Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
30/09/2024, 06:22
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe
Resource
win10v2004-20240910-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe
-
Size
72KB
-
MD5
8cc79c63c6b2e78a32f54a6188d12180
-
SHA1
6e2cbf3e02cbdba937af343731edca46f3815ace
-
SHA256
2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5af
-
SHA512
5baa70a7a02e23ff3bd475f9b524eedfe9d33f5066761e0ee35214dad21146ea6594bd3f10268c8bad3015f5e745bd93f96e95c00027459728d7a3cb7e81a020
-
SSDEEP
1536:uOlhr4o4GgZJz6nsK3cilPPgUN3QivEtA:Bl9N4GkV5yNPPgU5QJA
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jolghndm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhknaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcckcbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qdlggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfmhdpnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgoelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cagienkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkchmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kddomchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agolnbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqbdkk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bffbdadk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjdkjpkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfkloq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knmdeioh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ndqkleln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnknoogp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bigkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klngkfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmfbpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bffbdadk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pghfnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mimgeigj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nnafnopi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbdiia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jolghndm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnhgim32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lddlkg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Danpemej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljddjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oibmpl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phcilf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kdbbgdjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akcomepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bigkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kddomchg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnhgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oadkej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcaimgg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pifbjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akcomepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqbdkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgqocoin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbafdlod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jefpeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpfmmf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpebmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjkhdacm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfmhdpnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfhkhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaompi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqlfaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neknki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdcifi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obmnna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adlcfjgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkjjma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opglafab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohncbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aakjdo32.exe -
Executes dropped EXE 64 IoCs
pid Process 880 Jeafjiop.exe 2140 Jojkco32.exe 2000 Jedcpi32.exe 2820 Jlnklcej.exe 3000 Jolghndm.exe 1200 Jefpeh32.exe 2596 Jkchmo32.exe 2180 Jbjpom32.exe 2952 Khghgchk.exe 1600 Kkeecogo.exe 2104 Kaompi32.exe 1440 Kdnild32.exe 2900 Kocmim32.exe 2184 Kdpfadlm.exe 1968 Kgnbnpkp.exe 1276 Kjmnjkjd.exe 1856 Kdbbgdjj.exe 612 Kgqocoin.exe 276 Knkgpi32.exe 2248 Klngkfge.exe 2108 Kddomchg.exe 2528 Knmdeioh.exe 2844 Kpkpadnl.exe 2720 Ljddjj32.exe 2848 Lhfefgkg.exe 2832 Lboiol32.exe 2956 Lfkeokjp.exe 2592 Lldmleam.exe 2208 Lbafdlod.exe 1852 Lhknaf32.exe 340 Lkjjma32.exe 1864 Lnhgim32.exe 1936 Lfoojj32.exe 2904 Lhnkffeo.exe 2244 Lklgbadb.exe 2268 Lohccp32.exe 1224 Lbfook32.exe 1228 Lddlkg32.exe 1840 Lhpglecl.exe 324 Mkndhabp.exe 1244 Mjaddn32.exe 1504 Mnmpdlac.exe 2020 Mqklqhpg.exe 1512 Mcjhmcok.exe 836 Mgedmb32.exe 584 Mjcaimgg.exe 2800 Mnomjl32.exe 2776 Mqnifg32.exe 2604 Mclebc32.exe 2656 Mggabaea.exe 2148 Mnaiol32.exe 1444 Mobfgdcl.exe 2876 Mgjnhaco.exe 532 Mjhjdm32.exe 1932 Mikjpiim.exe 2756 Mqbbagjo.exe 1724 Mpebmc32.exe 908 Mbcoio32.exe 1148 Mfokinhf.exe 1880 Mjkgjl32.exe 1356 Mimgeigj.exe 1528 Mpgobc32.exe 3036 Mcckcbgp.exe 2332 Nbflno32.exe -
Loads dropped DLL 64 IoCs
pid Process 2028 2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe 2028 2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe 880 Jeafjiop.exe 880 Jeafjiop.exe 2140 Jojkco32.exe 2140 Jojkco32.exe 2000 Jedcpi32.exe 2000 Jedcpi32.exe 2820 Jlnklcej.exe 2820 Jlnklcej.exe 3000 Jolghndm.exe 3000 Jolghndm.exe 1200 Jefpeh32.exe 1200 Jefpeh32.exe 2596 Jkchmo32.exe 2596 Jkchmo32.exe 2180 Jbjpom32.exe 2180 Jbjpom32.exe 2952 Khghgchk.exe 2952 Khghgchk.exe 1600 Kkeecogo.exe 1600 Kkeecogo.exe 2104 Kaompi32.exe 2104 Kaompi32.exe 1440 Kdnild32.exe 1440 Kdnild32.exe 2900 Kocmim32.exe 2900 Kocmim32.exe 2184 Kdpfadlm.exe 2184 Kdpfadlm.exe 1968 Kgnbnpkp.exe 1968 Kgnbnpkp.exe 1276 Kjmnjkjd.exe 1276 Kjmnjkjd.exe 1856 Kdbbgdjj.exe 1856 Kdbbgdjj.exe 612 Kgqocoin.exe 612 Kgqocoin.exe 276 Knkgpi32.exe 276 Knkgpi32.exe 2248 Klngkfge.exe 2248 Klngkfge.exe 2368 Kffldlne.exe 2368 Kffldlne.exe 2528 Knmdeioh.exe 2528 Knmdeioh.exe 2844 Kpkpadnl.exe 2844 Kpkpadnl.exe 2720 Ljddjj32.exe 2720 Ljddjj32.exe 2848 Lhfefgkg.exe 2848 Lhfefgkg.exe 2832 Lboiol32.exe 2832 Lboiol32.exe 2956 Lfkeokjp.exe 2956 Lfkeokjp.exe 2592 Lldmleam.exe 2592 Lldmleam.exe 2208 Lbafdlod.exe 2208 Lbafdlod.exe 1852 Lhknaf32.exe 1852 Lhknaf32.exe 340 Lkjjma32.exe 340 Lkjjma32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Bmpkqklh.exe Bieopm32.exe File opened for modification C:\Windows\SysWOW64\Pkjphcff.exe Phlclgfc.exe File opened for modification C:\Windows\SysWOW64\Afffenbp.exe Aakjdo32.exe File opened for modification C:\Windows\SysWOW64\Abmgjo32.exe Anbkipok.exe File created C:\Windows\SysWOW64\Adlcfjgh.exe Abmgjo32.exe File opened for modification C:\Windows\SysWOW64\Bffbdadk.exe Bchfhfeh.exe File created C:\Windows\SysWOW64\Cmpgpond.exe Cjakccop.exe File opened for modification C:\Windows\SysWOW64\Mgedmb32.exe Mcjhmcok.exe File created C:\Windows\SysWOW64\Goembl32.dll Onfoin32.exe File created C:\Windows\SysWOW64\Aakjdo32.exe Achjibcl.exe File created C:\Windows\SysWOW64\Npbdcgjh.dll Nlcibc32.exe File opened for modification C:\Windows\SysWOW64\Njhfcp32.exe Nlefhcnc.exe File created C:\Windows\SysWOW64\Ngciog32.dll Pojecajj.exe File created C:\Windows\SysWOW64\Aacinhhc.dll Aojabdlf.exe File opened for modification C:\Windows\SysWOW64\Bqeqqk32.exe Bnfddp32.exe File opened for modification C:\Windows\SysWOW64\Ljddjj32.exe Kpkpadnl.exe File opened for modification C:\Windows\SysWOW64\Mclebc32.exe Mqnifg32.exe File created C:\Windows\SysWOW64\Nmkplgnq.exe Nedhjj32.exe File created C:\Windows\SysWOW64\Cagienkb.exe Cbdiia32.exe File created C:\Windows\SysWOW64\Njfjnpgp.exe Nlcibc32.exe File created C:\Windows\SysWOW64\Oabkom32.exe Opqoge32.exe File created C:\Windows\SysWOW64\Lboiol32.exe Lhfefgkg.exe File created C:\Windows\SysWOW64\Lhnkffeo.exe Lfoojj32.exe File created C:\Windows\SysWOW64\Qggfio32.dll Mgjnhaco.exe File created C:\Windows\SysWOW64\Caifjn32.exe Cbffoabe.exe File opened for modification C:\Windows\SysWOW64\Danpemej.exe Dmbcen32.exe File created C:\Windows\SysWOW64\Nedhjj32.exe Nbflno32.exe File created C:\Windows\SysWOW64\Ghfcobil.dll Ofhjopbg.exe File opened for modification C:\Windows\SysWOW64\Cebeem32.exe Cagienkb.exe File created C:\Windows\SysWOW64\Omklkkpl.exe Ojmpooah.exe File created C:\Windows\SysWOW64\Bcjcme32.exe Bqlfaj32.exe File opened for modification C:\Windows\SysWOW64\Lhnkffeo.exe Lfoojj32.exe File opened for modification C:\Windows\SysWOW64\Cpfmmf32.exe Cgoelh32.exe File created C:\Windows\SysWOW64\Onaiomjo.dll Cbffoabe.exe File created C:\Windows\SysWOW64\Kgnbnpkp.exe Kdpfadlm.exe File created C:\Windows\SysWOW64\Bhapci32.dll Phlclgfc.exe File created C:\Windows\SysWOW64\Bnknoogp.exe Bjpaop32.exe File created C:\Windows\SysWOW64\Adifpk32.exe Afffenbp.exe File created C:\Windows\SysWOW64\Cgoelh32.exe Cileqlmg.exe File created C:\Windows\SysWOW64\Hfdoodan.dll 2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe File created C:\Windows\SysWOW64\Bnljlm32.dll Jlnklcej.exe File opened for modification C:\Windows\SysWOW64\Nidmfh32.exe Neiaeiii.exe File opened for modification C:\Windows\SysWOW64\Mjhjdm32.exe Mgjnhaco.exe File created C:\Windows\SysWOW64\Lmajfk32.dll Ciihklpj.exe File created C:\Windows\SysWOW64\Fffgkhmc.dll Mqklqhpg.exe File created C:\Windows\SysWOW64\Mgedmb32.exe Mcjhmcok.exe File created C:\Windows\SysWOW64\Hcelfiph.dll Mobfgdcl.exe File created C:\Windows\SysWOW64\Cbppnbhm.exe Coacbfii.exe File created C:\Windows\SysWOW64\Kccllg32.dll Lfkeokjp.exe File opened for modification C:\Windows\SysWOW64\Mjaddn32.exe Mkndhabp.exe File created C:\Windows\SysWOW64\Aebfidim.dll Anbkipok.exe File opened for modification C:\Windows\SysWOW64\Nefdpjkl.exe Nfdddm32.exe File created C:\Windows\SysWOW64\Eiapeffl.dll Opglafab.exe File created C:\Windows\SysWOW64\Olbkdn32.dll Qeppdo32.exe File created C:\Windows\SysWOW64\Lnhgim32.exe Lkjjma32.exe File created C:\Windows\SysWOW64\Afbioogg.dll Mggabaea.exe File created C:\Windows\SysWOW64\Edeomgho.dll Nbhhdnlh.exe File created C:\Windows\SysWOW64\Aaimopli.exe Acfmcc32.exe File opened for modification C:\Windows\SysWOW64\Aakjdo32.exe Achjibcl.exe File opened for modification C:\Windows\SysWOW64\Bjmeiq32.exe Bgoime32.exe File created C:\Windows\SysWOW64\Lfkeokjp.exe Lboiol32.exe File created C:\Windows\SysWOW64\Mlbakl32.dll Pkmlmbcd.exe File created C:\Windows\SysWOW64\Acfmcc32.exe Aojabdlf.exe File created C:\Windows\SysWOW64\Qpbglhjq.exe Qndkpmkm.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe File opened for modification C:\Windows\system32†Dcllbhdn.¿xe Dpapaj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3468 3388 WerFault.exe 266 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdbbgdjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfoojj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnkffeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppnnai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caifjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfefgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calcpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkpadnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olbfagca.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pljlbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lldmleam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bceibfgj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooabmbbe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qndkpmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoagccfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bigkel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdqlajbb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkegah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnbnpkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Andgop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnimiblo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cchbgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbflno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neiaeiii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcjcme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfkloq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqnifg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obmnna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phlclgfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofhjopbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Coacbfii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnhgim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcaimgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbagipfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pohhna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciihklpj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahebaiac.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbfook32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddlkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcjhmcok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njfjnpgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nncbdomg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeindm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akabgebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mggabaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkaehb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjobffl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnfddp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cgcnghpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlnklcej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omklkkpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nedhjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkmlmbcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdeqfhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aakjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jefpeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffldlne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nameek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnkjnb32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nfdddm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bhjlli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll" Bmlael32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdeqfhjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bqeqqk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdbdqh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgaaah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bibjaofg.dll" Pohhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll" Bjbndpmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinhifdq.dll" Bjdkjpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mjaddn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Coamkc32.dll" Mcjhmcok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjeeidhg.dll" Offmipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oemgplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pohhna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdpkangm.dll" Bfdenafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jidmcq32.dll" Cileqlmg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cjakccop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kocmim32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfoghakb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohncbdbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phlclgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nloone32.dll" Cegoqlof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hfdoodan.dll" 2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adifpk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdqlajbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bceibfgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paodbg32.dll" Nlefhcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Binbknik.dll" Ahebaiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbehjc32.dll" Dmbcen32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jedcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jedcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mqnifg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfnmapnj.dll" Mjkgjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnfddp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcjcme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpajfg32.dll" Clojhf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmmjebjg.dll" Lhfefgkg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nedhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Edeomgho.dll" Nbhhdnlh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pcljmdmj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Danpemej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgnbnpkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfebhg32.dll" Njfjnpgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nncbdomg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Agolnbok.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmedlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mimgeigj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opihgfop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nfdgghho.dll" Pljlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkppib32.dll" Acfmcc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dombicdm.dll" Obmnna32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pkjphcff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bnjdhe32.dll" Bigkel32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apedah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidobe32.dll" Pdbdqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdbdqh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfqgfg32.dll" Qiioon32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Calcpm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jolghndm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mikjpiim.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2028 wrote to memory of 880 2028 2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe 31 PID 2028 wrote to memory of 880 2028 2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe 31 PID 2028 wrote to memory of 880 2028 2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe 31 PID 2028 wrote to memory of 880 2028 2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe 31 PID 880 wrote to memory of 2140 880 Jeafjiop.exe 32 PID 880 wrote to memory of 2140 880 Jeafjiop.exe 32 PID 880 wrote to memory of 2140 880 Jeafjiop.exe 32 PID 880 wrote to memory of 2140 880 Jeafjiop.exe 32 PID 2140 wrote to memory of 2000 2140 Jojkco32.exe 33 PID 2140 wrote to memory of 2000 2140 Jojkco32.exe 33 PID 2140 wrote to memory of 2000 2140 Jojkco32.exe 33 PID 2140 wrote to memory of 2000 2140 Jojkco32.exe 33 PID 2000 wrote to memory of 2820 2000 Jedcpi32.exe 34 PID 2000 wrote to memory of 2820 2000 Jedcpi32.exe 34 PID 2000 wrote to memory of 2820 2000 Jedcpi32.exe 34 PID 2000 wrote to memory of 2820 2000 Jedcpi32.exe 34 PID 2820 wrote to memory of 3000 2820 Jlnklcej.exe 35 PID 2820 wrote to memory of 3000 2820 Jlnklcej.exe 35 PID 2820 wrote to memory of 3000 2820 Jlnklcej.exe 35 PID 2820 wrote to memory of 3000 2820 Jlnklcej.exe 35 PID 3000 wrote to memory of 1200 3000 Jolghndm.exe 36 PID 3000 wrote to memory of 1200 3000 Jolghndm.exe 36 PID 3000 wrote to memory of 1200 3000 Jolghndm.exe 36 PID 3000 wrote to memory of 1200 3000 Jolghndm.exe 36 PID 1200 wrote to memory of 2596 1200 Jefpeh32.exe 37 PID 1200 wrote to memory of 2596 1200 Jefpeh32.exe 37 PID 1200 wrote to memory of 2596 1200 Jefpeh32.exe 37 PID 1200 wrote to memory of 2596 1200 Jefpeh32.exe 37 PID 2596 wrote to memory of 2180 2596 Jkchmo32.exe 38 PID 2596 wrote to memory of 2180 2596 Jkchmo32.exe 38 PID 2596 wrote to memory of 2180 2596 Jkchmo32.exe 38 PID 2596 wrote to memory of 2180 2596 Jkchmo32.exe 38 PID 2180 wrote to memory of 2952 2180 Jbjpom32.exe 39 PID 2180 wrote to memory of 2952 2180 Jbjpom32.exe 39 PID 2180 wrote to memory of 2952 2180 Jbjpom32.exe 39 PID 2180 wrote to memory of 2952 2180 Jbjpom32.exe 39 PID 2952 wrote to memory of 1600 2952 Khghgchk.exe 40 PID 2952 wrote to memory of 1600 2952 Khghgchk.exe 40 PID 2952 wrote to memory of 1600 2952 Khghgchk.exe 40 PID 2952 wrote to memory of 1600 2952 Khghgchk.exe 40 PID 1600 wrote to memory of 2104 1600 Kkeecogo.exe 41 PID 1600 wrote to memory of 2104 1600 Kkeecogo.exe 41 PID 1600 wrote to memory of 2104 1600 Kkeecogo.exe 41 PID 1600 wrote to memory of 2104 1600 Kkeecogo.exe 41 PID 2104 wrote to memory of 1440 2104 Kaompi32.exe 42 PID 2104 wrote to memory of 1440 2104 Kaompi32.exe 42 PID 2104 wrote to memory of 1440 2104 Kaompi32.exe 42 PID 2104 wrote to memory of 1440 2104 Kaompi32.exe 42 PID 1440 wrote to memory of 2900 1440 Kdnild32.exe 43 PID 1440 wrote to memory of 2900 1440 Kdnild32.exe 43 PID 1440 wrote to memory of 2900 1440 Kdnild32.exe 43 PID 1440 wrote to memory of 2900 1440 Kdnild32.exe 43 PID 2900 wrote to memory of 2184 2900 Kocmim32.exe 44 PID 2900 wrote to memory of 2184 2900 Kocmim32.exe 44 PID 2900 wrote to memory of 2184 2900 Kocmim32.exe 44 PID 2900 wrote to memory of 2184 2900 Kocmim32.exe 44 PID 2184 wrote to memory of 1968 2184 Kdpfadlm.exe 45 PID 2184 wrote to memory of 1968 2184 Kdpfadlm.exe 45 PID 2184 wrote to memory of 1968 2184 Kdpfadlm.exe 45 PID 2184 wrote to memory of 1968 2184 Kdpfadlm.exe 45 PID 1968 wrote to memory of 1276 1968 Kgnbnpkp.exe 46 PID 1968 wrote to memory of 1276 1968 Kgnbnpkp.exe 46 PID 1968 wrote to memory of 1276 1968 Kgnbnpkp.exe 46 PID 1968 wrote to memory of 1276 1968 Kgnbnpkp.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe"C:\Users\Admin\AppData\Local\Temp\2715f9a24e2c5d0d78700db19ad0adaec79813fb604c440b74067e8e4b31d5afN.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Jeafjiop.exeC:\Windows\system32\Jeafjiop.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:880 -
C:\Windows\SysWOW64\Jojkco32.exeC:\Windows\system32\Jojkco32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2000 -
C:\Windows\SysWOW64\Jlnklcej.exeC:\Windows\system32\Jlnklcej.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Jolghndm.exeC:\Windows\system32\Jolghndm.exe6⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3000 -
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Jkchmo32.exeC:\Windows\system32\Jkchmo32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Khghgchk.exeC:\Windows\system32\Khghgchk.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Windows\SysWOW64\Kdnild32.exeC:\Windows\system32\Kdnild32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1440 -
C:\Windows\SysWOW64\Kocmim32.exeC:\Windows\system32\Kocmim32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1276 -
C:\Windows\SysWOW64\Kdbbgdjj.exeC:\Windows\system32\Kdbbgdjj.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1856 -
C:\Windows\SysWOW64\Kgqocoin.exeC:\Windows\system32\Kgqocoin.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:276 -
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2248 -
C:\Windows\SysWOW64\Kddomchg.exeC:\Windows\system32\Kddomchg.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe23⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2368 -
C:\Windows\SysWOW64\Knmdeioh.exeC:\Windows\system32\Knmdeioh.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2528 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2844 -
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Lhfefgkg.exeC:\Windows\system32\Lhfefgkg.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2848 -
C:\Windows\SysWOW64\Lboiol32.exeC:\Windows\system32\Lboiol32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2832 -
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2956 -
C:\Windows\SysWOW64\Lldmleam.exeC:\Windows\system32\Lldmleam.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2592 -
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2208 -
C:\Windows\SysWOW64\Lhknaf32.exeC:\Windows\system32\Lhknaf32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1852 -
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:340 -
C:\Windows\SysWOW64\Lnhgim32.exeC:\Windows\system32\Lnhgim32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1864 -
C:\Windows\SysWOW64\Lfoojj32.exeC:\Windows\system32\Lfoojj32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1936 -
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2904 -
C:\Windows\SysWOW64\Lklgbadb.exeC:\Windows\system32\Lklgbadb.exe37⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe38⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Lbfook32.exeC:\Windows\system32\Lbfook32.exe39⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1224 -
C:\Windows\SysWOW64\Lddlkg32.exeC:\Windows\system32\Lddlkg32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1228 -
C:\Windows\SysWOW64\Lhpglecl.exeC:\Windows\system32\Lhpglecl.exe41⤵
- Executes dropped EXE
PID:1840 -
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:324 -
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Mnmpdlac.exeC:\Windows\system32\Mnmpdlac.exe44⤵
- Executes dropped EXE
PID:1504 -
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Mcjhmcok.exeC:\Windows\system32\Mcjhmcok.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Mgedmb32.exeC:\Windows\system32\Mgedmb32.exe47⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Mjcaimgg.exeC:\Windows\system32\Mjcaimgg.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:584 -
C:\Windows\SysWOW64\Mnomjl32.exeC:\Windows\system32\Mnomjl32.exe49⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2776 -
C:\Windows\SysWOW64\Mclebc32.exeC:\Windows\system32\Mclebc32.exe51⤵
- Executes dropped EXE
PID:2604 -
C:\Windows\SysWOW64\Mggabaea.exeC:\Windows\system32\Mggabaea.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Mnaiol32.exeC:\Windows\system32\Mnaiol32.exe53⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Mobfgdcl.exeC:\Windows\system32\Mobfgdcl.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1444 -
C:\Windows\SysWOW64\Mgjnhaco.exeC:\Windows\system32\Mgjnhaco.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Mjhjdm32.exeC:\Windows\system32\Mjhjdm32.exe56⤵
- Executes dropped EXE
PID:532 -
C:\Windows\SysWOW64\Mikjpiim.exeC:\Windows\system32\Mikjpiim.exe57⤵
- Executes dropped EXE
- Modifies registry class
PID:1932 -
C:\Windows\SysWOW64\Mqbbagjo.exeC:\Windows\system32\Mqbbagjo.exe58⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Mpebmc32.exeC:\Windows\system32\Mpebmc32.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe60⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Mfokinhf.exeC:\Windows\system32\Mfokinhf.exe61⤵
- Executes dropped EXE
PID:1148 -
C:\Windows\SysWOW64\Mjkgjl32.exeC:\Windows\system32\Mjkgjl32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:1880 -
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe63⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe64⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Mcckcbgp.exeC:\Windows\system32\Mcckcbgp.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Nbflno32.exeC:\Windows\system32\Nbflno32.exe66⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Nedhjj32.exeC:\Windows\system32\Nedhjj32.exe67⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1164 -
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe68⤵PID:2732
-
C:\Windows\SysWOW64\Nlnpgd32.exeC:\Windows\system32\Nlnpgd32.exe69⤵PID:2784
-
C:\Windows\SysWOW64\Nnmlcp32.exeC:\Windows\system32\Nnmlcp32.exe70⤵PID:2608
-
C:\Windows\SysWOW64\Nbhhdnlh.exeC:\Windows\system32\Nbhhdnlh.exe71⤵
- Drops file in System32 directory
- Modifies registry class
PID:2632 -
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:640 -
C:\Windows\SysWOW64\Nefdpjkl.exeC:\Windows\system32\Nefdpjkl.exe73⤵PID:1460
-
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe74⤵PID:336
-
C:\Windows\SysWOW64\Nnoiio32.exeC:\Windows\system32\Nnoiio32.exe75⤵PID:536
-
C:\Windows\SysWOW64\Nameek32.exeC:\Windows\system32\Nameek32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2432 -
C:\Windows\SysWOW64\Neiaeiii.exeC:\Windows\system32\Neiaeiii.exe77⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2304 -
C:\Windows\SysWOW64\Nidmfh32.exeC:\Windows\system32\Nidmfh32.exe78⤵PID:1996
-
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe79⤵
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Njfjnpgp.exeC:\Windows\system32\Njfjnpgp.exe80⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1732 -
C:\Windows\SysWOW64\Neknki32.exeC:\Windows\system32\Neknki32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2340 -
C:\Windows\SysWOW64\Nhjjgd32.exeC:\Windows\system32\Nhjjgd32.exe83⤵PID:2024
-
C:\Windows\SysWOW64\Nlefhcnc.exeC:\Windows\system32\Nlefhcnc.exe84⤵
- Drops file in System32 directory
- Modifies registry class
PID:2724 -
C:\Windows\SysWOW64\Njhfcp32.exeC:\Windows\system32\Njhfcp32.exe85⤵PID:2868
-
C:\Windows\SysWOW64\Nncbdomg.exeC:\Windows\system32\Nncbdomg.exe86⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2580 -
C:\Windows\SysWOW64\Nmfbpk32.exeC:\Windows\system32\Nmfbpk32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2160 -
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe88⤵PID:2648
-
C:\Windows\SysWOW64\Ndqkleln.exeC:\Windows\system32\Ndqkleln.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2316 -
C:\Windows\SysWOW64\Nfoghakb.exeC:\Windows\system32\Nfoghakb.exe90⤵
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe91⤵
- Drops file in System32 directory
PID:2204 -
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:572 -
C:\Windows\SysWOW64\Opglafab.exeC:\Windows\system32\Opglafab.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Ohncbdbd.exeC:\Windows\system32\Ohncbdbd.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1152 -
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe95⤵
- Drops file in System32 directory
PID:1192 -
C:\Windows\SysWOW64\Omklkkpl.exeC:\Windows\system32\Omklkkpl.exe96⤵
- System Location Discovery: System Language Discovery
PID:1488 -
C:\Windows\SysWOW64\Opihgfop.exeC:\Windows\system32\Opihgfop.exe97⤵
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Odedge32.exeC:\Windows\system32\Odedge32.exe98⤵PID:2192
-
C:\Windows\SysWOW64\Ofcqcp32.exeC:\Windows\system32\Ofcqcp32.exe99⤵PID:2976
-
C:\Windows\SysWOW64\Ojomdoof.exeC:\Windows\system32\Ojomdoof.exe100⤵PID:376
-
C:\Windows\SysWOW64\Oibmpl32.exeC:\Windows\system32\Oibmpl32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Olpilg32.exeC:\Windows\system32\Olpilg32.exe102⤵PID:1876
-
C:\Windows\SysWOW64\Odgamdef.exeC:\Windows\system32\Odgamdef.exe103⤵PID:2668
-
C:\Windows\SysWOW64\Offmipej.exeC:\Windows\system32\Offmipej.exe104⤵
- Modifies registry class
PID:1696 -
C:\Windows\SysWOW64\Oeindm32.exeC:\Windows\system32\Oeindm32.exe105⤵
- System Location Discovery: System Language Discovery
PID:1888 -
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe106⤵PID:1468
-
C:\Windows\SysWOW64\Olbfagca.exeC:\Windows\system32\Olbfagca.exe107⤵
- System Location Discovery: System Language Discovery
PID:2392 -
C:\Windows\SysWOW64\Ooabmbbe.exeC:\Windows\system32\Ooabmbbe.exe108⤵
- System Location Discovery: System Language Discovery
PID:2124 -
C:\Windows\SysWOW64\Obmnna32.exeC:\Windows\system32\Obmnna32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2704 -
C:\Windows\SysWOW64\Ofhjopbg.exeC:\Windows\system32\Ofhjopbg.exe110⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Ohiffh32.exeC:\Windows\system32\Ohiffh32.exe111⤵
- System Location Discovery: System Language Discovery
PID:1020 -
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe112⤵PID:2164
-
C:\Windows\SysWOW64\Opqoge32.exeC:\Windows\system32\Opqoge32.exe113⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2924 -
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe114⤵PID:1704
-
C:\Windows\SysWOW64\Oemgplgo.exeC:\Windows\system32\Oemgplgo.exe115⤵
- Modifies registry class
PID:1104 -
C:\Windows\SysWOW64\Phlclgfc.exeC:\Windows\system32\Phlclgfc.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2320 -
C:\Windows\SysWOW64\Pkjphcff.exeC:\Windows\system32\Pkjphcff.exe117⤵
- Modifies registry class
PID:1636 -
C:\Windows\SysWOW64\Pbagipfi.exeC:\Windows\system32\Pbagipfi.exe118⤵
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Padhdm32.exeC:\Windows\system32\Padhdm32.exe119⤵PID:2752
-
C:\Windows\SysWOW64\Pdbdqh32.exeC:\Windows\system32\Pdbdqh32.exe120⤵
- Modifies registry class
PID:1144 -
C:\Windows\SysWOW64\Pljlbf32.exeC:\Windows\system32\Pljlbf32.exe121⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2416
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-