Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
05/03/2025, 10:07
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cf275ca194dbeba90ab9746688025cdf83605e46c6a701b5999d638b195eb043.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
cf275ca194dbeba90ab9746688025cdf83605e46c6a701b5999d638b195eb043.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
cf275ca194dbeba90ab9746688025cdf83605e46c6a701b5999d638b195eb043.exe
-
Size
1.2MB
-
MD5
af4928f5d558a0444838021d4f9a1e56
-
SHA1
1f353cac8f6179700f7bbe81d54d10db9796a0bb
-
SHA256
cf275ca194dbeba90ab9746688025cdf83605e46c6a701b5999d638b195eb043
-
SHA512
a370d5a1bd2bdbae45308ff90d31569f8e034e7932d13c9c40ccd158140b9e28d6109fa0b37e6851a642ad2063fe07592ca2c62d4f9eff8abef2a63071ef3a58
-
SSDEEP
12288:8mZeQYlFiWZCXwpnsKvNA+XTvZHWuEo3oWiQ4cf:pYlFiWZpsKv2EvZHp3oWiQ4cf
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hokjkbkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kihpmnbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbqkeioh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Empomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gagmbkik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kppldhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Paafmp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgahkngh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geqlnjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lgnjke32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Einebddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdnncfoe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fogdap32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkdgecna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aejnfe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffjagko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fegjgkla.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkmefaan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idohdhbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckmpicl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eepmlf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbfjkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qigebglj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpebidam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifbaapfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Immjnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Imacijjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Camnge32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fllaopcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdqkifmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbdkbjkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebialmjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enbogmnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khagijcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egcfdn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpebidam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Einlmkhp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iianmlfn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lglmefcg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Immjnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keango32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njhbabif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bihgmdih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdinnqon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejcofica.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcblqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikagogco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgmaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lbgkfbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abnopj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emdhhdqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Joblkegc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njhbabif.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Appbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efhcej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cdchneko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgadja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Geloanjg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Goddjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iokfjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kcmdjgbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Donojm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebfqfpop.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mopdpg32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2804 Qigebglj.exe 2972 Qboikm32.exe 2116 Abdbflnf.exe 2596 Aebobgmi.exe 2060 Ahqkocmm.exe 1980 Aphcppmo.exe 1892 Abfoll32.exe 1964 Aipgifcp.exe 1152 Alodeacc.exe 492 Abhlak32.exe 1324 Aeghng32.exe 1484 Ahedjb32.exe 2436 Alaqjaaa.exe 2204 Aoomflpd.exe 1920 Aanibhoh.exe 1700 Adleoc32.exe 876 Andjgidl.exe 3016 Bpcfcddp.exe 2936 Bgmnpn32.exe 1608 Bngfmhbj.exe 1404 Bpebidam.exe 564 Bgokfnij.exe 2216 Bnicbh32.exe 2108 Bphooc32.exe 2088 Bdckobhd.exe 2928 Bgahkngh.exe 3064 Bomlppdb.exe 2344 Bgddam32.exe 2652 Bjbqmi32.exe 2780 Bplijcle.exe 1952 Bfiabjjm.exe 596 Clciod32.exe 2504 Ccmblnif.exe 828 Cdnncfoe.exe 2912 Codbqonk.exe 1916 Cdqkifmb.exe 2308 Cofofolh.exe 1284 Cbdkbjkl.exe 1084 Cdchneko.exe 2144 Cgadja32.exe 1592 Cnklgkap.exe 2820 Cqjhcfpc.exe 1696 Cchdpbog.exe 3104 Ckomqopi.exe 3156 Cmqihg32.exe 3212 Ddhaie32.exe 3268 Dgfmep32.exe 3316 Djdjalea.exe 3364 Dqobnf32.exe 3412 Dcmnja32.exe 3460 Dijfch32.exe 3516 Dqaode32.exe 3580 Dcokpa32.exe 3640 Dfngll32.exe 3692 Dilchhgg.exe 3756 Dkjpdcfj.exe 3816 Dcageqgm.exe 3876 Dfpcblfp.exe 3940 Dinpnged.exe 4000 Dkmljcdh.exe 4044 Dnkhfnck.exe 2260 Deeqch32.exe 2572 Dgcmod32.exe 1816 Epkepakn.exe -
Loads dropped DLL 64 IoCs
pid Process 2680 cf275ca194dbeba90ab9746688025cdf83605e46c6a701b5999d638b195eb043.exe 2680 cf275ca194dbeba90ab9746688025cdf83605e46c6a701b5999d638b195eb043.exe 2804 Qigebglj.exe 2804 Qigebglj.exe 2972 Qboikm32.exe 2972 Qboikm32.exe 2116 Abdbflnf.exe 2116 Abdbflnf.exe 2596 Aebobgmi.exe 2596 Aebobgmi.exe 2060 Ahqkocmm.exe 2060 Ahqkocmm.exe 1980 Aphcppmo.exe 1980 Aphcppmo.exe 1892 Abfoll32.exe 1892 Abfoll32.exe 1964 Aipgifcp.exe 1964 Aipgifcp.exe 1152 Alodeacc.exe 1152 Alodeacc.exe 492 Abhlak32.exe 492 Abhlak32.exe 1324 Aeghng32.exe 1324 Aeghng32.exe 1484 Ahedjb32.exe 1484 Ahedjb32.exe 2436 Alaqjaaa.exe 2436 Alaqjaaa.exe 2204 Aoomflpd.exe 2204 Aoomflpd.exe 1920 Aanibhoh.exe 1920 Aanibhoh.exe 1700 Adleoc32.exe 1700 Adleoc32.exe 876 Andjgidl.exe 876 Andjgidl.exe 3016 Bpcfcddp.exe 3016 Bpcfcddp.exe 2936 Bgmnpn32.exe 2936 Bgmnpn32.exe 1608 Bngfmhbj.exe 1608 Bngfmhbj.exe 1404 Bpebidam.exe 1404 Bpebidam.exe 564 Bgokfnij.exe 564 Bgokfnij.exe 2216 Bnicbh32.exe 2216 Bnicbh32.exe 2108 Bphooc32.exe 2108 Bphooc32.exe 2088 Bdckobhd.exe 2088 Bdckobhd.exe 2928 Bgahkngh.exe 2928 Bgahkngh.exe 3064 Bomlppdb.exe 3064 Bomlppdb.exe 2344 Bgddam32.exe 2344 Bgddam32.exe 2652 Bjbqmi32.exe 2652 Bjbqmi32.exe 2780 Bplijcle.exe 2780 Bplijcle.exe 1952 Bfiabjjm.exe 1952 Bfiabjjm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fpokjd32.exe Fhhbif32.exe File opened for modification C:\Windows\SysWOW64\Nckmpicl.exe Nladco32.exe File created C:\Windows\SysWOW64\Eknjoj32.dll Bogljj32.exe File opened for modification C:\Windows\SysWOW64\Dcageqgm.exe Dkjpdcfj.exe File opened for modification C:\Windows\SysWOW64\Bpebidam.exe Bngfmhbj.exe File opened for modification C:\Windows\SysWOW64\Lkbpke32.exe Llpoohik.exe File created C:\Windows\SysWOW64\Eoeadjbl.dll Nckmpicl.exe File opened for modification C:\Windows\SysWOW64\Ogdhik32.exe Odflmp32.exe File opened for modification C:\Windows\SysWOW64\Ahpddmia.exe Apilcoho.exe File opened for modification C:\Windows\SysWOW64\Bknmok32.exe Bimphc32.exe File created C:\Windows\SysWOW64\Dbadagln.exe Dochelmj.exe File opened for modification C:\Windows\SysWOW64\Pfqlkfoc.exe Pcbookpp.exe File created C:\Windows\SysWOW64\Cefllkej.dll Bknmok32.exe File opened for modification C:\Windows\SysWOW64\Joppeeif.exe Imacijjb.exe File created C:\Windows\SysWOW64\Emdhhdqb.exe Eiilge32.exe File created C:\Windows\SysWOW64\Iqfiii32.exe Imjmhkpj.exe File created C:\Windows\SysWOW64\Mdkiio32.dll Ngbpehpj.exe File created C:\Windows\SysWOW64\Mafick32.dll Nqpmimbe.exe File opened for modification C:\Windows\SysWOW64\Ogbldk32.exe Oddphp32.exe File created C:\Windows\SysWOW64\Qplbjk32.dll Paafmp32.exe File created C:\Windows\SysWOW64\Enkcccnb.dll Apilcoho.exe File created C:\Windows\SysWOW64\Epcddopf.exe Emdhhdqb.exe File created C:\Windows\SysWOW64\Mjpdkq32.dll Fllaopcg.exe File created C:\Windows\SysWOW64\Llolnffe.dll Bphooc32.exe File created C:\Windows\SysWOW64\Ogmnad32.dll Dqobnf32.exe File created C:\Windows\SysWOW64\Jkadjjcg.dll Geqlnjcf.exe File opened for modification C:\Windows\SysWOW64\Immjnj32.exe Iianmlfn.exe File opened for modification C:\Windows\SysWOW64\Padccpal.exe Pimkbbpi.exe File created C:\Windows\SysWOW64\Olahgd32.dll Dmmbge32.exe File created C:\Windows\SysWOW64\Ahadcefi.dll Epkepakn.exe File created C:\Windows\SysWOW64\Pbeainng.dll Ebfqfpop.exe File opened for modification C:\Windows\SysWOW64\Gncgbkki.exe Geloanjg.exe File opened for modification C:\Windows\SysWOW64\Kflafbak.exe Kcmdjgbh.exe File opened for modification C:\Windows\SysWOW64\Maldfbjn.exe Monhjgkj.exe File opened for modification C:\Windows\SysWOW64\Clkicbfa.exe Cjmmffgn.exe File created C:\Windows\SysWOW64\Ebcmfj32.exe Enhaeldn.exe File opened for modification C:\Windows\SysWOW64\Elaeeb32.exe Eegmhhie.exe File created C:\Windows\SysWOW64\Fogdap32.exe Flhhed32.exe File created C:\Windows\SysWOW64\Cncolfcl.exe Ckecpjdh.exe File created C:\Windows\SysWOW64\Qhalbm32.dll Dhiphb32.exe File created C:\Windows\SysWOW64\Jhpgpkho.dll Enhaeldn.exe File created C:\Windows\SysWOW64\Ggdekbgb.exe Gdfiofhn.exe File created C:\Windows\SysWOW64\Lbpihjem.dll Obcffefa.exe File opened for modification C:\Windows\SysWOW64\Aeokba32.exe Amhcad32.exe File created C:\Windows\SysWOW64\Einebddd.exe Eebibf32.exe File created C:\Windows\SysWOW64\Onndkg32.dll Fipbhd32.exe File created C:\Windows\SysWOW64\Bplijcle.exe Bjbqmi32.exe File created C:\Windows\SysWOW64\Ppfafphp.dll Kflafbak.exe File opened for modification C:\Windows\SysWOW64\Njalacon.exe Ngbpehpj.exe File created C:\Windows\SysWOW64\Glmmpgoa.dll Joblkegc.exe File created C:\Windows\SysWOW64\Jcgalk32.dll Laaabo32.exe File created C:\Windows\SysWOW64\Njalacon.exe Ngbpehpj.exe File created C:\Windows\SysWOW64\Cjgmmkof.dll Njalacon.exe File created C:\Windows\SysWOW64\Nfglfdeb.exe Ncipjieo.exe File created C:\Windows\SysWOW64\Ahngomkd.exe Aeokba32.exe File created C:\Windows\SysWOW64\Mbendkpn.dll Ajamfh32.exe File opened for modification C:\Windows\SysWOW64\Ejabqi32.exe Egcfdn32.exe File created C:\Windows\SysWOW64\Fojegeeg.dll Iqfiii32.exe File created C:\Windows\SysWOW64\Nfjildbp.exe Nckmpicl.exe File opened for modification C:\Windows\SysWOW64\Empomd32.exe Ejabqi32.exe File opened for modification C:\Windows\SysWOW64\Dgcmod32.exe Deeqch32.exe File opened for modification C:\Windows\SysWOW64\Ephdjeol.exe Einlmkhp.exe File created C:\Windows\SysWOW64\Klalgq32.dll Leegbnan.exe File created C:\Windows\SysWOW64\Okkkoj32.exe Omhkcnfg.exe -
Program crash 1 IoCs
pid pid_target Process 7768 7744 WerFault.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgfmep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldkdckff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miclhpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qboikm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aipgifcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meecaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqpmimbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkeoongd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejabqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeghng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgddam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efppqoil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iciopdca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngpcohbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhpad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piadma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahngomkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iokfjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibibfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpmooind.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhhehpbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnpdnho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjnignob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikagogco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imacijjb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lijiaabk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apilcoho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmlfmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khagijcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckhpejbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqaode32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llkbcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bihgmdih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfhgggim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qigebglj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkmljcdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifgklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llpoohik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogbldk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bafhff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cojeomee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnckki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggdekbgb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkdgecna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmclmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maoalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojceef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blipno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkbbinig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eepmlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eannmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kcmdjgbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lilfgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekehomj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkqiek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlpbna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dochelmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhcej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enbogmnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fodgkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhkcnfg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cffjagko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnkhfnck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbqjqehd.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Golcgomm.dll" Cnklgkap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hllgegfe.dll" Kppldhla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Honfqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aifjgdkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efoied32.dll" Appbcn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eidmboob.dll" Bihgmdih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cojeomee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ficfbkij.dll" Enpban32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kecjmodq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgnfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aphcppmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Njalacon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jenndm32.dll" Ojeakfnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dqfabdaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpkljm32.dll" Einebddd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibibfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ooggpiek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pklmdamd.dll" Bgddam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccmblnif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejabqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehbgahjb.dll" Ablbjj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cojeomee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfmlpf32.dll" Dfpcblfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Joppeeif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ajamfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cdchneko.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpjaodmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ndafcmci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enkcccnb.dll" Apilcoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epokjceb.dll" Bdckobhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfmkfcib.dll" Cchdpbog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifcmmf32.dll" Fejfmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gagmbkik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mecglbfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fipbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fodgkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Okipkm32.dll" Gncgbkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njnokdaq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngbpehpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cncolfcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fegjgkla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hagianlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pomebdea.dll" Kckhdg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cchdpbog.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdcmig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Faeihnam.dll" Hdefnjkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnkaj32.dll" Kpbhjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apnfno32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aphcppmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ncipjieo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oknhdjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ngeogk32.dll" Bdinnqon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahadcefi.dll" Epkepakn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lijiaabk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fikeom32.dll" Mhdpnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgnminke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oomjld32.dll" Emdhhdqb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ddhaie32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlboca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahedjb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dkmljcdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flhhed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jbphgpfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjnjqb32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2680 wrote to memory of 2804 2680 cf275ca194dbeba90ab9746688025cdf83605e46c6a701b5999d638b195eb043.exe 30 PID 2680 wrote to memory of 2804 2680 cf275ca194dbeba90ab9746688025cdf83605e46c6a701b5999d638b195eb043.exe 30 PID 2680 wrote to memory of 2804 2680 cf275ca194dbeba90ab9746688025cdf83605e46c6a701b5999d638b195eb043.exe 30 PID 2680 wrote to memory of 2804 2680 cf275ca194dbeba90ab9746688025cdf83605e46c6a701b5999d638b195eb043.exe 30 PID 2804 wrote to memory of 2972 2804 Qigebglj.exe 31 PID 2804 wrote to memory of 2972 2804 Qigebglj.exe 31 PID 2804 wrote to memory of 2972 2804 Qigebglj.exe 31 PID 2804 wrote to memory of 2972 2804 Qigebglj.exe 31 PID 2972 wrote to memory of 2116 2972 Qboikm32.exe 32 PID 2972 wrote to memory of 2116 2972 Qboikm32.exe 32 PID 2972 wrote to memory of 2116 2972 Qboikm32.exe 32 PID 2972 wrote to memory of 2116 2972 Qboikm32.exe 32 PID 2116 wrote to memory of 2596 2116 Abdbflnf.exe 33 PID 2116 wrote to memory of 2596 2116 Abdbflnf.exe 33 PID 2116 wrote to memory of 2596 2116 Abdbflnf.exe 33 PID 2116 wrote to memory of 2596 2116 Abdbflnf.exe 33 PID 2596 wrote to memory of 2060 2596 Aebobgmi.exe 34 PID 2596 wrote to memory of 2060 2596 Aebobgmi.exe 34 PID 2596 wrote to memory of 2060 2596 Aebobgmi.exe 34 PID 2596 wrote to memory of 2060 2596 Aebobgmi.exe 34 PID 2060 wrote to memory of 1980 2060 Ahqkocmm.exe 35 PID 2060 wrote to memory of 1980 2060 Ahqkocmm.exe 35 PID 2060 wrote to memory of 1980 2060 Ahqkocmm.exe 35 PID 2060 wrote to memory of 1980 2060 Ahqkocmm.exe 35 PID 1980 wrote to memory of 1892 1980 Aphcppmo.exe 36 PID 1980 wrote to memory of 1892 1980 Aphcppmo.exe 36 PID 1980 wrote to memory of 1892 1980 Aphcppmo.exe 36 PID 1980 wrote to memory of 1892 1980 Aphcppmo.exe 36 PID 1892 wrote to memory of 1964 1892 Abfoll32.exe 37 PID 1892 wrote to memory of 1964 1892 Abfoll32.exe 37 PID 1892 wrote to memory of 1964 1892 Abfoll32.exe 37 PID 1892 wrote to memory of 1964 1892 Abfoll32.exe 37 PID 1964 wrote to memory of 1152 1964 Aipgifcp.exe 38 PID 1964 wrote to memory of 1152 1964 Aipgifcp.exe 38 PID 1964 wrote to memory of 1152 1964 Aipgifcp.exe 38 PID 1964 wrote to memory of 1152 1964 Aipgifcp.exe 38 PID 1152 wrote to memory of 492 1152 Alodeacc.exe 39 PID 1152 wrote to memory of 492 1152 Alodeacc.exe 39 PID 1152 wrote to memory of 492 1152 Alodeacc.exe 39 PID 1152 wrote to memory of 492 1152 Alodeacc.exe 39 PID 492 wrote to memory of 1324 492 Abhlak32.exe 40 PID 492 wrote to memory of 1324 492 Abhlak32.exe 40 PID 492 wrote to memory of 1324 492 Abhlak32.exe 40 PID 492 wrote to memory of 1324 492 Abhlak32.exe 40 PID 1324 wrote to memory of 1484 1324 Aeghng32.exe 41 PID 1324 wrote to memory of 1484 1324 Aeghng32.exe 41 PID 1324 wrote to memory of 1484 1324 Aeghng32.exe 41 PID 1324 wrote to memory of 1484 1324 Aeghng32.exe 41 PID 1484 wrote to memory of 2436 1484 Ahedjb32.exe 42 PID 1484 wrote to memory of 2436 1484 Ahedjb32.exe 42 PID 1484 wrote to memory of 2436 1484 Ahedjb32.exe 42 PID 1484 wrote to memory of 2436 1484 Ahedjb32.exe 42 PID 2436 wrote to memory of 2204 2436 Alaqjaaa.exe 43 PID 2436 wrote to memory of 2204 2436 Alaqjaaa.exe 43 PID 2436 wrote to memory of 2204 2436 Alaqjaaa.exe 43 PID 2436 wrote to memory of 2204 2436 Alaqjaaa.exe 43 PID 2204 wrote to memory of 1920 2204 Aoomflpd.exe 44 PID 2204 wrote to memory of 1920 2204 Aoomflpd.exe 44 PID 2204 wrote to memory of 1920 2204 Aoomflpd.exe 44 PID 2204 wrote to memory of 1920 2204 Aoomflpd.exe 44 PID 1920 wrote to memory of 1700 1920 Aanibhoh.exe 45 PID 1920 wrote to memory of 1700 1920 Aanibhoh.exe 45 PID 1920 wrote to memory of 1700 1920 Aanibhoh.exe 45 PID 1920 wrote to memory of 1700 1920 Aanibhoh.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\cf275ca194dbeba90ab9746688025cdf83605e46c6a701b5999d638b195eb043.exe"C:\Users\Admin\AppData\Local\Temp\cf275ca194dbeba90ab9746688025cdf83605e46c6a701b5999d638b195eb043.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Qigebglj.exeC:\Windows\system32\Qigebglj.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Qboikm32.exeC:\Windows\system32\Qboikm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Abdbflnf.exeC:\Windows\system32\Abdbflnf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\Aebobgmi.exeC:\Windows\system32\Aebobgmi.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Ahqkocmm.exeC:\Windows\system32\Ahqkocmm.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Aphcppmo.exeC:\Windows\system32\Aphcppmo.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1980 -
C:\Windows\SysWOW64\Abfoll32.exeC:\Windows\system32\Abfoll32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\Aipgifcp.exeC:\Windows\system32\Aipgifcp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1964 -
C:\Windows\SysWOW64\Alodeacc.exeC:\Windows\system32\Alodeacc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1152 -
C:\Windows\SysWOW64\Abhlak32.exeC:\Windows\system32\Abhlak32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:492 -
C:\Windows\SysWOW64\Aeghng32.exeC:\Windows\system32\Aeghng32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1324 -
C:\Windows\SysWOW64\Ahedjb32.exeC:\Windows\system32\Ahedjb32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Alaqjaaa.exeC:\Windows\system32\Alaqjaaa.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Aoomflpd.exeC:\Windows\system32\Aoomflpd.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204 -
C:\Windows\SysWOW64\Aanibhoh.exeC:\Windows\system32\Aanibhoh.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Adleoc32.exeC:\Windows\system32\Adleoc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1700 -
C:\Windows\SysWOW64\Andjgidl.exeC:\Windows\system32\Andjgidl.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:876 -
C:\Windows\SysWOW64\Bpcfcddp.exeC:\Windows\system32\Bpcfcddp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3016 -
C:\Windows\SysWOW64\Bgmnpn32.exeC:\Windows\system32\Bgmnpn32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2936 -
C:\Windows\SysWOW64\Bngfmhbj.exeC:\Windows\system32\Bngfmhbj.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1608 -
C:\Windows\SysWOW64\Bpebidam.exeC:\Windows\system32\Bpebidam.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1404 -
C:\Windows\SysWOW64\Bgokfnij.exeC:\Windows\system32\Bgokfnij.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:564 -
C:\Windows\SysWOW64\Bnicbh32.exeC:\Windows\system32\Bnicbh32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2216 -
C:\Windows\SysWOW64\Bphooc32.exeC:\Windows\system32\Bphooc32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Bdckobhd.exeC:\Windows\system32\Bdckobhd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Bgahkngh.exeC:\Windows\system32\Bgahkngh.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2928 -
C:\Windows\SysWOW64\Bomlppdb.exeC:\Windows\system32\Bomlppdb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Bgddam32.exeC:\Windows\system32\Bgddam32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Bjbqmi32.exeC:\Windows\system32\Bjbqmi32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2652 -
C:\Windows\SysWOW64\Bplijcle.exeC:\Windows\system32\Bplijcle.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Bfiabjjm.exeC:\Windows\system32\Bfiabjjm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1952 -
C:\Windows\SysWOW64\Clciod32.exeC:\Windows\system32\Clciod32.exe33⤵
- Executes dropped EXE
PID:596 -
C:\Windows\SysWOW64\Ccmblnif.exeC:\Windows\system32\Ccmblnif.exe34⤵
- Executes dropped EXE
- Modifies registry class
PID:2504 -
C:\Windows\SysWOW64\Cdnncfoe.exeC:\Windows\system32\Cdnncfoe.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Codbqonk.exeC:\Windows\system32\Codbqonk.exe36⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Cdqkifmb.exeC:\Windows\system32\Cdqkifmb.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Cofofolh.exeC:\Windows\system32\Cofofolh.exe38⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Cbdkbjkl.exeC:\Windows\system32\Cbdkbjkl.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Cdchneko.exeC:\Windows\system32\Cdchneko.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1084 -
C:\Windows\SysWOW64\Cgadja32.exeC:\Windows\system32\Cgadja32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Cnklgkap.exeC:\Windows\system32\Cnklgkap.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Cqjhcfpc.exeC:\Windows\system32\Cqjhcfpc.exe43⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Cchdpbog.exeC:\Windows\system32\Cchdpbog.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Ckomqopi.exeC:\Windows\system32\Ckomqopi.exe45⤵
- Executes dropped EXE
PID:3104 -
C:\Windows\SysWOW64\Cmqihg32.exeC:\Windows\system32\Cmqihg32.exe46⤵
- Executes dropped EXE
PID:3156 -
C:\Windows\SysWOW64\Ddhaie32.exeC:\Windows\system32\Ddhaie32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:3212 -
C:\Windows\SysWOW64\Dgfmep32.exeC:\Windows\system32\Dgfmep32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3268 -
C:\Windows\SysWOW64\Djdjalea.exeC:\Windows\system32\Djdjalea.exe49⤵
- Executes dropped EXE
PID:3316 -
C:\Windows\SysWOW64\Dqobnf32.exeC:\Windows\system32\Dqobnf32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3364 -
C:\Windows\SysWOW64\Dcmnja32.exeC:\Windows\system32\Dcmnja32.exe51⤵
- Executes dropped EXE
PID:3412 -
C:\Windows\SysWOW64\Dijfch32.exeC:\Windows\system32\Dijfch32.exe52⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Dqaode32.exeC:\Windows\system32\Dqaode32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3516 -
C:\Windows\SysWOW64\Dcokpa32.exeC:\Windows\system32\Dcokpa32.exe54⤵
- Executes dropped EXE
PID:3580 -
C:\Windows\SysWOW64\Dfngll32.exeC:\Windows\system32\Dfngll32.exe55⤵
- Executes dropped EXE
PID:3640 -
C:\Windows\SysWOW64\Dilchhgg.exeC:\Windows\system32\Dilchhgg.exe56⤵
- Executes dropped EXE
PID:3692 -
C:\Windows\SysWOW64\Dkjpdcfj.exeC:\Windows\system32\Dkjpdcfj.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3756 -
C:\Windows\SysWOW64\Dcageqgm.exeC:\Windows\system32\Dcageqgm.exe58⤵
- Executes dropped EXE
PID:3816 -
C:\Windows\SysWOW64\Dfpcblfp.exeC:\Windows\system32\Dfpcblfp.exe59⤵
- Executes dropped EXE
- Modifies registry class
PID:3876 -
C:\Windows\SysWOW64\Dinpnged.exeC:\Windows\system32\Dinpnged.exe60⤵
- Executes dropped EXE
PID:3940 -
C:\Windows\SysWOW64\Dkmljcdh.exeC:\Windows\system32\Dkmljcdh.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4000 -
C:\Windows\SysWOW64\Dnkhfnck.exeC:\Windows\system32\Dnkhfnck.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4044 -
C:\Windows\SysWOW64\Deeqch32.exeC:\Windows\system32\Deeqch32.exe63⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2260 -
C:\Windows\SysWOW64\Dgcmod32.exeC:\Windows\system32\Dgcmod32.exe64⤵
- Executes dropped EXE
PID:2572 -
C:\Windows\SysWOW64\Epkepakn.exeC:\Windows\system32\Epkepakn.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Ebialmjb.exeC:\Windows\system32\Ebialmjb.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2512 -
C:\Windows\SysWOW64\Eegmhhie.exeC:\Windows\system32\Eegmhhie.exe67⤵
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Elaeeb32.exeC:\Windows\system32\Elaeeb32.exe68⤵PID:404
-
C:\Windows\SysWOW64\Enpban32.exeC:\Windows\system32\Enpban32.exe69⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Eannmi32.exeC:\Windows\system32\Eannmi32.exe70⤵
- System Location Discovery: System Language Discovery
PID:3092 -
C:\Windows\SysWOW64\Ecmjid32.exeC:\Windows\system32\Ecmjid32.exe71⤵PID:3256
-
C:\Windows\SysWOW64\Eldbkbop.exeC:\Windows\system32\Eldbkbop.exe72⤵PID:3324
-
C:\Windows\SysWOW64\Enbogmnc.exeC:\Windows\system32\Enbogmnc.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3304 -
C:\Windows\SysWOW64\Eelgcg32.exeC:\Windows\system32\Eelgcg32.exe74⤵PID:3380
-
C:\Windows\SysWOW64\Ehkcpc32.exeC:\Windows\system32\Ehkcpc32.exe75⤵PID:3548
-
C:\Windows\SysWOW64\Endklmlq.exeC:\Windows\system32\Endklmlq.exe76⤵PID:2104
-
C:\Windows\SysWOW64\Eacghhkd.exeC:\Windows\system32\Eacghhkd.exe77⤵PID:3660
-
C:\Windows\SysWOW64\Ecadddjh.exeC:\Windows\system32\Ecadddjh.exe78⤵PID:3776
-
C:\Windows\SysWOW64\Efppqoil.exeC:\Windows\system32\Efppqoil.exe79⤵
- System Location Discovery: System Language Discovery
PID:3796 -
C:\Windows\SysWOW64\Einlmkhp.exeC:\Windows\system32\Einlmkhp.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3920 -
C:\Windows\SysWOW64\Ephdjeol.exeC:\Windows\system32\Ephdjeol.exe81⤵PID:3852
-
C:\Windows\SysWOW64\Ebfqfpop.exeC:\Windows\system32\Ebfqfpop.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4020 -
C:\Windows\SysWOW64\Fjnignob.exeC:\Windows\system32\Fjnignob.exe83⤵
- System Location Discovery: System Language Discovery
PID:3988 -
C:\Windows\SysWOW64\Fmlecinf.exeC:\Windows\system32\Fmlecinf.exe84⤵PID:4068
-
C:\Windows\SysWOW64\Fpjaodmj.exeC:\Windows\system32\Fpjaodmj.exe85⤵
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Fbimkpmm.exeC:\Windows\system32\Fbimkpmm.exe86⤵PID:2748
-
C:\Windows\SysWOW64\Fegjgkla.exeC:\Windows\system32\Fegjgkla.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:348 -
C:\Windows\SysWOW64\Fmnahilc.exeC:\Windows\system32\Fmnahilc.exe88⤵PID:2184
-
C:\Windows\SysWOW64\Fopnpaba.exeC:\Windows\system32\Fopnpaba.exe89⤵PID:3112
-
C:\Windows\SysWOW64\Fbkjap32.exeC:\Windows\system32\Fbkjap32.exe90⤵PID:3148
-
C:\Windows\SysWOW64\Fejfmk32.exeC:\Windows\system32\Fejfmk32.exe91⤵
- Modifies registry class
PID:676 -
C:\Windows\SysWOW64\Fhhbif32.exeC:\Windows\system32\Fhhbif32.exe92⤵
- Drops file in System32 directory
PID:3228 -
C:\Windows\SysWOW64\Fpokjd32.exeC:\Windows\system32\Fpokjd32.exe93⤵PID:4112
-
C:\Windows\SysWOW64\Fbngfo32.exeC:\Windows\system32\Fbngfo32.exe94⤵PID:4172
-
C:\Windows\SysWOW64\Felcbk32.exeC:\Windows\system32\Felcbk32.exe95⤵PID:4224
-
C:\Windows\SysWOW64\Fhjoof32.exeC:\Windows\system32\Fhjoof32.exe96⤵PID:4276
-
C:\Windows\SysWOW64\Fodgkp32.exeC:\Windows\system32\Fodgkp32.exe97⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4336 -
C:\Windows\SysWOW64\Fenphjei.exeC:\Windows\system32\Fenphjei.exe98⤵PID:4396
-
C:\Windows\SysWOW64\Flhhed32.exeC:\Windows\system32\Flhhed32.exe99⤵
- Drops file in System32 directory
- Modifies registry class
PID:4464 -
C:\Windows\SysWOW64\Fogdap32.exeC:\Windows\system32\Fogdap32.exe100⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4520 -
C:\Windows\SysWOW64\Geqlnjcf.exeC:\Windows\system32\Geqlnjcf.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:4576 -
C:\Windows\SysWOW64\Gdcmig32.exeC:\Windows\system32\Gdcmig32.exe102⤵
- Modifies registry class
PID:4632 -
C:\Windows\SysWOW64\Gkmefaan.exeC:\Windows\system32\Gkmefaan.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4692 -
C:\Windows\SysWOW64\Gagmbkik.exeC:\Windows\system32\Gagmbkik.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:4756 -
C:\Windows\SysWOW64\Gdfiofhn.exeC:\Windows\system32\Gdfiofhn.exe105⤵
- Drops file in System32 directory
PID:4820 -
C:\Windows\SysWOW64\Ggdekbgb.exeC:\Windows\system32\Ggdekbgb.exe106⤵
- System Location Discovery: System Language Discovery
PID:4880 -
C:\Windows\SysWOW64\Gmnngl32.exeC:\Windows\system32\Gmnngl32.exe107⤵PID:4944
-
C:\Windows\SysWOW64\Gpmjcg32.exeC:\Windows\system32\Gpmjcg32.exe108⤵PID:4996
-
C:\Windows\SysWOW64\Ggfbpaeo.exeC:\Windows\system32\Ggfbpaeo.exe109⤵PID:5052
-
C:\Windows\SysWOW64\Gieommdc.exeC:\Windows\system32\Gieommdc.exe110⤵PID:5116
-
C:\Windows\SysWOW64\Glckihcg.exeC:\Windows\system32\Glckihcg.exe111⤵PID:3352
-
C:\Windows\SysWOW64\Gdjcjf32.exeC:\Windows\system32\Gdjcjf32.exe112⤵PID:2084
-
C:\Windows\SysWOW64\Geloanjg.exeC:\Windows\system32\Geloanjg.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:3388 -
C:\Windows\SysWOW64\Gncgbkki.exeC:\Windows\system32\Gncgbkki.exe114⤵
- Modifies registry class
PID:3624 -
C:\Windows\SysWOW64\Goddjc32.exeC:\Windows\system32\Goddjc32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3612 -
C:\Windows\SysWOW64\Ggklka32.exeC:\Windows\system32\Ggklka32.exe116⤵PID:1096
-
C:\Windows\SysWOW64\Hhmhcigh.exeC:\Windows\system32\Hhmhcigh.exe117⤵PID:3872
-
C:\Windows\SysWOW64\Hpcpdfhj.exeC:\Windows\system32\Hpcpdfhj.exe118⤵PID:3848
-
C:\Windows\SysWOW64\Hcblqb32.exeC:\Windows\system32\Hcblqb32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2072 -
C:\Windows\SysWOW64\Heqimm32.exeC:\Windows\system32\Heqimm32.exe120⤵PID:1568
-
C:\Windows\SysWOW64\Hljaigmo.exeC:\Windows\system32\Hljaigmo.exe121⤵PID:2244
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-