Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
52s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
02/10/2024, 09:02
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a7882c99e75496cbb8c31418618e2937a9574b1e9d138a49c53351d8878952c5N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
a7882c99e75496cbb8c31418618e2937a9574b1e9d138a49c53351d8878952c5N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
a7882c99e75496cbb8c31418618e2937a9574b1e9d138a49c53351d8878952c5N.exe
-
Size
96KB
-
MD5
0ff527b9f402071ea2b4b7a79a629ca0
-
SHA1
95fe256a1d8a8cdad912f98242ee3b5d3b7aeb2e
-
SHA256
a7882c99e75496cbb8c31418618e2937a9574b1e9d138a49c53351d8878952c5
-
SHA512
c6ca609041c3bdd79309d57a8dd90d7e67e01c5c7e873cc9b5bbfa4cbd79ab55334b06a344d6a400b9ec468391de10a9b88d63dda89ba03327f2179d3196c1b2
-
SSDEEP
1536:6jeIM6D7prN0GGB0G+81O7BK2L0Q7RZObZUUWaegPYA:8u47px01I75xClUUWae
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nkjapglg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npdfhhhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cepfgdnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgoopkgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gifaciae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hddlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcokiaji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmjnak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajqljc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklejh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nhlddkmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnjnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Leammn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pojbkh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pakllc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmejllia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aboaff32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Palepb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcedkd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfqpecma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Achojp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akncimmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdkjnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgkocj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkkbkp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddiibc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegabegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pciddedl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbdallnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnjplo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egjbdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eoiiijcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciqcmiei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enqdhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdpgjhbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abhkfg32.exe -
Executes dropped EXE 64 IoCs
pid Process 2820 Ncpcfkbg.exe 2612 Niikceid.exe 2588 Ncbplk32.exe 2616 Neplhf32.exe 344 Nljddpfe.exe 2672 Ocdmaj32.exe 1260 Oebimf32.exe 2276 Ollajp32.exe 2404 Ocfigjlp.exe 2632 Oeeecekc.exe 2184 Olonpp32.exe 1420 Oalfhf32.exe 1768 Odjbdb32.exe 1792 Oghopm32.exe 3064 Onbgmg32.exe 2316 Oqacic32.exe 1028 Okfgfl32.exe 1732 Onecbg32.exe 824 Oappcfmb.exe 2056 Odoloalf.exe 748 Pkidlk32.exe 896 Pjldghjm.exe 2352 Pqemdbaj.exe 2928 Pdaheq32.exe 3004 Pfbelipa.exe 2816 Pnimnfpc.exe 2684 Pqhijbog.exe 3024 Pfdabino.exe 472 Pmojocel.exe 1652 Pcibkm32.exe 2168 Pbkbgjcc.exe 2120 Pjbjhgde.exe 2960 Poocpnbm.exe 1236 Pfikmh32.exe 2804 Pkfceo32.exe 1188 Poapfn32.exe 1284 Qijdocfj.exe 3068 Qgmdjp32.exe 2476 Qbbhgi32.exe 560 Qqeicede.exe 1868 Qgoapp32.exe 2504 Qjnmlk32.exe 1356 Aaheie32.exe 1780 Acfaeq32.exe 796 Akmjfn32.exe 1676 Anlfbi32.exe 340 Aajbne32.exe 960 Aeenochi.exe 2620 Achojp32.exe 2568 Afgkfl32.exe 2416 Amqccfed.exe 1152 Aaloddnn.exe 2172 Apoooa32.exe 1708 Afiglkle.exe 1252 Ajecmj32.exe 2660 Aaolidlk.exe 2000 Apalea32.exe 2284 Acmhepko.exe 1688 Afkdakjb.exe 2440 Aijpnfif.exe 908 Amelne32.exe 1528 Acpdko32.exe 2128 Abbeflpf.exe 1648 Afnagk32.exe -
Loads dropped DLL 64 IoCs
pid Process 2720 a7882c99e75496cbb8c31418618e2937a9574b1e9d138a49c53351d8878952c5N.exe 2720 a7882c99e75496cbb8c31418618e2937a9574b1e9d138a49c53351d8878952c5N.exe 2820 Ncpcfkbg.exe 2820 Ncpcfkbg.exe 2612 Niikceid.exe 2612 Niikceid.exe 2588 Ncbplk32.exe 2588 Ncbplk32.exe 2616 Neplhf32.exe 2616 Neplhf32.exe 344 Nljddpfe.exe 344 Nljddpfe.exe 2672 Ocdmaj32.exe 2672 Ocdmaj32.exe 1260 Oebimf32.exe 1260 Oebimf32.exe 2276 Ollajp32.exe 2276 Ollajp32.exe 2404 Ocfigjlp.exe 2404 Ocfigjlp.exe 2632 Oeeecekc.exe 2632 Oeeecekc.exe 2184 Olonpp32.exe 2184 Olonpp32.exe 1420 Oalfhf32.exe 1420 Oalfhf32.exe 1768 Odjbdb32.exe 1768 Odjbdb32.exe 1792 Oghopm32.exe 1792 Oghopm32.exe 3064 Onbgmg32.exe 3064 Onbgmg32.exe 2316 Oqacic32.exe 2316 Oqacic32.exe 1028 Okfgfl32.exe 1028 Okfgfl32.exe 1732 Onecbg32.exe 1732 Onecbg32.exe 824 Oappcfmb.exe 824 Oappcfmb.exe 2056 Odoloalf.exe 2056 Odoloalf.exe 748 Pkidlk32.exe 748 Pkidlk32.exe 896 Pjldghjm.exe 896 Pjldghjm.exe 2352 Pqemdbaj.exe 2352 Pqemdbaj.exe 2928 Pdaheq32.exe 2928 Pdaheq32.exe 3004 Pfbelipa.exe 3004 Pfbelipa.exe 2816 Pnimnfpc.exe 2816 Pnimnfpc.exe 2684 Pqhijbog.exe 2684 Pqhijbog.exe 3024 Pfdabino.exe 3024 Pfdabino.exe 472 Pmojocel.exe 472 Pmojocel.exe 1652 Pcibkm32.exe 1652 Pcibkm32.exe 2168 Pbkbgjcc.exe 2168 Pbkbgjcc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ilppdi32.dll Ioliqbjn.exe File created C:\Windows\SysWOW64\Ijdbodng.dll Cafgle32.exe File created C:\Windows\SysWOW64\Fmlbjq32.exe Process not Found File created C:\Windows\SysWOW64\Chfkee32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Kdnkdmec.exe Process not Found File created C:\Windows\SysWOW64\Egiiapci.exe Ecnmpa32.exe File opened for modification C:\Windows\SysWOW64\Hpjeialg.exe Hloiib32.exe File opened for modification C:\Windows\SysWOW64\Noffdd32.exe Npdfhhhe.exe File created C:\Windows\SysWOW64\Napbjjom.exe Process not Found File opened for modification C:\Windows\SysWOW64\Bnknoogp.exe Process not Found File created C:\Windows\SysWOW64\Fepjea32.exe Process not Found File created C:\Windows\SysWOW64\Gdboig32.exe Gacbmk32.exe File created C:\Windows\SysWOW64\Hllmcc32.exe Hmjlhfof.exe File created C:\Windows\SysWOW64\Ngdjmc32.dll Process not Found File created C:\Windows\SysWOW64\Nhlgmd32.exe Process not Found File created C:\Windows\SysWOW64\Gckdgjeb.exe Process not Found File created C:\Windows\SysWOW64\Pcqejkep.dll Process not Found File created C:\Windows\SysWOW64\Ffbhcq32.dll Process not Found File created C:\Windows\SysWOW64\Ebenek32.dll Process not Found File created C:\Windows\SysWOW64\Ocohkh32.exe Ooclji32.exe File created C:\Windows\SysWOW64\Ddiibc32.exe Degiggjm.exe File created C:\Windows\SysWOW64\Ihnoip32.dll Ilofhffj.exe File created C:\Windows\SysWOW64\Mcjdhh32.dll Fgigil32.exe File created C:\Windows\SysWOW64\Nnmlcp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dphfbiem.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ippbnjni.exe Inafbooe.exe File opened for modification C:\Windows\SysWOW64\Gceailog.exe Process not Found File created C:\Windows\SysWOW64\Dlofgj32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Kpojkp32.exe Process not Found File created C:\Windows\SysWOW64\Jgifkl32.dll Process not Found File created C:\Windows\SysWOW64\Odoloalf.exe Oappcfmb.exe File created C:\Windows\SysWOW64\Mfoiqe32.exe Mbcmpfhi.exe File created C:\Windows\SysWOW64\Nhiholof.exe Ndnlnm32.exe File created C:\Windows\SysWOW64\Jckgicnp.exe Jplkmgol.exe File created C:\Windows\SysWOW64\Kjihalag.exe Kgkleabc.exe File opened for modification C:\Windows\SysWOW64\Achjibcl.exe Process not Found File opened for modification C:\Windows\SysWOW64\Hqnapb32.exe Process not Found File created C:\Windows\SysWOW64\Khohkamc.exe Process not Found File opened for modification C:\Windows\SysWOW64\Daqamj32.exe Dobdqo32.exe File created C:\Windows\SysWOW64\Aklabp32.exe Process not Found File created C:\Windows\SysWOW64\Llpfjomf.exe Process not Found File opened for modification C:\Windows\SysWOW64\Paocnkph.exe Process not Found File opened for modification C:\Windows\SysWOW64\Dklddhka.exe Dhmhhmlm.exe File created C:\Windows\SysWOW64\Aohndnll.dll Process not Found File created C:\Windows\SysWOW64\Nflchkii.exe Process not Found File created C:\Windows\SysWOW64\Ikgkei32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Npdfhhhe.exe Nmejllia.exe File opened for modification C:\Windows\SysWOW64\Dnnhbjnk.exe Djclbl32.exe File created C:\Windows\SysWOW64\Meccmfen.dll Cmpdgf32.exe File created C:\Windows\SysWOW64\Biaign32.exe Bajqfq32.exe File created C:\Windows\SysWOW64\Dahifbpk.exe Diaaeepi.exe File created C:\Windows\SysWOW64\Kfodfh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Clooiddm.exe Cmlong32.exe File opened for modification C:\Windows\SysWOW64\Bccjdnbi.exe Bepjha32.exe File created C:\Windows\SysWOW64\Bbjdjjdn.exe Bplhnoej.exe File created C:\Windows\SysWOW64\Kdhcli32.exe Kbigpn32.exe File created C:\Windows\SysWOW64\Bokblhqh.dll Process not Found File created C:\Windows\SysWOW64\Flnlkgjq.exe Process not Found File created C:\Windows\SysWOW64\Aidphq32.exe Affdle32.exe File created C:\Windows\SysWOW64\Libmpn32.dll Jlelhe32.exe File created C:\Windows\SysWOW64\Aondioej.dll Process not Found File created C:\Windows\SysWOW64\Lpcfmngo.dll Process not Found File created C:\Windows\SysWOW64\Knmamp32.exe Kfeikcfa.exe File created C:\Windows\SysWOW64\Njbdea32.exe Nhdhif32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6224 6700 Process not Found 1943 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akcldl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dchmkkkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlfacfpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language a7882c99e75496cbb8c31418618e2937a9574b1e9d138a49c53351d8878952c5N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbhjlbbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncbplk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knjegqif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lclgjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eklqcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpmdofno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egglkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epoqde32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbemb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkbgckgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fheabelm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocdmaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddajoelp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgebdipp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agjmim32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omqlpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daofpchf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkqnoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bncaekhp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkpbdq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcokiaji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfkfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcejm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdcmbgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phcpgm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odmabj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbeded32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogcnkgoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enbnkigh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnimnfpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aajbne32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmifhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dobgihgp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnqned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecnoijbd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gacbmk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apkodqok.dll" Jajala32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mfaefd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qcqaok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqglggcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omefkplm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ciqmoj32.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Egglkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bffpki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeckfndj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Omqlpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bcpgdhpp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ecbhdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejjbbkpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbcpac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odikqa32.dll" Fbpbpkpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nblpfepo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lomgjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hloiib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifdjeoep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcmfmlen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oemegc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pnjfae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdhfppnm.dll" Daofpchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpbbmeon.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojbkibad.dll" Ffibkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmjnak32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpqhdl32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdjjgb32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pjldghjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlklnjoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Doiddc32.dll" Ilabmedg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlnjo32.dll" Abpjjeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdclnelo.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjcceqko.dll" Pdaheq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Achojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcebfo32.dll" Kklikejc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafple32.dll" Hpjeialg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibkkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Padqpaec.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Niikceid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Apalea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ccbpgj32.dll" Hebdfind.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dblifk32.dll" Anlhkbhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Edibhmml.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2720 wrote to memory of 2820 2720 a7882c99e75496cbb8c31418618e2937a9574b1e9d138a49c53351d8878952c5N.exe 30 PID 2720 wrote to memory of 2820 2720 a7882c99e75496cbb8c31418618e2937a9574b1e9d138a49c53351d8878952c5N.exe 30 PID 2720 wrote to memory of 2820 2720 a7882c99e75496cbb8c31418618e2937a9574b1e9d138a49c53351d8878952c5N.exe 30 PID 2720 wrote to memory of 2820 2720 a7882c99e75496cbb8c31418618e2937a9574b1e9d138a49c53351d8878952c5N.exe 30 PID 2820 wrote to memory of 2612 2820 Ncpcfkbg.exe 31 PID 2820 wrote to memory of 2612 2820 Ncpcfkbg.exe 31 PID 2820 wrote to memory of 2612 2820 Ncpcfkbg.exe 31 PID 2820 wrote to memory of 2612 2820 Ncpcfkbg.exe 31 PID 2612 wrote to memory of 2588 2612 Niikceid.exe 32 PID 2612 wrote to memory of 2588 2612 Niikceid.exe 32 PID 2612 wrote to memory of 2588 2612 Niikceid.exe 32 PID 2612 wrote to memory of 2588 2612 Niikceid.exe 32 PID 2588 wrote to memory of 2616 2588 Ncbplk32.exe 33 PID 2588 wrote to memory of 2616 2588 Ncbplk32.exe 33 PID 2588 wrote to memory of 2616 2588 Ncbplk32.exe 33 PID 2588 wrote to memory of 2616 2588 Ncbplk32.exe 33 PID 2616 wrote to memory of 344 2616 Neplhf32.exe 34 PID 2616 wrote to memory of 344 2616 Neplhf32.exe 34 PID 2616 wrote to memory of 344 2616 Neplhf32.exe 34 PID 2616 wrote to memory of 344 2616 Neplhf32.exe 34 PID 344 wrote to memory of 2672 344 Nljddpfe.exe 35 PID 344 wrote to memory of 2672 344 Nljddpfe.exe 35 PID 344 wrote to memory of 2672 344 Nljddpfe.exe 35 PID 344 wrote to memory of 2672 344 Nljddpfe.exe 35 PID 2672 wrote to memory of 1260 2672 Ocdmaj32.exe 36 PID 2672 wrote to memory of 1260 2672 Ocdmaj32.exe 36 PID 2672 wrote to memory of 1260 2672 Ocdmaj32.exe 36 PID 2672 wrote to memory of 1260 2672 Ocdmaj32.exe 36 PID 1260 wrote to memory of 2276 1260 Oebimf32.exe 37 PID 1260 wrote to memory of 2276 1260 Oebimf32.exe 37 PID 1260 wrote to memory of 2276 1260 Oebimf32.exe 37 PID 1260 wrote to memory of 2276 1260 Oebimf32.exe 37 PID 2276 wrote to memory of 2404 2276 Ollajp32.exe 38 PID 2276 wrote to memory of 2404 2276 Ollajp32.exe 38 PID 2276 wrote to memory of 2404 2276 Ollajp32.exe 38 PID 2276 wrote to memory of 2404 2276 Ollajp32.exe 38 PID 2404 wrote to memory of 2632 2404 Ocfigjlp.exe 39 PID 2404 wrote to memory of 2632 2404 Ocfigjlp.exe 39 PID 2404 wrote to memory of 2632 2404 Ocfigjlp.exe 39 PID 2404 wrote to memory of 2632 2404 Ocfigjlp.exe 39 PID 2632 wrote to memory of 2184 2632 Oeeecekc.exe 40 PID 2632 wrote to memory of 2184 2632 Oeeecekc.exe 40 PID 2632 wrote to memory of 2184 2632 Oeeecekc.exe 40 PID 2632 wrote to memory of 2184 2632 Oeeecekc.exe 40 PID 2184 wrote to memory of 1420 2184 Olonpp32.exe 41 PID 2184 wrote to memory of 1420 2184 Olonpp32.exe 41 PID 2184 wrote to memory of 1420 2184 Olonpp32.exe 41 PID 2184 wrote to memory of 1420 2184 Olonpp32.exe 41 PID 1420 wrote to memory of 1768 1420 Oalfhf32.exe 42 PID 1420 wrote to memory of 1768 1420 Oalfhf32.exe 42 PID 1420 wrote to memory of 1768 1420 Oalfhf32.exe 42 PID 1420 wrote to memory of 1768 1420 Oalfhf32.exe 42 PID 1768 wrote to memory of 1792 1768 Odjbdb32.exe 43 PID 1768 wrote to memory of 1792 1768 Odjbdb32.exe 43 PID 1768 wrote to memory of 1792 1768 Odjbdb32.exe 43 PID 1768 wrote to memory of 1792 1768 Odjbdb32.exe 43 PID 1792 wrote to memory of 3064 1792 Oghopm32.exe 44 PID 1792 wrote to memory of 3064 1792 Oghopm32.exe 44 PID 1792 wrote to memory of 3064 1792 Oghopm32.exe 44 PID 1792 wrote to memory of 3064 1792 Oghopm32.exe 44 PID 3064 wrote to memory of 2316 3064 Onbgmg32.exe 45 PID 3064 wrote to memory of 2316 3064 Onbgmg32.exe 45 PID 3064 wrote to memory of 2316 3064 Onbgmg32.exe 45 PID 3064 wrote to memory of 2316 3064 Onbgmg32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\a7882c99e75496cbb8c31418618e2937a9574b1e9d138a49c53351d8878952c5N.exe"C:\Users\Admin\AppData\Local\Temp\a7882c99e75496cbb8c31418618e2937a9574b1e9d138a49c53351d8878952c5N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Ncpcfkbg.exeC:\Windows\system32\Ncpcfkbg.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Niikceid.exeC:\Windows\system32\Niikceid.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Ncbplk32.exeC:\Windows\system32\Ncbplk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Neplhf32.exeC:\Windows\system32\Neplhf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Nljddpfe.exeC:\Windows\system32\Nljddpfe.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:344 -
C:\Windows\SysWOW64\Ocdmaj32.exeC:\Windows\system32\Ocdmaj32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2672 -
C:\Windows\SysWOW64\Oebimf32.exeC:\Windows\system32\Oebimf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1260 -
C:\Windows\SysWOW64\Ollajp32.exeC:\Windows\system32\Ollajp32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276 -
C:\Windows\SysWOW64\Ocfigjlp.exeC:\Windows\system32\Ocfigjlp.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Oeeecekc.exeC:\Windows\system32\Oeeecekc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Olonpp32.exeC:\Windows\system32\Olonpp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2184 -
C:\Windows\SysWOW64\Oalfhf32.exeC:\Windows\system32\Oalfhf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1420 -
C:\Windows\SysWOW64\Odjbdb32.exeC:\Windows\system32\Odjbdb32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Oghopm32.exeC:\Windows\system32\Oghopm32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\SysWOW64\Onbgmg32.exeC:\Windows\system32\Onbgmg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3064 -
C:\Windows\SysWOW64\Oqacic32.exeC:\Windows\system32\Oqacic32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2316 -
C:\Windows\SysWOW64\Okfgfl32.exeC:\Windows\system32\Okfgfl32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1028 -
C:\Windows\SysWOW64\Onecbg32.exeC:\Windows\system32\Onecbg32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Oappcfmb.exeC:\Windows\system32\Oappcfmb.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:824 -
C:\Windows\SysWOW64\Odoloalf.exeC:\Windows\system32\Odoloalf.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2056 -
C:\Windows\SysWOW64\Pkidlk32.exeC:\Windows\system32\Pkidlk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:748 -
C:\Windows\SysWOW64\Pjldghjm.exeC:\Windows\system32\Pjldghjm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:896 -
C:\Windows\SysWOW64\Pqemdbaj.exeC:\Windows\system32\Pqemdbaj.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2352 -
C:\Windows\SysWOW64\Pdaheq32.exeC:\Windows\system32\Pdaheq32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2928 -
C:\Windows\SysWOW64\Pfbelipa.exeC:\Windows\system32\Pfbelipa.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3004 -
C:\Windows\SysWOW64\Pnimnfpc.exeC:\Windows\system32\Pnimnfpc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2816 -
C:\Windows\SysWOW64\Pqhijbog.exeC:\Windows\system32\Pqhijbog.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2684 -
C:\Windows\SysWOW64\Pfdabino.exeC:\Windows\system32\Pfdabino.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3024 -
C:\Windows\SysWOW64\Pmojocel.exeC:\Windows\system32\Pmojocel.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:472 -
C:\Windows\SysWOW64\Pcibkm32.exeC:\Windows\system32\Pcibkm32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1652 -
C:\Windows\SysWOW64\Pbkbgjcc.exeC:\Windows\system32\Pbkbgjcc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Pjbjhgde.exeC:\Windows\system32\Pjbjhgde.exe33⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Poocpnbm.exeC:\Windows\system32\Poocpnbm.exe34⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Pfikmh32.exeC:\Windows\system32\Pfikmh32.exe35⤵
- Executes dropped EXE
PID:1236 -
C:\Windows\SysWOW64\Pkfceo32.exeC:\Windows\system32\Pkfceo32.exe36⤵
- Executes dropped EXE
PID:2804 -
C:\Windows\SysWOW64\Poapfn32.exeC:\Windows\system32\Poapfn32.exe37⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Qijdocfj.exeC:\Windows\system32\Qijdocfj.exe38⤵
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Qgmdjp32.exeC:\Windows\system32\Qgmdjp32.exe39⤵
- Executes dropped EXE
PID:3068 -
C:\Windows\SysWOW64\Qbbhgi32.exeC:\Windows\system32\Qbbhgi32.exe40⤵
- Executes dropped EXE
PID:2476 -
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe41⤵
- Executes dropped EXE
PID:560 -
C:\Windows\SysWOW64\Qgoapp32.exeC:\Windows\system32\Qgoapp32.exe42⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Qjnmlk32.exeC:\Windows\system32\Qjnmlk32.exe43⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Aaheie32.exeC:\Windows\system32\Aaheie32.exe44⤵
- Executes dropped EXE
PID:1356 -
C:\Windows\SysWOW64\Acfaeq32.exeC:\Windows\system32\Acfaeq32.exe45⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Akmjfn32.exeC:\Windows\system32\Akmjfn32.exe46⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Anlfbi32.exeC:\Windows\system32\Anlfbi32.exe47⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Aajbne32.exeC:\Windows\system32\Aajbne32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:340 -
C:\Windows\SysWOW64\Aeenochi.exeC:\Windows\system32\Aeenochi.exe49⤵
- Executes dropped EXE
PID:960 -
C:\Windows\SysWOW64\Achojp32.exeC:\Windows\system32\Achojp32.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2620 -
C:\Windows\SysWOW64\Afgkfl32.exeC:\Windows\system32\Afgkfl32.exe51⤵
- Executes dropped EXE
PID:2568 -
C:\Windows\SysWOW64\Amqccfed.exeC:\Windows\system32\Amqccfed.exe52⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Aaloddnn.exeC:\Windows\system32\Aaloddnn.exe53⤵
- Executes dropped EXE
PID:1152 -
C:\Windows\SysWOW64\Apoooa32.exeC:\Windows\system32\Apoooa32.exe54⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Afiglkle.exeC:\Windows\system32\Afiglkle.exe55⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Ajecmj32.exeC:\Windows\system32\Ajecmj32.exe56⤵
- Executes dropped EXE
PID:1252 -
C:\Windows\SysWOW64\Aaolidlk.exeC:\Windows\system32\Aaolidlk.exe57⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Apalea32.exeC:\Windows\system32\Apalea32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2000 -
C:\Windows\SysWOW64\Acmhepko.exeC:\Windows\system32\Acmhepko.exe59⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Afkdakjb.exeC:\Windows\system32\Afkdakjb.exe60⤵
- Executes dropped EXE
PID:1688 -
C:\Windows\SysWOW64\Aijpnfif.exeC:\Windows\system32\Aijpnfif.exe61⤵
- Executes dropped EXE
PID:2440 -
C:\Windows\SysWOW64\Amelne32.exeC:\Windows\system32\Amelne32.exe62⤵
- Executes dropped EXE
PID:908 -
C:\Windows\SysWOW64\Acpdko32.exeC:\Windows\system32\Acpdko32.exe63⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Abbeflpf.exeC:\Windows\system32\Abbeflpf.exe64⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe65⤵
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Bilmcf32.exeC:\Windows\system32\Bilmcf32.exe66⤵PID:1244
-
C:\Windows\SysWOW64\Blkioa32.exeC:\Windows\system32\Blkioa32.exe67⤵PID:2216
-
C:\Windows\SysWOW64\Bpfeppop.exeC:\Windows\system32\Bpfeppop.exe68⤵PID:2860
-
C:\Windows\SysWOW64\Bbdallnd.exeC:\Windows\system32\Bbdallnd.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2144 -
C:\Windows\SysWOW64\Becnhgmg.exeC:\Windows\system32\Becnhgmg.exe70⤵PID:1376
-
C:\Windows\SysWOW64\Biojif32.exeC:\Windows\system32\Biojif32.exe71⤵PID:2748
-
C:\Windows\SysWOW64\Bhajdblk.exeC:\Windows\system32\Bhajdblk.exe72⤵PID:2552
-
C:\Windows\SysWOW64\Bphbeplm.exeC:\Windows\system32\Bphbeplm.exe73⤵PID:2908
-
C:\Windows\SysWOW64\Bajomhbl.exeC:\Windows\system32\Bajomhbl.exe74⤵PID:1916
-
C:\Windows\SysWOW64\Beejng32.exeC:\Windows\system32\Beejng32.exe75⤵PID:2196
-
C:\Windows\SysWOW64\Bhdgjb32.exeC:\Windows\system32\Bhdgjb32.exe76⤵PID:1668
-
C:\Windows\SysWOW64\Bbikgk32.exeC:\Windows\system32\Bbikgk32.exe77⤵PID:2140
-
C:\Windows\SysWOW64\Behgcf32.exeC:\Windows\system32\Behgcf32.exe78⤵PID:1456
-
C:\Windows\SysWOW64\Bhfcpb32.exeC:\Windows\system32\Bhfcpb32.exe79⤵PID:1280
-
C:\Windows\SysWOW64\Blaopqpo.exeC:\Windows\system32\Blaopqpo.exe80⤵PID:2528
-
C:\Windows\SysWOW64\Boplllob.exeC:\Windows\system32\Boplllob.exe81⤵PID:1820
-
C:\Windows\SysWOW64\Baohhgnf.exeC:\Windows\system32\Baohhgnf.exe82⤵PID:2512
-
C:\Windows\SysWOW64\Bejdiffp.exeC:\Windows\system32\Bejdiffp.exe83⤵PID:2360
-
C:\Windows\SysWOW64\Bhhpeafc.exeC:\Windows\system32\Bhhpeafc.exe84⤵PID:3052
-
C:\Windows\SysWOW64\Bkglameg.exeC:\Windows\system32\Bkglameg.exe85⤵PID:2220
-
C:\Windows\SysWOW64\Bmeimhdj.exeC:\Windows\system32\Bmeimhdj.exe86⤵PID:800
-
C:\Windows\SysWOW64\Cpceidcn.exeC:\Windows\system32\Cpceidcn.exe87⤵PID:2540
-
C:\Windows\SysWOW64\Cdoajb32.exeC:\Windows\system32\Cdoajb32.exe88⤵PID:1248
-
C:\Windows\SysWOW64\Cfnmfn32.exeC:\Windows\system32\Cfnmfn32.exe89⤵PID:1940
-
C:\Windows\SysWOW64\Ckiigmcd.exeC:\Windows\system32\Ckiigmcd.exe90⤵PID:1268
-
C:\Windows\SysWOW64\Cmgechbh.exeC:\Windows\system32\Cmgechbh.exe91⤵PID:2032
-
C:\Windows\SysWOW64\Cdanpb32.exeC:\Windows\system32\Cdanpb32.exe92⤵PID:1788
-
C:\Windows\SysWOW64\Cbdnko32.exeC:\Windows\system32\Cbdnko32.exe93⤵PID:904
-
C:\Windows\SysWOW64\Cklfll32.exeC:\Windows\system32\Cklfll32.exe94⤵PID:984
-
C:\Windows\SysWOW64\Cinfhigl.exeC:\Windows\system32\Cinfhigl.exe95⤵PID:1756
-
C:\Windows\SysWOW64\Cphndc32.exeC:\Windows\system32\Cphndc32.exe96⤵PID:3056
-
C:\Windows\SysWOW64\Cbgjqo32.exeC:\Windows\system32\Cbgjqo32.exe97⤵PID:1596
-
C:\Windows\SysWOW64\Cgbfamff.exeC:\Windows\system32\Cgbfamff.exe98⤵PID:2648
-
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:564 -
C:\Windows\SysWOW64\Cmlong32.exeC:\Windows\system32\Cmlong32.exe100⤵
- Drops file in System32 directory
PID:2180 -
C:\Windows\SysWOW64\Clooiddm.exeC:\Windows\system32\Clooiddm.exe101⤵PID:2108
-
C:\Windows\SysWOW64\Ccigfn32.exeC:\Windows\system32\Ccigfn32.exe102⤵PID:2872
-
C:\Windows\SysWOW64\Cgdcgm32.exeC:\Windows\system32\Cgdcgm32.exe103⤵PID:1240
-
C:\Windows\SysWOW64\Cicpch32.exeC:\Windows\system32\Cicpch32.exe104⤵PID:2484
-
C:\Windows\SysWOW64\Clalod32.exeC:\Windows\system32\Clalod32.exe105⤵PID:2492
-
C:\Windows\SysWOW64\Cpmhpbkc.exeC:\Windows\system32\Cpmhpbkc.exe106⤵PID:832
-
C:\Windows\SysWOW64\Candgk32.exeC:\Windows\system32\Candgk32.exe107⤵PID:2080
-
C:\Windows\SysWOW64\Cejphiik.exeC:\Windows\system32\Cejphiik.exe108⤵PID:1644
-
C:\Windows\SysWOW64\Dldhdc32.exeC:\Windows\system32\Dldhdc32.exe109⤵PID:2992
-
C:\Windows\SysWOW64\Dobdqo32.exeC:\Windows\system32\Dobdqo32.exe110⤵
- Drops file in System32 directory
PID:3020 -
C:\Windows\SysWOW64\Daqamj32.exeC:\Windows\system32\Daqamj32.exe111⤵PID:532
-
C:\Windows\SysWOW64\Ddomif32.exeC:\Windows\system32\Ddomif32.exe112⤵PID:2488
-
C:\Windows\SysWOW64\Dhkiid32.exeC:\Windows\system32\Dhkiid32.exe113⤵PID:2408
-
C:\Windows\SysWOW64\Dkiefp32.exeC:\Windows\system32\Dkiefp32.exe114⤵PID:2760
-
C:\Windows\SysWOW64\Dngabk32.exeC:\Windows\system32\Dngabk32.exe115⤵PID:400
-
C:\Windows\SysWOW64\Dacnbjml.exeC:\Windows\system32\Dacnbjml.exe116⤵PID:1616
-
C:\Windows\SysWOW64\Ddajoelp.exeC:\Windows\system32\Ddajoelp.exe117⤵
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Dhmfod32.exeC:\Windows\system32\Dhmfod32.exe118⤵PID:2984
-
C:\Windows\SysWOW64\Dkkbkp32.exeC:\Windows\system32\Dkkbkp32.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2572 -
C:\Windows\SysWOW64\Daejhjkj.exeC:\Windows\system32\Daejhjkj.exe120⤵PID:828
-
C:\Windows\SysWOW64\Dddfdejn.exeC:\Windows\system32\Dddfdejn.exe121⤵PID:2020
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-