Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
04/02/2025, 01:56
Behavioral task
behavioral1
Sample
88decb883cb5cbfc9e91da603209dc33e0822b5ee8ea7b85070595519d3dd73f.exe
Resource
win7-20241010-en
windows7-x64
12 signatures
150 seconds
General
-
Target
88decb883cb5cbfc9e91da603209dc33e0822b5ee8ea7b85070595519d3dd73f.exe
-
Size
93KB
-
MD5
ee1a4bae90f5e359d46ae923fa9d23fe
-
SHA1
b211e3412293cc67fe9579925f22aed7ff5a2c80
-
SHA256
88decb883cb5cbfc9e91da603209dc33e0822b5ee8ea7b85070595519d3dd73f
-
SHA512
74ec2fc0e545cfd53c3484d9b6a9e55c64b89550f5455ea7160f8f3552db67351bd2ef48d296b952f8af13c415f8b325f124c747864ba0a1d6839a7df6edfdf8
-
SSDEEP
1536:42n4gwpZYTD75OyLQLvDhwMpTvkAAodR1DaYfMZRWuLsV+1B:404gwpZs759MLvDhwMxkAXdRgYfc0DVc
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmdepg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmmbqegc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jehlkhig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lkdjglfo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fabaocfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqolji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhonjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njpgpbpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgdibkam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mdiefffn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goldfelp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ofhjopbg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhahanie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mneohj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncmglp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aognbnkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kajiigba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifgpnmom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khohkamc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgjjad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fihfnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad 88decb883cb5cbfc9e91da603209dc33e0822b5ee8ea7b85070595519d3dd73f.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhlmmfef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgffhkoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iikifegp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfdenafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kokmmkcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ohhmcinf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlfgcl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idgglb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bcmfmlen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iikifegp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ppfomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epbpbnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkbgckgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifbdnbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfaalh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaqbln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhoklnkg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdhifooi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dppigchi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kablnadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcphnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnaiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpohakbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phklaacg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgblmk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pehcij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibhicbao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkdmfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Najpll32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjhjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qcachc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dokfme32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fnibcd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Joidhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmgmpnhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Peefcjlg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmbndmkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldjpbign.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Caaggpdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijibng32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2124 Iiecgjba.exe 2316 Ioakoq32.exe 2128 Ioakoq32.exe 2952 Jlelhe32.exe 2812 Jkhldafl.exe 2724 Jhlmmfef.exe 2996 Jofejpmc.exe 2372 Jkmeoa32.exe 676 Jpjngh32.exe 2928 Jaijak32.exe 780 Jdhgnf32.exe 2908 Jnpkflne.exe 540 Kfkpknkq.exe 1852 Klehgh32.exe 2284 Kcopdb32.exe 544 Klhemhpk.exe 2340 Kcamjb32.exe 424 Kohnoc32.exe 2356 Kbgjkn32.exe 1300 Kfbfkmeh.exe 2548 Kllnhg32.exe 2240 Kokjdb32.exe 1932 Kfebambf.exe 1920 Lkakicam.exe 2496 Lblcfnhj.exe 1608 Ldjpbign.exe 892 Ljghjpfe.exe 2816 Lgkhdddo.exe 2328 Lqcmmjko.exe 1144 Ldoimh32.exe 3044 Ljkaeo32.exe 1440 Lfbbjpgd.exe 2732 Liqoflfh.exe 592 Mfdopp32.exe 2920 Micklk32.exe 2788 Mkaghg32.exe 988 Mpmcielb.exe 1620 Mejlalji.exe 264 Mmadbjkk.exe 2004 Mlfacfpc.exe 1820 Mbpipp32.exe 2668 Meoell32.exe 1072 Mjkndb32.exe 1712 Maefamlh.exe 1568 Mhonngce.exe 2480 Necogkbo.exe 272 Nhakcfab.exe 1684 Njpgpbpf.exe 1716 Najpll32.exe 1616 Nhdhif32.exe 632 Njbdea32.exe 2820 Nmqpam32.exe 2712 Nbniid32.exe 2736 Nfidjbdg.exe 2752 Nigafnck.exe 2564 Nmcmgm32.exe 708 Nlfmbibo.exe 2864 Nfkapb32.exe 2900 Nmejllia.exe 1644 Nlhjhi32.exe 824 Noffdd32.exe 1980 Nbbbdcgi.exe 2400 Neqnqofm.exe 1528 Ohojmjep.exe -
Loads dropped DLL 64 IoCs
pid Process 1196 88decb883cb5cbfc9e91da603209dc33e0822b5ee8ea7b85070595519d3dd73f.exe 1196 88decb883cb5cbfc9e91da603209dc33e0822b5ee8ea7b85070595519d3dd73f.exe 2124 Iiecgjba.exe 2124 Iiecgjba.exe 2316 Ioakoq32.exe 2316 Ioakoq32.exe 2128 Ioakoq32.exe 2128 Ioakoq32.exe 2952 Jlelhe32.exe 2952 Jlelhe32.exe 2812 Jkhldafl.exe 2812 Jkhldafl.exe 2724 Jhlmmfef.exe 2724 Jhlmmfef.exe 2996 Jofejpmc.exe 2996 Jofejpmc.exe 2372 Jkmeoa32.exe 2372 Jkmeoa32.exe 676 Jpjngh32.exe 676 Jpjngh32.exe 2928 Jaijak32.exe 2928 Jaijak32.exe 780 Jdhgnf32.exe 780 Jdhgnf32.exe 2908 Jnpkflne.exe 2908 Jnpkflne.exe 540 Kfkpknkq.exe 540 Kfkpknkq.exe 1852 Klehgh32.exe 1852 Klehgh32.exe 2284 Kcopdb32.exe 2284 Kcopdb32.exe 544 Klhemhpk.exe 544 Klhemhpk.exe 2340 Kcamjb32.exe 2340 Kcamjb32.exe 424 Kohnoc32.exe 424 Kohnoc32.exe 2356 Kbgjkn32.exe 2356 Kbgjkn32.exe 1300 Kfbfkmeh.exe 1300 Kfbfkmeh.exe 2548 Kllnhg32.exe 2548 Kllnhg32.exe 2240 Kokjdb32.exe 2240 Kokjdb32.exe 1932 Kfebambf.exe 1932 Kfebambf.exe 1920 Lkakicam.exe 1920 Lkakicam.exe 2496 Lblcfnhj.exe 2496 Lblcfnhj.exe 1608 Ldjpbign.exe 1608 Ldjpbign.exe 892 Ljghjpfe.exe 892 Ljghjpfe.exe 2816 Lgkhdddo.exe 2816 Lgkhdddo.exe 2328 Lqcmmjko.exe 2328 Lqcmmjko.exe 1144 Ldoimh32.exe 1144 Ldoimh32.exe 3044 Ljkaeo32.exe 3044 Ljkaeo32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lpdonf32.dll Kaajei32.exe File created C:\Windows\SysWOW64\Kmapmi32.dll Bkhhhd32.exe File created C:\Windows\SysWOW64\Gnphdceh.exe Ggfpgi32.exe File created C:\Windows\SysWOW64\Benmkbnn.dll Hieiqo32.exe File created C:\Windows\SysWOW64\Hembkl32.dll 88decb883cb5cbfc9e91da603209dc33e0822b5ee8ea7b85070595519d3dd73f.exe File created C:\Windows\SysWOW64\Elilld32.dll Ecnoijbd.exe File created C:\Windows\SysWOW64\Dimkiekk.dll Ljddjj32.exe File created C:\Windows\SysWOW64\Ckboie32.dll Qdaglmcb.exe File opened for modification C:\Windows\SysWOW64\Cpkmcldj.exe Ciaefa32.exe File created C:\Windows\SysWOW64\Iddlde32.dll Llomfpag.exe File created C:\Windows\SysWOW64\Apimlcdc.dll Ponklpcg.exe File created C:\Windows\SysWOW64\Lnhjhg32.dll Ajhddk32.exe File created C:\Windows\SysWOW64\Nedamakn.dll Cfckcoen.exe File opened for modification C:\Windows\SysWOW64\Pkjphcff.exe Phlclgfc.exe File created C:\Windows\SysWOW64\Lonibk32.exe Llomfpag.exe File created C:\Windows\SysWOW64\Fjlcglnk.dll Famope32.exe File opened for modification C:\Windows\SysWOW64\Knmdeioh.exe Kcgphp32.exe File created C:\Windows\SysWOW64\Bccmmf32.exe Bqeqqk32.exe File created C:\Windows\SysWOW64\Dlfqea32.dll Pioeoi32.exe File opened for modification C:\Windows\SysWOW64\Baefnmml.exe Bkknac32.exe File opened for modification C:\Windows\SysWOW64\Cfckcoen.exe Cbgobp32.exe File created C:\Windows\SysWOW64\Genddmep.dll Ohfqmi32.exe File created C:\Windows\SysWOW64\Jajjnjlc.dll Cicalakk.exe File created C:\Windows\SysWOW64\Demaoj32.exe Daaenlng.exe File opened for modification C:\Windows\SysWOW64\Qackpado.exe Qkibcg32.exe File opened for modification C:\Windows\SysWOW64\Fahhnn32.exe Eojlbb32.exe File opened for modification C:\Windows\SysWOW64\Jlphbbbg.exe Jialfgcc.exe File opened for modification C:\Windows\SysWOW64\Nmflee32.exe Njgpij32.exe File created C:\Windows\SysWOW64\Cdoime32.dll Famaimfe.exe File opened for modification C:\Windows\SysWOW64\Piqpkpml.exe Peedka32.exe File created C:\Windows\SysWOW64\Cnnppecd.dll Akiobk32.exe File created C:\Windows\SysWOW64\Bnfddp32.exe Bkhhhd32.exe File opened for modification C:\Windows\SysWOW64\Plmbkd32.exe Pioeoi32.exe File created C:\Windows\SysWOW64\Bhcool32.dll Dmmpolof.exe File created C:\Windows\SysWOW64\Gkepinpk.dll Jofejpmc.exe File opened for modification C:\Windows\SysWOW64\Illbhp32.exe Ieajkfmd.exe File created C:\Windows\SysWOW64\Iknafhjb.exe Iediin32.exe File created C:\Windows\SysWOW64\Llmmpcfe.exe Lnjldf32.exe File created C:\Windows\SysWOW64\Pfpibn32.exe Pdbmfb32.exe File created C:\Windows\SysWOW64\Kagflkia.dll Nbhhdnlh.exe File created C:\Windows\SysWOW64\Fiqhbk32.dll Alqnah32.exe File created C:\Windows\SysWOW64\Bieopm32.exe Bffbdadk.exe File opened for modification C:\Windows\SysWOW64\Opfbngfb.exe Ohojmjep.exe File opened for modification C:\Windows\SysWOW64\Bgdibkam.exe Befmfpbi.exe File opened for modification C:\Windows\SysWOW64\Eddeladm.exe Eogmcjef.exe File created C:\Windows\SysWOW64\Anjnnk32.exe Aognbnkm.exe File created C:\Windows\SysWOW64\Bimoloog.exe Bbbgod32.exe File created C:\Windows\SysWOW64\Cmfkfa32.exe Cnckjddd.exe File created C:\Windows\SysWOW64\Hjhmbnfb.dll Cnckjddd.exe File created C:\Windows\SysWOW64\Bjmeiq32.exe Bccmmf32.exe File created C:\Windows\SysWOW64\Bddlnn32.dll Klhemhpk.exe File created C:\Windows\SysWOW64\Pcghof32.exe Poklngnf.exe File created C:\Windows\SysWOW64\Ieponofk.exe Ibacbcgg.exe File created C:\Windows\SysWOW64\Iqpflded.dll Lbafdlod.exe File created C:\Windows\SysWOW64\Fabaocfl.exe Fkhibino.exe File created C:\Windows\SysWOW64\Cpgkadij.dll Jlkngc32.exe File created C:\Windows\SysWOW64\Kjaaeimj.dll Khohkamc.exe File opened for modification C:\Windows\SysWOW64\Hdpcokdo.exe Gnfkba32.exe File created C:\Windows\SysWOW64\Cnckjddd.exe Bflbigdb.exe File opened for modification C:\Windows\SysWOW64\Ioohokoo.exe Ifgpnmom.exe File created C:\Windows\SysWOW64\Jjhgbd32.exe Jcnoejch.exe File created C:\Windows\SysWOW64\Moeinj32.dll Cbepdhgc.exe File created C:\Windows\SysWOW64\Gnmbpf32.dll Bhbkpgbf.exe File opened for modification C:\Windows\SysWOW64\Hkjkle32.exe Hhkopj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8128 9208 WerFault.exe 911 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcbabpcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmicfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofadnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffaaoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiioon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adnpkjde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmeeepjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mciabmlo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncinap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfckcoen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Homdhjai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnhgha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddeladm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaiol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcmamj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iichjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobdgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eemnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjhabndo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdlggg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaphjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmqapci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkjkle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbadjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inlkik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnmpdlac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhbkohm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlkfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnchhllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iikkon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdadjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgocmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmneg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deakjjbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhpgfeao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkmeoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlfacfpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqbbagjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njpihk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhahanie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjfnnajl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbmome32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfkpknkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpkibo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fncpef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqolji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djlfma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lanbdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Colpld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kllnhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqnah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjobffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmofdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fooembgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpjngh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daofpchf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipeaco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neqnqofm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojglhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Noffdd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iphgln32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mkfclo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maefamlh.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgpgjepk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cnckjddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbcbjlmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Komjgdhc.dll" Adlcfjgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcnoejch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlelhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epphbb32.dll" Kfebambf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eljnnl32.dll" Pmgbao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Padhdm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcbnpgkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgjjad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hpdjnn32.dll" Jmdgipkk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekfpmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmjoqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aciqcifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Inlkik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjhjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmjoqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifpcchai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edaalk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cmkfji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbmome32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hmmbqegc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kaompi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmmeon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifolhann.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdaglmcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpmjhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omklkkpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qnghel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecqgacgg.dll" Igoomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmbhcoif.dll" Aognbnkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fakdcnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flnlpo32.dll" Jpbalb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dcllbhdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iomhdbkn.dll" Cfnoogbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifpcchai.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jaijak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idkhmgco.dll" Poklngnf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aijbfo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bofgii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbhnia32.dll" Bfioia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmnnpb32.dll" Flocfmnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnmdhn32.dll" Gnkoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afbqkf32.dll" Micklk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlomqkmp.dll" Ipeaco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kccllg32.dll" Lhiakf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Maadfi32.dll" Ilcalnii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jabponba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nigafnck.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jialfgcc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knmdeioh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjjaikoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hellqgnm.dll" Glbaei32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ppfomk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piqpkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqgono32.dll" Dogpdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gefcmp32.dll" Qejpoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lqapifjb.dll" Fijbco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffakjm32.dll" Khjgel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oehdan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnlibhd.dll" Plolgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abpcooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekfpmf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1196 wrote to memory of 2124 1196 88decb883cb5cbfc9e91da603209dc33e0822b5ee8ea7b85070595519d3dd73f.exe 30 PID 1196 wrote to memory of 2124 1196 88decb883cb5cbfc9e91da603209dc33e0822b5ee8ea7b85070595519d3dd73f.exe 30 PID 1196 wrote to memory of 2124 1196 88decb883cb5cbfc9e91da603209dc33e0822b5ee8ea7b85070595519d3dd73f.exe 30 PID 1196 wrote to memory of 2124 1196 88decb883cb5cbfc9e91da603209dc33e0822b5ee8ea7b85070595519d3dd73f.exe 30 PID 2124 wrote to memory of 2316 2124 Iiecgjba.exe 31 PID 2124 wrote to memory of 2316 2124 Iiecgjba.exe 31 PID 2124 wrote to memory of 2316 2124 Iiecgjba.exe 31 PID 2124 wrote to memory of 2316 2124 Iiecgjba.exe 31 PID 2316 wrote to memory of 2128 2316 Ioakoq32.exe 32 PID 2316 wrote to memory of 2128 2316 Ioakoq32.exe 32 PID 2316 wrote to memory of 2128 2316 Ioakoq32.exe 32 PID 2316 wrote to memory of 2128 2316 Ioakoq32.exe 32 PID 2128 wrote to memory of 2952 2128 Ioakoq32.exe 33 PID 2128 wrote to memory of 2952 2128 Ioakoq32.exe 33 PID 2128 wrote to memory of 2952 2128 Ioakoq32.exe 33 PID 2128 wrote to memory of 2952 2128 Ioakoq32.exe 33 PID 2952 wrote to memory of 2812 2952 Jlelhe32.exe 34 PID 2952 wrote to memory of 2812 2952 Jlelhe32.exe 34 PID 2952 wrote to memory of 2812 2952 Jlelhe32.exe 34 PID 2952 wrote to memory of 2812 2952 Jlelhe32.exe 34 PID 2812 wrote to memory of 2724 2812 Jkhldafl.exe 35 PID 2812 wrote to memory of 2724 2812 Jkhldafl.exe 35 PID 2812 wrote to memory of 2724 2812 Jkhldafl.exe 35 PID 2812 wrote to memory of 2724 2812 Jkhldafl.exe 35 PID 2724 wrote to memory of 2996 2724 Jhlmmfef.exe 36 PID 2724 wrote to memory of 2996 2724 Jhlmmfef.exe 36 PID 2724 wrote to memory of 2996 2724 Jhlmmfef.exe 36 PID 2724 wrote to memory of 2996 2724 Jhlmmfef.exe 36 PID 2996 wrote to memory of 2372 2996 Jofejpmc.exe 37 PID 2996 wrote to memory of 2372 2996 Jofejpmc.exe 37 PID 2996 wrote to memory of 2372 2996 Jofejpmc.exe 37 PID 2996 wrote to memory of 2372 2996 Jofejpmc.exe 37 PID 2372 wrote to memory of 676 2372 Jkmeoa32.exe 38 PID 2372 wrote to memory of 676 2372 Jkmeoa32.exe 38 PID 2372 wrote to memory of 676 2372 Jkmeoa32.exe 38 PID 2372 wrote to memory of 676 2372 Jkmeoa32.exe 38 PID 676 wrote to memory of 2928 676 Jpjngh32.exe 39 PID 676 wrote to memory of 2928 676 Jpjngh32.exe 39 PID 676 wrote to memory of 2928 676 Jpjngh32.exe 39 PID 676 wrote to memory of 2928 676 Jpjngh32.exe 39 PID 2928 wrote to memory of 780 2928 Jaijak32.exe 40 PID 2928 wrote to memory of 780 2928 Jaijak32.exe 40 PID 2928 wrote to memory of 780 2928 Jaijak32.exe 40 PID 2928 wrote to memory of 780 2928 Jaijak32.exe 40 PID 780 wrote to memory of 2908 780 Jdhgnf32.exe 41 PID 780 wrote to memory of 2908 780 Jdhgnf32.exe 41 PID 780 wrote to memory of 2908 780 Jdhgnf32.exe 41 PID 780 wrote to memory of 2908 780 Jdhgnf32.exe 41 PID 2908 wrote to memory of 540 2908 Jnpkflne.exe 42 PID 2908 wrote to memory of 540 2908 Jnpkflne.exe 42 PID 2908 wrote to memory of 540 2908 Jnpkflne.exe 42 PID 2908 wrote to memory of 540 2908 Jnpkflne.exe 42 PID 540 wrote to memory of 1852 540 Kfkpknkq.exe 43 PID 540 wrote to memory of 1852 540 Kfkpknkq.exe 43 PID 540 wrote to memory of 1852 540 Kfkpknkq.exe 43 PID 540 wrote to memory of 1852 540 Kfkpknkq.exe 43 PID 1852 wrote to memory of 2284 1852 Klehgh32.exe 44 PID 1852 wrote to memory of 2284 1852 Klehgh32.exe 44 PID 1852 wrote to memory of 2284 1852 Klehgh32.exe 44 PID 1852 wrote to memory of 2284 1852 Klehgh32.exe 44 PID 2284 wrote to memory of 544 2284 Kcopdb32.exe 45 PID 2284 wrote to memory of 544 2284 Kcopdb32.exe 45 PID 2284 wrote to memory of 544 2284 Kcopdb32.exe 45 PID 2284 wrote to memory of 544 2284 Kcopdb32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\88decb883cb5cbfc9e91da603209dc33e0822b5ee8ea7b85070595519d3dd73f.exe"C:\Users\Admin\AppData\Local\Temp\88decb883cb5cbfc9e91da603209dc33e0822b5ee8ea7b85070595519d3dd73f.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2316 -
C:\Windows\SysWOW64\Ioakoq32.exeC:\Windows\system32\Ioakoq32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Jkhldafl.exeC:\Windows\system32\Jkhldafl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2812 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2996 -
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:676 -
C:\Windows\SysWOW64\Jaijak32.exeC:\Windows\system32\Jaijak32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Jnpkflne.exeC:\Windows\system32\Jnpkflne.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Klehgh32.exeC:\Windows\system32\Klehgh32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1852 -
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:544 -
C:\Windows\SysWOW64\Kcamjb32.exeC:\Windows\system32\Kcamjb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:424 -
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Kfbfkmeh.exeC:\Windows\system32\Kfbfkmeh.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Kllnhg32.exeC:\Windows\system32\Kllnhg32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920 -
C:\Windows\SysWOW64\Lblcfnhj.exeC:\Windows\system32\Lblcfnhj.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2496 -
C:\Windows\SysWOW64\Ldjpbign.exeC:\Windows\system32\Ldjpbign.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Ljghjpfe.exeC:\Windows\system32\Ljghjpfe.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Lgkhdddo.exeC:\Windows\system32\Lgkhdddo.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Lqcmmjko.exeC:\Windows\system32\Lqcmmjko.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Ldoimh32.exeC:\Windows\system32\Ldoimh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1144 -
C:\Windows\SysWOW64\Ljkaeo32.exeC:\Windows\system32\Ljkaeo32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3044 -
C:\Windows\SysWOW64\Lfbbjpgd.exeC:\Windows\system32\Lfbbjpgd.exe33⤵
- Executes dropped EXE
PID:1440 -
C:\Windows\SysWOW64\Liqoflfh.exeC:\Windows\system32\Liqoflfh.exe34⤵
- Executes dropped EXE
PID:2732 -
C:\Windows\SysWOW64\Mfdopp32.exeC:\Windows\system32\Mfdopp32.exe35⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Micklk32.exeC:\Windows\system32\Micklk32.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2920 -
C:\Windows\SysWOW64\Mkaghg32.exeC:\Windows\system32\Mkaghg32.exe37⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Mpmcielb.exeC:\Windows\system32\Mpmcielb.exe38⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Mejlalji.exeC:\Windows\system32\Mejlalji.exe39⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Mmadbjkk.exeC:\Windows\system32\Mmadbjkk.exe40⤵
- Executes dropped EXE
PID:264 -
C:\Windows\SysWOW64\Mlfacfpc.exeC:\Windows\system32\Mlfacfpc.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2004 -
C:\Windows\SysWOW64\Mbpipp32.exeC:\Windows\system32\Mbpipp32.exe42⤵
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Meoell32.exeC:\Windows\system32\Meoell32.exe43⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Mjkndb32.exeC:\Windows\system32\Mjkndb32.exe44⤵
- Executes dropped EXE
PID:1072 -
C:\Windows\SysWOW64\Maefamlh.exeC:\Windows\system32\Maefamlh.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Mhonngce.exeC:\Windows\system32\Mhonngce.exe46⤵
- Executes dropped EXE
PID:1568 -
C:\Windows\SysWOW64\Necogkbo.exeC:\Windows\system32\Necogkbo.exe47⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Nhakcfab.exeC:\Windows\system32\Nhakcfab.exe48⤵
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Njpgpbpf.exeC:\Windows\system32\Njpgpbpf.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Nhdhif32.exeC:\Windows\system32\Nhdhif32.exe51⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe52⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Nmqpam32.exeC:\Windows\system32\Nmqpam32.exe53⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Nbniid32.exeC:\Windows\system32\Nbniid32.exe54⤵
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe55⤵
- Executes dropped EXE
PID:2736 -
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2752 -
C:\Windows\SysWOW64\Nmcmgm32.exeC:\Windows\system32\Nmcmgm32.exe57⤵
- Executes dropped EXE
PID:2564 -
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe58⤵
- Executes dropped EXE
PID:708 -
C:\Windows\SysWOW64\Nfkapb32.exeC:\Windows\system32\Nfkapb32.exe59⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe60⤵
- Executes dropped EXE
PID:2900 -
C:\Windows\SysWOW64\Nlhjhi32.exeC:\Windows\system32\Nlhjhi32.exe61⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Noffdd32.exeC:\Windows\system32\Noffdd32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:824 -
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe63⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2400 -
C:\Windows\SysWOW64\Ohojmjep.exeC:\Windows\system32\Ohojmjep.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1528 -
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe66⤵PID:2216
-
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe67⤵PID:1804
-
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe68⤵PID:2260
-
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe69⤵PID:2172
-
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe70⤵PID:2840
-
C:\Windows\SysWOW64\Odhhgkib.exeC:\Windows\system32\Odhhgkib.exe71⤵PID:3008
-
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe72⤵PID:2856
-
C:\Windows\SysWOW64\Oonldcih.exeC:\Windows\system32\Oonldcih.exe73⤵PID:2720
-
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe74⤵PID:656
-
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe75⤵
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Ohfqmi32.exeC:\Windows\system32\Ohfqmi32.exe76⤵
- Drops file in System32 directory
PID:2112 -
C:\Windows\SysWOW64\Okdmjdol.exeC:\Windows\system32\Okdmjdol.exe77⤵PID:2776
-
C:\Windows\SysWOW64\Omcifpnp.exeC:\Windows\system32\Omcifpnp.exe78⤵PID:2516
-
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1972 -
C:\Windows\SysWOW64\Okgjodmi.exeC:\Windows\system32\Okgjodmi.exe80⤵PID:1704
-
C:\Windows\SysWOW64\Oaqbln32.exeC:\Windows\system32\Oaqbln32.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:612 -
C:\Windows\SysWOW64\Pdonhj32.exeC:\Windows\system32\Pdonhj32.exe82⤵PID:1956
-
C:\Windows\SysWOW64\Pcbncfjd.exeC:\Windows\system32\Pcbncfjd.exe83⤵PID:1808
-
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe84⤵PID:1720
-
C:\Windows\SysWOW64\Pilfpqaa.exeC:\Windows\system32\Pilfpqaa.exe85⤵PID:2792
-
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe86⤵
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2700 -
C:\Windows\SysWOW64\Pcdkif32.exeC:\Windows\system32\Pcdkif32.exe88⤵PID:2452
-
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe89⤵
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\Pincfpoo.exeC:\Windows\system32\Pincfpoo.exe90⤵PID:2688
-
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe91⤵PID:1092
-
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Pcghof32.exeC:\Windows\system32\Pcghof32.exe93⤵PID:2096
-
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe94⤵
- Drops file in System32 directory
PID:2644 -
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe95⤵
- Modifies registry class
PID:700 -
C:\Windows\SysWOW64\Plolgk32.exeC:\Windows\system32\Plolgk32.exe96⤵
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe97⤵PID:2628
-
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe98⤵PID:2944
-
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe99⤵PID:2440
-
C:\Windows\SysWOW64\Pjcmap32.exeC:\Windows\system32\Pjcmap32.exe100⤵PID:2960
-
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe101⤵PID:2272
-
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe102⤵PID:2888
-
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe103⤵PID:1992
-
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe104⤵PID:3040
-
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe105⤵PID:472
-
C:\Windows\SysWOW64\Qdojgmfe.exeC:\Windows\system32\Qdojgmfe.exe106⤵PID:2288
-
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe107⤵PID:1320
-
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe108⤵
- Drops file in System32 directory
PID:2028 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe109⤵PID:2304
-
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe110⤵
- Drops file in System32 directory
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Qhmcmk32.exeC:\Windows\system32\Qhmcmk32.exe111⤵PID:1688
-
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe112⤵PID:2132
-
C:\Windows\SysWOW64\Anjlebjc.exeC:\Windows\system32\Anjlebjc.exe113⤵PID:2180
-
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe114⤵PID:2572
-
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe115⤵PID:2100
-
C:\Windows\SysWOW64\Acfdnihk.exeC:\Windows\system32\Acfdnihk.exe116⤵PID:1744
-
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe117⤵PID:2084
-
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe118⤵PID:2276
-
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe119⤵PID:3068
-
C:\Windows\SysWOW64\Aciqcifh.exeC:\Windows\system32\Aciqcifh.exe120⤵
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe121⤵PID:2176
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-