\Mikjpiim.exe Mfmndn32.exe File created C:\Windows\SysWOW64\Bibpad32.exe Bfccei32.exe File created C:\Windows\SysWOW64\Jjplgd32.dll Ipehmebh.exe File created C:\Windows\SysWOW64\Ffhnoj32.dll Fofpoo32.exe File opened for modification C:\Windows\SysWOW64\Okbpde32.exe Olophhjd.exe File created C:\Windows\SysWOW64\Kalipcmb.exe Jieaofmp.exe File opened for modification C:\Windows\SysWOW64\Fahhnn32.exe Eojlbb32.exe File opened for modification C:\Windows\SysWOW64\Bjallg32.exe Bbjdjjdn.exe File created C:\Windows\SysWOW64\Omqlpp32.exe Okbpde32.exe File created C:\Windows\SysWOW64\Mlionk32.dll Ijnbcmkk.exe File created C:\Windows\SysWOW64\Mcqombic.exe Mqbbagjo.exe File created C:\Windows\SysWOW64\Foahmh32.exe Fhgppnan.exe File created C:\Windows\SysWOW64\Fgmkef32.dll Ilcalnii.exe File created C:\Windows\SysWOW64\Ggpbcccn.dll Qobbofgn.exe File created C:\Windows\SysWOW64\Cjhkej32.dll Gkbcbn32.exe File created C:\Windows\SysWOW64\Mhhigm32.dll Bnnaoe32.exe File created C:\Windows\SysWOW64\Cgoelh32.exe Cfmhdpnc.exe File opened for modification C:\Windows\SysWOW64\Mokilo32.exe Llmmpcfe.exe File created C:\Windows\SysWOW64\Hffibceh.exe Hddmjk32.exe File opened for modification C:\Windows\SysWOW64\Jpepkk32.exe Jikhnaao.exe File created C:\Windows\SysWOW64\Lefggi32.dll Bjallg32.exe File created C:\Windows\SysWOW64\Ibejjo32.dll Okbpde32.exe File opened for modification C:\Windows\SysWOW64\Fofpoo32.exe Fgohna32.exe File opened for modification C:\Windows\SysWOW64\Jpjngh32.exe Joiappkp.exe File created C:\Windows\SysWOW64\Jidmcq32.dll Cfmhdpnc.exe File created C:\Windows\SysWOW64\Geoghd32.dll Icafgmbe.exe File created C:\Windows\SysWOW64\Ajhddk32.exe Agihgp32.exe File created C:\Windows\SysWOW64\Bfcodkcb.exe Bnlgbnbp.exe File opened for modification C:\Windows\SysWOW64\Dhbhmb32.exe Dedlag32.exe File opened for modification C:\Windows\SysWOW64\Eabcggll.exe Enfgfh32.exe File opened for modification C:\Windows\SysWOW64\Jipaip32.exe Jcciqi32.exe File created C:\Windows\SysWOW64\Kpgionie.exe Koflgf32.exe File created C:\Windows\SysWOW64\Fhgpia32.dll Cgoelh32.exe File opened for modification C:\Windows\SysWOW64\Dljmlj32.exe Dbaice32.exe File opened for modification C:\Windows\SysWOW64\Paocnkph.exe Ppmgfb32.exe File opened for modification C:\Windows\SysWOW64\Ageompfe.exe Adfbpega.exe File opened for modification C:\Windows\SysWOW64\Cncmcm32.exe Ckeqga32.exe File created C:\Windows\SysWOW64\Hinqgg32.exe Hfpdkl32.exe File opened for modification C:\Windows\SysWOW64\Kdpfadlm.exe Kkgahoel.exe File created C:\Windows\SysWOW64\Cfeepelg.exe Clpabm32.exe File opened for modification C:\Windows\SysWOW64\Cfhkhd32.exe Cmpgpond.exe File created C:\Windows\SysWOW64\Eanldqgf.exe Eakooqih.exe File created C:\Windows\SysWOW64\Fimmkm32.dll Mjnjjbbh.exe File opened for modification C:\Windows\SysWOW64\Bcpgdhpp.exe Amfognic.exe File opened for modification C:\Windows\SysWOW64\Njbfnjeg.exe Ncinap32.exe File created C:\Windows\SysWOW64\Ildhhm32.dll Ckeqga32.exe File created C:\Windows\SysWOW64\Jkjplo32.dll Bbjdjjdn.exe File opened for modification C:\Windows\SysWOW64\Aihfap32.exe Ajeeeblb.exe File created C:\Windows\SysWOW64\Bpifad32.dll Piabdiep.exe File created C:\Windows\SysWOW64\Ghdjfq32.dll Cjogcm32.exe File opened for modification C:\Windows\SysWOW64\Dadbdkld.exe Dnefhpma.exe File created C:\Windows\SysWOW64\Gedaglad.dll Hnbopmnm.exe File created C:\Windows\SysWOW64\Pohhna32.exe Phnpagdp.exe File opened for modification C:\Windows\SysWOW64\Ipmqgmcd.exe Imodkadq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8912 3000 WerFault.exe 962 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pafdjmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhhbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgaiobjn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epmfgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmhdpnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dokfme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kechdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcejm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbgjkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfdhmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebckmaec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnacpffh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbhhdnlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhbkohm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfieigio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eimcjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgjkfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibnop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kljabgnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfidjbdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbflno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlfhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljcllqe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hffibceh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhcag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohojmjep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmnopp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hieiqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fakdcnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdecea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmicfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mopbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqmamm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djgkii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhiakf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnhngjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odkgec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjleclph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgkhdddo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeckfndj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqnifg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oajlkojn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nipdkieg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppkhhjei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcmmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oanefo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klngkfge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egonhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifpcchai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhomkcoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpjhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdegfn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaglcgdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giolnomh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idfnicfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpdeogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhjcic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhldafl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjglkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbbbdcgi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdhad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamdkfnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danmmd32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phhjblpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckboie32.dll" Qdaglmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biolanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcldhnkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdekpjbk.dll" Kokmmkcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gehiioaj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fheabelm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqojbd32.dll" Hahnac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoapfe32.dll" Mcckcbgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkolakkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqmnjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elgfkhpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kfkpknkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fjjpjgjj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkbcbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Obgkpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knjmll32.dll" Cpmjhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohmaibil.dll" Eecafd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fodebh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joiappkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Decfggnn.dll" Ohiffh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lhknaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Domccejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gaihob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnapnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkhbgbkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bpnddn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Najpll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lohccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apgagg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nggggoda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhmbnqfg.dll" Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlhhndno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hcldhnkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heikgh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odkgec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfhdnn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkmmlgik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amkbnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egflhe32.dll" Oeehln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkecij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eppefg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjjdhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iigpli32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pejmfqan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iegeonpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcdlbgna.dll" Cheido32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibebjn32.dll" Hlccdboi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibkkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmhjag32.dll" Gdkgkcpq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fckhhgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kikpibof.dll" Bajqfq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mikjpiim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgbioq32.dll" Mbcoio32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lngpog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfckcoen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejebfdmb.dll" Ifgpnmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phnpagdp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgfjhcge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgpgbj32.dll" Aaimopli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmnopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmnopp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2500 wrote to memory of 1736 2500 5c8111b114e180486a9e54bd09feb4f2dfb4cf4a14bf0cef04e21f52c6d3c8b7.exe 30 PID 2500 wrote to memory of 1736 2500 5c8111b114e180486a9e54bd09feb4f2dfb4cf4a14bf0cef04e21f52c6d3c8b7.exe 30 PID 2500 wrote to memory of 1736 2500 5c8111b114e180486a9e54bd09feb4f2dfb4cf4a14bf0cef04e21f52c6d3c8b7.exe 30 PID 2500 wrote to memory of 1736 2500 5c8111b114e180486a9e54bd09feb4f2dfb4cf4a14bf0cef04e21f52c6d3c8b7.exe 30 PID 1736 wrote to memory of 2248 1736 Amkbnp32.exe 31 PID 1736 wrote to memory of 2248 1736 Amkbnp32.exe 31 PID 1736 wrote to memory of 2248 1736 Amkbnp32.exe 31 PID 1736 wrote to memory of 2248 1736 Amkbnp32.exe 31 PID 2248 wrote to memory of 2160 2248 Abhkfg32.exe 32 PID 2248 wrote to memory of 2160 2248 Abhkfg32.exe 32 PID 2248 wrote to memory of 2160 2248 Abhkfg32.exe 32 PID 2248 wrote to memory of 2160 2248 Abhkfg32.exe 32 PID 2160 wrote to memory of 2944 2160 Amnocpdk.exe 33 PID 2160 wrote to memory of 2944 2160 Amnocpdk.exe 33 PID 2160 wrote to memory of 2944 2160 Amnocpdk.exe 33 PID 2160 wrote to memory of 2944 2160 Amnocpdk.exe 33 PID 2944 wrote to memory of 2212 2944 Anolkh32.exe 34 PID 2944 wrote to memory of 2212 2944 Anolkh32.exe 34 PID 2944 wrote to memory of 2212 2944 Anolkh32.exe 34 PID 2944 wrote to memory of 2212 2944 Anolkh32.exe 34 PID 2212 wrote to memory of 2280 2212 Aidphq32.exe 35 PID 2212 wrote to memory of 2280 2212 Aidphq32.exe 35 PID 2212 wrote to memory of 2280 2212 Aidphq32.exe 35 PID 2212 wrote to memory of 2280 2212 Aidphq32.exe 35 PID 2280 wrote to memory of 2668 2280 Anahqh32.exe 36 PID 2280 wrote to memory of 2668 2280 Anahqh32.exe 36 PID 2280 wrote to memory of 2668 2280 Anahqh32.exe 36 PID 2280 wrote to memory of 2668 2280 Anahqh32.exe 36 PID 2668 wrote to memory of 2452 2668 Aekqmbod.exe 37 PID 2668 wrote to memory of 2452 2668 Aekqmbod.exe 37 PID 2668 wrote to memory of 2452 2668 Aekqmbod.exe 37 PID 2668 wrote to memory of 2452 2668 Aekqmbod.exe 37 PID 2452 wrote to memory of 1944 2452 Agjmim32.exe 38 PID 2452 wrote to memory of 1944 2452 Agjmim32.exe 38 PID 2452 wrote to memory of 1944 2452 Agjmim32.exe 38 PID 2452 wrote to memory of 1944 2452 Agjmim32.exe 38 PID 1944 wrote to memory of 2516 1944 Ajhiei32.exe 39 PID 1944 wrote to memory of 2516 1944 Ajhiei32.exe 39 PID 1944 wrote to memory of 2516 1944 Ajhiei32.exe 39 PID 1944 wrote to memory of 2516 1944 Ajhiei32.exe 39 PID 2516 wrote to memory of 3068 2516 Ancefgfd.exe 40 PID 2516 wrote to memory of 3068 2516 Ancefgfd.exe 40 PID 2516 wrote to memory of 3068 2516 Ancefgfd.exe 40 PID 2516 wrote to memory of 3068 2516 Ancefgfd.exe 40 PID 3068 wrote to memory of 3032 3068 Aennba32.exe 41 PID 3068 wrote to memory of 3032 3068 Aennba32.exe 41 PID 3068 wrote to memory of 3032 3068 Aennba32.exe 41 PID 3068 wrote to memory of 3032 3068 Aennba32.exe 41 PID 3032 wrote to memory of 1084 3032 Akhfoldn.exe 42 PID 3032 wrote to memory of 1084 3032 Akhfoldn.exe 42 PID 3032 wrote to memory of 1084 3032 Akhfoldn.exe 42 PID 3032 wrote to memory of 1084 3032 Akhfoldn.exe 42 PID 1084 wrote to memory of 1804 1084 Bmibgd32.exe 43 PID 1084 wrote to memory of 1804 1084 Bmibgd32.exe 43 PID 1084 wrote to memory of 1804 1084 Bmibgd32.exe 43 PID 1084 wrote to memory of 1804 1084 Bmibgd32.exe 43 PID 1804 wrote to memory of 484 1804 Bepjha32.exe 44 PID 1804 wrote to memory of 484 1804 Bepjha32.exe 44 PID 1804 wrote to memory of 484 1804 Bepjha32.exe 44 PID 1804 wrote to memory of 484 1804 Bepjha32.exe 44 PID 484 wrote to memory of 2384 484 Bgnfdm32.exe 45 PID 484 wrote to memory of 2384 484 Bgnfdm32.exe 45 PID 484 wrote to memory of 2384 484 Bgnfdm32.exe 45 PID 484 wrote to memory of 2384 484 Bgnfdm32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\5c8111b114e180486a9e54bd09feb4f2dfb4cf4a14bf0cef04e21f52c6d3c8b7.exe"C:\Users\Admin\AppData\Local\Temp\5c8111b114e180486a9e54bd09feb4f2dfb4cf4a14bf0cef04e21f52c6d3c8b7.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2500 -
C:\Windows\SysWOW64\Amkbnp32.exeC:\Windows\system32\Amkbnp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1736 -
C:\Windows\SysWOW64\Abhkfg32.exeC:\Windows\system32\Abhkfg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2160 -
C:\Windows\SysWOW64\Anolkh32.exeC:\Windows\system32\Anolkh32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Aidphq32.exeC:\Windows\system32\Aidphq32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Ajhiei32.exeC:\Windows\system32\Ajhiei32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2516 -
C:\Windows\SysWOW64\Aennba32.exeC:\Windows\system32\Aennba32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3068 -
C:\Windows\SysWOW64\Akhfoldn.exeC:\Windows\system32\Akhfoldn.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:484 -
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384 -
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2084 -
C:\Windows\SysWOW64\Bpjkiogm.exeC:\Windows\system32\Bpjkiogm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Bgqcjlhp.exeC:\Windows\system32\Bgqcjlhp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1328 -
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:804 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1628 -
C:\Windows\SysWOW64\Bidlgdlk.exeC:\Windows\system32\Bidlgdlk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Bpnddn32.exeC:\Windows\system32\Bpnddn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:616 -
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Bncaekhp.exeC:\Windows\system32\Bncaekhp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Cemjae32.exeC:\Windows\system32\Cemjae32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2960 -
C:\Windows\SysWOW64\Cpcnonob.exeC:\Windows\system32\Cpcnonob.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2820 -
C:\Windows\SysWOW64\Cbajkiof.exeC:\Windows\system32\Cbajkiof.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe33⤵
- Executes dropped EXE
PID:2544 -
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe34⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Cafgle32.exeC:\Windows\system32\Cafgle32.exe35⤵
- Executes dropped EXE
PID:3020 -
C:\Windows\SysWOW64\Cebcmdlg.exeC:\Windows\system32\Cebcmdlg.exe36⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe37⤵
- Executes dropped EXE
PID:1796 -
C:\Windows\SysWOW64\Cedpbd32.exeC:\Windows\system32\Cedpbd32.exe38⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Chcloo32.exeC:\Windows\system32\Chcloo32.exe39⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe40⤵
- Executes dropped EXE
PID:588 -
C:\Windows\SysWOW64\Cpnaca32.exeC:\Windows\system32\Cpnaca32.exe41⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Cheido32.exeC:\Windows\system32\Cheido32.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:828 -
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe43⤵
- Executes dropped EXE
PID:2352 -
C:\Windows\SysWOW64\Danmmd32.exeC:\Windows\system32\Danmmd32.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe45⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe46⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Diibag32.exeC:\Windows\system32\Diibag32.exe47⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe48⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe49⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe50⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe51⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Debplg32.exeC:\Windows\system32\Debplg32.exe53⤵
- Executes dropped EXE
PID:2200 -
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe54⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe55⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Dcfpel32.exeC:\Windows\system32\Dcfpel32.exe56⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Dedlag32.exeC:\Windows\system32\Dedlag32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1624 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe58⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Dakmfh32.exeC:\Windows\system32\Dakmfh32.exe60⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe61⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Eheecbia.exeC:\Windows\system32\Eheecbia.exe62⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Ekcaonhe.exeC:\Windows\system32\Ekcaonhe.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Enbnkigh.exeC:\Windows\system32\Enbnkigh.exe64⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Eeielfhk.exeC:\Windows\system32\Eeielfhk.exe65⤵
- Executes dropped EXE
PID:2708 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe66⤵
- System Location Discovery: System Language Discovery
PID:576 -
C:\Windows\SysWOW64\Egjbdo32.exeC:\Windows\system32\Egjbdo32.exe67⤵PID:2256
-
C:\Windows\SysWOW64\Eoajel32.exeC:\Windows\system32\Eoajel32.exe68⤵PID:2164
-
C:\Windows\SysWOW64\Eapfagno.exeC:\Windows\system32\Eapfagno.exe69⤵PID:2812
-
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe70⤵PID:2588
-
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe71⤵PID:1784
-
C:\Windows\SysWOW64\Egmojnlf.exeC:\Windows\system32\Egmojnlf.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1284 -
C:\Windows\SysWOW64\Enfgfh32.exeC:\Windows\system32\Enfgfh32.exe73⤵
- Drops file in System32 directory
PID:2740 -
C:\Windows\SysWOW64\Eabcggll.exeC:\Windows\system32\Eabcggll.exe74⤵PID:3040
-
C:\Windows\SysWOW64\Edqocbkp.exeC:\Windows\system32\Edqocbkp.exe75⤵PID:1144
-
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe76⤵PID:2508
-
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe77⤵PID:388
-
C:\Windows\SysWOW64\Eniclh32.exeC:\Windows\system32\Eniclh32.exe78⤵PID:2208
-
C:\Windows\SysWOW64\Edclib32.exeC:\Windows\system32\Edclib32.exe79⤵PID:1856
-
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe80⤵PID:1672
-
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe81⤵PID:2964
-
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe82⤵
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe83⤵
- Modifies registry class
PID:1000 -
C:\Windows\SysWOW64\Fcjeon32.exeC:\Windows\system32\Fcjeon32.exe84⤵PID:2288
-
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe85⤵PID:2984
-
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe86⤵PID:1700
-
C:\Windows\SysWOW64\Fkhgip32.exeC:\Windows\system32\Fkhgip32.exe87⤵PID:2032
-
C:\Windows\SysWOW64\Fnfcel32.exeC:\Windows\system32\Fnfcel32.exe88⤵PID:1336
-
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe89⤵PID:2028
-
C:\Windows\SysWOW64\Fgohna32.exeC:\Windows\system32\Fgohna32.exe90⤵
- Drops file in System32 directory
PID:2908 -
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe91⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Fqglggcp.exeC:\Windows\system32\Fqglggcp.exe92⤵PID:2664
-
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe93⤵PID:3016
-
C:\Windows\SysWOW64\Gjpqpl32.exeC:\Windows\system32\Gjpqpl32.exe94⤵PID:1788
-
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe95⤵PID:2060
-
C:\Windows\SysWOW64\Gkomjo32.exeC:\Windows\system32\Gkomjo32.exe96⤵PID:772
-
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe97⤵PID:892
-
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe98⤵PID:564
-
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe99⤵PID:2004
-
C:\Windows\SysWOW64\Gjdjklek.exeC:\Windows\system32\Gjdjklek.exe100⤵PID:2552
-
C:\Windows\SysWOW64\Gmbfggdo.exeC:\Windows\system32\Gmbfggdo.exe101⤵PID:3048
-
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe102⤵PID:1224
-
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe103⤵PID:2696
-
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe104⤵PID:2912
-
C:\Windows\SysWOW64\Gmecmg32.exeC:\Windows\system32\Gmecmg32.exe105⤵PID:1848
-
C:\Windows\SysWOW64\Gjicfk32.exeC:\Windows\system32\Gjicfk32.exe106⤵PID:1616
-
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe107⤵PID:2764
-
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe108⤵
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Hinqgg32.exeC:\Windows\system32\Hinqgg32.exe109⤵PID:1344
-
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe110⤵PID:2760
-
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe111⤵PID:1192
-
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe112⤵PID:1928
-
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe113⤵PID:2796
-
C:\Windows\SysWOW64\Hnmeen32.exeC:\Windows\system32\Hnmeen32.exe114⤵PID:2492
-
C:\Windows\SysWOW64\Halbai32.exeC:\Windows\system32\Halbai32.exe115⤵PID:2224
-
C:\Windows\SysWOW64\Hibjbgbh.exeC:\Windows\system32\Hibjbgbh.exe116⤵PID:1792
-
C:\Windows\SysWOW64\Hhejnc32.exeC:\Windows\system32\Hhejnc32.exe117⤵PID:1300
-
C:\Windows\SysWOW64\Hjdfjo32.exeC:\Windows\system32\Hjdfjo32.exe118⤵PID:2556
-
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe119⤵PID:3012
-
C:\Windows\SysWOW64\Hanogipc.exeC:\Windows\system32\Hanogipc.exe120⤵PID:2676
-
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe121⤵
- Modifies registry class
PID:1972
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-