Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
33s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
17/01/2025, 15:53
Behavioral task
behavioral1
Sample
58a3bd58fa95eef81392d20b88e7c15f7c70577c33fcb7d13b9c075345cb8ab4.exe
Resource
win7-20240903-en
windows7-x64
12 signatures
120 seconds
General
-
Target
58a3bd58fa95eef81392d20b88e7c15f7c70577c33fcb7d13b9c075345cb8ab4.exe
-
Size
93KB
-
MD5
d769b38343281925a32ac694ed2f0f66
-
SHA1
6b0cd00dbdea29e3749f12a020d2e5b02e6ecb4b
-
SHA256
58a3bd58fa95eef81392d20b88e7c15f7c70577c33fcb7d13b9c075345cb8ab4
-
SHA512
b26f5b67960d4004dd7ddba01417d0db98384dfcfab7475124a9c2a9a45de76c2942a77a720128c8fa0fc3586289240e894b5aa57bc99f88ba624542a20c005f
-
SSDEEP
1536:5Pw64rNnBq5E5J/XdGZUg1DaYfMZRWuLsV+1x:6JUqiUggYfc0DV+1x
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnopldgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdiogq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcjhmcok.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hahlhkhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifffkncm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjmeiq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cileqlmg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgebdipp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opnpimdf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maefamlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cchbgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qqbecp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbpenco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjmbqhif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cljodo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnkion32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnifja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmqpam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbpbpkpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjpkqonj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncfoch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clmdmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lonpma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Heealhla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hlgimqhf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iafnjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnjnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhkkbmnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gligjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ooclji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgkleabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkgcab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lqejbiim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhonngce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfncpcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofcqcp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpbglhjq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmhdpnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foafdoag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oajlkojn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbleeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmmebm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pilfpqaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Olpilg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekjjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cebcmdlg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jagnlkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qnebjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehmdgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhbnbpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilnomp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lqipkhbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggfnopfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbigpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnflke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdnild32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfmbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lneaqn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nenkqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmmeon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aohdmdoh.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2728 Fmhjni32.exe 2148 Fcbbjcif.exe 2792 Fiokbjgn.exe 2620 Fpicodoj.exe 2652 Fcdopc32.exe 1212 Ffcllo32.exe 2080 Gehhmkko.exe 1264 Glbqje32.exe 2784 Gblifo32.exe 1880 Gejebk32.exe 2936 Gppipc32.exe 760 Gbnflo32.exe 1296 Glgjednf.exe 2156 Gbqbaofc.exe 2428 Gdboig32.exe 2152 Gligjd32.exe 444 Hafock32.exe 2004 Hddlof32.exe 1680 Hjndlqal.exe 2160 Hmmphlpp.exe 1204 Hahlhkhi.exe 740 Hhbdee32.exe 532 Hicqmmfc.exe 2000 Hajinjff.exe 1804 Hbleeb32.exe 2840 Hjcmgp32.exe 1572 Hldjnhce.exe 2868 Hfjnla32.exe 2748 Hmcfhkjg.exe 2644 Hoebpc32.exe 1976 Heokmmgb.exe 2228 Ihmgiiff.exe 2676 Ilicig32.exe 2968 Iaelanmg.exe 1656 Iimcclni.exe 1640 Ioilkblq.exe 3068 Ilnmdgkj.exe 1548 Ikpmpc32.exe 2952 Idiaii32.exe 2108 Ionefb32.exe 844 Ippbnjni.exe 876 Ihfjognl.exe 2276 Ihfjognl.exe 1220 Ipbocjlg.exe 1092 Idmkdh32.exe 1372 Jkgcab32.exe 864 Jliohkak.exe 2524 Jdpgjhbm.exe 300 Jeadap32.exe 2836 Jnhlbn32.exe 2740 Jlklnjoh.exe 2744 Joihjfnl.exe 1904 Jgqpkc32.exe 2068 Jjomgo32.exe 2488 Jolepe32.exe 2916 Jcgapdeb.exe 2920 Jajala32.exe 2400 Jhdihkcj.exe 1096 Jkbfdfbm.exe 2860 Jcjnfdbp.exe 1660 Jblnaq32.exe 624 Jdkjnl32.exe 828 Jhffnk32.exe 1900 Kopokehd.exe -
Loads dropped DLL 64 IoCs
pid Process 2672 58a3bd58fa95eef81392d20b88e7c15f7c70577c33fcb7d13b9c075345cb8ab4.exe 2672 58a3bd58fa95eef81392d20b88e7c15f7c70577c33fcb7d13b9c075345cb8ab4.exe 2728 Fmhjni32.exe 2728 Fmhjni32.exe 2148 Fcbbjcif.exe 2148 Fcbbjcif.exe 2792 Fiokbjgn.exe 2792 Fiokbjgn.exe 2620 Fpicodoj.exe 2620 Fpicodoj.exe 2652 Fcdopc32.exe 2652 Fcdopc32.exe 1212 Ffcllo32.exe 1212 Ffcllo32.exe 2080 Gehhmkko.exe 2080 Gehhmkko.exe 1264 Glbqje32.exe 1264 Glbqje32.exe 2784 Gblifo32.exe 2784 Gblifo32.exe 1880 Gejebk32.exe 1880 Gejebk32.exe 2936 Gppipc32.exe 2936 Gppipc32.exe 760 Gbnflo32.exe 760 Gbnflo32.exe 1296 Glgjednf.exe 1296 Glgjednf.exe 2156 Gbqbaofc.exe 2156 Gbqbaofc.exe 2428 Gdboig32.exe 2428 Gdboig32.exe 2152 Gligjd32.exe 2152 Gligjd32.exe 444 Hafock32.exe 444 Hafock32.exe 2004 Hddlof32.exe 2004 Hddlof32.exe 1680 Hjndlqal.exe 1680 Hjndlqal.exe 2160 Hmmphlpp.exe 2160 Hmmphlpp.exe 1204 Hahlhkhi.exe 1204 Hahlhkhi.exe 740 Hhbdee32.exe 740 Hhbdee32.exe 532 Hicqmmfc.exe 532 Hicqmmfc.exe 2000 Hajinjff.exe 2000 Hajinjff.exe 1804 Hbleeb32.exe 1804 Hbleeb32.exe 2840 Hjcmgp32.exe 2840 Hjcmgp32.exe 1572 Hldjnhce.exe 1572 Hldjnhce.exe 2868 Hfjnla32.exe 2868 Hfjnla32.exe 2748 Hmcfhkjg.exe 2748 Hmcfhkjg.exe 2644 Hoebpc32.exe 2644 Hoebpc32.exe 1976 Heokmmgb.exe 1976 Heokmmgb.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fmhjni32.exe 58a3bd58fa95eef81392d20b88e7c15f7c70577c33fcb7d13b9c075345cb8ab4.exe File opened for modification C:\Windows\SysWOW64\Hlccdboi.exe Hdlkcdog.exe File created C:\Windows\SysWOW64\Nonlfc32.dll Jgdfdbhk.exe File opened for modification C:\Windows\SysWOW64\Bkbaii32.exe Bckjhl32.exe File created C:\Windows\SysWOW64\Nplimbka.exe Ngealejo.exe File created C:\Windows\SysWOW64\Okppejbk.dll Nlnnnk32.exe File created C:\Windows\SysWOW64\Lgoboc32.exe Lcdfnehp.exe File created C:\Windows\SysWOW64\Cjakccop.exe Cgcnghpl.exe File opened for modification C:\Windows\SysWOW64\Mnbpjb32.exe Mkddnf32.exe File opened for modification C:\Windows\SysWOW64\Aggiigmn.exe Ackmih32.exe File opened for modification C:\Windows\SysWOW64\Bmhkmm32.exe Bimoloog.exe File created C:\Windows\SysWOW64\Ldfkhk32.dll Dmmmfc32.exe File created C:\Windows\SysWOW64\Oiffkkbk.exe Oekjjl32.exe File opened for modification C:\Windows\SysWOW64\Affdle32.exe Anolkh32.exe File opened for modification C:\Windows\SysWOW64\Acnjnh32.exe Aqonbm32.exe File created C:\Windows\SysWOW64\Idicbbpi.exe Iakgefqe.exe File created C:\Windows\SysWOW64\Jaoqqflp.exe Jmdepg32.exe File opened for modification C:\Windows\SysWOW64\Obmnna32.exe Opnbbe32.exe File opened for modification C:\Windows\SysWOW64\Mbhlek32.exe Mnmpdlac.exe File opened for modification C:\Windows\SysWOW64\Pmpbdm32.exe Pidfdofi.exe File created C:\Windows\SysWOW64\Ckmcef32.dll Qndkpmkm.exe File created C:\Windows\SysWOW64\Qqeagm32.dll Oionacqo.exe File created C:\Windows\SysWOW64\Affdle32.exe Anolkh32.exe File opened for modification C:\Windows\SysWOW64\Ilabmedg.exe Iibfajdc.exe File created C:\Windows\SysWOW64\Aebmjo32.dll Hidcef32.exe File created C:\Windows\SysWOW64\Qfekkflj.dll Iedfqeka.exe File opened for modification C:\Windows\SysWOW64\Pkljdj32.exe Pdbahpec.exe File opened for modification C:\Windows\SysWOW64\Ckolek32.exe Cllkin32.exe File created C:\Windows\SysWOW64\Kemjcm32.dll Cakqgeoi.exe File opened for modification C:\Windows\SysWOW64\Cpmjhk32.exe Chfbgn32.exe File created C:\Windows\SysWOW64\Lpnmgdli.exe Llbqfe32.exe File opened for modification C:\Windows\SysWOW64\Fpmbfbgo.exe Fnofjfhk.exe File opened for modification C:\Windows\SysWOW64\Mjhjdm32.exe Mgjnhaco.exe File created C:\Windows\SysWOW64\Jfbcinlm.dll Mfoiqe32.exe File created C:\Windows\SysWOW64\Nehomq32.exe Noogpfjh.exe File opened for modification C:\Windows\SysWOW64\Ohnaik32.exe Noemqe32.exe File created C:\Windows\SysWOW64\Eacpijip.dll Eniclh32.exe File created C:\Windows\SysWOW64\Jlhhndno.exe Jdaqmg32.exe File opened for modification C:\Windows\SysWOW64\Gdkgkcpq.exe Gblkoham.exe File opened for modification C:\Windows\SysWOW64\Lclicpkm.exe Lpnmgdli.exe File created C:\Windows\SysWOW64\Cddoqj32.dll Mmicfh32.exe File created C:\Windows\SysWOW64\Bnapob32.dll Aigmnqgm.exe File created C:\Windows\SysWOW64\Ambnnc32.dll Cepfgdnj.exe File opened for modification C:\Windows\SysWOW64\Kcdjoaee.exe Kkmand32.exe File created C:\Windows\SysWOW64\Hjqmnofi.dll Njpgpbpf.exe File opened for modification C:\Windows\SysWOW64\Gjojef32.exe Gfcnegnk.exe File created C:\Windows\SysWOW64\Ameaio32.dll Paknelgk.exe File created C:\Windows\SysWOW64\Qdlggg32.exe Qppkfhlc.exe File created C:\Windows\SysWOW64\Danpemej.exe Dnpciaef.exe File opened for modification C:\Windows\SysWOW64\Hpkompgg.exe Hmmbqegc.exe File created C:\Windows\SysWOW64\Iheegf32.dll Mkndhabp.exe File created C:\Windows\SysWOW64\Gbfkdo32.dll Ofadnq32.exe File created C:\Windows\SysWOW64\Odjbnhfc.dll Kbokgpgg.exe File opened for modification C:\Windows\SysWOW64\Ocohkh32.exe Ooclji32.exe File created C:\Windows\SysWOW64\Jdejhfig.exe Jagnlkjd.exe File created C:\Windows\SysWOW64\Nmejllia.exe Nenakoho.exe File opened for modification C:\Windows\SysWOW64\Clmdmm32.exe Cmjdaqgi.exe File created C:\Windows\SysWOW64\Pkjjaebl.dll Ffodjh32.exe File created C:\Windows\SysWOW64\Obokcqhk.exe Opqoge32.exe File created C:\Windows\SysWOW64\Pmiljc32.dll Cfhkhd32.exe File created C:\Windows\SysWOW64\Oaffbqaa.exe Oionacqo.exe File created C:\Windows\SysWOW64\Kkdonaop.dll Pkljdj32.exe File opened for modification C:\Windows\SysWOW64\Aeggbbci.exe Abhkfg32.exe File opened for modification C:\Windows\SysWOW64\Ckahkk32.exe Chcloo32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 9244 10192 WerFault.exe 1051 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpdgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjpkqonj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcghof32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedfqeka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmnjkjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmamp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhplhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbdmeoob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befmfpbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgfcja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbhcim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klngkfge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjhmcok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahgofi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmcoblm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljddjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlefhcnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcibc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ippbnjni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgadda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbcbjlmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlgimqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jaoqqflp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opihgfop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmakmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oionacqo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnihdemo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcldl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihmpobck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbigpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmmagpef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkoicb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmhjni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocjophem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phbgcnig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdlggg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knfndjdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkhhhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naalga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdihiook.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgfoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoebpc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afgmodel.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilnomp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdeqfhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Medeaaej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgjqjjll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpcoib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmpgpond.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcjnfdbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dddimn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgpnmom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmipn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpcckck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbokgpgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oifdbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekfndmfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkgkoiqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbahpec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcomce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfmhdpnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnild32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kglehp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjpaop32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pilfpqaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pofkha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kqiaclhj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noogpfjh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cljodo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eniclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kdpfadlm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gejebk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iampmmne.dll" Gppipc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpgcip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Camljoch.dll" Ookpodkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qndigd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbdgqimc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjcaimgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boogmgkl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bidlgdlk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fgadda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpgkadij.dll" Jpgjgboe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkodahqi.dll" Ohiffh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfkapb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Onffhdlh.dll" Pecgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehmdgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Codfplej.dll" Jmfafgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilicig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikpmpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbjdjjdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nagbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqnifg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmajfk32.dll" Ciihklpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjoifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohidmoaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajhiei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hedbmpnc.dll" Gceailog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfhmqhkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijnbcmkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpebmc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcdopc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmkehj32.dll" Lbemfbdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdhkfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnghel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cofnjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kcmcoblm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdpfadlm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oibmpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jgaiobjn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pciddedl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hebnlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aebmjo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jjdofm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ogiaif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilnomp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkfocaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knhhaaki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qdgpabaa.dll" Ohnaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eecomg32.dll" Ddnfop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbcqem32.dll" Efdhpjok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bqgmfkhg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfhkhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fagigd32.dll" Oklnff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecgdipbc.dll" Bjmbqhif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kglehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbbpenco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jikeeh32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2672 wrote to memory of 2728 2672 58a3bd58fa95eef81392d20b88e7c15f7c70577c33fcb7d13b9c075345cb8ab4.exe 30 PID 2672 wrote to memory of 2728 2672 58a3bd58fa95eef81392d20b88e7c15f7c70577c33fcb7d13b9c075345cb8ab4.exe 30 PID 2672 wrote to memory of 2728 2672 58a3bd58fa95eef81392d20b88e7c15f7c70577c33fcb7d13b9c075345cb8ab4.exe 30 PID 2672 wrote to memory of 2728 2672 58a3bd58fa95eef81392d20b88e7c15f7c70577c33fcb7d13b9c075345cb8ab4.exe 30 PID 2728 wrote to memory of 2148 2728 Fmhjni32.exe 31 PID 2728 wrote to memory of 2148 2728 Fmhjni32.exe 31 PID 2728 wrote to memory of 2148 2728 Fmhjni32.exe 31 PID 2728 wrote to memory of 2148 2728 Fmhjni32.exe 31 PID 2148 wrote to memory of 2792 2148 Fcbbjcif.exe 32 PID 2148 wrote to memory of 2792 2148 Fcbbjcif.exe 32 PID 2148 wrote to memory of 2792 2148 Fcbbjcif.exe 32 PID 2148 wrote to memory of 2792 2148 Fcbbjcif.exe 32 PID 2792 wrote to memory of 2620 2792 Fiokbjgn.exe 33 PID 2792 wrote to memory of 2620 2792 Fiokbjgn.exe 33 PID 2792 wrote to memory of 2620 2792 Fiokbjgn.exe 33 PID 2792 wrote to memory of 2620 2792 Fiokbjgn.exe 33 PID 2620 wrote to memory of 2652 2620 Fpicodoj.exe 34 PID 2620 wrote to memory of 2652 2620 Fpicodoj.exe 34 PID 2620 wrote to memory of 2652 2620 Fpicodoj.exe 34 PID 2620 wrote to memory of 2652 2620 Fpicodoj.exe 34 PID 2652 wrote to memory of 1212 2652 Fcdopc32.exe 35 PID 2652 wrote to memory of 1212 2652 Fcdopc32.exe 35 PID 2652 wrote to memory of 1212 2652 Fcdopc32.exe 35 PID 2652 wrote to memory of 1212 2652 Fcdopc32.exe 35 PID 1212 wrote to memory of 2080 1212 Ffcllo32.exe 36 PID 1212 wrote to memory of 2080 1212 Ffcllo32.exe 36 PID 1212 wrote to memory of 2080 1212 Ffcllo32.exe 36 PID 1212 wrote to memory of 2080 1212 Ffcllo32.exe 36 PID 2080 wrote to memory of 1264 2080 Gehhmkko.exe 37 PID 2080 wrote to memory of 1264 2080 Gehhmkko.exe 37 PID 2080 wrote to memory of 1264 2080 Gehhmkko.exe 37 PID 2080 wrote to memory of 1264 2080 Gehhmkko.exe 37 PID 1264 wrote to memory of 2784 1264 Glbqje32.exe 38 PID 1264 wrote to memory of 2784 1264 Glbqje32.exe 38 PID 1264 wrote to memory of 2784 1264 Glbqje32.exe 38 PID 1264 wrote to memory of 2784 1264 Glbqje32.exe 38 PID 2784 wrote to memory of 1880 2784 Gblifo32.exe 39 PID 2784 wrote to memory of 1880 2784 Gblifo32.exe 39 PID 2784 wrote to memory of 1880 2784 Gblifo32.exe 39 PID 2784 wrote to memory of 1880 2784 Gblifo32.exe 39 PID 1880 wrote to memory of 2936 1880 Gejebk32.exe 40 PID 1880 wrote to memory of 2936 1880 Gejebk32.exe 40 PID 1880 wrote to memory of 2936 1880 Gejebk32.exe 40 PID 1880 wrote to memory of 2936 1880 Gejebk32.exe 40 PID 2936 wrote to memory of 760 2936 Gppipc32.exe 41 PID 2936 wrote to memory of 760 2936 Gppipc32.exe 41 PID 2936 wrote to memory of 760 2936 Gppipc32.exe 41 PID 2936 wrote to memory of 760 2936 Gppipc32.exe 41 PID 760 wrote to memory of 1296 760 Gbnflo32.exe 42 PID 760 wrote to memory of 1296 760 Gbnflo32.exe 42 PID 760 wrote to memory of 1296 760 Gbnflo32.exe 42 PID 760 wrote to memory of 1296 760 Gbnflo32.exe 42 PID 1296 wrote to memory of 2156 1296 Glgjednf.exe 43 PID 1296 wrote to memory of 2156 1296 Glgjednf.exe 43 PID 1296 wrote to memory of 2156 1296 Glgjednf.exe 43 PID 1296 wrote to memory of 2156 1296 Glgjednf.exe 43 PID 2156 wrote to memory of 2428 2156 Gbqbaofc.exe 44 PID 2156 wrote to memory of 2428 2156 Gbqbaofc.exe 44 PID 2156 wrote to memory of 2428 2156 Gbqbaofc.exe 44 PID 2156 wrote to memory of 2428 2156 Gbqbaofc.exe 44 PID 2428 wrote to memory of 2152 2428 Gdboig32.exe 45 PID 2428 wrote to memory of 2152 2428 Gdboig32.exe 45 PID 2428 wrote to memory of 2152 2428 Gdboig32.exe 45 PID 2428 wrote to memory of 2152 2428 Gdboig32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\58a3bd58fa95eef81392d20b88e7c15f7c70577c33fcb7d13b9c075345cb8ab4.exe"C:\Users\Admin\AppData\Local\Temp\58a3bd58fa95eef81392d20b88e7c15f7c70577c33fcb7d13b9c075345cb8ab4.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Fmhjni32.exeC:\Windows\system32\Fmhjni32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Fcbbjcif.exeC:\Windows\system32\Fcbbjcif.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Fiokbjgn.exeC:\Windows\system32\Fiokbjgn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Fpicodoj.exeC:\Windows\system32\Fpicodoj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\Fcdopc32.exeC:\Windows\system32\Fcdopc32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Ffcllo32.exeC:\Windows\system32\Ffcllo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Windows\SysWOW64\Gehhmkko.exeC:\Windows\system32\Gehhmkko.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\Glbqje32.exeC:\Windows\system32\Glbqje32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1264 -
C:\Windows\SysWOW64\Gblifo32.exeC:\Windows\system32\Gblifo32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2784 -
C:\Windows\SysWOW64\Gejebk32.exeC:\Windows\system32\Gejebk32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\Gppipc32.exeC:\Windows\system32\Gppipc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Gbnflo32.exeC:\Windows\system32\Gbnflo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:760 -
C:\Windows\SysWOW64\Glgjednf.exeC:\Windows\system32\Glgjednf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Gbqbaofc.exeC:\Windows\system32\Gbqbaofc.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\Gdboig32.exeC:\Windows\system32\Gdboig32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Gligjd32.exeC:\Windows\system32\Gligjd32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2152 -
C:\Windows\SysWOW64\Hafock32.exeC:\Windows\system32\Hafock32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:444 -
C:\Windows\SysWOW64\Hddlof32.exeC:\Windows\system32\Hddlof32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Hjndlqal.exeC:\Windows\system32\Hjndlqal.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1680 -
C:\Windows\SysWOW64\Hmmphlpp.exeC:\Windows\system32\Hmmphlpp.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2160 -
C:\Windows\SysWOW64\Hahlhkhi.exeC:\Windows\system32\Hahlhkhi.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1204 -
C:\Windows\SysWOW64\Hhbdee32.exeC:\Windows\system32\Hhbdee32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:740 -
C:\Windows\SysWOW64\Hicqmmfc.exeC:\Windows\system32\Hicqmmfc.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:532 -
C:\Windows\SysWOW64\Hajinjff.exeC:\Windows\system32\Hajinjff.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Hbleeb32.exeC:\Windows\system32\Hbleeb32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1804 -
C:\Windows\SysWOW64\Hjcmgp32.exeC:\Windows\system32\Hjcmgp32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Hldjnhce.exeC:\Windows\system32\Hldjnhce.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1572 -
C:\Windows\SysWOW64\Hfjnla32.exeC:\Windows\system32\Hfjnla32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Hmcfhkjg.exeC:\Windows\system32\Hmcfhkjg.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Hoebpc32.exeC:\Windows\system32\Hoebpc32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Heokmmgb.exeC:\Windows\system32\Heokmmgb.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1976 -
C:\Windows\SysWOW64\Ihmgiiff.exeC:\Windows\system32\Ihmgiiff.exe33⤵
- Executes dropped EXE
PID:2228 -
C:\Windows\SysWOW64\Ilicig32.exeC:\Windows\system32\Ilicig32.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2676 -
C:\Windows\SysWOW64\Iaelanmg.exeC:\Windows\system32\Iaelanmg.exe35⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Iimcclni.exeC:\Windows\system32\Iimcclni.exe36⤵
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Ioilkblq.exeC:\Windows\system32\Ioilkblq.exe37⤵
- Executes dropped EXE
PID:1640 -
C:\Windows\SysWOW64\Ilnmdgkj.exeC:\Windows\system32\Ilnmdgkj.exe38⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Ikpmpc32.exeC:\Windows\system32\Ikpmpc32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:1548 -
C:\Windows\SysWOW64\Idiaii32.exeC:\Windows\system32\Idiaii32.exe40⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Ionefb32.exeC:\Windows\system32\Ionefb32.exe41⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Ippbnjni.exeC:\Windows\system32\Ippbnjni.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:844 -
C:\Windows\SysWOW64\Ihfjognl.exeC:\Windows\system32\Ihfjognl.exe43⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\Ihfjognl.exeC:\Windows\system32\Ihfjognl.exe44⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Ipbocjlg.exeC:\Windows\system32\Ipbocjlg.exe45⤵
- Executes dropped EXE
PID:1220 -
C:\Windows\SysWOW64\Idmkdh32.exeC:\Windows\system32\Idmkdh32.exe46⤵
- Executes dropped EXE
PID:1092 -
C:\Windows\SysWOW64\Jkgcab32.exeC:\Windows\system32\Jkgcab32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Jliohkak.exeC:\Windows\system32\Jliohkak.exe48⤵
- Executes dropped EXE
PID:864 -
C:\Windows\SysWOW64\Jdpgjhbm.exeC:\Windows\system32\Jdpgjhbm.exe49⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Jeadap32.exeC:\Windows\system32\Jeadap32.exe50⤵
- Executes dropped EXE
PID:300 -
C:\Windows\SysWOW64\Jnhlbn32.exeC:\Windows\system32\Jnhlbn32.exe51⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Jlklnjoh.exeC:\Windows\system32\Jlklnjoh.exe52⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Joihjfnl.exeC:\Windows\system32\Joihjfnl.exe53⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Jgqpkc32.exeC:\Windows\system32\Jgqpkc32.exe54⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Jjomgo32.exeC:\Windows\system32\Jjomgo32.exe55⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Jolepe32.exeC:\Windows\system32\Jolepe32.exe56⤵
- Executes dropped EXE
PID:2488 -
C:\Windows\SysWOW64\Jcgapdeb.exeC:\Windows\system32\Jcgapdeb.exe57⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Jajala32.exeC:\Windows\system32\Jajala32.exe58⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Jhdihkcj.exeC:\Windows\system32\Jhdihkcj.exe59⤵
- Executes dropped EXE
PID:2400 -
C:\Windows\SysWOW64\Jkbfdfbm.exeC:\Windows\system32\Jkbfdfbm.exe60⤵
- Executes dropped EXE
PID:1096 -
C:\Windows\SysWOW64\Jcjnfdbp.exeC:\Windows\system32\Jcjnfdbp.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Jblnaq32.exeC:\Windows\system32\Jblnaq32.exe62⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Jdkjnl32.exeC:\Windows\system32\Jdkjnl32.exe63⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Jhffnk32.exeC:\Windows\system32\Jhffnk32.exe64⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Kopokehd.exeC:\Windows\system32\Kopokehd.exe65⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Kbokgpgg.exeC:\Windows\system32\Kbokgpgg.exe66⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1124 -
C:\Windows\SysWOW64\Kdmgclfk.exeC:\Windows\system32\Kdmgclfk.exe67⤵PID:2372
-
C:\Windows\SysWOW64\Kkgopf32.exeC:\Windows\system32\Kkgopf32.exe68⤵PID:2140
-
C:\Windows\SysWOW64\Knekla32.exeC:\Windows\system32\Knekla32.exe69⤵PID:2056
-
C:\Windows\SysWOW64\Kqdhhm32.exeC:\Windows\system32\Kqdhhm32.exe70⤵PID:2612
-
C:\Windows\SysWOW64\Kdpcikdi.exeC:\Windows\system32\Kdpcikdi.exe71⤵PID:2640
-
C:\Windows\SysWOW64\Kkileele.exeC:\Windows\system32\Kkileele.exe72⤵PID:776
-
C:\Windows\SysWOW64\Knhhaaki.exeC:\Windows\system32\Knhhaaki.exe73⤵
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Kdbpnk32.exeC:\Windows\system32\Kdbpnk32.exe74⤵PID:2648
-
C:\Windows\SysWOW64\Kgpmjf32.exeC:\Windows\system32\Kgpmjf32.exe75⤵PID:2924
-
C:\Windows\SysWOW64\Kjoifb32.exeC:\Windows\system32\Kjoifb32.exe76⤵
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Kmmebm32.exeC:\Windows\system32\Kmmebm32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1776 -
C:\Windows\SysWOW64\Kqiaclhj.exeC:\Windows\system32\Kqiaclhj.exe78⤵
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Kcgmoggn.exeC:\Windows\system32\Kcgmoggn.exe79⤵PID:2468
-
C:\Windows\SysWOW64\Kjaelaok.exeC:\Windows\system32\Kjaelaok.exe80⤵PID:708
-
C:\Windows\SysWOW64\Knmamp32.exeC:\Windows\system32\Knmamp32.exe81⤵
- System Location Discovery: System Language Discovery
PID:1908 -
C:\Windows\SysWOW64\Kqknil32.exeC:\Windows\system32\Kqknil32.exe82⤵PID:1376
-
C:\Windows\SysWOW64\Lfhfab32.exeC:\Windows\system32\Lfhfab32.exe83⤵PID:596
-
C:\Windows\SysWOW64\Lifbmn32.exeC:\Windows\system32\Lifbmn32.exe84⤵PID:688
-
C:\Windows\SysWOW64\Lqmjnk32.exeC:\Windows\system32\Lqmjnk32.exe85⤵PID:2720
-
C:\Windows\SysWOW64\Lopkjhko.exeC:\Windows\system32\Lopkjhko.exe86⤵PID:1992
-
C:\Windows\SysWOW64\Lfjcfb32.exeC:\Windows\system32\Lfjcfb32.exe87⤵PID:2864
-
C:\Windows\SysWOW64\Lihobnap.exeC:\Windows\system32\Lihobnap.exe88⤵PID:2076
-
C:\Windows\SysWOW64\Lkgkoiqc.exeC:\Windows\system32\Lkgkoiqc.exe89⤵
- System Location Discovery: System Language Discovery
PID:2912 -
C:\Windows\SysWOW64\Lcncpfaf.exeC:\Windows\system32\Lcncpfaf.exe90⤵PID:2904
-
C:\Windows\SysWOW64\Lbackc32.exeC:\Windows\system32\Lbackc32.exe91⤵PID:492
-
C:\Windows\SysWOW64\Leopgo32.exeC:\Windows\system32\Leopgo32.exe92⤵PID:604
-
C:\Windows\SysWOW64\Lmfhil32.exeC:\Windows\system32\Lmfhil32.exe93⤵PID:1480
-
C:\Windows\SysWOW64\Lpedeg32.exeC:\Windows\system32\Lpedeg32.exe94⤵PID:664
-
C:\Windows\SysWOW64\Lbcpac32.exeC:\Windows\system32\Lbcpac32.exe95⤵PID:1668
-
C:\Windows\SysWOW64\Lfolaang.exeC:\Windows\system32\Lfolaang.exe96⤵PID:1648
-
C:\Windows\SysWOW64\Lgpiij32.exeC:\Windows\system32\Lgpiij32.exe97⤵PID:2484
-
C:\Windows\SysWOW64\Lpgajgeg.exeC:\Windows\system32\Lpgajgeg.exe98⤵PID:2660
-
C:\Windows\SysWOW64\Lbemfbdk.exeC:\Windows\system32\Lbemfbdk.exe99⤵
- Modifies registry class
PID:1604 -
C:\Windows\SysWOW64\Ledibnco.exeC:\Windows\system32\Ledibnco.exe100⤵PID:2188
-
C:\Windows\SysWOW64\Llnaoh32.exeC:\Windows\system32\Llnaoh32.exe101⤵PID:1576
-
C:\Windows\SysWOW64\Lnlnlc32.exeC:\Windows\system32\Lnlnlc32.exe102⤵PID:2788
-
C:\Windows\SysWOW64\Mbhjlbbh.exeC:\Windows\system32\Mbhjlbbh.exe103⤵PID:1268
-
C:\Windows\SysWOW64\Mcifdj32.exeC:\Windows\system32\Mcifdj32.exe104⤵PID:1820
-
C:\Windows\SysWOW64\Mgebdipp.exeC:\Windows\system32\Mgebdipp.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2448 -
C:\Windows\SysWOW64\Mnojacgm.exeC:\Windows\system32\Mnojacgm.exe106⤵PID:1048
-
C:\Windows\SysWOW64\Mmakmp32.exeC:\Windows\system32\Mmakmp32.exe107⤵
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Windows\SysWOW64\Mclcijfd.exeC:\Windows\system32\Mclcijfd.exe108⤵PID:1288
-
C:\Windows\SysWOW64\Mhgoji32.exeC:\Windows\system32\Mhgoji32.exe109⤵PID:1688
-
C:\Windows\SysWOW64\Mjekfd32.exeC:\Windows\system32\Mjekfd32.exe110⤵PID:1716
-
C:\Windows\SysWOW64\Mmdgbp32.exeC:\Windows\system32\Mmdgbp32.exe111⤵PID:2692
-
C:\Windows\SysWOW64\Mpbdnk32.exeC:\Windows\system32\Mpbdnk32.exe112⤵PID:2388
-
C:\Windows\SysWOW64\Mcnpojca.exeC:\Windows\system32\Mcnpojca.exe113⤵PID:1968
-
C:\Windows\SysWOW64\Mjhhld32.exeC:\Windows\system32\Mjhhld32.exe114⤵PID:2976
-
C:\Windows\SysWOW64\Mikhgqbi.exeC:\Windows\system32\Mikhgqbi.exe115⤵PID:1160
-
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe116⤵PID:1580
-
C:\Windows\SysWOW64\Mbcmpfhi.exeC:\Windows\system32\Mbcmpfhi.exe117⤵PID:1620
-
C:\Windows\SysWOW64\Mfoiqe32.exeC:\Windows\system32\Mfoiqe32.exe118⤵
- Drops file in System32 directory
PID:2192 -
C:\Windows\SysWOW64\Mimemp32.exeC:\Windows\system32\Mimemp32.exe119⤵PID:1796
-
C:\Windows\SysWOW64\Mlkail32.exeC:\Windows\system32\Mlkail32.exe120⤵PID:2616
-
C:\Windows\SysWOW64\Mdbiji32.exeC:\Windows\system32\Mdbiji32.exe121⤵PID:1784
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-