Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
08/12/2024, 03:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cdf9307583faeac3cf7df10eb4f1a3cc1542997a3318d8f14f220715e96fa2b3.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
cdf9307583faeac3cf7df10eb4f1a3cc1542997a3318d8f14f220715e96fa2b3.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
150 seconds
General
-
Target
cdf9307583faeac3cf7df10eb4f1a3cc1542997a3318d8f14f220715e96fa2b3.exe
-
Size
443KB
-
MD5
7dc988c81b1f02241c04102ebfde05aa
-
SHA1
bac3465cb9016e2424adac2b7b35fb1d0bb2106e
-
SHA256
cdf9307583faeac3cf7df10eb4f1a3cc1542997a3318d8f14f220715e96fa2b3
-
SHA512
be2a5c2799df1e0d96335bfd36a9a2e4a0eb46bb45c16e0e8883c2e7d9889f156c0686f6c6a30556c06136acc24f74fa3533bfae7af465d5c14ed01acf84b5a7
-
SSDEEP
6144:m77B13n4GAvs0PEpNF0pNO021fv13n4GA3uKjwszeXmOEgHixuqjwszeXm:w1HJ1Uj+HiPj
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiknnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fejfmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lophacfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmaijdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdinnqon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgjgol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emgdmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flfkoeoh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggfbpaeo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heqimm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hajfgnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jijacjnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plpqim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpniokan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eiciig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjlemlnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcdadhjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klhioioc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bggjjlnb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njhilimb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpcjeaad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkkhpadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bikcbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ekghcq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjggap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qpcjeaad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfinam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eelgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flabdecn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhjoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggdekbgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hqochjnk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Immjnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Immjnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Khagijcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lofifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpphdpcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njhbabif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffjagko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahchdb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Okpdjjil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amhcad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkqiek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nohaklfk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfbjhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oqojhp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgnjke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekmceaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blnpddeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpfkeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gajjhkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifpelq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iokfjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kppldhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qaofgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgnpjkhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eifobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgqion32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dbgdgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecgjdong.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebockkal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nigldq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obkcajde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdedde32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2736 Loaokjjg.exe 3012 Lifcib32.exe 2436 Lofifi32.exe 2744 Ladebd32.exe 2648 Mhqjen32.exe 612 Mghckj32.exe 1044 Mpphdpcf.exe 2000 Mgjpaj32.exe 1428 Mjilmejf.exe 868 Mqbejp32.exe 1256 Mgmmfjip.exe 2448 Mhninb32.exe 976 Nohaklfk.exe 1244 Nfbjhf32.exe 2176 Nllbdp32.exe 3064 Ncfjajma.exe 2272 Ndggib32.exe 1544 Nmnojp32.exe 1480 Nnokahip.exe 1716 Nffccejb.exe 1852 Nhepoaif.exe 1464 Noohlkpc.exe 1764 Nbmdhfog.exe 1264 Nigldq32.exe 2672 Njhilimb.exe 2708 Nndemg32.exe 2852 Ogliemkk.exe 1500 Ojkeah32.exe 2216 Omiand32.exe 2960 Oepjoa32.exe 2716 Ofafgipc.exe 2640 Omlncc32.exe 2588 Ocefpnom.exe 324 Ojpomh32.exe 1808 Oaigib32.exe 1984 Oplgeoea.exe 1216 Obkcajde.exe 2432 Oielnd32.exe 2784 Ocjpkm32.exe 2036 Oekmceaf.exe 484 Ombddbah.exe 2192 Opaqpn32.exe 2404 Pfkimhhi.exe 2516 Phledp32.exe 1280 Pnfnajed.exe 1616 Padjmfdg.exe 1676 Pilbocej.exe 1864 Pebbcdkn.exe 3016 Pllkpn32.exe 1884 Qpcjeaad.exe 2832 Qbafalph.exe 2884 Aiknnf32.exe 1964 Ainkcf32.exe 2604 Ahchdb32.exe 3044 Akadpn32.exe 904 Aaklmhak.exe 3028 Aoomflpd.exe 2924 Aeiecfga.exe 852 Bpcfcddp.exe 1872 Bpebidam.exe 2160 Bccoeo32.exe 2352 Bedhgj32.exe 2804 Blnpddeo.exe 632 Bchhqo32.exe -
Loads dropped DLL 64 IoCs
pid Process 2008 cdf9307583faeac3cf7df10eb4f1a3cc1542997a3318d8f14f220715e96fa2b3.exe 2008 cdf9307583faeac3cf7df10eb4f1a3cc1542997a3318d8f14f220715e96fa2b3.exe 2736 Loaokjjg.exe 2736 Loaokjjg.exe 3012 Lifcib32.exe 3012 Lifcib32.exe 2436 Lofifi32.exe 2436 Lofifi32.exe 2744 Ladebd32.exe 2744 Ladebd32.exe 2648 Mhqjen32.exe 2648 Mhqjen32.exe 612 Mghckj32.exe 612 Mghckj32.exe 1044 Mpphdpcf.exe 1044 Mpphdpcf.exe 2000 Mgjpaj32.exe 2000 Mgjpaj32.exe 1428 Mjilmejf.exe 1428 Mjilmejf.exe 868 Mqbejp32.exe 868 Mqbejp32.exe 1256 Mgmmfjip.exe 1256 Mgmmfjip.exe 2448 Mhninb32.exe 2448 Mhninb32.exe 976 Nohaklfk.exe 976 Nohaklfk.exe 1244 Nfbjhf32.exe 1244 Nfbjhf32.exe 2176 Nllbdp32.exe 2176 Nllbdp32.exe 3064 Ncfjajma.exe 3064 Ncfjajma.exe 2272 Ndggib32.exe 2272 Ndggib32.exe 1544 Nmnojp32.exe 1544 Nmnojp32.exe 1480 Nnokahip.exe 1480 Nnokahip.exe 1716 Nffccejb.exe 1716 Nffccejb.exe 1852 Nhepoaif.exe 1852 Nhepoaif.exe 1464 Noohlkpc.exe 1464 Noohlkpc.exe 1764 Nbmdhfog.exe 1764 Nbmdhfog.exe 1264 Nigldq32.exe 1264 Nigldq32.exe 2672 Njhilimb.exe 2672 Njhilimb.exe 2708 Nndemg32.exe 2708 Nndemg32.exe 2852 Ogliemkk.exe 2852 Ogliemkk.exe 1500 Ojkeah32.exe 1500 Ojkeah32.exe 2216 Omiand32.exe 2216 Omiand32.exe 2960 Oepjoa32.exe 2960 Oepjoa32.exe 2716 Ofafgipc.exe 2716 Ofafgipc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jkdcdf32.exe Iejkhlip.exe File opened for modification C:\Windows\SysWOW64\Obcffefa.exe Okinik32.exe File opened for modification C:\Windows\SysWOW64\Cgjgol32.exe Chggdoee.exe File opened for modification C:\Windows\SysWOW64\Nhepoaif.exe Nffccejb.exe File opened for modification C:\Windows\SysWOW64\Fobkfqpo.exe Fhhbif32.exe File opened for modification C:\Windows\SysWOW64\Hhcndhap.exe Hajfgnjc.exe File opened for modification C:\Windows\SysWOW64\Koibpd32.exe Kimjhnnl.exe File created C:\Windows\SysWOW64\Cnfnhaca.dll Nhhehpbc.exe File created C:\Windows\SysWOW64\Njhbabif.exe Ncnjeh32.exe File opened for modification C:\Windows\SysWOW64\Aaflgb32.exe Afqhjj32.exe File opened for modification C:\Windows\SysWOW64\Eebibf32.exe Enhaeldn.exe File created C:\Windows\SysWOW64\Ndggib32.exe Ncfjajma.exe File opened for modification C:\Windows\SysWOW64\Eelgcg32.exe Ejfbfo32.exe File opened for modification C:\Windows\SysWOW64\Ioiidfon.exe Ijlaloaf.exe File opened for modification C:\Windows\SysWOW64\Ajamfh32.exe Apkihofl.exe File created C:\Windows\SysWOW64\Dangeigl.dll Cnabffeo.exe File created C:\Windows\SysWOW64\Clnehado.exe Cgqmpkfg.exe File created C:\Windows\SysWOW64\Jjghbbmo.dll Dglpdomh.exe File created C:\Windows\SysWOW64\Gkbokl32.dll Epnkip32.exe File created C:\Windows\SysWOW64\Honjhkme.dll Ogliemkk.exe File created C:\Windows\SysWOW64\Aanddk32.dll Bpcfcddp.exe File created C:\Windows\SysWOW64\Nckmpicl.exe Nopaoj32.exe File created C:\Windows\SysWOW64\Ecnpdnho.exe Ekghcq32.exe File opened for modification C:\Windows\SysWOW64\Enhaeldn.exe Elieipej.exe File created C:\Windows\SysWOW64\Njhilimb.exe Nigldq32.exe File opened for modification C:\Windows\SysWOW64\Jgkdigfa.exe Jfjhbo32.exe File opened for modification C:\Windows\SysWOW64\Lkgifd32.exe Ldmaijdc.exe File opened for modification C:\Windows\SysWOW64\Glfgnh32.exe Gigkbm32.exe File created C:\Windows\SysWOW64\Qekbgbpf.exe Qaofgc32.exe File created C:\Windows\SysWOW64\Dbdagg32.exe Dkjhjm32.exe File created C:\Windows\SysWOW64\Mqbejp32.exe Mjilmejf.exe File created C:\Windows\SysWOW64\Flabdecn.exe Floeof32.exe File opened for modification C:\Windows\SysWOW64\Pmhgba32.exe Pimkbbpi.exe File created C:\Windows\SysWOW64\Apilcoho.exe Aaflgb32.exe File opened for modification C:\Windows\SysWOW64\Lophacfl.exe Lfippfej.exe File created C:\Windows\SysWOW64\Bkqiek32.exe Bdfahaaa.exe File created C:\Windows\SysWOW64\Akomon32.dll Eepmlf32.exe File created C:\Windows\SysWOW64\Knlhlg32.dll Heqimm32.exe File created C:\Windows\SysWOW64\Igpaec32.exe Ioiidfon.exe File created C:\Windows\SysWOW64\Klfgipmk.dll Igpaec32.exe File created C:\Windows\SysWOW64\Empomd32.exe Ecgjdong.exe File opened for modification C:\Windows\SysWOW64\Qekbgbpf.exe Qaofgc32.exe File created C:\Windows\SysWOW64\Khdlbn32.dll Aicmadmm.exe File created C:\Windows\SysWOW64\Jkkcdb32.dll Amafgc32.exe File opened for modification C:\Windows\SysWOW64\Cnhhge32.exe Cfaqfh32.exe File created C:\Windows\SysWOW64\Pdmbdddn.dll Padjmfdg.exe File created C:\Windows\SysWOW64\Lhioglih.dll Idmlniea.exe File created C:\Windows\SysWOW64\Jijacjnc.exe Jeoeclek.exe File created C:\Windows\SysWOW64\Ajjgei32.exe Qhkkim32.exe File created C:\Windows\SysWOW64\Kjkoop32.dll Chggdoee.exe File opened for modification C:\Windows\SysWOW64\Einebddd.exe Eebibf32.exe File created C:\Windows\SysWOW64\Mlanmb32.dll Cpiaipmh.exe File created C:\Windows\SysWOW64\Epnkip32.exe Empomd32.exe File created C:\Windows\SysWOW64\Eifobe32.exe Ejcofica.exe File created C:\Windows\SysWOW64\Bnfoepmg.dll Ebockkal.exe File created C:\Windows\SysWOW64\Lbgkfbbj.exe Khagijcd.exe File created C:\Windows\SysWOW64\Ldpnoj32.exe Lmeebpkd.exe File opened for modification C:\Windows\SysWOW64\Ajjgei32.exe Qhkkim32.exe File created C:\Windows\SysWOW64\Dkbbinig.exe Djafaf32.exe File created C:\Windows\SysWOW64\Ejcofica.exe Epnkip32.exe File created C:\Windows\SysWOW64\Oepjoa32.exe Omiand32.exe File created C:\Windows\SysWOW64\Iciopdca.exe Iickckcl.exe File created C:\Windows\SysWOW64\Jgmaog32.exe Jijacjnc.exe File created C:\Windows\SysWOW64\Dghjkpck.exe Doabjbci.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4768 4692 WerFault.exe 396 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjilmejf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqkpmaif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkeoongd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddjhb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nllbdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flabdecn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imhqbkbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keoabo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfjkphjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kiecgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkgifd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnndp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofafgipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oielnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pilbocej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjggap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijlaloaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndemg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opaqpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pimkbbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfeeff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaigib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpfkeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmqmpdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adblnnbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adiaommc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naegmabc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Diqmcgca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelgcg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggfbpaeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngilalk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Koibpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chjjde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjlemlnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdifa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lophacfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beogaenl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcbookpp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimphc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccqhdmbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfbjhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edcqjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcggef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhflcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooggpiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdfahaaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifobe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejfbfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhjoof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkkhpadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gigkbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcppkbia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Addhcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Empomd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eebibf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfjajma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nffccejb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omiand32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedhgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfidqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocefpnom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiciig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okpdjjil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lofifi32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oebblmoe.dll" Hofqpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Glmbma32.dll" Lpfnckhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odacbpee.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qemomb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mffdnf32.dll" Jijacjnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klfmijae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlolnllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qemomb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amhcad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlijld32.dll" Ejfbfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bocjgfch.dll" Ecnpdnho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhioglih.dll" Idmlniea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmclmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejfmkamg.dll" Aoomflpd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjhlmfio.dll" Hkbkpcpd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iqcmcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ioiidfon.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kfidqb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mecglbfl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcpbik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ocjpkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqhmfl32.dll" Ejklan32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlolnllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Macjgadf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bikcbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbmkfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnfnajed.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Khagijcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nnodgbed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjecp32.dll" Qldjdlgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjcmdmiq.dll" Dhgccbhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijlaloaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jijacjnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mhflcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipoidefp.dll" Cppobaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eccjdobp.dll" Efjpkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Amafgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bimphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjkoop32.dll" Chggdoee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inehcind.dll" Nklopg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcfjhebe.dll" Nohaklfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hajfgnjc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dbgdgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlglpa32.dll" Mehpga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfaqfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oopqjabc.dll" Lifcib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiknnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eddjhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oepjoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eelgcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lilfgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plpqim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olahgd32.dll" Dnjalhpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojpomh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ablbjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cdpdnpif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dglpdomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplkghjl.dll" Hnnjfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afgdde32.dll" Jcdadhjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Copjlmfa.dll" Okinik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bakaaepk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hjggap32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jijacjnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpmpji32.dll" Gdcmig32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2008 wrote to memory of 2736 2008 cdf9307583faeac3cf7df10eb4f1a3cc1542997a3318d8f14f220715e96fa2b3.exe 30 PID 2008 wrote to memory of 2736 2008 cdf9307583faeac3cf7df10eb4f1a3cc1542997a3318d8f14f220715e96fa2b3.exe 30 PID 2008 wrote to memory of 2736 2008 cdf9307583faeac3cf7df10eb4f1a3cc1542997a3318d8f14f220715e96fa2b3.exe 30 PID 2008 wrote to memory of 2736 2008 cdf9307583faeac3cf7df10eb4f1a3cc1542997a3318d8f14f220715e96fa2b3.exe 30 PID 2736 wrote to memory of 3012 2736 Loaokjjg.exe 31 PID 2736 wrote to memory of 3012 2736 Loaokjjg.exe 31 PID 2736 wrote to memory of 3012 2736 Loaokjjg.exe 31 PID 2736 wrote to memory of 3012 2736 Loaokjjg.exe 31 PID 3012 wrote to memory of 2436 3012 Lifcib32.exe 32 PID 3012 wrote to memory of 2436 3012 Lifcib32.exe 32 PID 3012 wrote to memory of 2436 3012 Lifcib32.exe 32 PID 3012 wrote to memory of 2436 3012 Lifcib32.exe 32 PID 2436 wrote to memory of 2744 2436 Lofifi32.exe 33 PID 2436 wrote to memory of 2744 2436 Lofifi32.exe 33 PID 2436 wrote to memory of 2744 2436 Lofifi32.exe 33 PID 2436 wrote to memory of 2744 2436 Lofifi32.exe 33 PID 2744 wrote to memory of 2648 2744 Ladebd32.exe 34 PID 2744 wrote to memory of 2648 2744 Ladebd32.exe 34 PID 2744 wrote to memory of 2648 2744 Ladebd32.exe 34 PID 2744 wrote to memory of 2648 2744 Ladebd32.exe 34 PID 2648 wrote to memory of 612 2648 Mhqjen32.exe 35 PID 2648 wrote to memory of 612 2648 Mhqjen32.exe 35 PID 2648 wrote to memory of 612 2648 Mhqjen32.exe 35 PID 2648 wrote to memory of 612 2648 Mhqjen32.exe 35 PID 612 wrote to memory of 1044 612 Mghckj32.exe 36 PID 612 wrote to memory of 1044 612 Mghckj32.exe 36 PID 612 wrote to memory of 1044 612 Mghckj32.exe 36 PID 612 wrote to memory of 1044 612 Mghckj32.exe 36 PID 1044 wrote to memory of 2000 1044 Mpphdpcf.exe 37 PID 1044 wrote to memory of 2000 1044 Mpphdpcf.exe 37 PID 1044 wrote to memory of 2000 1044 Mpphdpcf.exe 37 PID 1044 wrote to memory of 2000 1044 Mpphdpcf.exe 37 PID 2000 wrote to memory of 1428 2000 Mgjpaj32.exe 38 PID 2000 wrote to memory of 1428 2000 Mgjpaj32.exe 38 PID 2000 wrote to memory of 1428 2000 Mgjpaj32.exe 38 PID 2000 wrote to memory of 1428 2000 Mgjpaj32.exe 38 PID 1428 wrote to memory of 868 1428 Mjilmejf.exe 39 PID 1428 wrote to memory of 868 1428 Mjilmejf.exe 39 PID 1428 wrote to memory of 868 1428 Mjilmejf.exe 39 PID 1428 wrote to memory of 868 1428 Mjilmejf.exe 39 PID 868 wrote to memory of 1256 868 Mqbejp32.exe 40 PID 868 wrote to memory of 1256 868 Mqbejp32.exe 40 PID 868 wrote to memory of 1256 868 Mqbejp32.exe 40 PID 868 wrote to memory of 1256 868 Mqbejp32.exe 40 PID 1256 wrote to memory of 2448 1256 Mgmmfjip.exe 41 PID 1256 wrote to memory of 2448 1256 Mgmmfjip.exe 41 PID 1256 wrote to memory of 2448 1256 Mgmmfjip.exe 41 PID 1256 wrote to memory of 2448 1256 Mgmmfjip.exe 41 PID 2448 wrote to memory of 976 2448 Mhninb32.exe 42 PID 2448 wrote to memory of 976 2448 Mhninb32.exe 42 PID 2448 wrote to memory of 976 2448 Mhninb32.exe 42 PID 2448 wrote to memory of 976 2448 Mhninb32.exe 42 PID 976 wrote to memory of 1244 976 Nohaklfk.exe 43 PID 976 wrote to memory of 1244 976 Nohaklfk.exe 43 PID 976 wrote to memory of 1244 976 Nohaklfk.exe 43 PID 976 wrote to memory of 1244 976 Nohaklfk.exe 43 PID 1244 wrote to memory of 2176 1244 Nfbjhf32.exe 44 PID 1244 wrote to memory of 2176 1244 Nfbjhf32.exe 44 PID 1244 wrote to memory of 2176 1244 Nfbjhf32.exe 44 PID 1244 wrote to memory of 2176 1244 Nfbjhf32.exe 44 PID 2176 wrote to memory of 3064 2176 Nllbdp32.exe 45 PID 2176 wrote to memory of 3064 2176 Nllbdp32.exe 45 PID 2176 wrote to memory of 3064 2176 Nllbdp32.exe 45 PID 2176 wrote to memory of 3064 2176 Nllbdp32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdf9307583faeac3cf7df10eb4f1a3cc1542997a3318d8f14f220715e96fa2b3.exe"C:\Users\Admin\AppData\Local\Temp\cdf9307583faeac3cf7df10eb4f1a3cc1542997a3318d8f14f220715e96fa2b3.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Loaokjjg.exeC:\Windows\system32\Loaokjjg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Lifcib32.exeC:\Windows\system32\Lifcib32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Lofifi32.exeC:\Windows\system32\Lofifi32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Ladebd32.exeC:\Windows\system32\Ladebd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Mhqjen32.exeC:\Windows\system32\Mhqjen32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Mghckj32.exeC:\Windows\system32\Mghckj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:612 -
C:\Windows\SysWOW64\Mpphdpcf.exeC:\Windows\system32\Mpphdpcf.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1044 -
C:\Windows\SysWOW64\Mgjpaj32.exeC:\Windows\system32\Mgjpaj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Mjilmejf.exeC:\Windows\system32\Mjilmejf.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\SysWOW64\Mqbejp32.exeC:\Windows\system32\Mqbejp32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:868 -
C:\Windows\SysWOW64\Mgmmfjip.exeC:\Windows\system32\Mgmmfjip.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Mhninb32.exeC:\Windows\system32\Mhninb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2448 -
C:\Windows\SysWOW64\Nohaklfk.exeC:\Windows\system32\Nohaklfk.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:976 -
C:\Windows\SysWOW64\Nfbjhf32.exeC:\Windows\system32\Nfbjhf32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\SysWOW64\Nllbdp32.exeC:\Windows\system32\Nllbdp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Ncfjajma.exeC:\Windows\system32\Ncfjajma.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3064 -
C:\Windows\SysWOW64\Ndggib32.exeC:\Windows\system32\Ndggib32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2272 -
C:\Windows\SysWOW64\Nmnojp32.exeC:\Windows\system32\Nmnojp32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Nnokahip.exeC:\Windows\system32\Nnokahip.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1480 -
C:\Windows\SysWOW64\Nffccejb.exeC:\Windows\system32\Nffccejb.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1716 -
C:\Windows\SysWOW64\Nhepoaif.exeC:\Windows\system32\Nhepoaif.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1852 -
C:\Windows\SysWOW64\Noohlkpc.exeC:\Windows\system32\Noohlkpc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Nbmdhfog.exeC:\Windows\system32\Nbmdhfog.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1764 -
C:\Windows\SysWOW64\Nigldq32.exeC:\Windows\system32\Nigldq32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Njhilimb.exeC:\Windows\system32\Njhilimb.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2672 -
C:\Windows\SysWOW64\Nndemg32.exeC:\Windows\system32\Nndemg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2708 -
C:\Windows\SysWOW64\Ogliemkk.exeC:\Windows\system32\Ogliemkk.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Ojkeah32.exeC:\Windows\system32\Ojkeah32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1500 -
C:\Windows\SysWOW64\Omiand32.exeC:\Windows\system32\Omiand32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Oepjoa32.exeC:\Windows\system32\Oepjoa32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Ofafgipc.exeC:\Windows\system32\Ofafgipc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2716 -
C:\Windows\SysWOW64\Omlncc32.exeC:\Windows\system32\Omlncc32.exe33⤵
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Ocefpnom.exeC:\Windows\system32\Ocefpnom.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2588 -
C:\Windows\SysWOW64\Ojpomh32.exeC:\Windows\system32\Ojpomh32.exe35⤵
- Executes dropped EXE
- Modifies registry class
PID:324 -
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1808 -
C:\Windows\SysWOW64\Oplgeoea.exeC:\Windows\system32\Oplgeoea.exe37⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Obkcajde.exeC:\Windows\system32\Obkcajde.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1216 -
C:\Windows\SysWOW64\Oielnd32.exeC:\Windows\system32\Oielnd32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\Ocjpkm32.exeC:\Windows\system32\Ocjpkm32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2784 -
C:\Windows\SysWOW64\Oekmceaf.exeC:\Windows\system32\Oekmceaf.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Ombddbah.exeC:\Windows\system32\Ombddbah.exe42⤵
- Executes dropped EXE
PID:484 -
C:\Windows\SysWOW64\Opaqpn32.exeC:\Windows\system32\Opaqpn32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2192 -
C:\Windows\SysWOW64\Pfkimhhi.exeC:\Windows\system32\Pfkimhhi.exe44⤵
- Executes dropped EXE
PID:2404 -
C:\Windows\SysWOW64\Phledp32.exeC:\Windows\system32\Phledp32.exe45⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1280 -
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1616 -
C:\Windows\SysWOW64\Pilbocej.exeC:\Windows\system32\Pilbocej.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1676 -
C:\Windows\SysWOW64\Pebbcdkn.exeC:\Windows\system32\Pebbcdkn.exe49⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Pllkpn32.exeC:\Windows\system32\Pllkpn32.exe50⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Qpcjeaad.exeC:\Windows\system32\Qpcjeaad.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Qbafalph.exeC:\Windows\system32\Qbafalph.exe52⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Aiknnf32.exeC:\Windows\system32\Aiknnf32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Ainkcf32.exeC:\Windows\system32\Ainkcf32.exe54⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Ahchdb32.exeC:\Windows\system32\Ahchdb32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Akadpn32.exeC:\Windows\system32\Akadpn32.exe56⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Aaklmhak.exeC:\Windows\system32\Aaklmhak.exe57⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Aoomflpd.exeC:\Windows\system32\Aoomflpd.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:3028 -
C:\Windows\SysWOW64\Aeiecfga.exeC:\Windows\system32\Aeiecfga.exe59⤵
- Executes dropped EXE
PID:2924 -
C:\Windows\SysWOW64\Bpcfcddp.exeC:\Windows\system32\Bpcfcddp.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:852 -
C:\Windows\SysWOW64\Bpebidam.exeC:\Windows\system32\Bpebidam.exe61⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Bccoeo32.exeC:\Windows\system32\Bccoeo32.exe62⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Bedhgj32.exeC:\Windows\system32\Bedhgj32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2352 -
C:\Windows\SysWOW64\Blnpddeo.exeC:\Windows\system32\Blnpddeo.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Bchhqo32.exeC:\Windows\system32\Bchhqo32.exe65⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Bfgdmjlp.exeC:\Windows\system32\Bfgdmjlp.exe66⤵PID:1140
-
C:\Windows\SysWOW64\Cfknhi32.exeC:\Windows\system32\Cfknhi32.exe67⤵PID:924
-
C:\Windows\SysWOW64\Chjjde32.exeC:\Windows\system32\Chjjde32.exe68⤵
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Ckkcep32.exeC:\Windows\system32\Ckkcep32.exe69⤵PID:1644
-
C:\Windows\SysWOW64\Cbdkbjkl.exeC:\Windows\system32\Cbdkbjkl.exe70⤵PID:2520
-
C:\Windows\SysWOW64\Ckmpkpbl.exeC:\Windows\system32\Ckmpkpbl.exe71⤵PID:2688
-
C:\Windows\SysWOW64\Cdedde32.exeC:\Windows\system32\Cdedde32.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2888 -
C:\Windows\SysWOW64\Cgdqpq32.exeC:\Windows\system32\Cgdqpq32.exe73⤵PID:1752
-
C:\Windows\SysWOW64\Dfinam32.exeC:\Windows\system32\Dfinam32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2368 -
C:\Windows\SysWOW64\Doabjbci.exeC:\Windows\system32\Doabjbci.exe75⤵
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Dghjkpck.exeC:\Windows\system32\Dghjkpck.exe76⤵PID:752
-
C:\Windows\SysWOW64\Dmebcgbb.exeC:\Windows\system32\Dmebcgbb.exe77⤵PID:2552
-
C:\Windows\SysWOW64\Dpfkeb32.exeC:\Windows\system32\Dpfkeb32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Dfpcblfp.exeC:\Windows\system32\Dfpcblfp.exe79⤵PID:2600
-
C:\Windows\SysWOW64\Dmjlof32.exeC:\Windows\system32\Dmjlof32.exe80⤵PID:780
-
C:\Windows\SysWOW64\Dbgdgm32.exeC:\Windows\system32\Dbgdgm32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Dfbqgldn.exeC:\Windows\system32\Dfbqgldn.exe82⤵PID:1416
-
C:\Windows\SysWOW64\Diqmcgca.exeC:\Windows\system32\Diqmcgca.exe83⤵
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Eloipb32.exeC:\Windows\system32\Eloipb32.exe84⤵PID:1212
-
C:\Windows\SysWOW64\Ebialmjb.exeC:\Windows\system32\Ebialmjb.exe85⤵PID:2812
-
C:\Windows\SysWOW64\Eiciig32.exeC:\Windows\system32\Eiciig32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1248 -
C:\Windows\SysWOW64\Ejdfqogm.exeC:\Windows\system32\Ejdfqogm.exe87⤵PID:408
-
C:\Windows\SysWOW64\Enpban32.exeC:\Windows\system32\Enpban32.exe88⤵PID:2140
-
C:\Windows\SysWOW64\Eejjnhgc.exeC:\Windows\system32\Eejjnhgc.exe89⤵PID:592
-
C:\Windows\SysWOW64\Ejfbfo32.exeC:\Windows\system32\Ejfbfo32.exe90⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1532 -
C:\Windows\SysWOW64\Eelgcg32.exeC:\Windows\system32\Eelgcg32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Efmckpko.exeC:\Windows\system32\Efmckpko.exe92⤵PID:2568
-
C:\Windows\SysWOW64\Eacghhkd.exeC:\Windows\system32\Eacghhkd.exe93⤵PID:2620
-
C:\Windows\SysWOW64\Ejklan32.exeC:\Windows\system32\Ejklan32.exe94⤵
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Ephdjeol.exeC:\Windows\system32\Ephdjeol.exe95⤵PID:1552
-
C:\Windows\SysWOW64\Edcqjc32.exeC:\Windows\system32\Edcqjc32.exe96⤵
- System Location Discovery: System Language Discovery
PID:1460 -
C:\Windows\SysWOW64\Floeof32.exeC:\Windows\system32\Floeof32.exe97⤵
- Drops file in System32 directory
PID:2724 -
C:\Windows\SysWOW64\Flabdecn.exeC:\Windows\system32\Flabdecn.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2712 -
C:\Windows\SysWOW64\Fejfmk32.exeC:\Windows\system32\Fejfmk32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2356 -
C:\Windows\SysWOW64\Fhhbif32.exeC:\Windows\system32\Fhhbif32.exe100⤵
- Drops file in System32 directory
PID:1136 -
C:\Windows\SysWOW64\Fobkfqpo.exeC:\Windows\system32\Fobkfqpo.exe101⤵PID:2896
-
C:\Windows\SysWOW64\Fapgblob.exeC:\Windows\system32\Fapgblob.exe102⤵PID:2788
-
C:\Windows\SysWOW64\Fhjoof32.exeC:\Windows\system32\Fhjoof32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1652 -
C:\Windows\SysWOW64\Flfkoeoh.exeC:\Windows\system32\Flfkoeoh.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1204 -
C:\Windows\SysWOW64\Facdgl32.exeC:\Windows\system32\Facdgl32.exe105⤵PID:2320
-
C:\Windows\SysWOW64\Fenphjei.exeC:\Windows\system32\Fenphjei.exe106⤵PID:2704
-
C:\Windows\SysWOW64\Fkkhpadq.exeC:\Windows\system32\Fkkhpadq.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2608 -
C:\Windows\SysWOW64\Gaeqmk32.exeC:\Windows\system32\Gaeqmk32.exe108⤵PID:2252
-
C:\Windows\SysWOW64\Gdcmig32.exeC:\Windows\system32\Gdcmig32.exe109⤵
- Modifies registry class
PID:1736 -
C:\Windows\SysWOW64\Ggbieb32.exeC:\Windows\system32\Ggbieb32.exe110⤵PID:1412
-
C:\Windows\SysWOW64\Gmlablaa.exeC:\Windows\system32\Gmlablaa.exe111⤵PID:3036
-
C:\Windows\SysWOW64\Gpjmnh32.exeC:\Windows\system32\Gpjmnh32.exe112⤵PID:2472
-
C:\Windows\SysWOW64\Ggdekbgb.exeC:\Windows\system32\Ggdekbgb.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Gkpakq32.exeC:\Windows\system32\Gkpakq32.exe114⤵PID:824
-
C:\Windows\SysWOW64\Gajjhkgh.exeC:\Windows\system32\Gajjhkgh.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1688 -
C:\Windows\SysWOW64\Gpmjcg32.exeC:\Windows\system32\Gpmjcg32.exe116⤵PID:2456
-
C:\Windows\SysWOW64\Ggfbpaeo.exeC:\Windows\system32\Ggfbpaeo.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2348 -
C:\Windows\SysWOW64\Gmqkml32.exeC:\Windows\system32\Gmqkml32.exe118⤵PID:380
-
C:\Windows\SysWOW64\Gdjcjf32.exeC:\Windows\system32\Gdjcjf32.exe119⤵PID:2836
-
C:\Windows\SysWOW64\Gcmcebkc.exeC:\Windows\system32\Gcmcebkc.exe120⤵PID:1748
-
C:\Windows\SysWOW64\Gigkbm32.exeC:\Windows\system32\Gigkbm32.exe121⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2576
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-