Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
88s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
20/01/2025, 00:43
Behavioral task
behavioral1
Sample
0d0726f38deddf1b3661bd33970ea1ef0617454aaf1d740f06105580c3f720cb.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
120 seconds
General
-
Target
0d0726f38deddf1b3661bd33970ea1ef0617454aaf1d740f06105580c3f720cb.exe
-
Size
337KB
-
MD5
d1b527c61481df9b5d9dd9cb3337dd64
-
SHA1
19f9a0ffcc30a7cd3cd886e536691cc3966d876c
-
SHA256
0d0726f38deddf1b3661bd33970ea1ef0617454aaf1d740f06105580c3f720cb
-
SHA512
073634b6c8bf1d1f2501eec537b8be3b2b2f3216c09a0fd565bc903771c255e3b0be3666d748c83a668c1f40258f019d25517da4e25042e0da06659db0eb56d6
-
SSDEEP
3072:bJrhCYYovc0yTUpMiBQBgYfc0DV+1BIyLK5jZWlfXXqyYwi8x4Yfc0n:L+irQB1+fIyG5jZkCwi8R
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hngngo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdgane32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkcgapjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmdnme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njmejaqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecmjid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djoeki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghmnmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qeihfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajbdpblo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ickoimie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kolhdbjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogmkne32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iadphghe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Maejpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aaogbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkkckdhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iamjghnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hbpbck32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knjdimdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfbckagm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 0d0726f38deddf1b3661bd33970ea1ef0617454aaf1d740f06105580c3f720cb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pidaba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qncfphff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmoppefc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opbopn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajoebigm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajghgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cngfqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jihdnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppipdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jipcbidn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcghajkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dflnkjhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fimclh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjofanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oiiilm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikjlmjmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjneoeeh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heamno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnmihgkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hijmin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdgane32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lejppj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akejdp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhpejbf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgiobadq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckchcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmbjjp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akbgdkgm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flphccbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkndiabh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fholmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ephdjeol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpgecq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joebccpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mcghajkq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhmchljg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhbdmeoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gddbfm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkjnenbp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jflgph32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkqjdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leaallcb.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2776 Qmenhe32.exe 2796 Afmbak32.exe 2772 Abdbflnf.exe 2688 Abfoll32.exe 2008 Aompambg.exe 2596 Aoomflpd.exe 2916 Akfnkmei.exe 2936 Bkhjamcf.exe 2032 Cnklgkap.exe 2140 Dcmnja32.exe 1148 Decdmi32.exe 2460 Egfjdchi.exe 1620 Ecmjid32.exe 2148 Ephdjeol.exe 2352 Fpjaodmj.exe 2400 Fodgkp32.exe 1724 Fkkhpadq.exe 1476 Ggdekbgb.exe 852 Ggfbpaeo.exe 940 Gdjcjf32.exe 2580 Gcppkbia.exe 1684 Hljaigmo.exe 2324 Imhqbkbm.exe 2240 Iqhfnifq.exe 2876 Ijqjgo32.exe 2220 Jihdnk32.exe 1668 Jnemfa32.exe 2668 Jkkjeeke.exe 2852 Jecnnk32.exe 1060 Kgdgpfnf.exe 2964 Kamlhl32.exe 2508 Keoabo32.exe 1448 Kfnnlboi.exe 1116 Kbenacdm.exe 2500 Ldhgnk32.exe 2980 Lpaehl32.exe 1560 Laaabo32.exe 2388 Mlmoilni.exe 2064 Miapbpmb.exe 2120 Miclhpjp.exe 1160 Mclqqeaq.exe 1952 Mhhiiloh.exe 1460 Meljbqna.exe 1708 Moenkf32.exe 1940 Ngpcohbm.exe 2056 Nddcimag.exe 108 Nlohmonb.exe 1932 Nladco32.exe 2744 Njeelc32.exe 2512 Nobndj32.exe 1268 Okinik32.exe 2548 Ohmoco32.exe 2340 Ofaolcmh.exe 2112 Onldqejb.exe 2456 Ogdhik32.exe 2260 Okbapi32.exe 2960 Pcnfdl32.exe 2372 Pmfjmake.exe 2188 Pjjkfe32.exe 760 Pfqlkfoc.exe 2812 Ppipdl32.exe 1800 Plpqim32.exe 948 Pidaba32.exe 2360 Qaofgc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2868 0d0726f38deddf1b3661bd33970ea1ef0617454aaf1d740f06105580c3f720cb.exe 2868 0d0726f38deddf1b3661bd33970ea1ef0617454aaf1d740f06105580c3f720cb.exe 2776 Qmenhe32.exe 2776 Qmenhe32.exe 2796 Afmbak32.exe 2796 Afmbak32.exe 2772 Abdbflnf.exe 2772 Abdbflnf.exe 2688 Abfoll32.exe 2688 Abfoll32.exe 2008 Aompambg.exe 2008 Aompambg.exe 2596 Aoomflpd.exe 2596 Aoomflpd.exe 2916 Akfnkmei.exe 2916 Akfnkmei.exe 2936 Bkhjamcf.exe 2936 Bkhjamcf.exe 2032 Cnklgkap.exe 2032 Cnklgkap.exe 2140 Dcmnja32.exe 2140 Dcmnja32.exe 1148 Decdmi32.exe 1148 Decdmi32.exe 2460 Egfjdchi.exe 2460 Egfjdchi.exe 1620 Ecmjid32.exe 1620 Ecmjid32.exe 2148 Ephdjeol.exe 2148 Ephdjeol.exe 2352 Fpjaodmj.exe 2352 Fpjaodmj.exe 2400 Fodgkp32.exe 2400 Fodgkp32.exe 1724 Fkkhpadq.exe 1724 Fkkhpadq.exe 1476 Ggdekbgb.exe 1476 Ggdekbgb.exe 852 Ggfbpaeo.exe 852 Ggfbpaeo.exe 940 Gdjcjf32.exe 940 Gdjcjf32.exe 2580 Gcppkbia.exe 2580 Gcppkbia.exe 1684 Hljaigmo.exe 1684 Hljaigmo.exe 2324 Imhqbkbm.exe 2324 Imhqbkbm.exe 2240 Iqhfnifq.exe 2240 Iqhfnifq.exe 2876 Ijqjgo32.exe 2876 Ijqjgo32.exe 2220 Jihdnk32.exe 2220 Jihdnk32.exe 1668 Jnemfa32.exe 1668 Jnemfa32.exe 2668 Jkkjeeke.exe 2668 Jkkjeeke.exe 2852 Jecnnk32.exe 2852 Jecnnk32.exe 1060 Kgdgpfnf.exe 1060 Kgdgpfnf.exe 2964 Kamlhl32.exe 2964 Kamlhl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Knjdimdh.exe Keappgmg.exe File created C:\Windows\SysWOW64\Fdaephpc.exe Ecbhfeip.exe File created C:\Windows\SysWOW64\Aknnil32.exe Aogmdk32.exe File opened for modification C:\Windows\SysWOW64\Jddqgdii.exe Jhmpbc32.exe File created C:\Windows\SysWOW64\Egchmfnd.exe Ejohdbok.exe File created C:\Windows\SysWOW64\Kibmchmc.dll Peiaij32.exe File created C:\Windows\SysWOW64\Aikbjbjh.dll Maabcc32.exe File created C:\Windows\SysWOW64\Oikgjlgb.dll Dlifcqfl.exe File opened for modification C:\Windows\SysWOW64\Bapejd32.exe Bhgaan32.exe File opened for modification C:\Windows\SysWOW64\Nbegonmd.exe Nogjbbma.exe File opened for modification C:\Windows\SysWOW64\Djoeki32.exe Dnhefh32.exe File created C:\Windows\SysWOW64\Lnfbic32.dll Pmqffonj.exe File created C:\Windows\SysWOW64\Pdgmbedh.dll Bknfeege.exe File created C:\Windows\SysWOW64\Clmoli32.dll Ehinpnpm.exe File opened for modification C:\Windows\SysWOW64\Ibeeeijg.exe Igoagpja.exe File created C:\Windows\SysWOW64\Iociomhg.dll Fpncbjqj.exe File created C:\Windows\SysWOW64\Ophppo32.dll Ahpddmia.exe File created C:\Windows\SysWOW64\Oibiaa32.dll Idkcjk32.exe File opened for modification C:\Windows\SysWOW64\Nloedjin.exe Nmjicn32.exe File created C:\Windows\SysWOW64\Egkfbg32.dll Ghaeaaki.exe File created C:\Windows\SysWOW64\Dhlmpmai.dll Kamlhl32.exe File opened for modification C:\Windows\SysWOW64\Dochelmj.exe Dfkclf32.exe File opened for modification C:\Windows\SysWOW64\Gbhcpmkm.exe Gmkjgfmf.exe File created C:\Windows\SysWOW64\Mgdlgpke.dll Opcaiggo.exe File opened for modification C:\Windows\SysWOW64\Cdkkcp32.exe Boobki32.exe File created C:\Windows\SysWOW64\Ogbidjgd.dll Cejfckie.exe File created C:\Windows\SysWOW64\Ibeeeijg.exe Igoagpja.exe File created C:\Windows\SysWOW64\Cbjnqh32.exe Cfcmlg32.exe File created C:\Windows\SysWOW64\Fhhofe32.dll Dpmgao32.exe File created C:\Windows\SysWOW64\Fbqhnqen.exe Fdmgdl32.exe File created C:\Windows\SysWOW64\Qhbdmeoe.exe Peakkj32.exe File created C:\Windows\SysWOW64\Kheaoj32.exe Kkaaee32.exe File created C:\Windows\SysWOW64\Dlifcqfl.exe Dflnkjhe.exe File created C:\Windows\SysWOW64\Kgjgepqm.exe Kifgllbc.exe File created C:\Windows\SysWOW64\Qmhfaj32.dll Cjbpoeoj.exe File created C:\Windows\SysWOW64\Qooohcdo.dll Hkppcmjk.exe File opened for modification C:\Windows\SysWOW64\Gphlgk32.exe Gjkcod32.exe File created C:\Windows\SysWOW64\Hehlbbnf.dll Ekdglcmh.exe File created C:\Windows\SysWOW64\Edicfeme.dll Gfdcbmbn.exe File created C:\Windows\SysWOW64\Anijicnf.dll Chmlfj32.exe File created C:\Windows\SysWOW64\Einebddd.exe Epeajo32.exe File opened for modification C:\Windows\SysWOW64\Nadoiccn.exe Maabcc32.exe File created C:\Windows\SysWOW64\Odaqikaa.exe Ofnppgbh.exe File opened for modification C:\Windows\SysWOW64\Kamlhl32.exe Kgdgpfnf.exe File created C:\Windows\SysWOW64\Pibgfjdh.exe Pgnnhbpm.exe File created C:\Windows\SysWOW64\Ajclkk32.dll Cocbbk32.exe File opened for modification C:\Windows\SysWOW64\Ghaeaaki.exe Gohqhl32.exe File opened for modification C:\Windows\SysWOW64\Plpqim32.exe Ppipdl32.exe File created C:\Windows\SysWOW64\Fdnlcakk.exe Fhglop32.exe File created C:\Windows\SysWOW64\Kafano32.dll Icoepohq.exe File opened for modification C:\Windows\SysWOW64\Gnenfjdh.exe Faonqiod.exe File created C:\Windows\SysWOW64\Hqpahkmj.exe Gfgpgmql.exe File created C:\Windows\SysWOW64\Onmgeb32.exe Ohcohh32.exe File created C:\Windows\SysWOW64\Kphbmp32.exe Jlkigbef.exe File created C:\Windows\SysWOW64\Leooph32.dll Nflidmic.exe File opened for modification C:\Windows\SysWOW64\Cihedpcg.exe Ckchcc32.exe File opened for modification C:\Windows\SysWOW64\Lijepc32.exe Lpapgnpb.exe File opened for modification C:\Windows\SysWOW64\Fcingdbh.exe Fcgaae32.exe File opened for modification C:\Windows\SysWOW64\Llkgpmck.exe Khmnio32.exe File opened for modification C:\Windows\SysWOW64\Jadlgjjq.exe Jjjdjp32.exe File created C:\Windows\SysWOW64\Dlicoiod.dll Qeglqpaj.exe File opened for modification C:\Windows\SysWOW64\Cjkcedgp.exe Cofohkgi.exe File created C:\Windows\SysWOW64\Iliehb32.dll Chkpakla.exe File created C:\Windows\SysWOW64\Jlamnm32.dll Fdaephpc.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4148 1348 WerFault.exe 833 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogmkne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmajdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkaaee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofbikf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppmkilbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklpml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abdbflnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odanqb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jifhdphd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpjfjalp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgpklb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pahjgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mogene32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhalngad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaaoqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkigfdjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfqaph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehgmiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkafib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mojaceln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgfghodj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cenmfbml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kphbmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eqkjmcmq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bphdpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elbkbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfqlkfoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikfklni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpengf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpcdfem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mogcelgm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cedbmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknnil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcahjqfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knjdimdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idghhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qghgigkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdipfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqfeom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpmjpba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkefcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afmbak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pidaba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jipcbidn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lofkoamf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffpkob32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbbegl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cngfqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbbenlof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kamlhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iabhdefo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbhagiem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcoanb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jngkdj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iadphghe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdnihiad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdnlcakk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiofdmkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olehbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkigbef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Behnkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjeoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmoppefc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hahljg32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bobleeef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdcjgnbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pgnnhbpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lglpbp32.dll" Pciiccbm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fnejdiep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjhopjqi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldlghhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnjklkdh.dll" Pjchjcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kabgha32.dll" Dochelmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccgahe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlilhb32.dll" Clfhml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bphdpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idkcjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khqahnpk.dll" Dflnkjhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgfghodj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Decdmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Egeecf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bnicddki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckhpejbf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbjnqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hclhjpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lomidgkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbjoki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkhdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eaodhk32.dll" Fholmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nddcimag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dccbefif.dll" Gfgpgmql.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dedkbb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mglpjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohcohh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jecnnk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pelnniga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fefhnhpc.dll" Fimclh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnmhogjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfplmh32.dll" Hdolga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hnljkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abdbflnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lofkoamf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bikfklni.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ggpmkgab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hggeeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hggeeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elbkbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfcmlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Djghpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oolbcaij.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccecheeb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kkckblgq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dajabd32.dll" Eehndm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kheaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elpldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffmcdhob.dll" Lmhdph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aafnpkii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jegphc32.dll" Aoihaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mogene32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqijmkfm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kkigfdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nmpkal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcagbppl.dll" Kononm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcmodmbk.dll" Knjdimdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjbcik32.dll" Kqqdjceh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Noplmlok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eeeanm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfflfp32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2868 wrote to memory of 2776 2868 0d0726f38deddf1b3661bd33970ea1ef0617454aaf1d740f06105580c3f720cb.exe 30 PID 2868 wrote to memory of 2776 2868 0d0726f38deddf1b3661bd33970ea1ef0617454aaf1d740f06105580c3f720cb.exe 30 PID 2868 wrote to memory of 2776 2868 0d0726f38deddf1b3661bd33970ea1ef0617454aaf1d740f06105580c3f720cb.exe 30 PID 2868 wrote to memory of 2776 2868 0d0726f38deddf1b3661bd33970ea1ef0617454aaf1d740f06105580c3f720cb.exe 30 PID 2776 wrote to memory of 2796 2776 Qmenhe32.exe 31 PID 2776 wrote to memory of 2796 2776 Qmenhe32.exe 31 PID 2776 wrote to memory of 2796 2776 Qmenhe32.exe 31 PID 2776 wrote to memory of 2796 2776 Qmenhe32.exe 31 PID 2796 wrote to memory of 2772 2796 Afmbak32.exe 32 PID 2796 wrote to memory of 2772 2796 Afmbak32.exe 32 PID 2796 wrote to memory of 2772 2796 Afmbak32.exe 32 PID 2796 wrote to memory of 2772 2796 Afmbak32.exe 32 PID 2772 wrote to memory of 2688 2772 Abdbflnf.exe 33 PID 2772 wrote to memory of 2688 2772 Abdbflnf.exe 33 PID 2772 wrote to memory of 2688 2772 Abdbflnf.exe 33 PID 2772 wrote to memory of 2688 2772 Abdbflnf.exe 33 PID 2688 wrote to memory of 2008 2688 Abfoll32.exe 34 PID 2688 wrote to memory of 2008 2688 Abfoll32.exe 34 PID 2688 wrote to memory of 2008 2688 Abfoll32.exe 34 PID 2688 wrote to memory of 2008 2688 Abfoll32.exe 34 PID 2008 wrote to memory of 2596 2008 Aompambg.exe 35 PID 2008 wrote to memory of 2596 2008 Aompambg.exe 35 PID 2008 wrote to memory of 2596 2008 Aompambg.exe 35 PID 2008 wrote to memory of 2596 2008 Aompambg.exe 35 PID 2596 wrote to memory of 2916 2596 Aoomflpd.exe 36 PID 2596 wrote to memory of 2916 2596 Aoomflpd.exe 36 PID 2596 wrote to memory of 2916 2596 Aoomflpd.exe 36 PID 2596 wrote to memory of 2916 2596 Aoomflpd.exe 36 PID 2916 wrote to memory of 2936 2916 Akfnkmei.exe 37 PID 2916 wrote to memory of 2936 2916 Akfnkmei.exe 37 PID 2916 wrote to memory of 2936 2916 Akfnkmei.exe 37 PID 2916 wrote to memory of 2936 2916 Akfnkmei.exe 37 PID 2936 wrote to memory of 2032 2936 Bkhjamcf.exe 38 PID 2936 wrote to memory of 2032 2936 Bkhjamcf.exe 38 PID 2936 wrote to memory of 2032 2936 Bkhjamcf.exe 38 PID 2936 wrote to memory of 2032 2936 Bkhjamcf.exe 38 PID 2032 wrote to memory of 2140 2032 Cnklgkap.exe 39 PID 2032 wrote to memory of 2140 2032 Cnklgkap.exe 39 PID 2032 wrote to memory of 2140 2032 Cnklgkap.exe 39 PID 2032 wrote to memory of 2140 2032 Cnklgkap.exe 39 PID 2140 wrote to memory of 1148 2140 Dcmnja32.exe 40 PID 2140 wrote to memory of 1148 2140 Dcmnja32.exe 40 PID 2140 wrote to memory of 1148 2140 Dcmnja32.exe 40 PID 2140 wrote to memory of 1148 2140 Dcmnja32.exe 40 PID 1148 wrote to memory of 2460 1148 Decdmi32.exe 41 PID 1148 wrote to memory of 2460 1148 Decdmi32.exe 41 PID 1148 wrote to memory of 2460 1148 Decdmi32.exe 41 PID 1148 wrote to memory of 2460 1148 Decdmi32.exe 41 PID 2460 wrote to memory of 1620 2460 Egfjdchi.exe 42 PID 2460 wrote to memory of 1620 2460 Egfjdchi.exe 42 PID 2460 wrote to memory of 1620 2460 Egfjdchi.exe 42 PID 2460 wrote to memory of 1620 2460 Egfjdchi.exe 42 PID 1620 wrote to memory of 2148 1620 Ecmjid32.exe 43 PID 1620 wrote to memory of 2148 1620 Ecmjid32.exe 43 PID 1620 wrote to memory of 2148 1620 Ecmjid32.exe 43 PID 1620 wrote to memory of 2148 1620 Ecmjid32.exe 43 PID 2148 wrote to memory of 2352 2148 Ephdjeol.exe 44 PID 2148 wrote to memory of 2352 2148 Ephdjeol.exe 44 PID 2148 wrote to memory of 2352 2148 Ephdjeol.exe 44 PID 2148 wrote to memory of 2352 2148 Ephdjeol.exe 44 PID 2352 wrote to memory of 2400 2352 Fpjaodmj.exe 45 PID 2352 wrote to memory of 2400 2352 Fpjaodmj.exe 45 PID 2352 wrote to memory of 2400 2352 Fpjaodmj.exe 45 PID 2352 wrote to memory of 2400 2352 Fpjaodmj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d0726f38deddf1b3661bd33970ea1ef0617454aaf1d740f06105580c3f720cb.exe"C:\Users\Admin\AppData\Local\Temp\0d0726f38deddf1b3661bd33970ea1ef0617454aaf1d740f06105580c3f720cb.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Qmenhe32.exeC:\Windows\system32\Qmenhe32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\Afmbak32.exeC:\Windows\system32\Afmbak32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Abdbflnf.exeC:\Windows\system32\Abdbflnf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Abfoll32.exeC:\Windows\system32\Abfoll32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Windows\SysWOW64\Aompambg.exeC:\Windows\system32\Aompambg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Aoomflpd.exeC:\Windows\system32\Aoomflpd.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Akfnkmei.exeC:\Windows\system32\Akfnkmei.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Bkhjamcf.exeC:\Windows\system32\Bkhjamcf.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Cnklgkap.exeC:\Windows\system32\Cnklgkap.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Dcmnja32.exeC:\Windows\system32\Dcmnja32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Decdmi32.exeC:\Windows\system32\Decdmi32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1148 -
C:\Windows\SysWOW64\Egfjdchi.exeC:\Windows\system32\Egfjdchi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Ecmjid32.exeC:\Windows\system32\Ecmjid32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620 -
C:\Windows\SysWOW64\Ephdjeol.exeC:\Windows\system32\Ephdjeol.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Fpjaodmj.exeC:\Windows\system32\Fpjaodmj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2352 -
C:\Windows\SysWOW64\Fodgkp32.exeC:\Windows\system32\Fodgkp32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Fkkhpadq.exeC:\Windows\system32\Fkkhpadq.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Ggdekbgb.exeC:\Windows\system32\Ggdekbgb.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1476 -
C:\Windows\SysWOW64\Ggfbpaeo.exeC:\Windows\system32\Ggfbpaeo.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:852 -
C:\Windows\SysWOW64\Gdjcjf32.exeC:\Windows\system32\Gdjcjf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:940 -
C:\Windows\SysWOW64\Gcppkbia.exeC:\Windows\system32\Gcppkbia.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2580 -
C:\Windows\SysWOW64\Hljaigmo.exeC:\Windows\system32\Hljaigmo.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Imhqbkbm.exeC:\Windows\system32\Imhqbkbm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2324 -
C:\Windows\SysWOW64\Iqhfnifq.exeC:\Windows\system32\Iqhfnifq.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Ijqjgo32.exeC:\Windows\system32\Ijqjgo32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2876 -
C:\Windows\SysWOW64\Jihdnk32.exeC:\Windows\system32\Jihdnk32.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2220 -
C:\Windows\SysWOW64\Jnemfa32.exeC:\Windows\system32\Jnemfa32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1668 -
C:\Windows\SysWOW64\Jkkjeeke.exeC:\Windows\system32\Jkkjeeke.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668 -
C:\Windows\SysWOW64\Jecnnk32.exeC:\Windows\system32\Jecnnk32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Kgdgpfnf.exeC:\Windows\system32\Kgdgpfnf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1060 -
C:\Windows\SysWOW64\Kamlhl32.exeC:\Windows\system32\Kamlhl32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2964 -
C:\Windows\SysWOW64\Keoabo32.exeC:\Windows\system32\Keoabo32.exe33⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Kfnnlboi.exeC:\Windows\system32\Kfnnlboi.exe34⤵
- Executes dropped EXE
PID:1448 -
C:\Windows\SysWOW64\Kbenacdm.exeC:\Windows\system32\Kbenacdm.exe35⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\Ldhgnk32.exeC:\Windows\system32\Ldhgnk32.exe36⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Lpaehl32.exeC:\Windows\system32\Lpaehl32.exe37⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Laaabo32.exeC:\Windows\system32\Laaabo32.exe38⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Mlmoilni.exeC:\Windows\system32\Mlmoilni.exe39⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Miapbpmb.exeC:\Windows\system32\Miapbpmb.exe40⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Miclhpjp.exeC:\Windows\system32\Miclhpjp.exe41⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Mclqqeaq.exeC:\Windows\system32\Mclqqeaq.exe42⤵
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Mhhiiloh.exeC:\Windows\system32\Mhhiiloh.exe43⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Meljbqna.exeC:\Windows\system32\Meljbqna.exe44⤵
- Executes dropped EXE
PID:1460 -
C:\Windows\SysWOW64\Moenkf32.exeC:\Windows\system32\Moenkf32.exe45⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Ngpcohbm.exeC:\Windows\system32\Ngpcohbm.exe46⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Nddcimag.exeC:\Windows\system32\Nddcimag.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2056 -
C:\Windows\SysWOW64\Nlohmonb.exeC:\Windows\system32\Nlohmonb.exe48⤵
- Executes dropped EXE
PID:108 -
C:\Windows\SysWOW64\Nladco32.exeC:\Windows\system32\Nladco32.exe49⤵
- Executes dropped EXE
PID:1932 -
C:\Windows\SysWOW64\Njeelc32.exeC:\Windows\system32\Njeelc32.exe50⤵
- Executes dropped EXE
PID:2744 -
C:\Windows\SysWOW64\Nobndj32.exeC:\Windows\system32\Nobndj32.exe51⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Okinik32.exeC:\Windows\system32\Okinik32.exe52⤵
- Executes dropped EXE
PID:1268 -
C:\Windows\SysWOW64\Ohmoco32.exeC:\Windows\system32\Ohmoco32.exe53⤵
- Executes dropped EXE
PID:2548 -
C:\Windows\SysWOW64\Ofaolcmh.exeC:\Windows\system32\Ofaolcmh.exe54⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Onldqejb.exeC:\Windows\system32\Onldqejb.exe55⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Ogdhik32.exeC:\Windows\system32\Ogdhik32.exe56⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Okbapi32.exeC:\Windows\system32\Okbapi32.exe57⤵
- Executes dropped EXE
PID:2260 -
C:\Windows\SysWOW64\Pcnfdl32.exeC:\Windows\system32\Pcnfdl32.exe58⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Pmfjmake.exeC:\Windows\system32\Pmfjmake.exe59⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Pjjkfe32.exeC:\Windows\system32\Pjjkfe32.exe60⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Pfqlkfoc.exeC:\Windows\system32\Pfqlkfoc.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:760 -
C:\Windows\SysWOW64\Ppipdl32.exeC:\Windows\system32\Ppipdl32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2812 -
C:\Windows\SysWOW64\Plpqim32.exeC:\Windows\system32\Plpqim32.exe63⤵
- Executes dropped EXE
PID:1800 -
C:\Windows\SysWOW64\Pidaba32.exeC:\Windows\system32\Pidaba32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:948 -
C:\Windows\SysWOW64\Qaofgc32.exeC:\Windows\system32\Qaofgc32.exe65⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Qncfphff.exeC:\Windows\system32\Qncfphff.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1908 -
C:\Windows\SysWOW64\Qlggjlep.exeC:\Windows\system32\Qlggjlep.exe67⤵PID:1712
-
C:\Windows\SysWOW64\Anecfgdc.exeC:\Windows\system32\Anecfgdc.exe68⤵PID:1716
-
C:\Windows\SysWOW64\Ahpddmia.exeC:\Windows\system32\Ahpddmia.exe69⤵
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Bikcbc32.exeC:\Windows\system32\Bikcbc32.exe70⤵PID:2664
-
C:\Windows\SysWOW64\Bimphc32.exeC:\Windows\system32\Bimphc32.exe71⤵PID:1016
-
C:\Windows\SysWOW64\Bakaaepk.exeC:\Windows\system32\Bakaaepk.exe72⤵PID:2000
-
C:\Windows\SysWOW64\Boobki32.exeC:\Windows\system32\Boobki32.exe73⤵
- Drops file in System32 directory
PID:2928 -
C:\Windows\SysWOW64\Cdkkcp32.exeC:\Windows\system32\Cdkkcp32.exe74⤵PID:2904
-
C:\Windows\SysWOW64\Ccqhdmbc.exeC:\Windows\system32\Ccqhdmbc.exe75⤵PID:624
-
C:\Windows\SysWOW64\Ckhpejbf.exeC:\Windows\system32\Ckhpejbf.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1092 -
C:\Windows\SysWOW64\Cdpdnpif.exeC:\Windows\system32\Cdpdnpif.exe77⤵PID:1080
-
C:\Windows\SysWOW64\Cpgecq32.exeC:\Windows\system32\Cpgecq32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3056 -
C:\Windows\SysWOW64\Cfcmlg32.exeC:\Windows\system32\Cfcmlg32.exe79⤵
- Drops file in System32 directory
- Modifies registry class
PID:2108 -
C:\Windows\SysWOW64\Cbjnqh32.exeC:\Windows\system32\Cbjnqh32.exe80⤵
- Modifies registry class
PID:1732 -
C:\Windows\SysWOW64\Dcjjkkji.exeC:\Windows\system32\Dcjjkkji.exe81⤵PID:1472
-
C:\Windows\SysWOW64\Dhgccbhp.exeC:\Windows\system32\Dhgccbhp.exe82⤵PID:1900
-
C:\Windows\SysWOW64\Dfkclf32.exeC:\Windows\system32\Dfkclf32.exe83⤵
- Drops file in System32 directory
PID:1876 -
C:\Windows\SysWOW64\Dochelmj.exeC:\Windows\system32\Dochelmj.exe84⤵
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Dgnminke.exeC:\Windows\system32\Dgnminke.exe85⤵PID:2492
-
C:\Windows\SysWOW64\Dnhefh32.exeC:\Windows\system32\Dnhefh32.exe86⤵
- Drops file in System32 directory
PID:2684 -
C:\Windows\SysWOW64\Djoeki32.exeC:\Windows\system32\Djoeki32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2644 -
C:\Windows\SysWOW64\Dqinhcoc.exeC:\Windows\system32\Dqinhcoc.exe88⤵PID:3044
-
C:\Windows\SysWOW64\Efffpjmk.exeC:\Windows\system32\Efffpjmk.exe89⤵PID:700
-
C:\Windows\SysWOW64\Eqkjmcmq.exeC:\Windows\system32\Eqkjmcmq.exe90⤵
- System Location Discovery: System Language Discovery
PID:1596 -
C:\Windows\SysWOW64\Epqgopbi.exeC:\Windows\system32\Epqgopbi.exe91⤵PID:1632
-
C:\Windows\SysWOW64\Ejfllhao.exeC:\Windows\system32\Ejfllhao.exe92⤵PID:1748
-
C:\Windows\SysWOW64\Ecnpdnho.exeC:\Windows\system32\Ecnpdnho.exe93⤵PID:3012
-
C:\Windows\SysWOW64\Epeajo32.exeC:\Windows\system32\Epeajo32.exe94⤵
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Einebddd.exeC:\Windows\system32\Einebddd.exe95⤵PID:1700
-
C:\Windows\SysWOW64\Fpgnoo32.exeC:\Windows\system32\Fpgnoo32.exe96⤵PID:288
-
C:\Windows\SysWOW64\Fhbbcail.exeC:\Windows\system32\Fhbbcail.exe97⤵PID:2724
-
C:\Windows\SysWOW64\Fefcmehe.exeC:\Windows\system32\Fefcmehe.exe98⤵PID:1704
-
C:\Windows\SysWOW64\Fnogfk32.exeC:\Windows\system32\Fnogfk32.exe99⤵PID:524
-
C:\Windows\SysWOW64\Fhglop32.exeC:\Windows\system32\Fhglop32.exe100⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SysWOW64\Fdnlcakk.exeC:\Windows\system32\Fdnlcakk.exe101⤵
- System Location Discovery: System Language Discovery
PID:1348 -
C:\Windows\SysWOW64\Fikelhib.exeC:\Windows\system32\Fikelhib.exe102⤵PID:2756
-
C:\Windows\SysWOW64\Gbcien32.exeC:\Windows\system32\Gbcien32.exe103⤵PID:2968
-
C:\Windows\SysWOW64\Gllnnc32.exeC:\Windows\system32\Gllnnc32.exe104⤵PID:1492
-
C:\Windows\SysWOW64\Gmkjgfmf.exeC:\Windows\system32\Gmkjgfmf.exe105⤵
- Drops file in System32 directory
PID:1264 -
C:\Windows\SysWOW64\Gbhcpmkm.exeC:\Windows\system32\Gbhcpmkm.exe106⤵PID:2248
-
C:\Windows\SysWOW64\Gbjpem32.exeC:\Windows\system32\Gbjpem32.exe107⤵PID:2124
-
C:\Windows\SysWOW64\Gidhbgag.exeC:\Windows\system32\Gidhbgag.exe108⤵PID:1256
-
C:\Windows\SysWOW64\Gdnibdmf.exeC:\Windows\system32\Gdnibdmf.exe109⤵PID:1612
-
C:\Windows\SysWOW64\Hmfmkjdf.exeC:\Windows\system32\Hmfmkjdf.exe110⤵PID:2296
-
C:\Windows\SysWOW64\Hkjnenbp.exeC:\Windows\system32\Hkjnenbp.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1248 -
C:\Windows\SysWOW64\Hpgfmeag.exeC:\Windows\system32\Hpgfmeag.exe112⤵PID:2648
-
C:\Windows\SysWOW64\Hnkffi32.exeC:\Windows\system32\Hnkffi32.exe113⤵PID:2116
-
C:\Windows\SysWOW64\Hibgkjee.exeC:\Windows\system32\Hibgkjee.exe114⤵PID:2748
-
C:\Windows\SysWOW64\Hgfheodo.exeC:\Windows\system32\Hgfheodo.exe115⤵PID:1616
-
C:\Windows\SysWOW64\Hclhjpjc.exeC:\Windows\system32\Hclhjpjc.exe116⤵
- Modifies registry class
PID:2984 -
C:\Windows\SysWOW64\Icoepohq.exeC:\Windows\system32\Icoepohq.exe117⤵
- Drops file in System32 directory
PID:544 -
C:\Windows\SysWOW64\Ikjjda32.exeC:\Windows\system32\Ikjjda32.exe118⤵PID:2292
-
C:\Windows\SysWOW64\Iohbjpkb.exeC:\Windows\system32\Iohbjpkb.exe119⤵PID:916
-
C:\Windows\SysWOW64\Idekbgji.exeC:\Windows\system32\Idekbgji.exe120⤵PID:2564
-
C:\Windows\SysWOW64\Idghhf32.exeC:\Windows\system32\Idghhf32.exe121⤵
- System Location Discovery: System Language Discovery
PID:2420
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-