Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08/03/2025, 05:58
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9d04c2efb8a57ce3d87032572826ee736647e3c8d78c68b3b89615a534a17777.exe
Resource
win7-20240903-en
windows7-x64
13 signatures
150 seconds
Behavioral task
behavioral2
Sample
9d04c2efb8a57ce3d87032572826ee736647e3c8d78c68b3b89615a534a17777.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
9d04c2efb8a57ce3d87032572826ee736647e3c8d78c68b3b89615a534a17777.exe
-
Size
96KB
-
MD5
4e2b4feef752e92dd1c907e2a9337932
-
SHA1
ad0361dcba41bad03aa2b5ca53182d7f62c8025c
-
SHA256
9d04c2efb8a57ce3d87032572826ee736647e3c8d78c68b3b89615a534a17777
-
SHA512
01a73a0f9721a0e8120fcf90ca3a3347cc19df036fb4716cdac33123cd11c442394b72b5307ea6d7f2c56ec60adaa726e1f953fe6deb39f0c6a32929f0939fe8
-
SSDEEP
1536:BQmEItOHsJUnWw2C4/M24M92LG7RZObZUUWaegPYAG:XEItMSBP4MOGClUUWae9
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoqjqhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iinhdmma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldahkaij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mimpkcdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkonj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnqdhga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmhejhao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjleclph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agbbgqhh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcpimq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iiqldc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfbdci32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbdleol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mimpkcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjjnhnbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cogfqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hklhae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfieigio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oejcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjedmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dafoikjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcedad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haqnea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cogfqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dcdkef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efjmbaba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fgocmc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Homdhjai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efhqmadd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhdmph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ieofkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boifga32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ciagojda.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnmacpfj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hifbdnbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcpacf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijibng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igmbgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfigck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbgjgomc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbigmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qlfdac32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fepjea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbggif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcblan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emdeok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mflgih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qldhkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ghbljk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kambcbhb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfaalh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdcpkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehpcehcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kocpbfei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpjkeoha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igmbgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ncpdbohb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oejcpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dblhmoio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgnjqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnmel32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmimcbja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Momfan32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 4 IoCs
resource yara_rule behavioral1/files/0x000500000001a48e-459.dat family_bruteratel behavioral1/files/0x000400000001d9f0-2164.dat family_bruteratel behavioral1/files/0x000400000001d9f4-2172.dat family_bruteratel behavioral1/files/0x000400000001dc69-2646.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2752 Ecfnmh32.exe 2840 Eipgjaoi.exe 2592 Fpjofl32.exe 2616 Feggob32.exe 1260 Fibcoalf.exe 1664 Foolgh32.exe 2228 Fgfdie32.exe 2144 Fiepea32.exe 768 Flclam32.exe 2852 Fcmdnfad.exe 2936 Felajbpg.exe 544 Fleifl32.exe 2036 Fcpacf32.exe 2028 Fdqnkoep.exe 1320 Flhflleb.exe 2480 Fepjea32.exe 1544 Gdcjpncm.exe 684 Ggagmjbq.exe 2492 Gkmbmh32.exe 916 Gnkoid32.exe 1924 Gpjkeoha.exe 3032 Ggdcbi32.exe 2500 Gjbpne32.exe 1360 Gqlhkofn.exe 2452 Gdhdkn32.exe 1740 Gckdgjeb.exe 2540 Gkalhgfd.exe 348 Glchpp32.exe 1048 Gcmamj32.exe 1404 Gghmmilh.exe 1964 Gnbejb32.exe 3000 Godaakic.exe 776 Ggkibhjf.exe 2872 Ghlfjq32.exe 3004 Gmhbkohm.exe 352 Hofngkga.exe 1688 Hcajhi32.exe 2056 Hfpfdeon.exe 2216 Hmjoqo32.exe 1140 Hcdgmimg.exe 968 Hbggif32.exe 2132 Hdecea32.exe 1464 Hkolakkb.exe 1652 Hbidne32.exe 1576 Hfepod32.exe 688 Homdhjai.exe 2276 Homdhjai.exe 2800 Hieiqo32.exe 2688 Hghillnd.exe 1856 Haqnea32.exe 2272 Heliepmn.exe 2980 Ikfbbjdj.exe 2264 Ijibng32.exe 2340 Imgnjb32.exe 1976 Iacjjacb.exe 2844 Ieofkp32.exe 1540 Igmbgk32.exe 2196 Imjkpb32.exe 1936 Iaegpaao.exe 2220 Iphgln32.exe 988 Ifbphh32.exe 1916 Iiqldc32.exe 1484 Imlhebfc.exe 2372 Ipjdameg.exe -
Loads dropped DLL 64 IoCs
pid Process 2744 9d04c2efb8a57ce3d87032572826ee736647e3c8d78c68b3b89615a534a17777.exe 2744 9d04c2efb8a57ce3d87032572826ee736647e3c8d78c68b3b89615a534a17777.exe 2752 Ecfnmh32.exe 2752 Ecfnmh32.exe 2840 Eipgjaoi.exe 2840 Eipgjaoi.exe 2592 Fpjofl32.exe 2592 Fpjofl32.exe 2616 Feggob32.exe 2616 Feggob32.exe 1260 Fibcoalf.exe 1260 Fibcoalf.exe 1664 Foolgh32.exe 1664 Foolgh32.exe 2228 Fgfdie32.exe 2228 Fgfdie32.exe 2144 Fiepea32.exe 2144 Fiepea32.exe 768 Flclam32.exe 768 Flclam32.exe 2852 Fcmdnfad.exe 2852 Fcmdnfad.exe 2936 Felajbpg.exe 2936 Felajbpg.exe 544 Fleifl32.exe 544 Fleifl32.exe 2036 Fcpacf32.exe 2036 Fcpacf32.exe 2028 Fdqnkoep.exe 2028 Fdqnkoep.exe 1320 Flhflleb.exe 1320 Flhflleb.exe 2480 Fepjea32.exe 2480 Fepjea32.exe 1544 Gdcjpncm.exe 1544 Gdcjpncm.exe 684 Ggagmjbq.exe 684 Ggagmjbq.exe 2492 Gkmbmh32.exe 2492 Gkmbmh32.exe 916 Gnkoid32.exe 916 Gnkoid32.exe 1924 Gpjkeoha.exe 1924 Gpjkeoha.exe 3032 Ggdcbi32.exe 3032 Ggdcbi32.exe 2500 Gjbpne32.exe 2500 Gjbpne32.exe 1360 Gqlhkofn.exe 1360 Gqlhkofn.exe 2452 Gdhdkn32.exe 2452 Gdhdkn32.exe 1740 Gckdgjeb.exe 1740 Gckdgjeb.exe 2540 Gkalhgfd.exe 2540 Gkalhgfd.exe 348 Glchpp32.exe 348 Glchpp32.exe 1048 Gcmamj32.exe 1048 Gcmamj32.exe 1404 Gghmmilh.exe 1404 Gghmmilh.exe 1964 Gnbejb32.exe 1964 Gnbejb32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Glpepj32.exe Ghdiokbq.exe File created C:\Windows\SysWOW64\Iipejmko.exe Iaimipjl.exe File created C:\Windows\SysWOW64\Blbjlj32.dll Kbjbge32.exe File created C:\Windows\SysWOW64\Gdhdkn32.exe Gqlhkofn.exe File created C:\Windows\SysWOW64\Fogalkad.dll Ncfalqpm.exe File created C:\Windows\SysWOW64\Ojbbmnhc.exe Oiafee32.exe File opened for modification C:\Windows\SysWOW64\Paaddgkj.exe Ojglhm32.exe File created C:\Windows\SysWOW64\Ppmgfb32.exe Plbkfdba.exe File created C:\Windows\SysWOW64\Gajqbakc.exe Goldfelp.exe File created C:\Windows\SysWOW64\Glbaei32.exe Glbaei32.exe File created C:\Windows\SysWOW64\Leoebflm.dll Icifjk32.exe File created C:\Windows\SysWOW64\Iddlde32.dll Lkbmbl32.exe File created C:\Windows\SysWOW64\Gfbliabl.dll Nfigck32.exe File created C:\Windows\SysWOW64\Fliook32.exe Fmfocnjg.exe File created C:\Windows\SysWOW64\Ghbljk32.exe Gecpnp32.exe File opened for modification C:\Windows\SysWOW64\Goldfelp.exe Gpidki32.exe File created C:\Windows\SysWOW64\Kpgionie.exe Kmimcbja.exe File created C:\Windows\SysWOW64\Lmmfnb32.exe Libjncnc.exe File created C:\Windows\SysWOW64\Gahjmjal.dll Ibkmchbh.exe File created C:\Windows\SysWOW64\Iagcpm32.dll Mjqmig32.exe File created C:\Windows\SysWOW64\Oejcpf32.exe Oaogognm.exe File created C:\Windows\SysWOW64\Hbofmcij.exe Hbofmcij.exe File created C:\Windows\SysWOW64\Gpcafifg.dll Khjgel32.exe File opened for modification C:\Windows\SysWOW64\Gcmamj32.exe Glchpp32.exe File created C:\Windows\SysWOW64\Iacjjacb.exe Imgnjb32.exe File created C:\Windows\SysWOW64\Fdpcbceo.dll Mhcmedli.exe File created C:\Windows\SysWOW64\Mkfclo32.exe Mdmkoepk.exe File opened for modification C:\Windows\SysWOW64\Mflgih32.exe Mneohj32.exe File created C:\Windows\SysWOW64\Fmohco32.exe Fkqlgc32.exe File created C:\Windows\SysWOW64\Fhgifgnb.exe Fdkmeiei.exe File opened for modification C:\Windows\SysWOW64\Gqdgom32.exe Gnfkba32.exe File created C:\Windows\SysWOW64\Jkbaci32.exe Jhdegn32.exe File created C:\Windows\SysWOW64\Blfapfpg.exe Bhkeohhn.exe File created C:\Windows\SysWOW64\Qdfmchqk.dll Bnochnpm.exe File opened for modification C:\Windows\SysWOW64\Cogfqe32.exe Cmhjdiap.exe File created C:\Windows\SysWOW64\Cidddj32.exe Cehhdkjf.exe File created C:\Windows\SysWOW64\Kqacnpdp.dll Hgciff32.exe File created C:\Windows\SysWOW64\Jmdgipkk.exe Jnagmc32.exe File opened for modification C:\Windows\SysWOW64\Jfmkbebl.exe Jcnoejch.exe File created C:\Windows\SysWOW64\Ppddpd32.exe Paaddgkj.exe File created C:\Windows\SysWOW64\Pbgjgomc.exe Ppinkcnp.exe File created C:\Windows\SysWOW64\Anadojlo.exe Ajehnk32.exe File created C:\Windows\SysWOW64\Leghmkmk.dll Dekdikhc.exe File opened for modification C:\Windows\SysWOW64\Imbjcpnn.exe Ijcngenj.exe File created C:\Windows\SysWOW64\Hapbpm32.dll Jedehaea.exe File opened for modification C:\Windows\SysWOW64\Jjpdmi32.exe Jdflqo32.exe File opened for modification C:\Windows\SysWOW64\Khohkamc.exe Keqkofno.exe File created C:\Windows\SysWOW64\Ffbhcq32.dll Bkknac32.exe File created C:\Windows\SysWOW64\Ffadkgnl.dll Glnhjjml.exe File created C:\Windows\SysWOW64\Jjbpqjma.dll Glpepj32.exe File opened for modification C:\Windows\SysWOW64\Kbjbge32.exe Jplfkjbd.exe File created C:\Windows\SysWOW64\Enoopc32.dll Fiepea32.exe File opened for modification C:\Windows\SysWOW64\Fcmdnfad.exe Flclam32.exe File opened for modification C:\Windows\SysWOW64\Iiqldc32.exe Ifbphh32.exe File created C:\Windows\SysWOW64\Mqjefamk.exe Mhcmedli.exe File created C:\Windows\SysWOW64\Apjlggne.dll Nmcopebh.exe File created C:\Windows\SysWOW64\Piabdiep.exe Peefcjlg.exe File created C:\Windows\SysWOW64\Nedmma32.dll Ajehnk32.exe File created C:\Windows\SysWOW64\Najopl32.dll Hdecea32.exe File created C:\Windows\SysWOW64\Pacmhh32.dll Ldheebad.exe File opened for modification C:\Windows\SysWOW64\Mbnocipg.exe Mkdffoij.exe File created C:\Windows\SysWOW64\Mgmdapml.exe Mdogedmh.exe File created C:\Windows\SysWOW64\Eicpcm32.exe Ejaphpnp.exe File created C:\Windows\SysWOW64\Glklejoo.exe Fimoiopk.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6012 5896 WerFault.exe 579 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhdmph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojeobm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bacihmoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icncgf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbigmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agpeaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eikfdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllqplnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keqkofno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiqpigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioeclg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oejcpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gckdgjeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmjoqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccgklc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glchpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klfjpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmhjdiap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejcmmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojlbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fggmldfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkmeiei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmfocnjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggdcbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbaei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncnmane.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnkoid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfcodkcb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgifgnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igceej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnbejb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imlhebfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deondj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkqlgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbofmcij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nflchkii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkeohhn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emaijk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fijbco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcgmfgfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icifjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mflgih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgocmc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcjog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkknac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cidddj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edlafebn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hklhae32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iinhdmma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikldqile.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbchni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eafkhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdecea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Haqnea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjdameg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njgpij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdflqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglfgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpgph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibkmchbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khohkamc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djlfma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glklejoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjfnnajl.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mkdffoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iibigbjj.dll" Agpeaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfmgba32.dll" Hmpaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aljcpg32.dll" Gjbpne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aognbnkm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbjbge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcjeje32.dll" Khldkllj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eipgjaoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Makpje32.dll" Jacfidem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqnodo32.dll" Kpojkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ppddpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhkbmo32.dll" Deakjjbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eldiehbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajflifmi.dll" Fmohco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdpgph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekcqmj32.dll" Ieofkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bhcgiiek.dll" Qldhkc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dboeco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clffbc32.dll" Hkjkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekdjjm32.dll" Hoqjqhjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldgnklmi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcqlkjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecqgacgg.dll" Ifbphh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Llomfpag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jamgla32.dll" Lgpdglhn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgmdapml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkqlgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Keppajog.dll" Iclbpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikfbbjdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lifjic32.dll" Ifdlng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmffen32.dll" Njnmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfhdnn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gocbagqd.dll" Ejaphpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hfhfhbce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdnkdmec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdbepm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkalhgfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Picojhcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aihgmjad.dll" Aphjjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckbpqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejcmmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edpijbip.dll" Fijbco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iakino32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jfeflj32.dll" Ifgicg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbhmhk32.dll" Jpajbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mimpkcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obbdml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oeaqig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbgjgomc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cogfqe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fccglehn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feggob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Klfjpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogmkng32.dll" Aclpaali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dihmpinj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhohnoea.dll" Eldiehbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ghbljk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gncnmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkjkle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hcajhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mneohj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjlggne.dll" Nmcopebh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onlahm32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2744 wrote to memory of 2752 2744 9d04c2efb8a57ce3d87032572826ee736647e3c8d78c68b3b89615a534a17777.exe 31 PID 2744 wrote to memory of 2752 2744 9d04c2efb8a57ce3d87032572826ee736647e3c8d78c68b3b89615a534a17777.exe 31 PID 2744 wrote to memory of 2752 2744 9d04c2efb8a57ce3d87032572826ee736647e3c8d78c68b3b89615a534a17777.exe 31 PID 2744 wrote to memory of 2752 2744 9d04c2efb8a57ce3d87032572826ee736647e3c8d78c68b3b89615a534a17777.exe 31 PID 2752 wrote to memory of 2840 2752 Ecfnmh32.exe 32 PID 2752 wrote to memory of 2840 2752 Ecfnmh32.exe 32 PID 2752 wrote to memory of 2840 2752 Ecfnmh32.exe 32 PID 2752 wrote to memory of 2840 2752 Ecfnmh32.exe 32 PID 2840 wrote to memory of 2592 2840 Eipgjaoi.exe 33 PID 2840 wrote to memory of 2592 2840 Eipgjaoi.exe 33 PID 2840 wrote to memory of 2592 2840 Eipgjaoi.exe 33 PID 2840 wrote to memory of 2592 2840 Eipgjaoi.exe 33 PID 2592 wrote to memory of 2616 2592 Fpjofl32.exe 34 PID 2592 wrote to memory of 2616 2592 Fpjofl32.exe 34 PID 2592 wrote to memory of 2616 2592 Fpjofl32.exe 34 PID 2592 wrote to memory of 2616 2592 Fpjofl32.exe 34 PID 2616 wrote to memory of 1260 2616 Feggob32.exe 35 PID 2616 wrote to memory of 1260 2616 Feggob32.exe 35 PID 2616 wrote to memory of 1260 2616 Feggob32.exe 35 PID 2616 wrote to memory of 1260 2616 Feggob32.exe 35 PID 1260 wrote to memory of 1664 1260 Fibcoalf.exe 36 PID 1260 wrote to memory of 1664 1260 Fibcoalf.exe 36 PID 1260 wrote to memory of 1664 1260 Fibcoalf.exe 36 PID 1260 wrote to memory of 1664 1260 Fibcoalf.exe 36 PID 1664 wrote to memory of 2228 1664 Foolgh32.exe 37 PID 1664 wrote to memory of 2228 1664 Foolgh32.exe 37 PID 1664 wrote to memory of 2228 1664 Foolgh32.exe 37 PID 1664 wrote to memory of 2228 1664 Foolgh32.exe 37 PID 2228 wrote to memory of 2144 2228 Fgfdie32.exe 38 PID 2228 wrote to memory of 2144 2228 Fgfdie32.exe 38 PID 2228 wrote to memory of 2144 2228 Fgfdie32.exe 38 PID 2228 wrote to memory of 2144 2228 Fgfdie32.exe 38 PID 2144 wrote to memory of 768 2144 Fiepea32.exe 39 PID 2144 wrote to memory of 768 2144 Fiepea32.exe 39 PID 2144 wrote to memory of 768 2144 Fiepea32.exe 39 PID 2144 wrote to memory of 768 2144 Fiepea32.exe 39 PID 768 wrote to memory of 2852 768 Flclam32.exe 40 PID 768 wrote to memory of 2852 768 Flclam32.exe 40 PID 768 wrote to memory of 2852 768 Flclam32.exe 40 PID 768 wrote to memory of 2852 768 Flclam32.exe 40 PID 2852 wrote to memory of 2936 2852 Fcmdnfad.exe 41 PID 2852 wrote to memory of 2936 2852 Fcmdnfad.exe 41 PID 2852 wrote to memory of 2936 2852 Fcmdnfad.exe 41 PID 2852 wrote to memory of 2936 2852 Fcmdnfad.exe 41 PID 2936 wrote to memory of 544 2936 Felajbpg.exe 42 PID 2936 wrote to memory of 544 2936 Felajbpg.exe 42 PID 2936 wrote to memory of 544 2936 Felajbpg.exe 42 PID 2936 wrote to memory of 544 2936 Felajbpg.exe 42 PID 544 wrote to memory of 2036 544 Fleifl32.exe 43 PID 544 wrote to memory of 2036 544 Fleifl32.exe 43 PID 544 wrote to memory of 2036 544 Fleifl32.exe 43 PID 544 wrote to memory of 2036 544 Fleifl32.exe 43 PID 2036 wrote to memory of 2028 2036 Fcpacf32.exe 44 PID 2036 wrote to memory of 2028 2036 Fcpacf32.exe 44 PID 2036 wrote to memory of 2028 2036 Fcpacf32.exe 44 PID 2036 wrote to memory of 2028 2036 Fcpacf32.exe 44 PID 2028 wrote to memory of 1320 2028 Fdqnkoep.exe 45 PID 2028 wrote to memory of 1320 2028 Fdqnkoep.exe 45 PID 2028 wrote to memory of 1320 2028 Fdqnkoep.exe 45 PID 2028 wrote to memory of 1320 2028 Fdqnkoep.exe 45 PID 1320 wrote to memory of 2480 1320 Flhflleb.exe 46 PID 1320 wrote to memory of 2480 1320 Flhflleb.exe 46 PID 1320 wrote to memory of 2480 1320 Flhflleb.exe 46 PID 1320 wrote to memory of 2480 1320 Flhflleb.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\9d04c2efb8a57ce3d87032572826ee736647e3c8d78c68b3b89615a534a17777.exe"C:\Users\Admin\AppData\Local\Temp\9d04c2efb8a57ce3d87032572826ee736647e3c8d78c68b3b89615a534a17777.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Ecfnmh32.exeC:\Windows\system32\Ecfnmh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2752 -
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2840 -
C:\Windows\SysWOW64\Fpjofl32.exeC:\Windows\system32\Fpjofl32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Foolgh32.exeC:\Windows\system32\Foolgh32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1664 -
C:\Windows\SysWOW64\Fgfdie32.exeC:\Windows\system32\Fgfdie32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2228 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Windows\SysWOW64\Flclam32.exeC:\Windows\system32\Flclam32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Windows\SysWOW64\Fcmdnfad.exeC:\Windows\system32\Fcmdnfad.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Felajbpg.exeC:\Windows\system32\Felajbpg.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Fleifl32.exeC:\Windows\system32\Fleifl32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:544 -
C:\Windows\SysWOW64\Fcpacf32.exeC:\Windows\system32\Fcpacf32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2036 -
C:\Windows\SysWOW64\Fdqnkoep.exeC:\Windows\system32\Fdqnkoep.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Flhflleb.exeC:\Windows\system32\Flhflleb.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\Fepjea32.exeC:\Windows\system32\Fepjea32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2480 -
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1544 -
C:\Windows\SysWOW64\Ggagmjbq.exeC:\Windows\system32\Ggagmjbq.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:684 -
C:\Windows\SysWOW64\Gkmbmh32.exeC:\Windows\system32\Gkmbmh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2492 -
C:\Windows\SysWOW64\Gnkoid32.exeC:\Windows\system32\Gnkoid32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:916 -
C:\Windows\SysWOW64\Gpjkeoha.exeC:\Windows\system32\Gpjkeoha.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1924 -
C:\Windows\SysWOW64\Ggdcbi32.exeC:\Windows\system32\Ggdcbi32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2500 -
C:\Windows\SysWOW64\Gqlhkofn.exeC:\Windows\system32\Gqlhkofn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Gdhdkn32.exeC:\Windows\system32\Gdhdkn32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Gckdgjeb.exeC:\Windows\system32\Gckdgjeb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1740 -
C:\Windows\SysWOW64\Gkalhgfd.exeC:\Windows\system32\Gkalhgfd.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Glchpp32.exeC:\Windows\system32\Glchpp32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:348 -
C:\Windows\SysWOW64\Gcmamj32.exeC:\Windows\system32\Gcmamj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1404 -
C:\Windows\SysWOW64\Gnbejb32.exeC:\Windows\system32\Gnbejb32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Godaakic.exeC:\Windows\system32\Godaakic.exe33⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Ggkibhjf.exeC:\Windows\system32\Ggkibhjf.exe34⤵
- Executes dropped EXE
PID:776 -
C:\Windows\SysWOW64\Ghlfjq32.exeC:\Windows\system32\Ghlfjq32.exe35⤵
- Executes dropped EXE
PID:2872 -
C:\Windows\SysWOW64\Gmhbkohm.exeC:\Windows\system32\Gmhbkohm.exe36⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Hofngkga.exeC:\Windows\system32\Hofngkga.exe37⤵
- Executes dropped EXE
PID:352 -
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Hfpfdeon.exeC:\Windows\system32\Hfpfdeon.exe39⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Hmjoqo32.exeC:\Windows\system32\Hmjoqo32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe41⤵
- Executes dropped EXE
PID:1140 -
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2132 -
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe44⤵
- Executes dropped EXE
PID:1464 -
C:\Windows\SysWOW64\Hbidne32.exeC:\Windows\system32\Hbidne32.exe45⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe46⤵
- Executes dropped EXE
PID:1576 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe47⤵
- Executes dropped EXE
PID:688 -
C:\Windows\SysWOW64\Homdhjai.exeC:\Windows\system32\Homdhjai.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Hieiqo32.exeC:\Windows\system32\Hieiqo32.exe49⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Hghillnd.exeC:\Windows\system32\Hghillnd.exe50⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1856 -
C:\Windows\SysWOW64\Heliepmn.exeC:\Windows\system32\Heliepmn.exe52⤵
- Executes dropped EXE
PID:2272 -
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe53⤵
- Executes dropped EXE
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe56⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Ieofkp32.exeC:\Windows\system32\Ieofkp32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2844 -
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1540 -
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe59⤵
- Executes dropped EXE
PID:2196 -
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe60⤵
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Iphgln32.exeC:\Windows\system32\Iphgln32.exe61⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Ifbphh32.exeC:\Windows\system32\Ifbphh32.exe62⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:988 -
C:\Windows\SysWOW64\Iiqldc32.exeC:\Windows\system32\Iiqldc32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1916 -
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1484 -
C:\Windows\SysWOW64\Ipjdameg.exeC:\Windows\system32\Ipjdameg.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe66⤵
- Modifies registry class
PID:1052 -
C:\Windows\SysWOW64\Ijphofem.exeC:\Windows\system32\Ijphofem.exe67⤵PID:1772
-
C:\Windows\SysWOW64\Imodkadq.exeC:\Windows\system32\Imodkadq.exe68⤵PID:2772
-
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe69⤵PID:2532
-
C:\Windows\SysWOW64\Ibkmchbh.exeC:\Windows\system32\Ibkmchbh.exe70⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2920 -
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe71⤵
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Iieepbje.exeC:\Windows\system32\Iieepbje.exe72⤵PID:528
-
C:\Windows\SysWOW64\Ilcalnii.exeC:\Windows\system32\Ilcalnii.exe73⤵PID:2896
-
C:\Windows\SysWOW64\Jbnjhh32.exeC:\Windows\system32\Jbnjhh32.exe74⤵PID:2612
-
C:\Windows\SysWOW64\Jfieigio.exeC:\Windows\system32\Jfieigio.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:996 -
C:\Windows\SysWOW64\Jelfdc32.exeC:\Windows\system32\Jelfdc32.exe76⤵PID:2112
-
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe77⤵PID:1188
-
C:\Windows\SysWOW64\Jpajbl32.exeC:\Windows\system32\Jpajbl32.exe78⤵
- Modifies registry class
PID:1640 -
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe79⤵PID:756
-
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe80⤵
- Modifies registry class
PID:1648 -
C:\Windows\SysWOW64\Jenbjc32.exeC:\Windows\system32\Jenbjc32.exe81⤵PID:2244
-
C:\Windows\SysWOW64\Jhmofo32.exeC:\Windows\system32\Jhmofo32.exe82⤵PID:1580
-
C:\Windows\SysWOW64\Jlhkgm32.exeC:\Windows\system32\Jlhkgm32.exe83⤵PID:2128
-
C:\Windows\SysWOW64\Joggci32.exeC:\Windows\system32\Joggci32.exe84⤵PID:2712
-
C:\Windows\SysWOW64\Jaecod32.exeC:\Windows\system32\Jaecod32.exe85⤵PID:2588
-
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe86⤵PID:2908
-
C:\Windows\SysWOW64\Jdcpkp32.exeC:\Windows\system32\Jdcpkp32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2912 -
C:\Windows\SysWOW64\Jlkglm32.exeC:\Windows\system32\Jlkglm32.exe88⤵PID:2876
-
C:\Windows\SysWOW64\Jjnhhjjk.exeC:\Windows\system32\Jjnhhjjk.exe89⤵PID:2160
-
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe90⤵PID:1704
-
C:\Windows\SysWOW64\Jdflqo32.exeC:\Windows\system32\Jdflqo32.exe91⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2300 -
C:\Windows\SysWOW64\Jjpdmi32.exeC:\Windows\system32\Jjpdmi32.exe92⤵PID:1192
-
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe93⤵PID:1600
-
C:\Windows\SysWOW64\Jajmjcoe.exeC:\Windows\system32\Jajmjcoe.exe94⤵PID:1572
-
C:\Windows\SysWOW64\Jdhifooi.exeC:\Windows\system32\Jdhifooi.exe95⤵PID:3024
-
C:\Windows\SysWOW64\Jhdegn32.exeC:\Windows\system32\Jhdegn32.exe96⤵
- Drops file in System32 directory
PID:560 -
C:\Windows\SysWOW64\Jkbaci32.exeC:\Windows\system32\Jkbaci32.exe97⤵PID:2064
-
C:\Windows\SysWOW64\Jieaofmp.exeC:\Windows\system32\Jieaofmp.exe98⤵PID:2140
-
C:\Windows\SysWOW64\Kpojkp32.exeC:\Windows\system32\Kpojkp32.exe99⤵
- Modifies registry class
PID:2720 -
C:\Windows\SysWOW64\Kbmfgk32.exeC:\Windows\system32\Kbmfgk32.exe100⤵PID:1784
-
C:\Windows\SysWOW64\Kigndekn.exeC:\Windows\system32\Kigndekn.exe101⤵PID:2420
-
C:\Windows\SysWOW64\Klfjpa32.exeC:\Windows\system32\Klfjpa32.exe102⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Kpafapbk.exeC:\Windows\system32\Kpafapbk.exe103⤵PID:1932
-
C:\Windows\SysWOW64\Kbpbmkan.exeC:\Windows\system32\Kbpbmkan.exe104⤵PID:3060
-
C:\Windows\SysWOW64\Kgkonj32.exeC:\Windows\system32\Kgkonj32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Kijkje32.exeC:\Windows\system32\Kijkje32.exe106⤵PID:2608
-
C:\Windows\SysWOW64\Kpdcfoph.exeC:\Windows\system32\Kpdcfoph.exe107⤵PID:1124
-
C:\Windows\SysWOW64\Kofcbl32.exeC:\Windows\system32\Kofcbl32.exe108⤵PID:2968
-
C:\Windows\SysWOW64\Keqkofno.exeC:\Windows\system32\Keqkofno.exe109⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1444 -
C:\Windows\SysWOW64\Khohkamc.exeC:\Windows\system32\Khohkamc.exe110⤵
- System Location Discovery: System Language Discovery
PID:1584 -
C:\Windows\SysWOW64\Kpfplo32.exeC:\Windows\system32\Kpfplo32.exe111⤵PID:2784
-
C:\Windows\SysWOW64\Kcdlhj32.exeC:\Windows\system32\Kcdlhj32.exe112⤵PID:2516
-
C:\Windows\SysWOW64\Kindeddf.exeC:\Windows\system32\Kindeddf.exe113⤵PID:2284
-
C:\Windows\SysWOW64\Khadpa32.exeC:\Windows\system32\Khadpa32.exe114⤵PID:1980
-
C:\Windows\SysWOW64\Klmqapci.exeC:\Windows\system32\Klmqapci.exe115⤵PID:2716
-
C:\Windows\SysWOW64\Kcginj32.exeC:\Windows\system32\Kcginj32.exe116⤵PID:2084
-
C:\Windows\SysWOW64\Kajiigba.exeC:\Windows\system32\Kajiigba.exe117⤵PID:648
-
C:\Windows\SysWOW64\Ldheebad.exeC:\Windows\system32\Ldheebad.exe118⤵
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Llomfpag.exeC:\Windows\system32\Llomfpag.exe119⤵
- Modifies registry class
PID:2232 -
C:\Windows\SysWOW64\Lkbmbl32.exeC:\Windows\system32\Lkbmbl32.exe120⤵
- Drops file in System32 directory
PID:1880 -
C:\Windows\SysWOW64\Lonibk32.exeC:\Windows\system32\Lonibk32.exe121⤵PID:1112
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-