Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
03/10/2024, 03:15
Behavioral task
behavioral1
Sample
640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6N.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
General
-
Target
640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6N.exe
-
Size
163KB
-
MD5
fff21188df38bcfa7ba086276686f3c0
-
SHA1
b457fead8fc70b141b5e9ddfabdd5af31575d8d6
-
SHA256
640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6
-
SHA512
4aa786c382e77f50a78ee883eab93e0ec13f2416974b7d6cc23dca33bbd4cf4997816cb6f109aad8fe4e7c571a00e3b31d82c624ba300420f3c6caf58eea8676
-
SSDEEP
1536:PapKLqx3N0vbZH6Th/W20/jyPelProNVU4qNVUrk/9QbfBr+7GwKrPAsqNVU:ypKL9voTh/WL/uPeltOrWKDBr+yJb
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfdabino.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aaolidlk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ipjoplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jocflgga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdbkjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odjbdb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcdipnqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ioaifhid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbbngf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcfefmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ajbggjfq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Afnagk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cilibi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hpbiommg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hiknhbcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfknbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ollajp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onpjghhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhehek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdlkiepd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gohjaf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkoplhip.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjbjhgde.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pqjfoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hanlnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijdqna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idnaoohk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modkfi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npagjpcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Onpjghhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bilmcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cdoajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npagjpcd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgpeal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gpejeihi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qqeicede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amqccfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhfcpb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pcfefmnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmccjbaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnkbam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdgdempa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljffag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqacic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbbhgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amnfnfgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Baohhgnf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipgbjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfbpag32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oebimf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmjqcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aeqabgoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbfhbeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjbcfn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmbknddp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkdgpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bilmcf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mgalqkbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmagdbci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lghjel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qeaedd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boplllob.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoopae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mencccop.exe -
Executes dropped EXE 64 IoCs
pid Process 2816 Gpejeihi.exe 2868 Gohjaf32.exe 1856 Gfobbc32.exe 2592 Hbfbgd32.exe 3016 Hkaglf32.exe 600 Hakphqja.exe 1496 Hhehek32.exe 2300 Hoopae32.exe 2564 Hanlnp32.exe 896 Hmdmcanc.exe 348 Hpbiommg.exe 1956 Hgmalg32.exe 1824 Hiknhbcg.exe 2032 Habfipdj.exe 2068 Iccbqh32.exe 2188 Ipgbjl32.exe 1900 Icfofg32.exe 2948 Ilncom32.exe 2476 Ipjoplgo.exe 968 Igchlf32.exe 1552 Ilqpdm32.exe 1752 Ieidmbcc.exe 2976 Ijdqna32.exe 2088 Ioaifhid.exe 992 Iapebchh.exe 2796 Idnaoohk.exe 2760 Jocflgga.exe 2612 Jgojpjem.exe 1612 Jkjfah32.exe 2228 Jnicmdli.exe 800 Jdbkjn32.exe 964 Jkmcfhkc.exe 2296 Jqilooij.exe 2468 Jchhkjhn.exe 1804 Jkoplhip.exe 1344 Jnmlhchd.exe 1788 Jdgdempa.exe 2024 Jgfqaiod.exe 1676 Jmbiipml.exe 2952 Jcmafj32.exe 2268 Jfknbe32.exe 1456 Kiijnq32.exe 1488 Kqqboncb.exe 1548 Kocbkk32.exe 2304 Kbbngf32.exe 1540 Kkjcplpa.exe 1964 Kcakaipc.exe 916 Kbdklf32.exe 3056 Kbfhbeek.exe 2572 Kpjhkjde.exe 2864 Knmhgf32.exe 2672 Kgemplap.exe 2288 Knpemf32.exe 996 Kbkameaf.exe 2568 Leimip32.exe 2208 Lghjel32.exe 1168 Ljffag32.exe 340 Lnbbbffj.exe 1696 Leljop32.exe 2236 Lcojjmea.exe 3068 Lfmffhde.exe 952 Lndohedg.exe 1092 Labkdack.exe 1360 Lgmcqkkh.exe -
Loads dropped DLL 64 IoCs
pid Process 2180 640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6N.exe 2180 640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6N.exe 2816 Gpejeihi.exe 2816 Gpejeihi.exe 2868 Gohjaf32.exe 2868 Gohjaf32.exe 1856 Gfobbc32.exe 1856 Gfobbc32.exe 2592 Hbfbgd32.exe 2592 Hbfbgd32.exe 3016 Hkaglf32.exe 3016 Hkaglf32.exe 600 Hakphqja.exe 600 Hakphqja.exe 1496 Hhehek32.exe 1496 Hhehek32.exe 2300 Hoopae32.exe 2300 Hoopae32.exe 2564 Hanlnp32.exe 2564 Hanlnp32.exe 896 Hmdmcanc.exe 896 Hmdmcanc.exe 348 Hpbiommg.exe 348 Hpbiommg.exe 1956 Hgmalg32.exe 1956 Hgmalg32.exe 1824 Hiknhbcg.exe 1824 Hiknhbcg.exe 2032 Habfipdj.exe 2032 Habfipdj.exe 2068 Iccbqh32.exe 2068 Iccbqh32.exe 2188 Ipgbjl32.exe 2188 Ipgbjl32.exe 1900 Icfofg32.exe 1900 Icfofg32.exe 2948 Ilncom32.exe 2948 Ilncom32.exe 2476 Ipjoplgo.exe 2476 Ipjoplgo.exe 968 Igchlf32.exe 968 Igchlf32.exe 1552 Ilqpdm32.exe 1552 Ilqpdm32.exe 1752 Ieidmbcc.exe 1752 Ieidmbcc.exe 2976 Ijdqna32.exe 2976 Ijdqna32.exe 2088 Ioaifhid.exe 2088 Ioaifhid.exe 992 Iapebchh.exe 992 Iapebchh.exe 2796 Idnaoohk.exe 2796 Idnaoohk.exe 2760 Jocflgga.exe 2760 Jocflgga.exe 2612 Jgojpjem.exe 2612 Jgojpjem.exe 1612 Jkjfah32.exe 1612 Jkjfah32.exe 2228 Jnicmdli.exe 2228 Jnicmdli.exe 800 Jdbkjn32.exe 800 Jdbkjn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Baadng32.exe Bmeimhdj.exe File created C:\Windows\SysWOW64\Cdoajb32.exe Baadng32.exe File created C:\Windows\SysWOW64\Nljddpfe.exe Nilhhdga.exe File created C:\Windows\SysWOW64\Apoooa32.exe Amqccfed.exe File created C:\Windows\SysWOW64\Bfqgjgep.dll Amcpie32.exe File created C:\Windows\SysWOW64\Pqfjpj32.dll Afnagk32.exe File created C:\Windows\SysWOW64\Behgcf32.exe Balkchpi.exe File opened for modification C:\Windows\SysWOW64\Afnagk32.exe Acpdko32.exe File created C:\Windows\SysWOW64\Oimbjlde.dll Bkglameg.exe File created C:\Windows\SysWOW64\Kgemplap.exe Knmhgf32.exe File created C:\Windows\SysWOW64\Lmlhnagm.exe Liplnc32.exe File created C:\Windows\SysWOW64\Ekebnbmn.dll Mdacop32.exe File opened for modification C:\Windows\SysWOW64\Pjldghjm.exe Ogmhkmki.exe File created C:\Windows\SysWOW64\Pgpeal32.exe Pcdipnqn.exe File created C:\Windows\SysWOW64\Pmojocel.exe Pjpnbg32.exe File created C:\Windows\SysWOW64\Imjcfnhk.dll Qbbhgi32.exe File opened for modification C:\Windows\SysWOW64\Chkmkacq.exe Cdoajb32.exe File created C:\Windows\SysWOW64\Iianmb32.dll Igchlf32.exe File opened for modification C:\Windows\SysWOW64\Ioaifhid.exe Ijdqna32.exe File created C:\Windows\SysWOW64\Mmneda32.exe Legmbd32.exe File created C:\Windows\SysWOW64\Djdfhjik.dll Mbmjah32.exe File created C:\Windows\SysWOW64\Lnhbfpnj.dll Ogmhkmki.exe File opened for modification C:\Windows\SysWOW64\Onpjghhn.exe Oomjlk32.exe File created C:\Windows\SysWOW64\Aobcmana.dll Poapfn32.exe File opened for modification C:\Windows\SysWOW64\Akmjfn32.exe Aganeoip.exe File created C:\Windows\SysWOW64\Lijigk32.dll Hpbiommg.exe File created C:\Windows\SysWOW64\Ilncom32.exe Icfofg32.exe File created C:\Windows\SysWOW64\Hnepch32.dll Jnicmdli.exe File created C:\Windows\SysWOW64\Nqdgapkm.dll Jqilooij.exe File opened for modification C:\Windows\SysWOW64\Ngdifkpi.exe Ndemjoae.exe File created C:\Windows\SysWOW64\Hpbiommg.exe Hmdmcanc.exe File opened for modification C:\Windows\SysWOW64\Jocflgga.exe Idnaoohk.exe File opened for modification C:\Windows\SysWOW64\Abphal32.exe Apalea32.exe File opened for modification C:\Windows\SysWOW64\Bjdplm32.exe Bhfcpb32.exe File opened for modification C:\Windows\SysWOW64\Habfipdj.exe Hiknhbcg.exe File created C:\Windows\SysWOW64\Khqpfa32.dll Lbfdaigg.exe File opened for modification C:\Windows\SysWOW64\Modkfi32.exe Mlfojn32.exe File created C:\Windows\SysWOW64\Pdlbongd.dll Mencccop.exe File created C:\Windows\SysWOW64\Kedakjgc.dll Ohhkjp32.exe File created C:\Windows\SysWOW64\Hmomkh32.dll Pmlmic32.exe File created C:\Windows\SysWOW64\Qflhbhgg.exe Pndpajgd.exe File opened for modification C:\Windows\SysWOW64\Hmdmcanc.exe Hanlnp32.exe File created C:\Windows\SysWOW64\Ilqpdm32.exe Igchlf32.exe File created C:\Windows\SysWOW64\Kpkdli32.dll Oagmmgdm.exe File opened for modification C:\Windows\SysWOW64\Afgkfl32.exe Achojp32.exe File created C:\Windows\SysWOW64\Ecjlgm32.dll Icfofg32.exe File created C:\Windows\SysWOW64\Igchlf32.exe Ipjoplgo.exe File created C:\Windows\SysWOW64\Ogmhkmki.exe Oqcpob32.exe File created C:\Windows\SysWOW64\Odmoin32.dll Akmjfn32.exe File created C:\Windows\SysWOW64\Qofpoogh.dll Ajbggjfq.exe File opened for modification C:\Windows\SysWOW64\Cacacg32.exe Cilibi32.exe File opened for modification C:\Windows\SysWOW64\Nplmop32.exe Nmnace32.exe File created C:\Windows\SysWOW64\Fcihoc32.dll Ngfflj32.exe File created C:\Windows\SysWOW64\Npagjpcd.exe Nmbknddp.exe File created C:\Windows\SysWOW64\Ollajp32.exe Odeiibdq.exe File created C:\Windows\SysWOW64\Icmqhn32.dll Qjnmlk32.exe File opened for modification C:\Windows\SysWOW64\Bjbcfn32.exe Bhdgjb32.exe File created C:\Windows\SysWOW64\Ipnndn32.dll Jkjfah32.exe File created C:\Windows\SysWOW64\Jnmlhchd.exe Jkoplhip.exe File created C:\Windows\SysWOW64\Hfjiem32.dll Ljffag32.exe File created C:\Windows\SysWOW64\Fdilgioe.dll Labkdack.exe File created C:\Windows\SysWOW64\Ogjgkqaa.dll Niebhf32.exe File created C:\Windows\SysWOW64\Bbdallnd.exe Bnielm32.exe File created C:\Windows\SysWOW64\Bjbcfn32.exe Bhdgjb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3148 3116 WerFault.exe 267 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdacop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojigbhlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bonoflae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iapebchh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niebhf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afiglkle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckiigmcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdcpdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pqemdbaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igchlf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfofg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oancnfoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjnamh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmccjbaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anlfbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhehek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfmffhde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nadpgggp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcibkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amqccfed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Habfipdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oagmmgdm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajgpbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mponel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhjbjopf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngfflj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ocdmaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boplllob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkjfah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nibebfpl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcfefmnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbiqfied.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liplnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nodgel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogkkfmml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgpeal32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qflhbhgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiladcdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laegiq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbnoliap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjnmlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baohhgnf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cilibi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cacacg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeeecekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Balkchpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlcnda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nljddpfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbkbgjcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkdgpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pndpajgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnkbam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnace32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjcplpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ngibaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcdipnqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjdplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkglameg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdbkjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkmdpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmddc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jqilooij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdmddc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjpnbg32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Legmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jhcfhi32.dll" Legmbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mmldme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nibebfpl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odeiibdq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pndpajgd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijdqna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbfhbeek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcnaga32.dll" Okoafmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njelgo32.dll" Alhmjbhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkcggqfg.dll" Hmdmcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkeapk32.dll" Kpjhkjde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amqccfed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmnbjfam.dll" Abphal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apdhjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Balkchpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnahcn32.dll" Odjbdb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qflhbhgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbefefec.dll" Kbbngf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpjhkjde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmgefl32.dll" Hkaglf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imfegi32.dll" Jkmcfhkc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nljddpfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qqeicede.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abeemhkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfobiqka.dll" Apalea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Baadng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmamaoln.dll" Gfobbc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmlhnagm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boplllob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnepch32.dll" Jnicmdli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Liplnc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qiladcdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qjnmlk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aeqabgoj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Leimip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohcaoajg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ngdifkpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liggabfp.dll" Bjdplm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdqghfp.dll" Ogkkfmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okdkal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohhkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlbnp32.dll" Ngkogj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oqcpob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pjbjhgde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmagdbci.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hoopae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kiijnq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljffag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opdnhdpo.dll" Lfmffhde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Liplnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Melfncqb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dfglke32.dll" Ocdmaj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738} 640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnicmdli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmbckb32.dll" Ndjfeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oackeakj.dll" Nhllob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bkglameg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Indgjihl.dll" Jnmlhchd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Linphc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmnace32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmojocel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nacehmno.dll" Qkhpkoen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akmjfn32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2180 wrote to memory of 2816 2180 640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6N.exe 30 PID 2180 wrote to memory of 2816 2180 640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6N.exe 30 PID 2180 wrote to memory of 2816 2180 640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6N.exe 30 PID 2180 wrote to memory of 2816 2180 640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6N.exe 30 PID 2816 wrote to memory of 2868 2816 Gpejeihi.exe 31 PID 2816 wrote to memory of 2868 2816 Gpejeihi.exe 31 PID 2816 wrote to memory of 2868 2816 Gpejeihi.exe 31 PID 2816 wrote to memory of 2868 2816 Gpejeihi.exe 31 PID 2868 wrote to memory of 1856 2868 Gohjaf32.exe 32 PID 2868 wrote to memory of 1856 2868 Gohjaf32.exe 32 PID 2868 wrote to memory of 1856 2868 Gohjaf32.exe 32 PID 2868 wrote to memory of 1856 2868 Gohjaf32.exe 32 PID 1856 wrote to memory of 2592 1856 Gfobbc32.exe 33 PID 1856 wrote to memory of 2592 1856 Gfobbc32.exe 33 PID 1856 wrote to memory of 2592 1856 Gfobbc32.exe 33 PID 1856 wrote to memory of 2592 1856 Gfobbc32.exe 33 PID 2592 wrote to memory of 3016 2592 Hbfbgd32.exe 34 PID 2592 wrote to memory of 3016 2592 Hbfbgd32.exe 34 PID 2592 wrote to memory of 3016 2592 Hbfbgd32.exe 34 PID 2592 wrote to memory of 3016 2592 Hbfbgd32.exe 34 PID 3016 wrote to memory of 600 3016 Hkaglf32.exe 35 PID 3016 wrote to memory of 600 3016 Hkaglf32.exe 35 PID 3016 wrote to memory of 600 3016 Hkaglf32.exe 35 PID 3016 wrote to memory of 600 3016 Hkaglf32.exe 35 PID 600 wrote to memory of 1496 600 Hakphqja.exe 36 PID 600 wrote to memory of 1496 600 Hakphqja.exe 36 PID 600 wrote to memory of 1496 600 Hakphqja.exe 36 PID 600 wrote to memory of 1496 600 Hakphqja.exe 36 PID 1496 wrote to memory of 2300 1496 Hhehek32.exe 37 PID 1496 wrote to memory of 2300 1496 Hhehek32.exe 37 PID 1496 wrote to memory of 2300 1496 Hhehek32.exe 37 PID 1496 wrote to memory of 2300 1496 Hhehek32.exe 37 PID 2300 wrote to memory of 2564 2300 Hoopae32.exe 38 PID 2300 wrote to memory of 2564 2300 Hoopae32.exe 38 PID 2300 wrote to memory of 2564 2300 Hoopae32.exe 38 PID 2300 wrote to memory of 2564 2300 Hoopae32.exe 38 PID 2564 wrote to memory of 896 2564 Hanlnp32.exe 39 PID 2564 wrote to memory of 896 2564 Hanlnp32.exe 39 PID 2564 wrote to memory of 896 2564 Hanlnp32.exe 39 PID 2564 wrote to memory of 896 2564 Hanlnp32.exe 39 PID 896 wrote to memory of 348 896 Hmdmcanc.exe 40 PID 896 wrote to memory of 348 896 Hmdmcanc.exe 40 PID 896 wrote to memory of 348 896 Hmdmcanc.exe 40 PID 896 wrote to memory of 348 896 Hmdmcanc.exe 40 PID 348 wrote to memory of 1956 348 Hpbiommg.exe 41 PID 348 wrote to memory of 1956 348 Hpbiommg.exe 41 PID 348 wrote to memory of 1956 348 Hpbiommg.exe 41 PID 348 wrote to memory of 1956 348 Hpbiommg.exe 41 PID 1956 wrote to memory of 1824 1956 Hgmalg32.exe 42 PID 1956 wrote to memory of 1824 1956 Hgmalg32.exe 42 PID 1956 wrote to memory of 1824 1956 Hgmalg32.exe 42 PID 1956 wrote to memory of 1824 1956 Hgmalg32.exe 42 PID 1824 wrote to memory of 2032 1824 Hiknhbcg.exe 43 PID 1824 wrote to memory of 2032 1824 Hiknhbcg.exe 43 PID 1824 wrote to memory of 2032 1824 Hiknhbcg.exe 43 PID 1824 wrote to memory of 2032 1824 Hiknhbcg.exe 43 PID 2032 wrote to memory of 2068 2032 Habfipdj.exe 44 PID 2032 wrote to memory of 2068 2032 Habfipdj.exe 44 PID 2032 wrote to memory of 2068 2032 Habfipdj.exe 44 PID 2032 wrote to memory of 2068 2032 Habfipdj.exe 44 PID 2068 wrote to memory of 2188 2068 Iccbqh32.exe 45 PID 2068 wrote to memory of 2188 2068 Iccbqh32.exe 45 PID 2068 wrote to memory of 2188 2068 Iccbqh32.exe 45 PID 2068 wrote to memory of 2188 2068 Iccbqh32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6N.exe"C:\Users\Admin\AppData\Local\Temp\640756ea3174d7f821f0c941f6f2bdaab9840a0af5791d4ada35f34cceebbbe6N.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2180 -
C:\Windows\SysWOW64\Gpejeihi.exeC:\Windows\system32\Gpejeihi.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Gohjaf32.exeC:\Windows\system32\Gohjaf32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Windows\SysWOW64\Gfobbc32.exeC:\Windows\system32\Gfobbc32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1856 -
C:\Windows\SysWOW64\Hbfbgd32.exeC:\Windows\system32\Hbfbgd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\Hkaglf32.exeC:\Windows\system32\Hkaglf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3016 -
C:\Windows\SysWOW64\Hakphqja.exeC:\Windows\system32\Hakphqja.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:600 -
C:\Windows\SysWOW64\Hhehek32.exeC:\Windows\system32\Hhehek32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Hoopae32.exeC:\Windows\system32\Hoopae32.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Windows\SysWOW64\Hmdmcanc.exeC:\Windows\system32\Hmdmcanc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:896 -
C:\Windows\SysWOW64\Hpbiommg.exeC:\Windows\system32\Hpbiommg.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:348 -
C:\Windows\SysWOW64\Hgmalg32.exeC:\Windows\system32\Hgmalg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Hiknhbcg.exeC:\Windows\system32\Hiknhbcg.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\Habfipdj.exeC:\Windows\system32\Habfipdj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Iccbqh32.exeC:\Windows\system32\Iccbqh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Ipgbjl32.exeC:\Windows\system32\Ipgbjl32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2188 -
C:\Windows\SysWOW64\Icfofg32.exeC:\Windows\system32\Icfofg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1900 -
C:\Windows\SysWOW64\Ilncom32.exeC:\Windows\system32\Ilncom32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Ipjoplgo.exeC:\Windows\system32\Ipjoplgo.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Igchlf32.exeC:\Windows\system32\Igchlf32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:968 -
C:\Windows\SysWOW64\Ilqpdm32.exeC:\Windows\system32\Ilqpdm32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Ieidmbcc.exeC:\Windows\system32\Ieidmbcc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Ijdqna32.exeC:\Windows\system32\Ijdqna32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Ioaifhid.exeC:\Windows\system32\Ioaifhid.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2088 -
C:\Windows\SysWOW64\Iapebchh.exeC:\Windows\system32\Iapebchh.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:992 -
C:\Windows\SysWOW64\Idnaoohk.exeC:\Windows\system32\Idnaoohk.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2796 -
C:\Windows\SysWOW64\Jocflgga.exeC:\Windows\system32\Jocflgga.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Jgojpjem.exeC:\Windows\system32\Jgojpjem.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Jkjfah32.exeC:\Windows\system32\Jkjfah32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Jnicmdli.exeC:\Windows\system32\Jnicmdli.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Jdbkjn32.exeC:\Windows\system32\Jdbkjn32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:800 -
C:\Windows\SysWOW64\Jkmcfhkc.exeC:\Windows\system32\Jkmcfhkc.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\Jchhkjhn.exeC:\Windows\system32\Jchhkjhn.exe35⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Jkoplhip.exeC:\Windows\system32\Jkoplhip.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1804 -
C:\Windows\SysWOW64\Jnmlhchd.exeC:\Windows\system32\Jnmlhchd.exe37⤵
- Executes dropped EXE
- Modifies registry class
PID:1344 -
C:\Windows\SysWOW64\Jdgdempa.exeC:\Windows\system32\Jdgdempa.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1788 -
C:\Windows\SysWOW64\Jgfqaiod.exeC:\Windows\system32\Jgfqaiod.exe39⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe40⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Jcmafj32.exeC:\Windows\system32\Jcmafj32.exe41⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Jfknbe32.exeC:\Windows\system32\Jfknbe32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Kiijnq32.exeC:\Windows\system32\Kiijnq32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1456 -
C:\Windows\SysWOW64\Kqqboncb.exeC:\Windows\system32\Kqqboncb.exe44⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Kocbkk32.exeC:\Windows\system32\Kocbkk32.exe45⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Kbbngf32.exeC:\Windows\system32\Kbbngf32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2304 -
C:\Windows\SysWOW64\Kkjcplpa.exeC:\Windows\system32\Kkjcplpa.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1540 -
C:\Windows\SysWOW64\Kcakaipc.exeC:\Windows\system32\Kcakaipc.exe48⤵
- Executes dropped EXE
PID:1964 -
C:\Windows\SysWOW64\Kbdklf32.exeC:\Windows\system32\Kbdklf32.exe49⤵
- Executes dropped EXE
PID:916 -
C:\Windows\SysWOW64\Kbfhbeek.exeC:\Windows\system32\Kbfhbeek.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:3056 -
C:\Windows\SysWOW64\Kpjhkjde.exeC:\Windows\system32\Kpjhkjde.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2572 -
C:\Windows\SysWOW64\Knmhgf32.exeC:\Windows\system32\Knmhgf32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2864 -
C:\Windows\SysWOW64\Kgemplap.exeC:\Windows\system32\Kgemplap.exe53⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Knpemf32.exeC:\Windows\system32\Knpemf32.exe54⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Kbkameaf.exeC:\Windows\system32\Kbkameaf.exe55⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Leimip32.exeC:\Windows\system32\Leimip32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2568 -
C:\Windows\SysWOW64\Lghjel32.exeC:\Windows\system32\Lghjel32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2208 -
C:\Windows\SysWOW64\Ljffag32.exeC:\Windows\system32\Ljffag32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1168 -
C:\Windows\SysWOW64\Lnbbbffj.exeC:\Windows\system32\Lnbbbffj.exe59⤵
- Executes dropped EXE
PID:340 -
C:\Windows\SysWOW64\Leljop32.exeC:\Windows\system32\Leljop32.exe60⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Lcojjmea.exeC:\Windows\system32\Lcojjmea.exe61⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Lfmffhde.exeC:\Windows\system32\Lfmffhde.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3068 -
C:\Windows\SysWOW64\Lndohedg.exeC:\Windows\system32\Lndohedg.exe63⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Labkdack.exeC:\Windows\system32\Labkdack.exe64⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1092 -
C:\Windows\SysWOW64\Lgmcqkkh.exeC:\Windows\system32\Lgmcqkkh.exe65⤵
- Executes dropped EXE
PID:1360 -
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe66⤵PID:1780
-
C:\Windows\SysWOW64\Linphc32.exeC:\Windows\system32\Linphc32.exe67⤵
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Laegiq32.exeC:\Windows\system32\Laegiq32.exe68⤵
- System Location Discovery: System Language Discovery
PID:1056 -
C:\Windows\SysWOW64\Lphhenhc.exeC:\Windows\system32\Lphhenhc.exe69⤵PID:2116
-
C:\Windows\SysWOW64\Lbfdaigg.exeC:\Windows\system32\Lbfdaigg.exe70⤵
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Lfbpag32.exeC:\Windows\system32\Lfbpag32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3064 -
C:\Windows\SysWOW64\Liplnc32.exeC:\Windows\system32\Liplnc32.exe72⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2260 -
C:\Windows\SysWOW64\Lmlhnagm.exeC:\Windows\system32\Lmlhnagm.exe73⤵
- Modifies registry class
PID:908 -
C:\Windows\SysWOW64\Lpjdjmfp.exeC:\Windows\system32\Lpjdjmfp.exe74⤵PID:2464
-
C:\Windows\SysWOW64\Lbiqfied.exeC:\Windows\system32\Lbiqfied.exe75⤵
- System Location Discovery: System Language Discovery
PID:2776 -
C:\Windows\SysWOW64\Legmbd32.exeC:\Windows\system32\Legmbd32.exe76⤵
- Drops file in System32 directory
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Mmneda32.exeC:\Windows\system32\Mmneda32.exe77⤵PID:2836
-
C:\Windows\SysWOW64\Mpmapm32.exeC:\Windows\system32\Mpmapm32.exe78⤵PID:3008
-
C:\Windows\SysWOW64\Mooaljkh.exeC:\Windows\system32\Mooaljkh.exe79⤵PID:1340
-
C:\Windows\SysWOW64\Meijhc32.exeC:\Windows\system32\Meijhc32.exe80⤵PID:2772
-
C:\Windows\SysWOW64\Mieeibkn.exeC:\Windows\system32\Mieeibkn.exe81⤵PID:2008
-
C:\Windows\SysWOW64\Mlcbenjb.exeC:\Windows\system32\Mlcbenjb.exe82⤵PID:444
-
C:\Windows\SysWOW64\Mponel32.exeC:\Windows\system32\Mponel32.exe83⤵
- System Location Discovery: System Language Discovery
PID:2376 -
C:\Windows\SysWOW64\Mbmjah32.exeC:\Windows\system32\Mbmjah32.exe84⤵
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Melfncqb.exeC:\Windows\system32\Melfncqb.exe85⤵
- Modifies registry class
PID:1660 -
C:\Windows\SysWOW64\Mhjbjopf.exeC:\Windows\system32\Mhjbjopf.exe86⤵
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\Mlfojn32.exeC:\Windows\system32\Mlfojn32.exe87⤵
- Drops file in System32 directory
PID:2828 -
C:\Windows\SysWOW64\Modkfi32.exeC:\Windows\system32\Modkfi32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1724 -
C:\Windows\SysWOW64\Mencccop.exeC:\Windows\system32\Mencccop.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Mdacop32.exeC:\Windows\system32\Mdacop32.exe90⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1832 -
C:\Windows\SysWOW64\Mofglh32.exeC:\Windows\system32\Mofglh32.exe91⤵PID:1792
-
C:\Windows\SysWOW64\Meppiblm.exeC:\Windows\system32\Meppiblm.exe92⤵PID:2912
-
C:\Windows\SysWOW64\Mdcpdp32.exeC:\Windows\system32\Mdcpdp32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2524 -
C:\Windows\SysWOW64\Mgalqkbk.exeC:\Windows\system32\Mgalqkbk.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2016 -
C:\Windows\SysWOW64\Mmldme32.exeC:\Windows\system32\Mmldme32.exe95⤵
- Modifies registry class
PID:2656 -
C:\Windows\SysWOW64\Mpjqiq32.exeC:\Windows\system32\Mpjqiq32.exe96⤵PID:1268
-
C:\Windows\SysWOW64\Ndemjoae.exeC:\Windows\system32\Ndemjoae.exe97⤵
- Drops file in System32 directory
PID:2896 -
C:\Windows\SysWOW64\Ngdifkpi.exeC:\Windows\system32\Ngdifkpi.exe98⤵
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Nibebfpl.exeC:\Windows\system32\Nibebfpl.exe99⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1728 -
C:\Windows\SysWOW64\Nmnace32.exeC:\Windows\system32\Nmnace32.exe100⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2148 -
C:\Windows\SysWOW64\Nplmop32.exeC:\Windows\system32\Nplmop32.exe101⤵PID:2132
-
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe102⤵PID:1288
-
C:\Windows\SysWOW64\Ngfflj32.exeC:\Windows\system32\Ngfflj32.exe103⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1436 -
C:\Windows\SysWOW64\Niebhf32.exeC:\Windows\system32\Niebhf32.exe104⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:840 -
C:\Windows\SysWOW64\Nlcnda32.exeC:\Windows\system32\Nlcnda32.exe105⤵
- System Location Discovery: System Language Discovery
PID:336 -
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe106⤵
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Ngibaj32.exeC:\Windows\system32\Ngibaj32.exe107⤵
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Nekbmgcn.exeC:\Windows\system32\Nekbmgcn.exe108⤵PID:1776
-
C:\Windows\SysWOW64\Nmbknddp.exeC:\Windows\system32\Nmbknddp.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Npagjpcd.exeC:\Windows\system32\Npagjpcd.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1868 -
C:\Windows\SysWOW64\Nodgel32.exeC:\Windows\system32\Nodgel32.exe111⤵
- System Location Discovery: System Language Discovery
PID:2320 -
C:\Windows\SysWOW64\Ngkogj32.exeC:\Windows\system32\Ngkogj32.exe112⤵
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Niikceid.exeC:\Windows\system32\Niikceid.exe113⤵PID:792
-
C:\Windows\SysWOW64\Nhllob32.exeC:\Windows\system32\Nhllob32.exe114⤵
- Modifies registry class
PID:2584 -
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe115⤵PID:2284
-
C:\Windows\SysWOW64\Nofdklgl.exeC:\Windows\system32\Nofdklgl.exe116⤵PID:1292
-
C:\Windows\SysWOW64\Nadpgggp.exeC:\Windows\system32\Nadpgggp.exe117⤵
- System Location Discovery: System Language Discovery
PID:768 -
C:\Windows\SysWOW64\Nilhhdga.exeC:\Windows\system32\Nilhhdga.exe118⤵
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Nljddpfe.exeC:\Windows\system32\Nljddpfe.exe119⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1236 -
C:\Windows\SysWOW64\Nkmdpm32.exeC:\Windows\system32\Nkmdpm32.exe120⤵
- System Location Discovery: System Language Discovery
PID:1328 -
C:\Windows\SysWOW64\Ocdmaj32.exeC:\Windows\system32\Ocdmaj32.exe121⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1356
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-