Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
18s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
16/09/2024, 15:59
Static task
static1
Behavioral task
behavioral1
Sample
0x000400000001dddd-2731.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
0x000400000001dddd-2731.exe
Resource
win10-20240404-en
Behavioral task
behavioral3
Sample
0x000400000001dddd-2731.exe
Resource
win10v2004-20240910-en
Behavioral task
behavioral4
Sample
0x000400000001dddd-2731.exe
Resource
win11-20240802-en
General
-
Target
0x000400000001dddd-2731.exe
-
Size
49KB
-
MD5
fdbf14b69835909d933c4715c4323c3e
-
SHA1
108b40e3762057adf136a91dbcd9e90a891d4343
-
SHA256
35da42ec71bb429fc96357968eea8fa6cc8b13e94aa0f60aeba5ed60dd7219c9
-
SHA512
e812e6c98365264c1d2210ecc3bf2b7ce8782c56e59c504d846e584878de5c3d94008083358364653f192e0092f6bc15546de0bf3d89d2fd998d5f05a0a2c0fb
-
SSDEEP
768:ERuN3wdUZSF7khG4xkn1I69Mfl8OMGQMzvoNA8zU0mKI0SVfSqB/1H5v2Xdnh7:ERuN3wYHIROMGQ5wrV6A6l
Malware Config
Extracted
berbew
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljpqlqmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dihmae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jaamhb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kekkkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mfoqephq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibejfffo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npfhjifm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eecgafkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gnenfjdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmdocf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akpkok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmkbfmpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmabmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fepnhjdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fldbnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkajkoml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nicfnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poddphee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emfbgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bcopkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkmfpabp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaieai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndpmbjbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kppmpmal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mbhlgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohppjpkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdjddf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjolpkhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbdokceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eioaillo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kknklg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdmfdgbj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgdmeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flbehbqm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kadhen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjmgbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hchpjddc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pedmbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjhofj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnekcm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfdngl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pddinn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpphipbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmkbfmpf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdeehe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klbdiokf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aoakfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hibebeqb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kldchgag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gnoocq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iekpdn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lednal32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fofekp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjkbfpah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lckbkfbb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phgfko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhggdcgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefpfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghkbccdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nplkhh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Denknngk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egdjfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcajjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Biakbc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2288 Aioodg32.exe 2920 Ankhmncb.exe 2884 Aalaoipc.exe 3056 Agfikc32.exe 2728 Bjgbmoda.exe 2424 Bnekcm32.exe 2648 Bcackdio.exe 2336 Bfblmofp.exe 1492 Behinlkh.exe 3012 Cpmmkdkn.exe 3028 Ciebdj32.exe 1400 Cbnfmo32.exe 2452 Ceoooj32.exe 2396 Cmlqimph.exe 1856 Dkpabqoa.exe 540 Dmajdl32.exe 2148 Dgiomabc.exe 1540 Denknngk.exe 672 Dpdpkfga.exe 1180 Dlkqpg32.exe 2256 Eioaillo.exe 1724 Ekpmad32.exe 1004 Elpjkgip.exe 880 Eehndm32.exe 1340 Encchoml.exe 960 Fjlqcppm.exe 2916 Fgpalcog.exe 2952 Fqheei32.exe 2836 Fhcjilcb.exe 2664 Fbloba32.exe 2588 Fdmgdl32.exe 1656 Gfldno32.exe 2632 Gbcecpck.exe 316 Gkkilfjk.exe 2316 Gcgnphgf.exe 2508 Gqknjlfp.exe 2772 Gnoocq32.exe 2116 Gfjcgc32.exe 2612 Hcndag32.exe 1808 Hcpqfgol.exe 624 Hnjagdlj.exe 1764 Ilblkh32.exe 2340 Iekpdn32.exe 928 Ijghmd32.exe 740 Ipdaek32.exe 1496 Ifniaeqk.exe 684 Iimenapo.exe 2236 Iadnon32.exe 2764 Ibejfffo.exe 2796 Iklbhdga.exe 1688 Ipijpkei.exe 660 Jpndkj32.exe 3032 Jaopcbga.exe 1636 Jhihpl32.exe 2132 Jocalffk.exe 1792 Jaamhb32.exe 904 Jnhnmckc.exe 2516 Jdbfjm32.exe 768 Jnjjcbiq.exe 1324 Jhpopk32.exe 604 Kknklg32.exe 1100 Knmghb32.exe 1736 Kdgoelnk.exe 2936 Kjchmclb.exe -
Loads dropped DLL 64 IoCs
pid Process 2984 0x000400000001dddd-2731.exe 2984 0x000400000001dddd-2731.exe 2288 Aioodg32.exe 2288 Aioodg32.exe 2920 Ankhmncb.exe 2920 Ankhmncb.exe 2884 Aalaoipc.exe 2884 Aalaoipc.exe 3056 Agfikc32.exe 3056 Agfikc32.exe 2728 Bjgbmoda.exe 2728 Bjgbmoda.exe 2424 Bnekcm32.exe 2424 Bnekcm32.exe 2648 Bcackdio.exe 2648 Bcackdio.exe 2336 Bfblmofp.exe 2336 Bfblmofp.exe 1492 Behinlkh.exe 1492 Behinlkh.exe 3012 Cpmmkdkn.exe 3012 Cpmmkdkn.exe 3028 Ciebdj32.exe 3028 Ciebdj32.exe 1400 Cbnfmo32.exe 1400 Cbnfmo32.exe 2452 Ceoooj32.exe 2452 Ceoooj32.exe 2396 Cmlqimph.exe 2396 Cmlqimph.exe 1856 Dkpabqoa.exe 1856 Dkpabqoa.exe 540 Dmajdl32.exe 540 Dmajdl32.exe 2148 Dgiomabc.exe 2148 Dgiomabc.exe 1540 Denknngk.exe 1540 Denknngk.exe 672 Dpdpkfga.exe 672 Dpdpkfga.exe 1180 Dlkqpg32.exe 1180 Dlkqpg32.exe 2256 Eioaillo.exe 2256 Eioaillo.exe 1724 Ekpmad32.exe 1724 Ekpmad32.exe 1004 Elpjkgip.exe 1004 Elpjkgip.exe 880 Eehndm32.exe 880 Eehndm32.exe 1612 Epdljjjm.exe 1612 Epdljjjm.exe 960 Fjlqcppm.exe 960 Fjlqcppm.exe 2916 Fgpalcog.exe 2916 Fgpalcog.exe 2952 Fqheei32.exe 2952 Fqheei32.exe 2836 Fhcjilcb.exe 2836 Fhcjilcb.exe 2664 Fbloba32.exe 2664 Fbloba32.exe 2588 Fdmgdl32.exe 2588 Fdmgdl32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Mbqaie32.dll Dlkqpg32.exe File created C:\Windows\SysWOW64\Dcihdo32.exe Dgbgon32.exe File opened for modification C:\Windows\SysWOW64\Ggbljogc.exe Gafcahil.exe File created C:\Windows\SysWOW64\Ncnbqeoe.dll Kpeonkig.exe File created C:\Windows\SysWOW64\Abjcleqm.exe Akpkok32.exe File opened for modification C:\Windows\SysWOW64\Ijghmd32.exe Iekpdn32.exe File created C:\Windows\SysWOW64\Mcabpb32.dll Kgjelg32.exe File created C:\Windows\SysWOW64\Nhbqqlfe.exe Nmmlccfp.exe File created C:\Windows\SysWOW64\Bmegodpi.exe Bfkobj32.exe File created C:\Windows\SysWOW64\Cjkamk32.exe Ccaipaho.exe File created C:\Windows\SysWOW64\Eocieq32.exe Epnldd32.exe File opened for modification C:\Windows\SysWOW64\Ekppjmia.exe Eecgafkj.exe File created C:\Windows\SysWOW64\Gmpoce32.dll Kekkkm32.exe File created C:\Windows\SysWOW64\Ankhmncb.exe Aioodg32.exe File created C:\Windows\SysWOW64\Bccjlodh.dll Nidmhd32.exe File created C:\Windows\SysWOW64\Hqpahkmj.exe Gghloe32.exe File opened for modification C:\Windows\SysWOW64\Mflgkd32.exe Mpaoojjb.exe File opened for modification C:\Windows\SysWOW64\Nlmiojla.exe Nbddfe32.exe File opened for modification C:\Windows\SysWOW64\Fcegdnna.exe Fmholgpj.exe File opened for modification C:\Windows\SysWOW64\Ciebdj32.exe Cpmmkdkn.exe File created C:\Windows\SysWOW64\Oddmokoo.exe Ojlife32.exe File created C:\Windows\SysWOW64\Hbndfacf.dll Jplinckj.exe File opened for modification C:\Windows\SysWOW64\Boqgep32.exe Bmbkid32.exe File opened for modification C:\Windows\SysWOW64\Jljgni32.exe Jgmofbpk.exe File created C:\Windows\SysWOW64\Alfjlh32.dll Fpkdca32.exe File created C:\Windows\SysWOW64\Fpmggm32.dll Jhikhefb.exe File opened for modification C:\Windows\SysWOW64\Ehgmiq32.exe Emailhfb.exe File created C:\Windows\SysWOW64\Oljagk32.dll Jdplmflg.exe File created C:\Windows\SysWOW64\Pmfcgnll.dll Eioaillo.exe File opened for modification C:\Windows\SysWOW64\Hcndag32.exe Gfjcgc32.exe File opened for modification C:\Windows\SysWOW64\Fkmfpabp.exe Fepnhjdh.exe File opened for modification C:\Windows\SysWOW64\Gbigao32.exe Gkoodd32.exe File created C:\Windows\SysWOW64\Hiehbl32.exe Hchpjddc.exe File created C:\Windows\SysWOW64\Pddinn32.exe Pkkeeikj.exe File opened for modification C:\Windows\SysWOW64\Mfoqephq.exe Llgllj32.exe File opened for modification C:\Windows\SysWOW64\Jaopcbga.exe Jpndkj32.exe File created C:\Windows\SysWOW64\Nebjnc32.dll Jaamhb32.exe File opened for modification C:\Windows\SysWOW64\Bbfibj32.exe Bebiifka.exe File created C:\Windows\SysWOW64\Ondnfndp.dll Lflklaoc.exe File created C:\Windows\SysWOW64\Ebmjoebl.dll Nbddfe32.exe File opened for modification C:\Windows\SysWOW64\Phklcn32.exe Pbnckg32.exe File opened for modification C:\Windows\SysWOW64\Fgpalcog.exe Fjlqcppm.exe File opened for modification C:\Windows\SysWOW64\Ilblkh32.exe Hnjagdlj.exe File created C:\Windows\SysWOW64\Poinkg32.exe Pddinn32.exe File created C:\Windows\SysWOW64\Ijfieo32.dll Knmghb32.exe File created C:\Windows\SysWOW64\Jflobh32.dll Phgfko32.exe File created C:\Windows\SysWOW64\Gblkpcdh.dll Lggdfk32.exe File created C:\Windows\SysWOW64\Lncjhd32.exe Ldkeoo32.exe File opened for modification C:\Windows\SysWOW64\Obfdgiji.exe Okolfkjg.exe File opened for modification C:\Windows\SysWOW64\Npngng32.exe Njaoeq32.exe File opened for modification C:\Windows\SysWOW64\Fqheei32.exe Fgpalcog.exe File created C:\Windows\SysWOW64\Eckqbibe.dll Bebiifka.exe File created C:\Windows\SysWOW64\Lekfhb32.dll Bcackdio.exe File opened for modification C:\Windows\SysWOW64\Mchjjc32.exe Mfdjpo32.exe File created C:\Windows\SysWOW64\Boqgep32.exe Bmbkid32.exe File created C:\Windows\SysWOW64\Gimmcm32.dll Fgjmfa32.exe File created C:\Windows\SysWOW64\Himkgf32.exe Hoegoqng.exe File opened for modification C:\Windows\SysWOW64\Mmpobi32.exe Mffgfo32.exe File opened for modification C:\Windows\SysWOW64\Mlejkl32.exe Mekanbol.exe File created C:\Windows\SysWOW64\Jdmfdgbj.exe Jigagocd.exe File created C:\Windows\SysWOW64\Mpdhjg32.dll Lkkckdhm.exe File opened for modification C:\Windows\SysWOW64\Mfijfdca.exe Mdhnnl32.exe File opened for modification C:\Windows\SysWOW64\Kdeehe32.exe Jdplmflg.exe File created C:\Windows\SysWOW64\Laknfmgd.exe Lkafib32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5084 4260 WerFault.exe 431 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpgedepn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpkdca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faonqiod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glpdbfek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lggdfk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mchjjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpmmkdkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcgnphgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jljgni32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pikohg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qchmll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dogbolep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnambeed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hchpjddc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icnbic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfblmofp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipijpkei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghkbccdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kekkkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfldno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfkobj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngcbpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niaihojk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohnemidj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmmlccfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlmddi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgpalcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfcadq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qicoleno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npdkdjhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfoqephq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nifjnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbddfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiqegb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdeehe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkoodd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oicbma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elpjkgip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkkilfjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohppjpkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceoooj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhpopk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkkckdhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkhcdhmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ceoagcld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goekpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acjfpokk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bokcom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opcaiggo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 0x000400000001dddd-2731.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fofekp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibebeqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egdjfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnoaliln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laknfmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfcdfiob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okolfkjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhhblgim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klimcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnoocq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhpigk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njjieace.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbloba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmghb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpdpkfga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbooen32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndpmbjbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eehndm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqfmdp32.dll" Gfgpgmql.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icnnfilc.dll" Eecgafkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnomkloi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 0x000400000001dddd-2731.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaamhb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgehpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmabmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjkamk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhqfie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qicoleno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klpjgbfb.dll" Dihmae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Emceag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpbiempj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgocca32.dll" Mekanbol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eplood32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ibmmkaik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Idepdhia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiphmf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqknjlfp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibejfffo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fehldloe.dll" Aqljdclg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbopcm32.dll" Epnldd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lafaaq32.dll" Lkhcdhmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjpknjgd.dll" Elpjkgip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjfoqe32.dll" Fofekp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhbekoih.dll" Ldchdjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ccdnipal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mogggdjk.dll" Iadnon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hldndp32.dll" Jigagocd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Acplpjpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gafcahil.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbodpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhihpl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdpcep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kngcbpjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfjcgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Midqiaih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdpcep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bfkobj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hgaoec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olioeoeo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmbkid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fmholgpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgjcdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adoqmqgb.dll" Iklbhdga.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgjelg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnambeed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajolkncp.dll" Dhggdcgh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dabicikf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibmmkaik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdilkpbo.dll" Kkajkoml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjgbmoda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgiomabc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qkcbpn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bjdnmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eocieq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhcjilcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilblkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Plodbd32.dll" Dflnkjhe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gnoaliln.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1880 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1880 taskmgr.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe 1880 taskmgr.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2984 wrote to memory of 2288 2984 0x000400000001dddd-2731.exe 30 PID 2984 wrote to memory of 2288 2984 0x000400000001dddd-2731.exe 30 PID 2984 wrote to memory of 2288 2984 0x000400000001dddd-2731.exe 30 PID 2984 wrote to memory of 2288 2984 0x000400000001dddd-2731.exe 30 PID 2288 wrote to memory of 2920 2288 Aioodg32.exe 31 PID 2288 wrote to memory of 2920 2288 Aioodg32.exe 31 PID 2288 wrote to memory of 2920 2288 Aioodg32.exe 31 PID 2288 wrote to memory of 2920 2288 Aioodg32.exe 31 PID 2920 wrote to memory of 2884 2920 Ankhmncb.exe 32 PID 2920 wrote to memory of 2884 2920 Ankhmncb.exe 32 PID 2920 wrote to memory of 2884 2920 Ankhmncb.exe 32 PID 2920 wrote to memory of 2884 2920 Ankhmncb.exe 32 PID 2884 wrote to memory of 3056 2884 Aalaoipc.exe 33 PID 2884 wrote to memory of 3056 2884 Aalaoipc.exe 33 PID 2884 wrote to memory of 3056 2884 Aalaoipc.exe 33 PID 2884 wrote to memory of 3056 2884 Aalaoipc.exe 33 PID 3056 wrote to memory of 2728 3056 Agfikc32.exe 34 PID 3056 wrote to memory of 2728 3056 Agfikc32.exe 34 PID 3056 wrote to memory of 2728 3056 Agfikc32.exe 34 PID 3056 wrote to memory of 2728 3056 Agfikc32.exe 34 PID 2728 wrote to memory of 2424 2728 Bjgbmoda.exe 35 PID 2728 wrote to memory of 2424 2728 Bjgbmoda.exe 35 PID 2728 wrote to memory of 2424 2728 Bjgbmoda.exe 35 PID 2728 wrote to memory of 2424 2728 Bjgbmoda.exe 35 PID 2424 wrote to memory of 2648 2424 Bnekcm32.exe 36 PID 2424 wrote to memory of 2648 2424 Bnekcm32.exe 36 PID 2424 wrote to memory of 2648 2424 Bnekcm32.exe 36 PID 2424 wrote to memory of 2648 2424 Bnekcm32.exe 36 PID 2648 wrote to memory of 2336 2648 Bcackdio.exe 37 PID 2648 wrote to memory of 2336 2648 Bcackdio.exe 37 PID 2648 wrote to memory of 2336 2648 Bcackdio.exe 37 PID 2648 wrote to memory of 2336 2648 Bcackdio.exe 37 PID 2336 wrote to memory of 1492 2336 Bfblmofp.exe 38 PID 2336 wrote to memory of 1492 2336 Bfblmofp.exe 38 PID 2336 wrote to memory of 1492 2336 Bfblmofp.exe 38 PID 2336 wrote to memory of 1492 2336 Bfblmofp.exe 38 PID 1492 wrote to memory of 3012 1492 Behinlkh.exe 39 PID 1492 wrote to memory of 3012 1492 Behinlkh.exe 39 PID 1492 wrote to memory of 3012 1492 Behinlkh.exe 39 PID 1492 wrote to memory of 3012 1492 Behinlkh.exe 39 PID 3012 wrote to memory of 3028 3012 Cpmmkdkn.exe 40 PID 3012 wrote to memory of 3028 3012 Cpmmkdkn.exe 40 PID 3012 wrote to memory of 3028 3012 Cpmmkdkn.exe 40 PID 3012 wrote to memory of 3028 3012 Cpmmkdkn.exe 40 PID 3028 wrote to memory of 1400 3028 Ciebdj32.exe 41 PID 3028 wrote to memory of 1400 3028 Ciebdj32.exe 41 PID 3028 wrote to memory of 1400 3028 Ciebdj32.exe 41 PID 3028 wrote to memory of 1400 3028 Ciebdj32.exe 41 PID 1400 wrote to memory of 2452 1400 Cbnfmo32.exe 42 PID 1400 wrote to memory of 2452 1400 Cbnfmo32.exe 42 PID 1400 wrote to memory of 2452 1400 Cbnfmo32.exe 42 PID 1400 wrote to memory of 2452 1400 Cbnfmo32.exe 42 PID 2452 wrote to memory of 2396 2452 Ceoooj32.exe 43 PID 2452 wrote to memory of 2396 2452 Ceoooj32.exe 43 PID 2452 wrote to memory of 2396 2452 Ceoooj32.exe 43 PID 2452 wrote to memory of 2396 2452 Ceoooj32.exe 43 PID 2396 wrote to memory of 1856 2396 Cmlqimph.exe 44 PID 2396 wrote to memory of 1856 2396 Cmlqimph.exe 44 PID 2396 wrote to memory of 1856 2396 Cmlqimph.exe 44 PID 2396 wrote to memory of 1856 2396 Cmlqimph.exe 44 PID 1856 wrote to memory of 540 1856 Dkpabqoa.exe 45 PID 1856 wrote to memory of 540 1856 Dkpabqoa.exe 45 PID 1856 wrote to memory of 540 1856 Dkpabqoa.exe 45 PID 1856 wrote to memory of 540 1856 Dkpabqoa.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\0x000400000001dddd-2731.exe"C:\Users\Admin\AppData\Local\Temp\0x000400000001dddd-2731.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Aioodg32.exeC:\Windows\system32\Aioodg32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Ankhmncb.exeC:\Windows\system32\Ankhmncb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Aalaoipc.exeC:\Windows\system32\Aalaoipc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Agfikc32.exeC:\Windows\system32\Agfikc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Bjgbmoda.exeC:\Windows\system32\Bjgbmoda.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Bnekcm32.exeC:\Windows\system32\Bnekcm32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2424 -
C:\Windows\SysWOW64\Bcackdio.exeC:\Windows\system32\Bcackdio.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2648 -
C:\Windows\SysWOW64\Bfblmofp.exeC:\Windows\system32\Bfblmofp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Behinlkh.exeC:\Windows\system32\Behinlkh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492 -
C:\Windows\SysWOW64\Cpmmkdkn.exeC:\Windows\system32\Cpmmkdkn.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Ciebdj32.exeC:\Windows\system32\Ciebdj32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Cbnfmo32.exeC:\Windows\system32\Cbnfmo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1400 -
C:\Windows\SysWOW64\Ceoooj32.exeC:\Windows\system32\Ceoooj32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2452 -
C:\Windows\SysWOW64\Cmlqimph.exeC:\Windows\system32\Cmlqimph.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\SysWOW64\Dkpabqoa.exeC:\Windows\system32\Dkpabqoa.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Dmajdl32.exeC:\Windows\system32\Dmajdl32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:540 -
C:\Windows\SysWOW64\Dgiomabc.exeC:\Windows\system32\Dgiomabc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Denknngk.exeC:\Windows\system32\Denknngk.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1540 -
C:\Windows\SysWOW64\Dpdpkfga.exeC:\Windows\system32\Dpdpkfga.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Dlkqpg32.exeC:\Windows\system32\Dlkqpg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1180 -
C:\Windows\SysWOW64\Eioaillo.exeC:\Windows\system32\Eioaillo.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Ekpmad32.exeC:\Windows\system32\Ekpmad32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Elpjkgip.exeC:\Windows\system32\Elpjkgip.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1004 -
C:\Windows\SysWOW64\Eehndm32.exeC:\Windows\system32\Eehndm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Encchoml.exeC:\Windows\system32\Encchoml.exe26⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Epdljjjm.exeC:\Windows\system32\Epdljjjm.exe27⤵
- Loads dropped DLL
PID:1612 -
C:\Windows\SysWOW64\Fjlqcppm.exeC:\Windows\system32\Fjlqcppm.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:960 -
C:\Windows\SysWOW64\Fgpalcog.exeC:\Windows\system32\Fgpalcog.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Windows\SysWOW64\Fqheei32.exeC:\Windows\system32\Fqheei32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2952 -
C:\Windows\SysWOW64\Fhcjilcb.exeC:\Windows\system32\Fhcjilcb.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2836 -
C:\Windows\SysWOW64\Fbloba32.exeC:\Windows\system32\Fbloba32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2664 -
C:\Windows\SysWOW64\Fdmgdl32.exeC:\Windows\system32\Fdmgdl32.exe33⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Gfldno32.exeC:\Windows\system32\Gfldno32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\Gbcecpck.exeC:\Windows\system32\Gbcecpck.exe35⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Gkkilfjk.exeC:\Windows\system32\Gkkilfjk.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:316 -
C:\Windows\SysWOW64\Gcgnphgf.exeC:\Windows\system32\Gcgnphgf.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2316 -
C:\Windows\SysWOW64\Gqknjlfp.exeC:\Windows\system32\Gqknjlfp.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Gnoocq32.exeC:\Windows\system32\Gnoocq32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2772 -
C:\Windows\SysWOW64\Gfjcgc32.exeC:\Windows\system32\Gfjcgc32.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2116 -
C:\Windows\SysWOW64\Hcndag32.exeC:\Windows\system32\Hcndag32.exe41⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Hcpqfgol.exeC:\Windows\system32\Hcpqfgol.exe42⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Hnjagdlj.exeC:\Windows\system32\Hnjagdlj.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:624 -
C:\Windows\SysWOW64\Ilblkh32.exeC:\Windows\system32\Ilblkh32.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:1764 -
C:\Windows\SysWOW64\Iekpdn32.exeC:\Windows\system32\Iekpdn32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2340 -
C:\Windows\SysWOW64\Ijghmd32.exeC:\Windows\system32\Ijghmd32.exe46⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Ipdaek32.exeC:\Windows\system32\Ipdaek32.exe47⤵
- Executes dropped EXE
PID:740 -
C:\Windows\SysWOW64\Ifniaeqk.exeC:\Windows\system32\Ifniaeqk.exe48⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Iimenapo.exeC:\Windows\system32\Iimenapo.exe49⤵
- Executes dropped EXE
PID:684 -
C:\Windows\SysWOW64\Iadnon32.exeC:\Windows\system32\Iadnon32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Ibejfffo.exeC:\Windows\system32\Ibejfffo.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2764 -
C:\Windows\SysWOW64\Iklbhdga.exeC:\Windows\system32\Iklbhdga.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2796 -
C:\Windows\SysWOW64\Ipijpkei.exeC:\Windows\system32\Ipijpkei.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1688 -
C:\Windows\SysWOW64\Jpndkj32.exeC:\Windows\system32\Jpndkj32.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:660 -
C:\Windows\SysWOW64\Jaopcbga.exeC:\Windows\system32\Jaopcbga.exe55⤵
- Executes dropped EXE
PID:3032 -
C:\Windows\SysWOW64\Jhihpl32.exeC:\Windows\system32\Jhihpl32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Jocalffk.exeC:\Windows\system32\Jocalffk.exe57⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Jaamhb32.exeC:\Windows\system32\Jaamhb32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1792 -
C:\Windows\SysWOW64\Jnhnmckc.exeC:\Windows\system32\Jnhnmckc.exe59⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Jdbfjm32.exeC:\Windows\system32\Jdbfjm32.exe60⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Jnjjcbiq.exeC:\Windows\system32\Jnjjcbiq.exe61⤵
- Executes dropped EXE
PID:768 -
C:\Windows\SysWOW64\Jhpopk32.exeC:\Windows\system32\Jhpopk32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1324 -
C:\Windows\SysWOW64\Kknklg32.exeC:\Windows\system32\Kknklg32.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Knmghb32.exeC:\Windows\system32\Knmghb32.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1100 -
C:\Windows\SysWOW64\Kdgoelnk.exeC:\Windows\system32\Kdgoelnk.exe65⤵
- Executes dropped EXE
PID:1736 -
C:\Windows\SysWOW64\Kjchmclb.exeC:\Windows\system32\Kjchmclb.exe66⤵
- Executes dropped EXE
PID:2936 -
C:\Windows\SysWOW64\Klbdiokf.exeC:\Windows\system32\Klbdiokf.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2972 -
C:\Windows\SysWOW64\Kjfdcc32.exeC:\Windows\system32\Kjfdcc32.exe68⤵PID:2616
-
C:\Windows\SysWOW64\Kppmpmal.exeC:\Windows\system32\Kppmpmal.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1920 -
C:\Windows\SysWOW64\Kgjelg32.exeC:\Windows\system32\Kgjelg32.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:2152 -
C:\Windows\SysWOW64\Kpbiempj.exeC:\Windows\system32\Kpbiempj.exe71⤵
- Modifies registry class
PID:1060 -
C:\Windows\SysWOW64\Kcqfahom.exeC:\Windows\system32\Kcqfahom.exe72⤵PID:2472
-
C:\Windows\SysWOW64\Khmnio32.exeC:\Windows\system32\Khmnio32.exe73⤵PID:2372
-
C:\Windows\SysWOW64\Kogffida.exeC:\Windows\system32\Kogffida.exe74⤵PID:1804
-
C:\Windows\SysWOW64\Lbfcbdce.exeC:\Windows\system32\Lbfcbdce.exe75⤵PID:1356
-
C:\Windows\SysWOW64\Llkgpmck.exeC:\Windows\system32\Llkgpmck.exe76⤵PID:1500
-
C:\Windows\SysWOW64\Lfckhc32.exeC:\Windows\system32\Lfckhc32.exe77⤵PID:692
-
C:\Windows\SysWOW64\Lgehpk32.exeC:\Windows\system32\Lgehpk32.exe78⤵
- Modifies registry class
PID:2100 -
C:\Windows\SysWOW64\Lqmliqfj.exeC:\Windows\system32\Lqmliqfj.exe79⤵PID:2776
-
C:\Windows\SysWOW64\Lggdfk32.exeC:\Windows\system32\Lggdfk32.exe80⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1924 -
C:\Windows\SysWOW64\Lnambeed.exeC:\Windows\system32\Lnambeed.exe81⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Ldkeoo32.exeC:\Windows\system32\Ldkeoo32.exe82⤵
- Drops file in System32 directory
PID:3016 -
C:\Windows\SysWOW64\Lncjhd32.exeC:\Windows\system32\Lncjhd32.exe83⤵PID:2904
-
C:\Windows\SysWOW64\Lcpbpk32.exeC:\Windows\system32\Lcpbpk32.exe84⤵PID:2084
-
C:\Windows\SysWOW64\Mgnkfjho.exeC:\Windows\system32\Mgnkfjho.exe85⤵PID:1864
-
C:\Windows\SysWOW64\Mjmgbe32.exeC:\Windows\system32\Mjmgbe32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2176 -
C:\Windows\SysWOW64\Mpipkl32.exeC:\Windows\system32\Mpipkl32.exe87⤵PID:2468
-
C:\Windows\SysWOW64\Mbhlgg32.exeC:\Windows\system32\Mbhlgg32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2036 -
C:\Windows\SysWOW64\Mmmpdp32.exeC:\Windows\system32\Mmmpdp32.exe89⤵PID:536
-
C:\Windows\SysWOW64\Mcghajkq.exeC:\Windows\system32\Mcghajkq.exe90⤵PID:1680
-
C:\Windows\SysWOW64\Midqiaih.exeC:\Windows\system32\Midqiaih.exe91⤵
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Mlbmem32.exeC:\Windows\system32\Mlbmem32.exe92⤵PID:2156
-
C:\Windows\SysWOW64\Mekanbol.exeC:\Windows\system32\Mekanbol.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:2184 -
C:\Windows\SysWOW64\Mlejkl32.exeC:\Windows\system32\Mlejkl32.exe94⤵PID:2592
-
C:\Windows\SysWOW64\Mbobgfnf.exeC:\Windows\system32\Mbobgfnf.exe95⤵PID:2464
-
C:\Windows\SysWOW64\Memncbmj.exeC:\Windows\system32\Memncbmj.exe96⤵PID:2368
-
C:\Windows\SysWOW64\Nlgfqldf.exeC:\Windows\system32\Nlgfqldf.exe97⤵PID:2408
-
C:\Windows\SysWOW64\Nbaomf32.exeC:\Windows\system32\Nbaomf32.exe98⤵PID:796
-
C:\Windows\SysWOW64\Ncbkenba.exeC:\Windows\system32\Ncbkenba.exe99⤵PID:2568
-
C:\Windows\SysWOW64\Nebgoa32.exeC:\Windows\system32\Nebgoa32.exe100⤵PID:2828
-
C:\Windows\SysWOW64\Nfcdfiob.exeC:\Windows\system32\Nfcdfiob.exe101⤵
- System Location Discovery: System Language Discovery
PID:2948 -
C:\Windows\SysWOW64\Nmmlccfp.exeC:\Windows\system32\Nmmlccfp.exe102⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Windows\SysWOW64\Nhbqqlfe.exeC:\Windows\system32\Nhbqqlfe.exe103⤵PID:2172
-
C:\Windows\SysWOW64\Nidmhd32.exeC:\Windows\system32\Nidmhd32.exe104⤵
- Drops file in System32 directory
PID:2436 -
C:\Windows\SysWOW64\Nakeib32.exeC:\Windows\system32\Nakeib32.exe105⤵PID:1956
-
C:\Windows\SysWOW64\Nblaajbd.exeC:\Windows\system32\Nblaajbd.exe106⤵PID:2500
-
C:\Windows\SysWOW64\Nifjnd32.exeC:\Windows\system32\Nifjnd32.exe107⤵
- System Location Discovery: System Language Discovery
PID:564 -
C:\Windows\SysWOW64\Oppbjn32.exeC:\Windows\system32\Oppbjn32.exe108⤵PID:2924
-
C:\Windows\SysWOW64\Omdbdb32.exeC:\Windows\system32\Omdbdb32.exe109⤵PID:2944
-
C:\Windows\SysWOW64\Ooeolkff.exeC:\Windows\system32\Ooeolkff.exe110⤵PID:2072
-
C:\Windows\SysWOW64\Olioeoeo.exeC:\Windows\system32\Olioeoeo.exe111⤵
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Oafhmf32.exeC:\Windows\system32\Oafhmf32.exe112⤵PID:1836
-
C:\Windows\SysWOW64\Ohppjpkc.exeC:\Windows\system32\Ohppjpkc.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\SysWOW64\Okolfkjg.exeC:\Windows\system32\Okolfkjg.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2180 -
C:\Windows\SysWOW64\Obfdgiji.exeC:\Windows\system32\Obfdgiji.exe115⤵PID:2212
-
C:\Windows\SysWOW64\Okailkhd.exeC:\Windows\system32\Okailkhd.exe116⤵PID:2120
-
C:\Windows\SysWOW64\Oheieo32.exeC:\Windows\system32\Oheieo32.exe117⤵PID:1896
-
C:\Windows\SysWOW64\Pmabmf32.exeC:\Windows\system32\Pmabmf32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:520 -
C:\Windows\SysWOW64\Phgfko32.exeC:\Windows\system32\Phgfko32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:940 -
C:\Windows\SysWOW64\Pmdocf32.exeC:\Windows\system32\Pmdocf32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2480 -
C:\Windows\SysWOW64\Pcagkmaj.exeC:\Windows\system32\Pcagkmaj.exe121⤵PID:1988
-
C:\Windows\SysWOW64\Pikohg32.exeC:\Windows\system32\Pikohg32.exe122⤵
- System Location Discovery: System Language Discovery
PID:1096
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-