Analysis
max time kernel: 95s
max time network: 26s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 05/03/2025, 08:22
Static task: static1
Behavioral task: behavioral1
  Sample: ba3d934789f46117ed1a21b1e81d4b01aedc5df4072e081960a7bbe7bd98c8c9.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: ba3d934789f46117ed1a21b1e81d4b01aedc5df4072e081960a7bbe7bd98c8c9.exe
  Resource: win10v2004-20250217-en
General
Target: ba3d934789f46117ed1a21b1e81d4b01aedc5df4072e081960a7bbe7bd98c8c9.exe
Size: 1.3MB
MD5: b28533a56743d0fc98a849f72665c340
SHA1: 543f262f599e1d24b0c73967f270467ecb9c1558
SHA256: ba3d934789f46117ed1a21b1e81d4b01aedc5df4072e081960a7bbe7bd98c8c9
SHA512: bf2bc977107ac17db0de09842f6d5347ef18e872a07433723fd9854b94eb991b76e54fd10c43d72f32e0203e65202a32576256ca32098f6dbd5ca6b5d58a2d1a
SSDEEP: 12288:yrvbSwwL2bWGRdA6sQhPbWGRdA6sQxuEuZH8WF50+OJ3BHCXwpnsKvNA+X2:CjSwwL2vzecI50+YNpsKv25
Malware Config
Extracted: berbew
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
Berbew family
Executes dropped EXE 64 IoCs
Loads dropped DLL 64 IoCs
Drops file in System32 directory 64 IoCs
Program crash 1 IoCs
pid: 1072, pid_target: 3116, Process: WerFault.exe, procid_target: 618
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
Processes
C:\Users\Admin\AppData\Local\Temp\ba3d934789f46117ed1a21b1e81d4b01aedc5df4072e081960a7bbe7bd98c8c9.exe (command line: "C:\Users\Admin\AppData\Local\Temp\ba3d934789f46117ed1a21b1e81d4b01aedc5df4072e081960a7bbe7bd98c8c9.exe"), depth 1
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2412
C:\Windows\SysWOW64\Dfegjknm.exe (command line: C:\Windows\system32\Dfegjknm.exe), depth 2
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2028
C:\Windows\SysWOW64\Dfgdpj32.exe (command line: C:\Windows\system32\Dfgdpj32.exe), depth 3
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 2172
C:\Windows\SysWOW64\Egimdmmc.exe (command line: C:\Windows\system32\Egimdmmc.exe), depth 4
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2912
C:\Windows\SysWOW64\Fgcpkldh.exe (command line: C:\Windows\system32\Fgcpkldh.exe), depth 5
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2808
C:\Windows\SysWOW64\Fondonbc.exe (command line: C:\Windows\system32\Fondonbc.exe), depth 6
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2860
C:\Windows\SysWOW64\Fhfihd32.exe (command line: C:\Windows\system32\Fhfihd32.exe), depth 7
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2720
C:\Windows\SysWOW64\Gnenfjdh.exe (command line: C:\Windows\system32\Gnenfjdh.exe), depth 8
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2284
C:\Windows\SysWOW64\Ghmohcbl.exe (command line: C:\Windows\system32\Ghmohcbl.exe), depth 9
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1032
C:\Windows\SysWOW64\Gqidme32.exe (command line: C:\Windows\system32\Gqidme32.exe), depth 10
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1424
C:\Windows\SysWOW64\Glpdbfek.exe (command line: C:\Windows\system32\Glpdbfek.exe), depth 11
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2604
C:\Windows\SysWOW64\Gjcekj32.exe (command line: C:\Windows\system32\Gjcekj32.exe), depth 12
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2996
C:\Windows\SysWOW64\Hfjfpkji.exe (command line: C:\Windows\system32\Hfjfpkji.exe), depth 13
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 1272
C:\Windows\SysWOW64\Hcqcoo32.exe (command line: C:\Windows\system32\Hcqcoo32.exe), depth 14
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 1832
C:\Windows\SysWOW64\Hojqjp32.exe (command line: C:\Windows\system32\Hojqjp32.exe), depth 15
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2192
C:\Windows\SysWOW64\Hjcajn32.exe (command line: C:\Windows\system32\Hjcajn32.exe), depth 16
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2276
C:\Windows\SysWOW64\Inajql32.exe (command line: C:\Windows\system32\Inajql32.exe), depth 17
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID: 2060
C:\Windows\SysWOW64\Ibeloo32.exe (command line: C:\Windows\system32\Ibeloo32.exe), depth 18
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1540
C:\Windows\SysWOW64\Jbjejojn.exe (command line: C:\Windows\system32\Jbjejojn.exe), depth 19
- Executes dropped EXE
- Loads dropped DLL
PID: 2272
C:\Windows\SysWOW64\Jifkmh32.exe (command line: C:\Windows\system32\Jifkmh32.exe), depth 20
- Executes dropped EXE
- Loads dropped DLL
PID: 1888
C:\Windows\SysWOW64\Jhlgnd32.exe (command line: C:\Windows\system32\Jhlgnd32.exe), depth 21
- Executes dropped EXE
- Loads dropped DLL
PID: 1768
C:\Windows\SysWOW64\Jfadoaih.exe (command line: C:\Windows\system32\Jfadoaih.exe), depth 22
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 1700
C:\Windows\SysWOW64\Kkomepon.exe (command line: C:\Windows\system32\Kkomepon.exe), depth 23
- Executes dropped EXE
- Loads dropped DLL
PID: 972
C:\Windows\SysWOW64\Kkajkoml.exe (command line: C:\Windows\system32\Kkajkoml.exe), depth 24
- Executes dropped EXE
- Loads dropped DLL
PID: 2620
C:\Windows\SysWOW64\Kekkkm32.exe (command line: C:\Windows\system32\Kekkkm32.exe), depth 25
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2608
C:\Windows\SysWOW64\Leaallcb.exe (command line: C:\Windows\system32\Leaallcb.exe), depth 26
- Executes dropped EXE
- Loads dropped DLL
PID: 1676
C:\Windows\SysWOW64\Lhbjmg32.exe (command line: C:\Windows\system32\Lhbjmg32.exe), depth 27
- Executes dropped EXE
- Loads dropped DLL
PID: 1176
C:\Windows\SysWOW64\Lppkgi32.exe (command line: C:\Windows\system32\Lppkgi32.exe), depth 28
- Executes dropped EXE
- Loads dropped DLL
PID: 2300
C:\Windows\SysWOW64\Lndlamke.exe (command line: C:\Windows\system32\Lndlamke.exe), depth 29
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID: 2512
C:\Windows\SysWOW64\Mgomoboc.exe (command line: C:\Windows\system32\Mgomoboc.exe), depth 30
- Executes dropped EXE
- Loads dropped DLL
PID: 2696
C:\Windows\SysWOW64\Mjofanld.exe (command line: C:\Windows\system32\Mjofanld.exe), depth 31
- Executes dropped EXE
- Loads dropped DLL
PID: 2732
C:\Windows\SysWOW64\Mbmgkp32.exe (command line: C:\Windows\system32\Mbmgkp32.exe), depth 32
- Executes dropped EXE
- Loads dropped DLL
PID: 2236
C:\Windows\SysWOW64\Moahdd32.exe (command line: C:\Windows\system32\Moahdd32.exe), depth 33
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 3024
C:\Windows\SysWOW64\Nnfeep32.exe (command line: C:\Windows\system32\Nnfeep32.exe), depth 34
- Executes dropped EXE
PID: 852
C:\Windows\SysWOW64\Ncejcg32.exe (command line: C:\Windows\system32\Ncejcg32.exe), depth 35
- Executes dropped EXE
PID: 3028
C:\Windows\SysWOW64\Ngcbie32.exe (command line: C:\Windows\system32\Ngcbie32.exe), depth 36
- Executes dropped EXE
PID: 2292
C:\Windows\SysWOW64\Nfhpjaba.exe (command line: C:\Windows\system32\Nfhpjaba.exe), depth 37
- Executes dropped EXE
PID: 2536
C:\Windows\SysWOW64\Omddmkhl.exe (command line: C:\Windows\system32\Omddmkhl.exe), depth 38
- Executes dropped EXE
- Modifies registry class
PID: 2600
C:\Windows\SysWOW64\Onhnjclg.exe (command line: C:\Windows\system32\Onhnjclg.exe), depth 39
- Executes dropped EXE
- Modifies registry class
PID: 2652
C:\Windows\SysWOW64\Odgchjhl.exe (command line: C:\Windows\system32\Odgchjhl.exe), depth 40
- Executes dropped EXE
- Modifies registry class
PID: 456
C:\Windows\SysWOW64\Phelnhnb.exe (command line: C:\Windows\system32\Phelnhnb.exe), depth 41
- Executes dropped EXE
- Drops file in System32 directory
PID: 1160
C:\Windows\SysWOW64\Pmdalo32.exe (command line: C:\Windows\system32\Pmdalo32.exe), depth 42
- Executes dropped EXE
PID: 2032
C:\Windows\SysWOW64\Pdqfnhpa.exe (command line: C:\Windows\system32\Pdqfnhpa.exe), depth 43
- Executes dropped EXE
PID: 2576
C:\Windows\SysWOW64\Pedokpcm.exe (command line: C:\Windows\system32\Pedokpcm.exe), depth 44
- Executes dropped EXE
PID: 1600
C:\Windows\SysWOW64\Qhehmkqn.exe (command line: C:\Windows\system32\Qhehmkqn.exe), depth 45
- Executes dropped EXE
- Drops file in System32 directory
PID: 2036
C:\Windows\SysWOW64\Amdmkb32.exe (command line: C:\Windows\system32\Amdmkb32.exe), depth 46
- Executes dropped EXE
PID: 2712
C:\Windows\SysWOW64\Apeflmjc.exe (command line: C:\Windows\system32\Apeflmjc.exe), depth 47
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 2672
C:\Windows\SysWOW64\Agakog32.exe (command line: C:\Windows\system32\Agakog32.exe), depth 48
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID: 3052
C:\Windows\SysWOW64\Aefhpc32.exe (command line: C:\Windows\system32\Aefhpc32.exe), depth 49
- Executes dropped EXE
PID: 2420
C:\Windows\SysWOW64\Bcmeogam.exe (command line: C:\Windows\system32\Bcmeogam.exe), depth 50
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1144
C:\Windows\SysWOW64\Babbpc32.exe (command line: C:\Windows\system32\Babbpc32.exe), depth 51
- Executes dropped EXE
- Modifies registry class
PID: 2580
C:\Windows\SysWOW64\Bdbkaoce.exe (command line: C:\Windows\system32\Bdbkaoce.exe), depth 52
- Executes dropped EXE
PID: 368
C:\Windows\SysWOW64\Bhqdgm32.exe (command line: C:\Windows\system32\Bhqdgm32.exe), depth 53
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID: 2532
C:\Windows\SysWOW64\Ckamihfm.exe (command line: C:\Windows\system32\Ckamihfm.exe), depth 54
- Executes dropped EXE
PID: 896
C:\Windows\SysWOW64\Cnbfkccn.exe (command line: C:\Windows\system32\Cnbfkccn.exe), depth 55
- Executes dropped EXE
PID: 2812
C:\Windows\SysWOW64\Cmgblphf.exe (command line: C:\Windows\system32\Cmgblphf.exe), depth 56
- Executes dropped EXE
PID: 3060
C:\Windows\SysWOW64\Cklpml32.exe (command line: C:\Windows\system32\Cklpml32.exe), depth 57
- Executes dropped EXE
PID: 3004
C:\Windows\SysWOW64\Dnmhogjo.exe (command line: C:\Windows\system32\Dnmhogjo.exe), depth 58
- Executes dropped EXE
- Modifies registry class
PID: 2764
C:\Windows\SysWOW64\Dpmeij32.exe (command line: C:\Windows\system32\Dpmeij32.exe), depth 59
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID: 1808
C:\Windows\SysWOW64\Djkodg32.exe (command line: C:\Windows\system32\Djkodg32.exe), depth 60
- Executes dropped EXE
PID: 2480
C:\Windows\SysWOW64\Eiplecnc.exe (command line: C:\Windows\system32\Eiplecnc.exe), depth 61
- Executes dropped EXE
PID: 932
C:\Windows\SysWOW64\Elaego32.exe (command line: C:\Windows\system32\Elaego32.exe), depth 62
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID: 2636
C:\Windows\SysWOW64\Emqaaabg.exe (command line: C:\Windows\system32\Emqaaabg.exe), depth 63
- Executes dropped EXE
- Modifies registry class
PID: 1612
C:\Windows\SysWOW64\Eodknifb.exe (command line: C:\Windows\system32\Eodknifb.exe), depth 64
- Executes dropped EXE
PID: 2884
C:\Windows\SysWOW64\Fbbcdh32.exe (command line: C:\Windows\system32\Fbbcdh32.exe), depth 65
- Executes dropped EXE
PID: 2404
C:\Windows\SysWOW64\Foidii32.exe (command line: C:\Windows\system32\Foidii32.exe), depth 66
PID: 2940
C:\Windows\SysWOW64\Fmnakege.exe (command line: C:\Windows\system32\Fmnakege.exe), depth 67
- Modifies registry class
PID: 2136
C:\Windows\SysWOW64\Fgffck32.exe (command line: C:\Windows\system32\Fgffck32.exe), depth 68
- System Location Discovery: System Language Discovery
PID: 2188
C:\Windows\SysWOW64\Fdjfmolo.exe (command line: C:\Windows\system32\Fdjfmolo.exe), depth 69
PID: 3104
C:\Windows\SysWOW64\Gdmcbojl.exe (command line: C:\Windows\system32\Gdmcbojl.exe), depth 70
PID: 3152
C:\Windows\SysWOW64\Glhhgahg.exe (command line: C:\Windows\system32\Glhhgahg.exe), depth 71
- Modifies registry class
PID: 3228
C:\Windows\SysWOW64\Gpfpmonn.exe (command line: C:\Windows\system32\Gpfpmonn.exe), depth 72
PID: 3268
C:\Windows\SysWOW64\Gllabp32.exe (command line: C:\Windows\system32\Gllabp32.exe), depth 73
PID: 3340
C:\Windows\SysWOW64\Gaiijgbi.exe (command line: C:\Windows\system32\Gaiijgbi.exe), depth 74
PID: 3400
C:\Windows\SysWOW64\Gegbpe32.exe (command line: C:\Windows\system32\Gegbpe32.exe), depth 75
PID: 3460
C:\Windows\SysWOW64\Hdloab32.exe (command line: C:\Windows\system32\Hdloab32.exe), depth 76
PID: 3516
C:\Windows\SysWOW64\Happkf32.exe (command line: C:\Windows\system32\Happkf32.exe), depth 77
PID: 3576
C:\Windows\SysWOW64\Hcdihn32.exe (command line: C:\Windows\system32\Hcdihn32.exe), depth 78
PID: 3636
C:\Windows\SysWOW64\Hqhiab32.exe (command line: C:\Windows\system32\Hqhiab32.exe), depth 79
- Drops file in System32 directory
PID: 3696
C:\Windows\SysWOW64\Homfboco.exe (command line: C:\Windows\system32\Homfboco.exe), depth 80
- Modifies registry class
PID: 3740
C:\Windows\SysWOW64\Ioochn32.exe (command line: C:\Windows\system32\Ioochn32.exe), depth 81
PID: 3820
C:\Windows\SysWOW64\Icmlnmgb.exe (command line: C:\Windows\system32\Icmlnmgb.exe), depth 82
PID: 3876
C:\Windows\SysWOW64\Ingmoj32.exe (command line: C:\Windows\system32\Ingmoj32.exe), depth 83
PID: 3932
C:\Windows\SysWOW64\Iniidj32.exe (command line: C:\Windows\system32\Iniidj32.exe), depth 84
- System Location Discovery: System Language Discovery
PID: 3988
C:\Windows\SysWOW64\Jnlfjjpl.exe (command line: C:\Windows\system32\Jnlfjjpl.exe), depth 85
PID: 4044
C:\Windows\SysWOW64\Jalolemm.exe (command line: C:\Windows\system32\Jalolemm.exe), depth 86
PID: 2776
C:\Windows\SysWOW64\Jaolad32.exe (command line: C:\Windows\system32\Jaolad32.exe), depth 87
PID: 308
C:\Windows\SysWOW64\Jaahgd32.exe (command line: C:\Windows\system32\Jaahgd32.exe), depth 88
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID: 964
C:\Windows\SysWOW64\Jlkigbef.exe (command line: C:\Windows\system32\Jlkigbef.exe), depth 89
PID: 2612
C:\Windows\SysWOW64\Jfpndkel.exe (command line: C:\Windows\system32\Jfpndkel.exe), depth 90
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2320
C:\Windows\SysWOW64\Kbgnil32.exe (command line: C:\Windows\system32\Kbgnil32.exe), depth 91
- Drops file in System32 directory
PID: 1664
C:\Windows\SysWOW64\Kpkocpjj.exe (command line: C:\Windows\system32\Kpkocpjj.exe), depth 92
PID: 2740
C:\Windows\SysWOW64\Klapha32.exe (command line: C:\Windows\system32\Klapha32.exe), depth 93
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 2408
C:\Windows\SysWOW64\Kdmdlc32.exe (command line: C:\Windows\system32\Kdmdlc32.exe), depth 94
PID: 828
C:\Windows\SysWOW64\Kaaeegkc.exe (command line: C:\Windows\system32\Kaaeegkc.exe), depth 95
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 3128
C:\Windows\SysWOW64\Kacakgip.exe (command line: C:\Windows\system32\Kacakgip.exe), depth 96
PID: 3172
C:\Windows\SysWOW64\Linfpi32.exe (command line: C:\Windows\system32\Linfpi32.exe), depth 97
- Modifies registry class
PID: 3224
C:\Windows\SysWOW64\Lknbjlnn.exe (command line: C:\Windows\system32\Lknbjlnn.exe), depth 98
PID: 276
C:\Windows\SysWOW64\Lmolkg32.exe (command line: C:\Windows\system32\Lmolkg32.exe), depth 99
PID: 3364
C:\Windows\SysWOW64\Lielphqc.exe (command line: C:\Windows\system32\Lielphqc.exe), depth 100
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID: 3424
C:\Windows\SysWOW64\Mlfebcnd.exe (command line: C:\Windows\system32\Mlfebcnd.exe), depth 101
PID: 3488
C:\Windows\SysWOW64\Mkkbcpbl.exe (command line: C:\Windows\system32\Mkkbcpbl.exe), depth 102
PID: 908
C:\Windows\SysWOW64\Mknohpqj.exe (command line: C:\Windows\system32\Mknohpqj.exe), depth 103
PID: 3536
C:\Windows\SysWOW64\Mpjgag32.exe (command line: C:\Windows\system32\Mpjgag32.exe), depth 104
- Modifies registry class
PID: 3644
C:\Windows\SysWOW64\Mpmdff32.exe (command line: C:\Windows\system32\Mpmdff32.exe), depth 105
PID: 3688
C:\Windows\SysWOW64\Mnqdpj32.exe (command line: C:\Windows\system32\Mnqdpj32.exe), depth 106
PID: 3772
C:\Windows\SysWOW64\Njgeel32.exe (command line: C:\Windows\system32\Njgeel32.exe), depth 107
PID: 3868
C:\Windows\SysWOW64\Nfnfjmgp.exe (command line: C:\Windows\system32\Nfnfjmgp.exe), depth 108
- Drops file in System32 directory
PID: 3984
C:\Windows\SysWOW64\Nkbdbbop.exe (command line: C:\Windows\system32\Nkbdbbop.exe), depth 109
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 4060
C:\Windows\SysWOW64\Ogiegc32.exe (command line: C:\Windows\system32\Ogiegc32.exe), depth 110
- Modifies registry class
PID: 2540
C:\Windows\SysWOW64\Ogkbmcba.exe (command line: C:\Windows\system32\Ogkbmcba.exe), depth 111
PID: 4092
C:\Windows\SysWOW64\Ofqonp32.exe (command line: C:\Windows\system32\Ofqonp32.exe), depth 112
PID: 2832
C:\Windows\SysWOW64\Ofcldoef.exe (command line: C:\Windows\system32\Ofcldoef.exe), depth 113
PID: 2848
C:\Windows\SysWOW64\Oahpahel.exe (command line: C:\Windows\system32\Oahpahel.exe), depth 114
PID: 2936
C:\Windows\SysWOW64\Pmoqfi32.exe (command line: C:\Windows\system32\Pmoqfi32.exe), depth 115
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 580
C:\Windows\SysWOW64\Pldnge32.exe (command line: C:\Windows\system32\Pldnge32.exe), depth 116
- Adds autorun key to be loaded by Explorer.exe on startup
PID: 1180
C:\Windows\SysWOW64\Pihnqj32.exe (command line: C:\Windows\system32\Pihnqj32.exe), depth 117
PID: 2640
C:\Windows\SysWOW64\Pikkfilp.exe (command line: C:\Windows\system32\Pikkfilp.exe), depth 118
PID: 2336
C:\Windows\SysWOW64\Pddlggin.exe (command line: C:\Windows\system32\Pddlggin.exe), depth 119
PID: 756
C:\Windows\SysWOW64\Qahlpkhh.exe (command line: C:\Windows\system32\Qahlpkhh.exe), depth 120
- Drops file in System32 directory
PID: 3200
C:\Windows\SysWOW64\Qmomelml.exe (command line: C:\Windows\system32\Qmomelml.exe), depth 121
PID: 3468
C:\Windows\SysWOW64\Appfggjm.exe (command line: C:\Windows\system32\Appfggjm.exe), depth 122
PID: 3336