Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
21/09/2024, 14:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
889d88a144ecf3c60b3e1d94218ca334ead445488c72189112ea2262723ed0ffN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
889d88a144ecf3c60b3e1d94218ca334ead445488c72189112ea2262723ed0ffN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
889d88a144ecf3c60b3e1d94218ca334ead445488c72189112ea2262723ed0ffN.exe
-
Size
91KB
-
MD5
ff8ad43f2b92cd6d8ae7fdacad717fc0
-
SHA1
3b107149e555d82d353c4b14b73ac0f7ebb173a8
-
SHA256
889d88a144ecf3c60b3e1d94218ca334ead445488c72189112ea2262723ed0ff
-
SHA512
f8efa2f7e982457dcb069c851beceff30a86af38c37c4612d37f7c9c47f88471e8ccf1a979fcdae7f7ee1074f7e195c00a2bef2e56369eee6321646eb7a7c8da
-
SSDEEP
1536:0McVg5aIQBbpScR8fTTmrzvlbSnGeSF9X+kzEVfXqhS:bR5a1PSc/nlbkGeQ9ubfXr
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dboglhna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnpebj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amhcad32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adgein32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Albjnplq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpbkhabp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Moeeelhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aebobgmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Monhjgkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amafgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lcohahpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omhkcnfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pimkbbpi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqinhcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kmimcbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jgbjjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cncolfcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chbihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehmpeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dqobnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhmldfdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gkbnap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmimcbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iejkhlip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bihgmdih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blkmdodf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dnjalhpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkbkpcpd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mojbaham.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oaigib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Afqhjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpieengb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iomcpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjlmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lglmefcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mnhnfckm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqpdcc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Macjgadf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amafgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjmmffgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhiphb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfippfej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmpdmfff.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfhhflmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apilcoho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckhpejbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iipejmko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiofnm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbjdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldgnklmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjahakgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aiknnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hoqjqhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epqgopbi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpniokan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdobdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emgkhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Appbcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nccnlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nldahn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afgnkilf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abdbflnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bimphc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifengpdh.exe -
Executes dropped EXE 64 IoCs
pid Process 2764 Hmmdin32.exe 2664 Hddmjk32.exe 2772 Hffibceh.exe 2532 Hjaeba32.exe 2140 Hgeelf32.exe 2908 Hoqjqhjf.exe 2628 Hmdkjmip.exe 2852 Iocgfhhc.exe 332 Ifmocb32.exe 540 Ikjhki32.exe 1404 Ibcphc32.exe 776 Igqhpj32.exe 448 Injqmdki.exe 2336 Iipejmko.exe 1100 Ijaaae32.exe 2064 Iegeonpc.exe 1628 Ikqnlh32.exe 1288 Inojhc32.exe 276 Iamfdo32.exe 1536 Jggoqimd.exe 2456 Jmdgipkk.exe 1240 Jcnoejch.exe 2252 Jjhgbd32.exe 1844 Jmfcop32.exe 2068 Jcqlkjae.exe 1708 Jjjdhc32.exe 2788 Jmipdo32.exe 2984 Jpgmpk32.exe 2700 Jcciqi32.exe 2552 Jpjifjdg.exe 1300 Jbhebfck.exe 960 Jlqjkk32.exe 444 Kbjbge32.exe 576 Kambcbhb.exe 2864 Kjeglh32.exe 2916 Kekkiq32.exe 292 Khjgel32.exe 1744 Kjhcag32.exe 2156 Kenhopmf.exe 2360 Khldkllj.exe 2172 Kmimcbja.exe 1856 Kdbepm32.exe 928 Kkmmlgik.exe 1740 Kpieengb.exe 2256 Kbhbai32.exe 2404 Lmmfnb32.exe 2884 Ldgnklmi.exe 1580 Lidgcclp.exe 2760 Lmpcca32.exe 2792 Lghgmg32.exe 2692 Lifcib32.exe 1496 Lpqlemaj.exe 2144 Lcohahpn.exe 1032 Lemdncoa.exe 2912 Lhlqjone.exe 2888 Ladebd32.exe 2012 Ldbaopdj.exe 2832 Lljipmdl.exe 2212 Lnkege32.exe 2196 Mdendpbg.exe 1936 Mojbaham.exe 1652 Mainndaq.exe 620 Mdgkjopd.exe 1388 Mjdcbf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2216 889d88a144ecf3c60b3e1d94218ca334ead445488c72189112ea2262723ed0ffN.exe 2216 889d88a144ecf3c60b3e1d94218ca334ead445488c72189112ea2262723ed0ffN.exe 2764 Hmmdin32.exe 2764 Hmmdin32.exe 2664 Hddmjk32.exe 2664 Hddmjk32.exe 2772 Hffibceh.exe 2772 Hffibceh.exe 2532 Hjaeba32.exe 2532 Hjaeba32.exe 2140 Hgeelf32.exe 2140 Hgeelf32.exe 2908 Hoqjqhjf.exe 2908 Hoqjqhjf.exe 2628 Hmdkjmip.exe 2628 Hmdkjmip.exe 2852 Iocgfhhc.exe 2852 Iocgfhhc.exe 332 Ifmocb32.exe 332 Ifmocb32.exe 540 Ikjhki32.exe 540 Ikjhki32.exe 1404 Ibcphc32.exe 1404 Ibcphc32.exe 776 Igqhpj32.exe 776 Igqhpj32.exe 448 Injqmdki.exe 448 Injqmdki.exe 2336 Iipejmko.exe 2336 Iipejmko.exe 1100 Ijaaae32.exe 1100 Ijaaae32.exe 2064 Iegeonpc.exe 2064 Iegeonpc.exe 1628 Ikqnlh32.exe 1628 Ikqnlh32.exe 1288 Inojhc32.exe 1288 Inojhc32.exe 276 Iamfdo32.exe 276 Iamfdo32.exe 1536 Jggoqimd.exe 1536 Jggoqimd.exe 2456 Jmdgipkk.exe 2456 Jmdgipkk.exe 1240 Jcnoejch.exe 1240 Jcnoejch.exe 2252 Jjhgbd32.exe 2252 Jjhgbd32.exe 1844 Jmfcop32.exe 1844 Jmfcop32.exe 2068 Jcqlkjae.exe 2068 Jcqlkjae.exe 1708 Jjjdhc32.exe 1708 Jjjdhc32.exe 2788 Jmipdo32.exe 2788 Jmipdo32.exe 2984 Jpgmpk32.exe 2984 Jpgmpk32.exe 2700 Jcciqi32.exe 2700 Jcciqi32.exe 2552 Jpjifjdg.exe 2552 Jpjifjdg.exe 1300 Jbhebfck.exe 1300 Jbhebfck.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Jbhebfck.exe Jpjifjdg.exe File created C:\Windows\SysWOW64\Kambcbhb.exe Kbjbge32.exe File created C:\Windows\SysWOW64\Kekkiq32.exe Kjeglh32.exe File created C:\Windows\SysWOW64\Kjmihjfj.dll Iqhfnifq.exe File created C:\Windows\SysWOW64\Cpdhna32.exe Cnflae32.exe File opened for modification C:\Windows\SysWOW64\Deeqch32.exe Dfbqgldn.exe File created C:\Windows\SysWOW64\Najeid32.dll Kiofnm32.exe File created C:\Windows\SysWOW64\Eeebeabe.dll Lfippfej.exe File opened for modification C:\Windows\SysWOW64\Bakaaepk.exe Boleejag.exe File created C:\Windows\SysWOW64\Qadkkc32.dll Lajkbp32.exe File opened for modification C:\Windows\SysWOW64\Ncipjieo.exe Npkdnnfk.exe File created C:\Windows\SysWOW64\Hnpgloog.exe Hkbkpcpd.exe File created C:\Windows\SysWOW64\Hnjnifmm.dll Mlieoqgg.exe File opened for modification C:\Windows\SysWOW64\Dfbqgldn.exe Dnkhfnck.exe File created C:\Windows\SysWOW64\Gdbgmkqd.dll Mokkegmm.exe File created C:\Windows\SysWOW64\Hkagib32.dll Okbapi32.exe File created C:\Windows\SysWOW64\Hhchpk32.dll Pcnfdl32.exe File opened for modification C:\Windows\SysWOW64\Einlmkhp.exe Efppqoil.exe File created C:\Windows\SysWOW64\Hbnpbm32.exe Hkdgecna.exe File opened for modification C:\Windows\SysWOW64\Qifnhaho.exe Qekbgbpf.exe File opened for modification C:\Windows\SysWOW64\Camnge32.exe Boobki32.exe File created C:\Windows\SysWOW64\Hmmdin32.exe 889d88a144ecf3c60b3e1d94218ca334ead445488c72189112ea2262723ed0ffN.exe File created C:\Windows\SysWOW64\Gdcmig32.exe Geqlnjcf.exe File created C:\Windows\SysWOW64\Maflig32.dll Jkfpjf32.exe File created C:\Windows\SysWOW64\Nggipg32.exe Nopaoj32.exe File created C:\Windows\SysWOW64\Inalmqgb.dll Qekbgbpf.exe File created C:\Windows\SysWOW64\Kjpceebh.exe Kiofnm32.exe File created C:\Windows\SysWOW64\Obcffefa.exe Oodjjign.exe File created C:\Windows\SysWOW64\Addhcn32.exe Apilcoho.exe File created C:\Windows\SysWOW64\Dijfch32.exe Dghjkpck.exe File created C:\Windows\SysWOW64\Fihbcdgp.dll Gpogiglp.exe File created C:\Windows\SysWOW64\Lidgcclp.exe Ldgnklmi.exe File opened for modification C:\Windows\SysWOW64\Pebbcdkn.exe Pbdfgilj.exe File created C:\Windows\SysWOW64\Pdhpdq32.exe Peeoidik.exe File created C:\Windows\SysWOW64\Ogomoj32.dll Booiep32.exe File created C:\Windows\SysWOW64\Kjkoop32.dll Cdkkcp32.exe File opened for modification C:\Windows\SysWOW64\Ndggib32.exe Ncfjajma.exe File opened for modification C:\Windows\SysWOW64\Miocmq32.exe Lgpfpe32.exe File created C:\Windows\SysWOW64\Boobki32.exe Bggjjlnb.exe File created C:\Windows\SysWOW64\Mjpdkq32.dll Egpena32.exe File opened for modification C:\Windows\SysWOW64\Lghgmg32.exe Lmpcca32.exe File opened for modification C:\Windows\SysWOW64\Omphocck.exe Ojblbgdg.exe File created C:\Windows\SysWOW64\Objmgd32.exe Ojceef32.exe File opened for modification C:\Windows\SysWOW64\Jcqlkjae.exe Jmfcop32.exe File opened for modification C:\Windows\SysWOW64\Imjmhkpj.exe Ijlaloaf.exe File created C:\Windows\SysWOW64\Ifcmmf32.dll Fejfmk32.exe File created C:\Windows\SysWOW64\Beogaenl.exe Bbqkeioh.exe File created C:\Windows\SysWOW64\Keigbd32.dll Hqochjnk.exe File created C:\Windows\SysWOW64\Noohlkpc.exe Nghpjn32.exe File opened for modification C:\Windows\SysWOW64\Gagmbkik.exe Goiafp32.exe File created C:\Windows\SysWOW64\Lkifkdjm.exe Lbbnjgik.exe File created C:\Windows\SysWOW64\Ncgfge32.dll Leegbnan.exe File created C:\Windows\SysWOW64\Bggjjlnb.exe Bdinnqon.exe File created C:\Windows\SysWOW64\Bbbgdf32.dll Bomlppdb.exe File opened for modification C:\Windows\SysWOW64\Monhjgkj.exe Miapbpmb.exe File created C:\Windows\SysWOW64\Ldgnklmi.exe Lmmfnb32.exe File created C:\Windows\SysWOW64\Ioiidfon.exe Imjmhkpj.exe File created C:\Windows\SysWOW64\Omhkcnfg.exe Ohmoco32.exe File opened for modification C:\Windows\SysWOW64\Dbdagg32.exe Djmiejji.exe File opened for modification C:\Windows\SysWOW64\Enhaeldn.exe Elieipej.exe File created C:\Windows\SysWOW64\Ldpnoj32.exe Laaabo32.exe File created C:\Windows\SysWOW64\Kbhbai32.exe Kpieengb.exe File created C:\Windows\SysWOW64\Ldbaopdj.exe Ladebd32.exe File created C:\Windows\SysWOW64\Ibddbplp.dll Ochcem32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 5940 5760 WerFault.exe 563 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paafmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gagmbkik.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npkdnnfk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgnfji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odflmp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnckki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 889d88a144ecf3c60b3e1d94218ca334ead445488c72189112ea2262723ed0ffN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fodgkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bedhgj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enbogmnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhaanh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idmlniea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njchfc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohmoco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamfdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdendpbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bafhff32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Doqkpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clkicbfa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpnkopeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blgcio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhhbif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqennbbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfinam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okinik32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhdcojaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnhnfckm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clciod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Codbqonk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dijfch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdkkcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiknnf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkgfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpgmpk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngeljh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efhcej32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Decdmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioiidfon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjepaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lehdhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lglmefcg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Objmgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjeglh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nccnlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bomlppdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kimjhnnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknkeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjmmffgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjdhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpbhjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Leegbnan.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbdagg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiilge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inojhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igkhjdde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iipejmko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdedde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piadma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckmpkpbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbkjap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhhiiloh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Empomd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oepjoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahedjb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fmnahilc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djgaeaao.dll" Iomcpe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldmaijdc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epcddopf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kekkiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmgqao32.dll" Lijiaabk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icfbkded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojblbgdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifengpdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kppegfpa.dll" Bggjjlnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmmdin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpokjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gagmbkik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Onjgkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pneanl32.dll" Qbafalph.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeebeabe.dll" Lfippfej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Beogaenl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dqobnf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eannmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfnkaj32.dll" Kpbhjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nobndj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfpmbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qadkkc32.dll" Lajkbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mdojnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Necdin32.dll" Coladm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Obhpad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aljjjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aokckm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Felkabah.dll" Fhhbif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaiqnakp.dll" Hkdgecna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chbihc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpmned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gncgbkki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nphghn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apnfno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmidlmcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Boleejag.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Diaalggp.dll" Dqinhcoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcmfjeap.dll" Efffpjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ilpcfn32.dll" Ecgjdong.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjembh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbbomjnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blniinac.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dgqion32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efhcej32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebialmjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Befaceaa.dll" Imacijjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhibakgh.dll" Cnflae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ejabqi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mdojnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Knblkc32.dll" Nbqjqehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hddmjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ikqnlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oehcbd32.dll" Mdgkjopd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abdbflnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kbnlnmnm.dll" Lkifkdjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbamip32.dll" Lmmfnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Embbek32.dll" Ckkcep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hjjbejog.dll" Emgkhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmalgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Injqmdki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhjoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jihdnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nklopg32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2216 wrote to memory of 2764 2216 889d88a144ecf3c60b3e1d94218ca334ead445488c72189112ea2262723ed0ffN.exe 30 PID 2216 wrote to memory of 2764 2216 889d88a144ecf3c60b3e1d94218ca334ead445488c72189112ea2262723ed0ffN.exe 30 PID 2216 wrote to memory of 2764 2216 889d88a144ecf3c60b3e1d94218ca334ead445488c72189112ea2262723ed0ffN.exe 30 PID 2216 wrote to memory of 2764 2216 889d88a144ecf3c60b3e1d94218ca334ead445488c72189112ea2262723ed0ffN.exe 30 PID 2764 wrote to memory of 2664 2764 Hmmdin32.exe 31 PID 2764 wrote to memory of 2664 2764 Hmmdin32.exe 31 PID 2764 wrote to memory of 2664 2764 Hmmdin32.exe 31 PID 2764 wrote to memory of 2664 2764 Hmmdin32.exe 31 PID 2664 wrote to memory of 2772 2664 Hddmjk32.exe 32 PID 2664 wrote to memory of 2772 2664 Hddmjk32.exe 32 PID 2664 wrote to memory of 2772 2664 Hddmjk32.exe 32 PID 2664 wrote to memory of 2772 2664 Hddmjk32.exe 32 PID 2772 wrote to memory of 2532 2772 Hffibceh.exe 33 PID 2772 wrote to memory of 2532 2772 Hffibceh.exe 33 PID 2772 wrote to memory of 2532 2772 Hffibceh.exe 33 PID 2772 wrote to memory of 2532 2772 Hffibceh.exe 33 PID 2532 wrote to memory of 2140 2532 Hjaeba32.exe 34 PID 2532 wrote to memory of 2140 2532 Hjaeba32.exe 34 PID 2532 wrote to memory of 2140 2532 Hjaeba32.exe 34 PID 2532 wrote to memory of 2140 2532 Hjaeba32.exe 34 PID 2140 wrote to memory of 2908 2140 Hgeelf32.exe 35 PID 2140 wrote to memory of 2908 2140 Hgeelf32.exe 35 PID 2140 wrote to memory of 2908 2140 Hgeelf32.exe 35 PID 2140 wrote to memory of 2908 2140 Hgeelf32.exe 35 PID 2908 wrote to memory of 2628 2908 Hoqjqhjf.exe 36 PID 2908 wrote to memory of 2628 2908 Hoqjqhjf.exe 36 PID 2908 wrote to memory of 2628 2908 Hoqjqhjf.exe 36 PID 2908 wrote to memory of 2628 2908 Hoqjqhjf.exe 36 PID 2628 wrote to memory of 2852 2628 Hmdkjmip.exe 37 PID 2628 wrote to memory of 2852 2628 Hmdkjmip.exe 37 PID 2628 wrote to memory of 2852 2628 Hmdkjmip.exe 37 PID 2628 wrote to memory of 2852 2628 Hmdkjmip.exe 37 PID 2852 wrote to memory of 332 2852 Iocgfhhc.exe 38 PID 2852 wrote to memory of 332 2852 Iocgfhhc.exe 38 PID 2852 wrote to memory of 332 2852 Iocgfhhc.exe 38 PID 2852 wrote to memory of 332 2852 Iocgfhhc.exe 38 PID 332 wrote to memory of 540 332 Ifmocb32.exe 39 PID 332 wrote to memory of 540 332 Ifmocb32.exe 39 PID 332 wrote to memory of 540 332 Ifmocb32.exe 39 PID 332 wrote to memory of 540 332 Ifmocb32.exe 39 PID 540 wrote to memory of 1404 540 Ikjhki32.exe 40 PID 540 wrote to memory of 1404 540 Ikjhki32.exe 40 PID 540 wrote to memory of 1404 540 Ikjhki32.exe 40 PID 540 wrote to memory of 1404 540 Ikjhki32.exe 40 PID 1404 wrote to memory of 776 1404 Ibcphc32.exe 41 PID 1404 wrote to memory of 776 1404 Ibcphc32.exe 41 PID 1404 wrote to memory of 776 1404 Ibcphc32.exe 41 PID 1404 wrote to memory of 776 1404 Ibcphc32.exe 41 PID 776 wrote to memory of 448 776 Igqhpj32.exe 42 PID 776 wrote to memory of 448 776 Igqhpj32.exe 42 PID 776 wrote to memory of 448 776 Igqhpj32.exe 42 PID 776 wrote to memory of 448 776 Igqhpj32.exe 42 PID 448 wrote to memory of 2336 448 Injqmdki.exe 43 PID 448 wrote to memory of 2336 448 Injqmdki.exe 43 PID 448 wrote to memory of 2336 448 Injqmdki.exe 43 PID 448 wrote to memory of 2336 448 Injqmdki.exe 43 PID 2336 wrote to memory of 1100 2336 Iipejmko.exe 44 PID 2336 wrote to memory of 1100 2336 Iipejmko.exe 44 PID 2336 wrote to memory of 1100 2336 Iipejmko.exe 44 PID 2336 wrote to memory of 1100 2336 Iipejmko.exe 44 PID 1100 wrote to memory of 2064 1100 Ijaaae32.exe 45 PID 1100 wrote to memory of 2064 1100 Ijaaae32.exe 45 PID 1100 wrote to memory of 2064 1100 Ijaaae32.exe 45 PID 1100 wrote to memory of 2064 1100 Ijaaae32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\889d88a144ecf3c60b3e1d94218ca334ead445488c72189112ea2262723ed0ffN.exe"C:\Users\Admin\AppData\Local\Temp\889d88a144ecf3c60b3e1d94218ca334ead445488c72189112ea2262723ed0ffN.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Hmmdin32.exeC:\Windows\system32\Hmmdin32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Hddmjk32.exeC:\Windows\system32\Hddmjk32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2664 -
C:\Windows\SysWOW64\Hffibceh.exeC:\Windows\system32\Hffibceh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Hjaeba32.exeC:\Windows\system32\Hjaeba32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Hgeelf32.exeC:\Windows\system32\Hgeelf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Hoqjqhjf.exeC:\Windows\system32\Hoqjqhjf.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Hmdkjmip.exeC:\Windows\system32\Hmdkjmip.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Iocgfhhc.exeC:\Windows\system32\Iocgfhhc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852 -
C:\Windows\SysWOW64\Ifmocb32.exeC:\Windows\system32\Ifmocb32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Ikjhki32.exeC:\Windows\system32\Ikjhki32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:540 -
C:\Windows\SysWOW64\Ibcphc32.exeC:\Windows\system32\Ibcphc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1404 -
C:\Windows\SysWOW64\Igqhpj32.exeC:\Windows\system32\Igqhpj32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:776 -
C:\Windows\SysWOW64\Injqmdki.exeC:\Windows\system32\Injqmdki.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\SysWOW64\Iipejmko.exeC:\Windows\system32\Iipejmko.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2336 -
C:\Windows\SysWOW64\Ijaaae32.exeC:\Windows\system32\Ijaaae32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Iegeonpc.exeC:\Windows\system32\Iegeonpc.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2064 -
C:\Windows\SysWOW64\Ikqnlh32.exeC:\Windows\system32\Ikqnlh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Inojhc32.exeC:\Windows\system32\Inojhc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1288 -
C:\Windows\SysWOW64\Iamfdo32.exeC:\Windows\system32\Iamfdo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:276 -
C:\Windows\SysWOW64\Jggoqimd.exeC:\Windows\system32\Jggoqimd.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1536 -
C:\Windows\SysWOW64\Jmdgipkk.exeC:\Windows\system32\Jmdgipkk.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Jcnoejch.exeC:\Windows\system32\Jcnoejch.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240 -
C:\Windows\SysWOW64\Jjhgbd32.exeC:\Windows\system32\Jjhgbd32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2252 -
C:\Windows\SysWOW64\Jmfcop32.exeC:\Windows\system32\Jmfcop32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1844 -
C:\Windows\SysWOW64\Jcqlkjae.exeC:\Windows\system32\Jcqlkjae.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2068 -
C:\Windows\SysWOW64\Jjjdhc32.exeC:\Windows\system32\Jjjdhc32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1708 -
C:\Windows\SysWOW64\Jmipdo32.exeC:\Windows\system32\Jmipdo32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Jpgmpk32.exeC:\Windows\system32\Jpgmpk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2984 -
C:\Windows\SysWOW64\Jcciqi32.exeC:\Windows\system32\Jcciqi32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2700 -
C:\Windows\SysWOW64\Jpjifjdg.exeC:\Windows\system32\Jpjifjdg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2552 -
C:\Windows\SysWOW64\Jbhebfck.exeC:\Windows\system32\Jbhebfck.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1300 -
C:\Windows\SysWOW64\Jlqjkk32.exeC:\Windows\system32\Jlqjkk32.exe33⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Kbjbge32.exeC:\Windows\system32\Kbjbge32.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:444 -
C:\Windows\SysWOW64\Kambcbhb.exeC:\Windows\system32\Kambcbhb.exe35⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Kjeglh32.exeC:\Windows\system32\Kjeglh32.exe36⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Kekkiq32.exeC:\Windows\system32\Kekkiq32.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Khjgel32.exeC:\Windows\system32\Khjgel32.exe38⤵
- Executes dropped EXE
PID:292 -
C:\Windows\SysWOW64\Kjhcag32.exeC:\Windows\system32\Kjhcag32.exe39⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Kenhopmf.exeC:\Windows\system32\Kenhopmf.exe40⤵
- Executes dropped EXE
PID:2156 -
C:\Windows\SysWOW64\Khldkllj.exeC:\Windows\system32\Khldkllj.exe41⤵
- Executes dropped EXE
PID:2360 -
C:\Windows\SysWOW64\Kmimcbja.exeC:\Windows\system32\Kmimcbja.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Kdbepm32.exeC:\Windows\system32\Kdbepm32.exe43⤵
- Executes dropped EXE
PID:1856 -
C:\Windows\SysWOW64\Kkmmlgik.exeC:\Windows\system32\Kkmmlgik.exe44⤵
- Executes dropped EXE
PID:928 -
C:\Windows\SysWOW64\Kpieengb.exeC:\Windows\system32\Kpieengb.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Kbhbai32.exeC:\Windows\system32\Kbhbai32.exe46⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Lmmfnb32.exeC:\Windows\system32\Lmmfnb32.exe47⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Ldgnklmi.exeC:\Windows\system32\Ldgnklmi.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2884 -
C:\Windows\SysWOW64\Lidgcclp.exeC:\Windows\system32\Lidgcclp.exe49⤵
- Executes dropped EXE
PID:1580 -
C:\Windows\SysWOW64\Lmpcca32.exeC:\Windows\system32\Lmpcca32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2760 -
C:\Windows\SysWOW64\Lghgmg32.exeC:\Windows\system32\Lghgmg32.exe51⤵
- Executes dropped EXE
PID:2792 -
C:\Windows\SysWOW64\Lifcib32.exeC:\Windows\system32\Lifcib32.exe52⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Lpqlemaj.exeC:\Windows\system32\Lpqlemaj.exe53⤵
- Executes dropped EXE
PID:1496 -
C:\Windows\SysWOW64\Lcohahpn.exeC:\Windows\system32\Lcohahpn.exe54⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Lemdncoa.exeC:\Windows\system32\Lemdncoa.exe55⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Lhlqjone.exeC:\Windows\system32\Lhlqjone.exe56⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Ladebd32.exeC:\Windows\system32\Ladebd32.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2888 -
C:\Windows\SysWOW64\Ldbaopdj.exeC:\Windows\system32\Ldbaopdj.exe58⤵
- Executes dropped EXE
PID:2012 -
C:\Windows\SysWOW64\Lljipmdl.exeC:\Windows\system32\Lljipmdl.exe59⤵
- Executes dropped EXE
PID:2832 -
C:\Windows\SysWOW64\Lnkege32.exeC:\Windows\system32\Lnkege32.exe60⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Mdendpbg.exeC:\Windows\system32\Mdendpbg.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2196 -
C:\Windows\SysWOW64\Mojbaham.exeC:\Windows\system32\Mojbaham.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1936 -
C:\Windows\SysWOW64\Mainndaq.exeC:\Windows\system32\Mainndaq.exe63⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Mdgkjopd.exeC:\Windows\system32\Mdgkjopd.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:620 -
C:\Windows\SysWOW64\Mjdcbf32.exeC:\Windows\system32\Mjdcbf32.exe65⤵
- Executes dropped EXE
PID:1388 -
C:\Windows\SysWOW64\Mpnkopeh.exeC:\Windows\system32\Mpnkopeh.exe66⤵
- System Location Discovery: System Language Discovery
PID:1152 -
C:\Windows\SysWOW64\Mkcplien.exeC:\Windows\system32\Mkcplien.exe67⤵PID:1656
-
C:\Windows\SysWOW64\Mnblhddb.exeC:\Windows\system32\Mnblhddb.exe68⤵PID:1956
-
C:\Windows\SysWOW64\Mdldeo32.exeC:\Windows\system32\Mdldeo32.exe69⤵PID:2784
-
C:\Windows\SysWOW64\Mgjpaj32.exeC:\Windows\system32\Mgjpaj32.exe70⤵PID:2568
-
C:\Windows\SysWOW64\Mndhnd32.exeC:\Windows\system32\Mndhnd32.exe71⤵PID:3052
-
C:\Windows\SysWOW64\Moeeelhn.exeC:\Windows\system32\Moeeelhn.exe72⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2380 -
C:\Windows\SysWOW64\Mfpmbf32.exeC:\Windows\system32\Mfpmbf32.exe73⤵
- Modifies registry class
PID:2112 -
C:\Windows\SysWOW64\Mhninb32.exeC:\Windows\system32\Mhninb32.exe74⤵PID:1900
-
C:\Windows\SysWOW64\Mlieoqgg.exeC:\Windows\system32\Mlieoqgg.exe75⤵
- Drops file in System32 directory
PID:1672 -
C:\Windows\SysWOW64\Nccnlk32.exeC:\Windows\system32\Nccnlk32.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1052 -
C:\Windows\SysWOW64\Nllbdp32.exeC:\Windows\system32\Nllbdp32.exe77⤵PID:2084
-
C:\Windows\SysWOW64\Ncfjajma.exeC:\Windows\system32\Ncfjajma.exe78⤵
- Drops file in System32 directory
PID:2316 -
C:\Windows\SysWOW64\Ndggib32.exeC:\Windows\system32\Ndggib32.exe79⤵PID:2088
-
C:\Windows\SysWOW64\Nmnojp32.exeC:\Windows\system32\Nmnojp32.exe80⤵PID:1748
-
C:\Windows\SysWOW64\Nomkfk32.exeC:\Windows\system32\Nomkfk32.exe81⤵PID:2028
-
C:\Windows\SysWOW64\Nffccejb.exeC:\Windows\system32\Nffccejb.exe82⤵PID:2924
-
C:\Windows\SysWOW64\Nghpjn32.exeC:\Windows\system32\Nghpjn32.exe83⤵
- Drops file in System32 directory
PID:700 -
C:\Windows\SysWOW64\Noohlkpc.exeC:\Windows\system32\Noohlkpc.exe84⤵PID:1836
-
C:\Windows\SysWOW64\Nqpdcc32.exeC:\Windows\system32\Nqpdcc32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712 -
C:\Windows\SysWOW64\Ngjlpmnn.exeC:\Windows\system32\Ngjlpmnn.exe86⤵PID:2684
-
C:\Windows\SysWOW64\Ndnmialh.exeC:\Windows\system32\Ndnmialh.exe87⤵PID:2564
-
C:\Windows\SysWOW64\Okhefl32.exeC:\Windows\system32\Okhefl32.exe88⤵PID:3056
-
C:\Windows\SysWOW64\Oqennbbl.exeC:\Windows\system32\Oqennbbl.exe89⤵
- System Location Discovery: System Language Discovery
PID:2572 -
C:\Windows\SysWOW64\Oepjoa32.exeC:\Windows\system32\Oepjoa32.exe90⤵
- System Location Discovery: System Language Discovery
PID:2424 -
C:\Windows\SysWOW64\Ogofkm32.exeC:\Windows\system32\Ogofkm32.exe91⤵PID:1624
-
C:\Windows\SysWOW64\Oninhgae.exeC:\Windows\system32\Oninhgae.exe92⤵PID:1072
-
C:\Windows\SysWOW64\Oqgjdbpi.exeC:\Windows\system32\Oqgjdbpi.exe93⤵PID:2228
-
C:\Windows\SysWOW64\Ogabql32.exeC:\Windows\system32\Ogabql32.exe94⤵PID:2020
-
C:\Windows\SysWOW64\Oibohdmd.exeC:\Windows\system32\Oibohdmd.exe95⤵PID:3008
-
C:\Windows\SysWOW64\Oaigib32.exeC:\Windows\system32\Oaigib32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1556 -
C:\Windows\SysWOW64\Ochcem32.exeC:\Windows\system32\Ochcem32.exe97⤵
- Drops file in System32 directory
PID:1504 -
C:\Windows\SysWOW64\Ojblbgdg.exeC:\Windows\system32\Ojblbgdg.exe98⤵
- Drops file in System32 directory
- Modifies registry class
PID:1044 -
C:\Windows\SysWOW64\Omphocck.exeC:\Windows\system32\Omphocck.exe99⤵PID:1584
-
C:\Windows\SysWOW64\Olchjp32.exeC:\Windows\system32\Olchjp32.exe100⤵PID:2656
-
C:\Windows\SysWOW64\Ocjpkm32.exeC:\Windows\system32\Ocjpkm32.exe101⤵PID:2956
-
C:\Windows\SysWOW64\Oekmceaf.exeC:\Windows\system32\Oekmceaf.exe102⤵PID:2108
-
C:\Windows\SysWOW64\Ombddbah.exeC:\Windows\system32\Ombddbah.exe103⤵PID:2768
-
C:\Windows\SysWOW64\Opaqpn32.exeC:\Windows\system32\Opaqpn32.exe104⤵PID:2600
-
C:\Windows\SysWOW64\Pfkimhhi.exeC:\Windows\system32\Pfkimhhi.exe105⤵PID:2168
-
C:\Windows\SysWOW64\Phledp32.exeC:\Windows\system32\Phledp32.exe106⤵PID:3004
-
C:\Windows\SysWOW64\Pnfnajed.exeC:\Windows\system32\Pnfnajed.exe107⤵PID:1112
-
C:\Windows\SysWOW64\Pepfnd32.exeC:\Windows\system32\Pepfnd32.exe108⤵PID:1384
-
C:\Windows\SysWOW64\Pljnkodm.exeC:\Windows\system32\Pljnkodm.exe109⤵PID:2300
-
C:\Windows\SysWOW64\Pbdfgilj.exeC:\Windows\system32\Pbdfgilj.exe110⤵
- Drops file in System32 directory
PID:2616 -
C:\Windows\SysWOW64\Pebbcdkn.exeC:\Windows\system32\Pebbcdkn.exe111⤵PID:2556
-
C:\Windows\SysWOW64\Pllkpn32.exeC:\Windows\system32\Pllkpn32.exe112⤵PID:2376
-
C:\Windows\SysWOW64\Pnkglj32.exeC:\Windows\system32\Pnkglj32.exe113⤵PID:2936
-
C:\Windows\SysWOW64\Peeoidik.exeC:\Windows\system32\Peeoidik.exe114⤵
- Drops file in System32 directory
PID:1000 -
C:\Windows\SysWOW64\Pdhpdq32.exeC:\Windows\system32\Pdhpdq32.exe115⤵PID:2776
-
C:\Windows\SysWOW64\Pjahakgb.exeC:\Windows\system32\Pjahakgb.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1904 -
C:\Windows\SysWOW64\Pmpdmfff.exeC:\Windows\system32\Pmpdmfff.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3024 -
C:\Windows\SysWOW64\Ppopja32.exeC:\Windows\system32\Ppopja32.exe118⤵PID:1752
-
C:\Windows\SysWOW64\Pfhhflmg.exeC:\Windows\system32\Pfhhflmg.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2268 -
C:\Windows\SysWOW64\Qjddgj32.exeC:\Windows\system32\Qjddgj32.exe120⤵PID:2688
-
C:\Windows\SysWOW64\Qdlipplq.exeC:\Windows\system32\Qdlipplq.exe121⤵PID:648
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-