Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
25/12/2024, 18:53
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe
-
Size
74KB
-
MD5
c6a0939cf076e4a973904fd4006cd00f
-
SHA1
7081f05b590b86cfa527f1e7cc7c6ea31fa648c7
-
SHA256
148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1
-
SHA512
0e341192cf437c7e2c7f3859c80603c15b926310f8d6f498160588de90346a20f3f0b40dc0696f0081b8402dfabe93ea2d22c84599e60859801079e9a3a35de7
-
SSDEEP
1536:HaL5QefEVWhlp5pKvJjHHajdsRsS49vCRA1FMbA38J7:HGBE0hn5AdOiRsS49vCRaFWN7
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihpcinld.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbdnne32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbdgec32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkaeih32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbjbnnfg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hioflcbj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgeenfog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oikjkc32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Baepolni.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Djegekil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijbbfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onmfimga.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojfcdnjc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afbgkl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfiokmkc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfldgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bagmdllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dggkipii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hgapmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ofhknodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhnojl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Piocecgj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmbnnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cgklmacf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkbkmqed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpaihooo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpdennml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ocdnln32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcneeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcneeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lhbkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coqncejg.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iogopi32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkiamp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fijdjfdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdiakp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hchqbkkm.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kefiopki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Llqjbhdc.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njjmni32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilmedf32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhfbog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Adhdjpjf.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cogddd32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddgibkpc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iondqhpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ookoaokf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ddcebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Enhifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdhkcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jppnpjel.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Conanfli.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjeplijj.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqbeoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jejbhk32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpdennml.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hldiinke.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhkbdmbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbhgoh32.exe Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apjdikqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dknnoofg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkjfakng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gnohnffc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbgkei32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 740 Nfjola32.exe 1176 Nqpcjj32.exe 3904 Ngjkfd32.exe 4364 Nmfcok32.exe 1836 Npepkf32.exe 3500 Nglhld32.exe 4756 Nadleilm.exe 3324 Ngndaccj.exe 2092 Nnhmnn32.exe 2608 Npiiffqe.exe 812 Ojomcopk.exe 2088 Oaifpi32.exe 2124 Ocgbld32.exe 4904 Onmfimga.exe 1144 Opnbae32.exe 2304 Ofhknodl.exe 2816 Ombcji32.exe 2240 Ojfcdnjc.exe 1512 Ofmdio32.exe 324 Ocaebc32.exe 2284 Paeelgnj.exe 636 Pfandnla.exe 1560 Pdenmbkk.exe 4932 Pmnbfhal.exe 1048 Pdhkcb32.exe 1064 Palklf32.exe 1116 Phfcipoo.exe 2756 Ppahmb32.exe 1056 Qfkqjmdg.exe 2372 Qmeigg32.exe 1000 Qjiipk32.exe 2796 Qdaniq32.exe 4500 Amjbbfgo.exe 3820 Afbgkl32.exe 2700 Apjkcadp.exe 3652 Aokkahlo.exe 3320 Adhdjpjf.exe 4492 Akblfj32.exe 2964 Adkqoohc.exe 1060 Aopemh32.exe 1872 Bhhiemoj.exe 4960 Bkgeainn.exe 4264 Baannc32.exe 4928 Bdojjo32.exe 1724 Bhkfkmmg.exe 4592 Boenhgdd.exe 2144 Bdagpnbk.exe 2244 Bogkmgba.exe 2632 Bphgeo32.exe 2636 Boihcf32.exe 4696 Boldhf32.exe 3456 Chdialdl.exe 224 Conanfli.exe 2488 Cponen32.exe 3864 Coqncejg.exe 1252 Cdmfllhn.exe 3984 Ckgohf32.exe 1944 Cpdgqmnb.exe 1332 Cgnomg32.exe 2332 Cnhgjaml.exe 3684 Chnlgjlb.exe 1736 Cogddd32.exe 4472 Dddllkbf.exe 4000 Dhphmj32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Dgihop32.exe Dalofi32.exe File created C:\Windows\SysWOW64\Nijmbbnl.dll Hbdgec32.exe File created C:\Windows\SysWOW64\Akfiji32.dll 148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe File created C:\Windows\SysWOW64\Bdojjo32.exe Baannc32.exe File opened for modification C:\Windows\SysWOW64\Ihdldn32.exe Iajdgcab.exe File created C:\Windows\SysWOW64\Klggli32.exe Kabcopmg.exe File opened for modification C:\Windows\SysWOW64\Ljpaqmgb.exe Laiipofp.exe File created C:\Windows\SysWOW64\Pjjfdfbb.exe Pbcncibp.exe File created C:\Windows\SysWOW64\Eclhcj32.dll Ecikjoep.exe File created C:\Windows\SysWOW64\Hbdgec32.exe Hkjohi32.exe File opened for modification C:\Windows\SysWOW64\Lddble32.exe Logicn32.exe File opened for modification C:\Windows\SysWOW64\Qfkqjmdg.exe Ppahmb32.exe File created C:\Windows\SysWOW64\Lindkm32.exe Lohqnd32.exe File opened for modification C:\Windows\SysWOW64\Mofmobmo.exe Mfnhfm32.exe File created C:\Windows\SysWOW64\Ojgljk32.dll Pmhbqbae.exe File opened for modification C:\Windows\SysWOW64\Calfpk32.exe Cbkfbcpb.exe File opened for modification C:\Windows\SysWOW64\Pmnbfhal.exe Pdenmbkk.exe File created C:\Windows\SysWOW64\Mohidbkl.exe Mhoahh32.exe File opened for modification C:\Windows\SysWOW64\Ibnjkbog.exe Hkcbnh32.exe File opened for modification C:\Windows\SysWOW64\Pdhkcb32.exe Pmnbfhal.exe File opened for modification C:\Windows\SysWOW64\Ilnlom32.exe Ieccbbkn.exe File created C:\Windows\SysWOW64\Lpgmhg32.exe Lindkm32.exe File created C:\Windows\SysWOW64\Fekmfnbj.dll Bapgdm32.exe File opened for modification C:\Windows\SysWOW64\Dbocfo32.exe Doagjc32.exe File created C:\Windows\SysWOW64\Calfpk32.exe Cbkfbcpb.exe File opened for modification C:\Windows\SysWOW64\Apjkcadp.exe Afbgkl32.exe File created C:\Windows\SysWOW64\Aobmce32.dll Feqeog32.exe File created C:\Windows\SysWOW64\Mqjbddpl.exe Mfenglqf.exe File created C:\Windows\SysWOW64\Jooeqo32.dll Iabglnco.exe File created C:\Windows\SysWOW64\Ghcfpl32.dll Njbgmjgl.exe File created C:\Windows\SysWOW64\Nimmifgo.exe Njjmni32.exe File created C:\Windows\SysWOW64\Ilmedf32.exe Iagqgn32.exe File created C:\Windows\SysWOW64\Ekqckmfb.exe Ecikjoep.exe File opened for modification C:\Windows\SysWOW64\Iagqgn32.exe Inidkb32.exe File opened for modification C:\Windows\SysWOW64\Ehpadhll.exe Enkmfolf.exe File created C:\Windows\SysWOW64\Lpochfji.exe Llcghg32.exe File opened for modification C:\Windows\SysWOW64\Pbekii32.exe Padnaq32.exe File opened for modification C:\Windows\SysWOW64\Dmjmekgn.exe Dinael32.exe File opened for modification C:\Windows\SysWOW64\Eaceghcg.exe Enhifi32.exe File created C:\Windows\SysWOW64\Ondhkbee.dll Egohdegl.exe File created C:\Windows\SysWOW64\Dpmcmf32.exe Dkpjdo32.exe File created C:\Windows\SysWOW64\Dapgni32.dll Adhdjpjf.exe File created C:\Windows\SysWOW64\Eiacog32.dll Jblmgf32.exe File opened for modification C:\Windows\SysWOW64\Fbdnne32.exe Fkjfakng.exe File created C:\Windows\SysWOW64\Gcghkm32.exe Fbfkceca.exe File created C:\Windows\SysWOW64\Jejbhk32.exe Jjdokb32.exe File created C:\Windows\SysWOW64\Elfahb32.dll Ddmhhd32.exe File created C:\Windows\SysWOW64\Kaaldjil.exe Kdmlkfjb.exe File created C:\Windows\SysWOW64\Hhblffgn.dll Ppahmb32.exe File created C:\Windows\SysWOW64\Jilpfgkh.dll Dhphmj32.exe File created C:\Windows\SysWOW64\Jjpdeo32.dll Gpmomo32.exe File created C:\Windows\SysWOW64\Mhjhmhhd.exe Mjggal32.exe File opened for modification C:\Windows\SysWOW64\Bagmdllg.exe Bfaigclq.exe File created C:\Windows\SysWOW64\Heepfn32.exe Hnkhjdle.exe File created C:\Windows\SysWOW64\Hioflcbj.exe Hpfbcn32.exe File created C:\Windows\SysWOW64\Piocecgj.exe Pbekii32.exe File created C:\Windows\SysWOW64\Lefkkg32.exe Llngbabj.exe File opened for modification C:\Windows\SysWOW64\Gpdennml.exe Gijmad32.exe File created C:\Windows\SysWOW64\Pbhgoh32.exe Piocecgj.exe File created C:\Windows\SysWOW64\Infhebbh.exe Icachjbb.exe File created C:\Windows\SysWOW64\Epaaihpg.dll Iagqgn32.exe File opened for modification C:\Windows\SysWOW64\Jjihfbno.exe Jdopjh32.exe File opened for modification C:\Windows\SysWOW64\Lhbkac32.exe Lahbei32.exe File created C:\Windows\SysWOW64\Jcknij32.dll Ddgibkpc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9316 10184 WerFault.exe 470 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmnnimak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dphiaffa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqphic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibgmaqfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhhodg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdaniq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljpaqmgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjggal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddble32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nodiqp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpnda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilmedf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bogkmgba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhplpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laiipofp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klpakj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icogcjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noblkqca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooibkpmi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekgqennl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnffhgon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gclafmej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkfkmmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbocfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbnajqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgapmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbcncibp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjeplijj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jddiegbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npepkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hihibbjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mofmobmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpjjmg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidlqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddmhhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egaejeej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnphoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hejqldci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dggkipii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdopjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdcmkgmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgdemb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afappe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgklmacf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcneeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boldhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbpedjnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khbiello.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaaldjil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhbkac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofmdio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klggli32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmnkdal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmjfodne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hejjanpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhknodl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmaea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lljdai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqoloc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppdbgncl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jeolckne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaemilci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnkfmm32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mfenglqf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gejqna32.dll" Ojqcnhkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkoplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ofkhpmpa.dll" Ngjkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cponen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iajdgcab.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcckiibj.dll" Apjdikqd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mohpjh32.dll" Hchqbkkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbnefjjd.dll" Jnbgaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dikifc32.dll" Ekgqennl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbdgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jaemilci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbpnjdkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hbdgec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fenpmnno.dll" Ocgbld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imqpnq32.dll" Mfenglqf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojemig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lpphjbnh.dll" Baepolni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djegekil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epaaihpg.dll" Iagqgn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jbijgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adfnba32.dll" Nadleilm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlohlk32.dll" Aopemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpqlc32.dll" Foapaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmfchehg.dll" Lhbkac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lckggdbo.dll" Ieccbbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kcjjhdjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fjhmbihg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bogkmgba.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpdennml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Llqjbhdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mlljnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bagmdllg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ddcebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ecbeip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jodamh32.dll" Ekngemhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igafkb32.dll" Pdhkcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Baannc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpceplkl.dll" Hbnaeh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Icachjbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijaaij32.dll" Jlidpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egohdegl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmapoggk.dll" Giecfejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifcnk32.dll" Gkoplk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boihcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hicpgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hkaeih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgnomg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpoejj32.dll" Ojemig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dinael32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fldeljei.dll" Mhoahh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ooibkpmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pmhbqbae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Biklho32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqfnqg32.dll" Kdmlkfjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Khkdad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Doagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibepke32.dll" Kcjjhdjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmgjnl32.dll" Ppdbgncl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ookoaokf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gcqjal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klmnkdal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Himfiblh.dll" Ipdndloi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjoiip32.dll" Mcfbkpab.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2204 wrote to memory of 740 2204 148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe 83 PID 2204 wrote to memory of 740 2204 148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe 83 PID 2204 wrote to memory of 740 2204 148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe 83 PID 740 wrote to memory of 1176 740 Nfjola32.exe 84 PID 740 wrote to memory of 1176 740 Nfjola32.exe 84 PID 740 wrote to memory of 1176 740 Nfjola32.exe 84 PID 1176 wrote to memory of 3904 1176 Nqpcjj32.exe 85 PID 1176 wrote to memory of 3904 1176 Nqpcjj32.exe 85 PID 1176 wrote to memory of 3904 1176 Nqpcjj32.exe 85 PID 3904 wrote to memory of 4364 3904 Ngjkfd32.exe 86 PID 3904 wrote to memory of 4364 3904 Ngjkfd32.exe 86 PID 3904 wrote to memory of 4364 3904 Ngjkfd32.exe 86 PID 4364 wrote to memory of 1836 4364 Nmfcok32.exe 87 PID 4364 wrote to memory of 1836 4364 Nmfcok32.exe 87 PID 4364 wrote to memory of 1836 4364 Nmfcok32.exe 87 PID 1836 wrote to memory of 3500 1836 Npepkf32.exe 88 PID 1836 wrote to memory of 3500 1836 Npepkf32.exe 88 PID 1836 wrote to memory of 3500 1836 Npepkf32.exe 88 PID 3500 wrote to memory of 4756 3500 Nglhld32.exe 89 PID 3500 wrote to memory of 4756 3500 Nglhld32.exe 89 PID 3500 wrote to memory of 4756 3500 Nglhld32.exe 89 PID 4756 wrote to memory of 3324 4756 Nadleilm.exe 90 PID 4756 wrote to memory of 3324 4756 Nadleilm.exe 90 PID 4756 wrote to memory of 3324 4756 Nadleilm.exe 90 PID 3324 wrote to memory of 2092 3324 Ngndaccj.exe 91 PID 3324 wrote to memory of 2092 3324 Ngndaccj.exe 91 PID 3324 wrote to memory of 2092 3324 Ngndaccj.exe 91 PID 2092 wrote to memory of 2608 2092 Nnhmnn32.exe 92 PID 2092 wrote to memory of 2608 2092 Nnhmnn32.exe 92 PID 2092 wrote to memory of 2608 2092 Nnhmnn32.exe 92 PID 2608 wrote to memory of 812 2608 Npiiffqe.exe 93 PID 2608 wrote to memory of 812 2608 Npiiffqe.exe 93 PID 2608 wrote to memory of 812 2608 Npiiffqe.exe 93 PID 812 wrote to memory of 2088 812 Ojomcopk.exe 94 PID 812 wrote to memory of 2088 812 Ojomcopk.exe 94 PID 812 wrote to memory of 2088 812 Ojomcopk.exe 94 PID 2088 wrote to memory of 2124 2088 Oaifpi32.exe 95 PID 2088 wrote to memory of 2124 2088 Oaifpi32.exe 95 PID 2088 wrote to memory of 2124 2088 Oaifpi32.exe 95 PID 2124 wrote to memory of 4904 2124 Ocgbld32.exe 96 PID 2124 wrote to memory of 4904 2124 Ocgbld32.exe 96 PID 2124 wrote to memory of 4904 2124 Ocgbld32.exe 96 PID 4904 wrote to memory of 1144 4904 Onmfimga.exe 97 PID 4904 wrote to memory of 1144 4904 Onmfimga.exe 97 PID 4904 wrote to memory of 1144 4904 Onmfimga.exe 97 PID 1144 wrote to memory of 2304 1144 Opnbae32.exe 98 PID 1144 wrote to memory of 2304 1144 Opnbae32.exe 98 PID 1144 wrote to memory of 2304 1144 Opnbae32.exe 98 PID 2304 wrote to memory of 2816 2304 Ofhknodl.exe 99 PID 2304 wrote to memory of 2816 2304 Ofhknodl.exe 99 PID 2304 wrote to memory of 2816 2304 Ofhknodl.exe 99 PID 2816 wrote to memory of 2240 2816 Ombcji32.exe 100 PID 2816 wrote to memory of 2240 2816 Ombcji32.exe 100 PID 2816 wrote to memory of 2240 2816 Ombcji32.exe 100 PID 2240 wrote to memory of 1512 2240 Ojfcdnjc.exe 101 PID 2240 wrote to memory of 1512 2240 Ojfcdnjc.exe 101 PID 2240 wrote to memory of 1512 2240 Ojfcdnjc.exe 101 PID 1512 wrote to memory of 324 1512 Ofmdio32.exe 102 PID 1512 wrote to memory of 324 1512 Ofmdio32.exe 102 PID 1512 wrote to memory of 324 1512 Ofmdio32.exe 102 PID 324 wrote to memory of 2284 324 Ocaebc32.exe 103 PID 324 wrote to memory of 2284 324 Ocaebc32.exe 103 PID 324 wrote to memory of 2284 324 Ocaebc32.exe 103 PID 2284 wrote to memory of 636 2284 Paeelgnj.exe 104
Processes
-
C:\Users\Admin\AppData\Local\Temp\148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe"C:\Users\Admin\AppData\Local\Temp\148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Nfjola32.exeC:\Windows\system32\Nfjola32.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:740 -
C:\Windows\SysWOW64\Nqpcjj32.exeC:\Windows\system32\Nqpcjj32.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1176 -
C:\Windows\SysWOW64\Ngjkfd32.exeC:\Windows\system32\Ngjkfd32.exe4⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3904 -
C:\Windows\SysWOW64\Nmfcok32.exeC:\Windows\system32\Nmfcok32.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4364 -
C:\Windows\SysWOW64\Npepkf32.exeC:\Windows\system32\Npepkf32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\SysWOW64\Nglhld32.exeC:\Windows\system32\Nglhld32.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3500 -
C:\Windows\SysWOW64\Nadleilm.exeC:\Windows\system32\Nadleilm.exe8⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4756 -
C:\Windows\SysWOW64\Ngndaccj.exeC:\Windows\system32\Ngndaccj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3324 -
C:\Windows\SysWOW64\Nnhmnn32.exeC:\Windows\system32\Nnhmnn32.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2092 -
C:\Windows\SysWOW64\Npiiffqe.exeC:\Windows\system32\Npiiffqe.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Ojomcopk.exeC:\Windows\system32\Ojomcopk.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:812 -
C:\Windows\SysWOW64\Oaifpi32.exeC:\Windows\system32\Oaifpi32.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Ocgbld32.exeC:\Windows\system32\Ocgbld32.exe14⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Onmfimga.exeC:\Windows\system32\Onmfimga.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4904 -
C:\Windows\SysWOW64\Opnbae32.exeC:\Windows\system32\Opnbae32.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Ofhknodl.exeC:\Windows\system32\Ofhknodl.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\SysWOW64\Ombcji32.exeC:\Windows\system32\Ombcji32.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Ojfcdnjc.exeC:\Windows\system32\Ojfcdnjc.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Ofmdio32.exeC:\Windows\system32\Ofmdio32.exe20⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1512 -
C:\Windows\SysWOW64\Ocaebc32.exeC:\Windows\system32\Ocaebc32.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:324 -
C:\Windows\SysWOW64\Paeelgnj.exeC:\Windows\system32\Paeelgnj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Pfandnla.exeC:\Windows\system32\Pfandnla.exe23⤵
- Executes dropped EXE
PID:636 -
C:\Windows\SysWOW64\Pdenmbkk.exeC:\Windows\system32\Pdenmbkk.exe24⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1560 -
C:\Windows\SysWOW64\Pmnbfhal.exeC:\Windows\system32\Pmnbfhal.exe25⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4932 -
C:\Windows\SysWOW64\Pdhkcb32.exeC:\Windows\system32\Pdhkcb32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1048 -
C:\Windows\SysWOW64\Palklf32.exeC:\Windows\system32\Palklf32.exe27⤵
- Executes dropped EXE
PID:1064 -
C:\Windows\SysWOW64\Phfcipoo.exeC:\Windows\system32\Phfcipoo.exe28⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Ppahmb32.exeC:\Windows\system32\Ppahmb32.exe29⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Qfkqjmdg.exeC:\Windows\system32\Qfkqjmdg.exe30⤵
- Executes dropped EXE
PID:1056 -
C:\Windows\SysWOW64\Qmeigg32.exeC:\Windows\system32\Qmeigg32.exe31⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Qjiipk32.exeC:\Windows\system32\Qjiipk32.exe32⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\Qdaniq32.exeC:\Windows\system32\Qdaniq32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2796 -
C:\Windows\SysWOW64\Amjbbfgo.exeC:\Windows\system32\Amjbbfgo.exe34⤵
- Executes dropped EXE
PID:4500 -
C:\Windows\SysWOW64\Afbgkl32.exeC:\Windows\system32\Afbgkl32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3820 -
C:\Windows\SysWOW64\Apjkcadp.exeC:\Windows\system32\Apjkcadp.exe36⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Aokkahlo.exeC:\Windows\system32\Aokkahlo.exe37⤵
- Executes dropped EXE
PID:3652 -
C:\Windows\SysWOW64\Adhdjpjf.exeC:\Windows\system32\Adhdjpjf.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3320 -
C:\Windows\SysWOW64\Akblfj32.exeC:\Windows\system32\Akblfj32.exe39⤵
- Executes dropped EXE
PID:4492 -
C:\Windows\SysWOW64\Adkqoohc.exeC:\Windows\system32\Adkqoohc.exe40⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Aopemh32.exeC:\Windows\system32\Aopemh32.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:1060 -
C:\Windows\SysWOW64\Bhhiemoj.exeC:\Windows\system32\Bhhiemoj.exe42⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Bkgeainn.exeC:\Windows\system32\Bkgeainn.exe43⤵
- Executes dropped EXE
PID:4960 -
C:\Windows\SysWOW64\Baannc32.exeC:\Windows\system32\Baannc32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4264 -
C:\Windows\SysWOW64\Bdojjo32.exeC:\Windows\system32\Bdojjo32.exe45⤵
- Executes dropped EXE
PID:4928 -
C:\Windows\SysWOW64\Bhkfkmmg.exeC:\Windows\system32\Bhkfkmmg.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1724 -
C:\Windows\SysWOW64\Boenhgdd.exeC:\Windows\system32\Boenhgdd.exe47⤵
- Executes dropped EXE
PID:4592 -
C:\Windows\SysWOW64\Bdagpnbk.exeC:\Windows\system32\Bdagpnbk.exe48⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Bogkmgba.exeC:\Windows\system32\Bogkmgba.exe49⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Bphgeo32.exeC:\Windows\system32\Bphgeo32.exe50⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Boihcf32.exeC:\Windows\system32\Boihcf32.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Boldhf32.exeC:\Windows\system32\Boldhf32.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4696 -
C:\Windows\SysWOW64\Chdialdl.exeC:\Windows\system32\Chdialdl.exe53⤵
- Executes dropped EXE
PID:3456 -
C:\Windows\SysWOW64\Conanfli.exeC:\Windows\system32\Conanfli.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:224 -
C:\Windows\SysWOW64\Cponen32.exeC:\Windows\system32\Cponen32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2488 -
C:\Windows\SysWOW64\Coqncejg.exeC:\Windows\system32\Coqncejg.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3864 -
C:\Windows\SysWOW64\Cdmfllhn.exeC:\Windows\system32\Cdmfllhn.exe57⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Ckgohf32.exeC:\Windows\system32\Ckgohf32.exe58⤵
- Executes dropped EXE
PID:3984 -
C:\Windows\SysWOW64\Cpdgqmnb.exeC:\Windows\system32\Cpdgqmnb.exe59⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Cgnomg32.exeC:\Windows\system32\Cgnomg32.exe60⤵
- Executes dropped EXE
- Modifies registry class
PID:1332 -
C:\Windows\SysWOW64\Cnhgjaml.exeC:\Windows\system32\Cnhgjaml.exe61⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Chnlgjlb.exeC:\Windows\system32\Chnlgjlb.exe62⤵
- Executes dropped EXE
PID:3684 -
C:\Windows\SysWOW64\Cogddd32.exeC:\Windows\system32\Cogddd32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Dddllkbf.exeC:\Windows\system32\Dddllkbf.exe64⤵
- Executes dropped EXE
PID:4472 -
C:\Windows\SysWOW64\Dhphmj32.exeC:\Windows\system32\Dhphmj32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4000 -
C:\Windows\SysWOW64\Dnmaea32.exeC:\Windows\system32\Dnmaea32.exe66⤵
- System Location Discovery: System Language Discovery
PID:4372 -
C:\Windows\SysWOW64\Ddgibkpc.exeC:\Windows\system32\Ddgibkpc.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2996 -
C:\Windows\SysWOW64\Dgeenfog.exeC:\Windows\system32\Dgeenfog.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2520 -
C:\Windows\SysWOW64\Dhdbhifj.exeC:\Windows\system32\Dhdbhifj.exe69⤵PID:4224
-
C:\Windows\SysWOW64\Dkcndeen.exeC:\Windows\system32\Dkcndeen.exe70⤵PID:1208
-
C:\Windows\SysWOW64\Ddkbmj32.exeC:\Windows\system32\Ddkbmj32.exe71⤵PID:1840
-
C:\Windows\SysWOW64\Doagjc32.exeC:\Windows\system32\Doagjc32.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:624 -
C:\Windows\SysWOW64\Dbocfo32.exeC:\Windows\system32\Dbocfo32.exe73⤵
- System Location Discovery: System Language Discovery
PID:3228 -
C:\Windows\SysWOW64\Dglkoeio.exeC:\Windows\system32\Dglkoeio.exe74⤵PID:2648
-
C:\Windows\SysWOW64\Doccpcja.exeC:\Windows\system32\Doccpcja.exe75⤵PID:1380
-
C:\Windows\SysWOW64\Egohdegl.exeC:\Windows\system32\Egohdegl.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Ebdlangb.exeC:\Windows\system32\Ebdlangb.exe77⤵PID:4836
-
C:\Windows\SysWOW64\Egaejeej.exeC:\Windows\system32\Egaejeej.exe78⤵
- System Location Discovery: System Language Discovery
PID:4540 -
C:\Windows\SysWOW64\Enkmfolf.exeC:\Windows\system32\Enkmfolf.exe79⤵
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Ehpadhll.exeC:\Windows\system32\Ehpadhll.exe80⤵PID:992
-
C:\Windows\SysWOW64\Eqlfhjig.exeC:\Windows\system32\Eqlfhjig.exe81⤵PID:4776
-
C:\Windows\SysWOW64\Egened32.exeC:\Windows\system32\Egened32.exe82⤵PID:3428
-
C:\Windows\SysWOW64\Ekajec32.exeC:\Windows\system32\Ekajec32.exe83⤵PID:3496
-
C:\Windows\SysWOW64\Edionhpn.exeC:\Windows\system32\Edionhpn.exe84⤵PID:1620
-
C:\Windows\SysWOW64\Fnbcgn32.exeC:\Windows\system32\Fnbcgn32.exe85⤵PID:2936
-
C:\Windows\SysWOW64\Foapaa32.exeC:\Windows\system32\Foapaa32.exe86⤵
- Modifies registry class
PID:404 -
C:\Windows\SysWOW64\Fqbliicp.exeC:\Windows\system32\Fqbliicp.exe87⤵PID:5088
-
C:\Windows\SysWOW64\Fijdjfdb.exeC:\Windows\system32\Fijdjfdb.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2116 -
C:\Windows\SysWOW64\Feqeog32.exeC:\Windows\system32\Feqeog32.exe89⤵
- Drops file in System32 directory
PID:3268 -
C:\Windows\SysWOW64\Fkjmlaac.exeC:\Windows\system32\Fkjmlaac.exe90⤵PID:1596
-
C:\Windows\SysWOW64\Fofilp32.exeC:\Windows\system32\Fofilp32.exe91⤵PID:5032
-
C:\Windows\SysWOW64\Fbdehlip.exeC:\Windows\system32\Fbdehlip.exe92⤵PID:1624
-
C:\Windows\SysWOW64\Fecadghc.exeC:\Windows\system32\Fecadghc.exe93⤵PID:2708
-
C:\Windows\SysWOW64\Fnkfmm32.exeC:\Windows\system32\Fnkfmm32.exe94⤵
- System Location Discovery: System Language Discovery
PID:464 -
C:\Windows\SysWOW64\Feenjgfq.exeC:\Windows\system32\Feenjgfq.exe95⤵PID:4840
-
C:\Windows\SysWOW64\Fiqjke32.exeC:\Windows\system32\Fiqjke32.exe96⤵PID:3124
-
C:\Windows\SysWOW64\Gokbgpeg.exeC:\Windows\system32\Gokbgpeg.exe97⤵PID:2424
-
C:\Windows\SysWOW64\Gegkpf32.exeC:\Windows\system32\Gegkpf32.exe98⤵PID:4232
-
C:\Windows\SysWOW64\Ggfglb32.exeC:\Windows\system32\Ggfglb32.exe99⤵PID:4368
-
C:\Windows\SysWOW64\Gpmomo32.exeC:\Windows\system32\Gpmomo32.exe100⤵
- Drops file in System32 directory
PID:1744 -
C:\Windows\SysWOW64\Gnpphljo.exeC:\Windows\system32\Gnpphljo.exe101⤵PID:4568
-
C:\Windows\SysWOW64\Giecfejd.exeC:\Windows\system32\Giecfejd.exe102⤵
- Modifies registry class
PID:2516 -
C:\Windows\SysWOW64\Gaqhjggp.exeC:\Windows\system32\Gaqhjggp.exe103⤵PID:4852
-
C:\Windows\SysWOW64\Gihpkd32.exeC:\Windows\system32\Gihpkd32.exe104⤵PID:3696
-
C:\Windows\SysWOW64\Gpaihooo.exeC:\Windows\system32\Gpaihooo.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4564 -
C:\Windows\SysWOW64\Gbpedjnb.exeC:\Windows\system32\Gbpedjnb.exe106⤵
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Gijmad32.exeC:\Windows\system32\Gijmad32.exe107⤵
- Drops file in System32 directory
PID:3544 -
C:\Windows\SysWOW64\Gpdennml.exeC:\Windows\system32\Gpdennml.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Geanfelc.exeC:\Windows\system32\Geanfelc.exe109⤵PID:1384
-
C:\Windows\SysWOW64\Ghojbq32.exeC:\Windows\system32\Ghojbq32.exe110⤵PID:2716
-
C:\Windows\SysWOW64\Hpfbcn32.exeC:\Windows\system32\Hpfbcn32.exe111⤵
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Hioflcbj.exeC:\Windows\system32\Hioflcbj.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:988 -
C:\Windows\SysWOW64\Hlmchoan.exeC:\Windows\system32\Hlmchoan.exe113⤵PID:4428
-
C:\Windows\SysWOW64\Hbgkei32.exeC:\Windows\system32\Hbgkei32.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5128 -
C:\Windows\SysWOW64\Heegad32.exeC:\Windows\system32\Heegad32.exe115⤵PID:5172
-
C:\Windows\SysWOW64\Hpkknmgd.exeC:\Windows\system32\Hpkknmgd.exe116⤵PID:5216
-
C:\Windows\SysWOW64\Hbihjifh.exeC:\Windows\system32\Hbihjifh.exe117⤵PID:5260
-
C:\Windows\SysWOW64\Hicpgc32.exeC:\Windows\system32\Hicpgc32.exe118⤵
- Modifies registry class
PID:5304 -
C:\Windows\SysWOW64\Hnphoj32.exeC:\Windows\system32\Hnphoj32.exe119⤵
- System Location Discovery: System Language Discovery
PID:5348 -
C:\Windows\SysWOW64\Hejqldci.exeC:\Windows\system32\Hejqldci.exe120⤵
- System Location Discovery: System Language Discovery
PID:5392 -
C:\Windows\SysWOW64\Hldiinke.exeC:\Windows\system32\Hldiinke.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:5436
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-