Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
12/10/2024, 05:12
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
38d878e0fd50cc52ceb3e9c3eb593ab5f06038df5253ddab3da02038f747b786N.exe
Resource
win7-20241010-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
38d878e0fd50cc52ceb3e9c3eb593ab5f06038df5253ddab3da02038f747b786N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
38d878e0fd50cc52ceb3e9c3eb593ab5f06038df5253ddab3da02038f747b786N.exe
-
Size
64KB
-
MD5
35328c7060f5ad06fa9ba87782424aa0
-
SHA1
698fc92301af8b06d5ac492d76fdcb1fdbbfe8f3
-
SHA256
38d878e0fd50cc52ceb3e9c3eb593ab5f06038df5253ddab3da02038f747b786
-
SHA512
c0a16d8eb9bbb524dadbab08d3b9dce57bdd4f46964986f468acbe1a27b090d342aaa13434b8d4dc6983835ab914264957283ebe71d2af0b1a44f7a55934d0ab
-
SSDEEP
1536:jmRUEBoY7+5qVVdXt1eVB3p++n2LFOrDWBi:jYRX7+5qVVdX65+bU2Bi
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcnmme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dihmae32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebghkjjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkqbhf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnjnolap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbhoip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjmmcgha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikmibjkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eonfgbhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obijpgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obijpgcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eijffhjd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hedllgjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bafkookd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nglmifca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihgadhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldangbhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eheblj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flbgak32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnakjaoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qifpqi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhcnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmholgpj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdigkk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfldno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjhahb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfphmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gielchpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbnhfhoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mkplnp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgndnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkppcmjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfihml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flmidkmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nplhooec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iodlcnmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdlclo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkjkcfjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbikokin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aemafjeg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfphmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mncfgh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pchdfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ehbcnajn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eccdmmpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nepach32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkfiaqgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egfglocf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fakhhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klgpmgod.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oaiglnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Apgcbmha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Geplpfnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mchokq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebjfiboe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fooghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebemnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihooog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfedlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mpjgag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nfqbol32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmmcfi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgmilmkb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdpcep32.exe -
Executes dropped EXE 64 IoCs
pid Process 1504 Bbfnchfb.exe 2888 Bpjnmlel.exe 3048 Cggcofkf.exe 3024 Clclhmin.exe 2660 Chjmmnnb.exe 1168 Ccpqjfnh.exe 392 Ceqjla32.exe 2960 Cjboeenh.exe 2164 Dckcnj32.exe 2016 Dcpmijqc.exe 808 Dcbjni32.exe 1740 Dbggpfci.exe 1696 Edhpaa32.exe 2248 Edmilpld.exe 680 Ejlnjg32.exe 1868 Ffeldglk.exe 1412 Ffiepg32.exe 1164 Fijnabef.exe 1604 Gaebfdba.exe 2536 Gmlckehe.exe 1388 Gjpddigo.exe 1684 Gdkebolm.exe 1900 Gpafgp32.exe 1600 Hpdbmooo.exe 2896 Hilgfe32.exe 3064 Hkppcmjk.exe 2676 Icbkhnan.exe 3016 Ijopjhfh.exe 2904 Iokhcodo.exe 2628 Ionehnbm.exe 1768 Jjcieg32.exe 1612 Jkgbcofn.exe 3000 Jgnchplb.exe 2996 Jkllnn32.exe 2952 Jcgqbq32.exe 1912 Jnlepioj.exe 756 Kqkalenn.exe 2076 Kcimhpma.exe 2064 Kjcedj32.exe 936 Kggfnoch.exe 112 Kcngcp32.exe 1968 Kikokf32.exe 1060 Kodghqop.exe 1520 Keappgmg.exe 1860 Kmhhae32.exe 2188 Knjdimdh.exe 1548 Lgbibb32.exe 1668 Lajmkhai.exe 1484 Ljcbcngi.exe 1272 Llbnnq32.exe 2876 Laogfg32.exe 1508 Ljgkom32.exe 2788 Lcppgbjd.exe 2636 Limhpihl.exe 2716 Mcbmmbhb.exe 2600 Mlmaad32.exe 2964 Mfceom32.exe 1288 Mbjfcnkg.exe 2056 Mpngmb32.exe 516 Maocekoo.exe 912 Mbopon32.exe 2172 Noepdo32.exe 784 Ndbile32.exe 1232 Npiiafpa.exe -
Loads dropped DLL 64 IoCs
pid Process 2732 38d878e0fd50cc52ceb3e9c3eb593ab5f06038df5253ddab3da02038f747b786N.exe 2732 38d878e0fd50cc52ceb3e9c3eb593ab5f06038df5253ddab3da02038f747b786N.exe 1504 Bbfnchfb.exe 1504 Bbfnchfb.exe 2888 Bpjnmlel.exe 2888 Bpjnmlel.exe 3048 Cggcofkf.exe 3048 Cggcofkf.exe 3024 Clclhmin.exe 3024 Clclhmin.exe 2660 Chjmmnnb.exe 2660 Chjmmnnb.exe 1168 Ccpqjfnh.exe 1168 Ccpqjfnh.exe 392 Ceqjla32.exe 392 Ceqjla32.exe 2960 Cjboeenh.exe 2960 Cjboeenh.exe 2164 Dckcnj32.exe 2164 Dckcnj32.exe 2016 Dcpmijqc.exe 2016 Dcpmijqc.exe 808 Dcbjni32.exe 808 Dcbjni32.exe 1740 Dbggpfci.exe 1740 Dbggpfci.exe 1696 Edhpaa32.exe 1696 Edhpaa32.exe 2248 Edmilpld.exe 2248 Edmilpld.exe 680 Ejlnjg32.exe 680 Ejlnjg32.exe 1868 Ffeldglk.exe 1868 Ffeldglk.exe 1412 Ffiepg32.exe 1412 Ffiepg32.exe 1164 Fijnabef.exe 1164 Fijnabef.exe 1604 Gaebfdba.exe 1604 Gaebfdba.exe 2536 Gmlckehe.exe 2536 Gmlckehe.exe 1388 Gjpddigo.exe 1388 Gjpddigo.exe 1684 Gdkebolm.exe 1684 Gdkebolm.exe 1900 Gpafgp32.exe 1900 Gpafgp32.exe 1600 Hpdbmooo.exe 1600 Hpdbmooo.exe 2896 Hilgfe32.exe 2896 Hilgfe32.exe 3064 Hkppcmjk.exe 3064 Hkppcmjk.exe 2676 Icbkhnan.exe 2676 Icbkhnan.exe 3016 Ijopjhfh.exe 3016 Ijopjhfh.exe 2904 Iokhcodo.exe 2904 Iokhcodo.exe 2628 Ionehnbm.exe 2628 Ionehnbm.exe 1768 Jjcieg32.exe 1768 Jjcieg32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gkaein32.dll Hbqdldhi.exe File opened for modification C:\Windows\SysWOW64\Oiniaboi.exe Opfdim32.exe File created C:\Windows\SysWOW64\Lbinkahf.dll Ngafdepl.exe File opened for modification C:\Windows\SysWOW64\Nogjbbma.exe Njjbjk32.exe File opened for modification C:\Windows\SysWOW64\Pinnfonh.exe Pbcfie32.exe File created C:\Windows\SysWOW64\Ajgegnce.dll Ojlkonpb.exe File created C:\Windows\SysWOW64\Mbopon32.exe Maocekoo.exe File created C:\Windows\SysWOW64\Gibcam32.dll Maocekoo.exe File created C:\Windows\SysWOW64\Mohkpn32.dll Dmcgik32.exe File created C:\Windows\SysWOW64\Becmcind.dll Fclkldqe.exe File created C:\Windows\SysWOW64\Hjcoaeol.exe Hefginae.exe File created C:\Windows\SysWOW64\Khhndi32.exe Kdlbckee.exe File created C:\Windows\SysWOW64\Fhcjilcb.exe Flmidkmn.exe File created C:\Windows\SysWOW64\Qpocno32.exe Qkbkfh32.exe File created C:\Windows\SysWOW64\Mcabpb32.dll Kjhahb32.exe File opened for modification C:\Windows\SysWOW64\Jbpfpd32.exe Jmbnhm32.exe File created C:\Windows\SysWOW64\Pmjaadjm.exe Pbppqf32.exe File opened for modification C:\Windows\SysWOW64\Ginefe32.exe Gngdadoj.exe File opened for modification C:\Windows\SysWOW64\Pnfipm32.exe Pdndggcl.exe File created C:\Windows\SysWOW64\Ladpqq32.dll Edmkei32.exe File created C:\Windows\SysWOW64\Dlcceboa.exe Dbkolmia.exe File opened for modification C:\Windows\SysWOW64\Eheblj32.exe Egbffj32.exe File opened for modification C:\Windows\SysWOW64\Iebmpcjc.exe Ikmibjkm.exe File opened for modification C:\Windows\SysWOW64\Kcllfi32.exe Kkqhbf32.exe File created C:\Windows\SysWOW64\Alqplmlb.exe Achlch32.exe File created C:\Windows\SysWOW64\Bpncbi32.dll Ginefe32.exe File created C:\Windows\SysWOW64\Fnhpam32.dll Iihgadhl.exe File opened for modification C:\Windows\SysWOW64\Goemhfco.exe Ghlell32.exe File opened for modification C:\Windows\SysWOW64\Chkpakla.exe Cbagdq32.exe File opened for modification C:\Windows\SysWOW64\Enhcnd32.exe Emggflfc.exe File created C:\Windows\SysWOW64\Dlifcqfl.exe Ddnaonia.exe File opened for modification C:\Windows\SysWOW64\Pbcfie32.exe Pikaqppk.exe File created C:\Windows\SysWOW64\Njhgfljc.dll Bkjfhile.exe File created C:\Windows\SysWOW64\Aojngh32.dll Djffihmp.exe File opened for modification C:\Windows\SysWOW64\Mlmaad32.exe Mcbmmbhb.exe File created C:\Windows\SysWOW64\Mciljggi.dll Dnfjiali.exe File opened for modification C:\Windows\SysWOW64\Jpcdqpqj.exe Jdlclo32.exe File created C:\Windows\SysWOW64\Ffckpq32.dll Mbjhlg32.exe File opened for modification C:\Windows\SysWOW64\Achlch32.exe Agakog32.exe File created C:\Windows\SysWOW64\Amfcfk32.exe Adnomfqc.exe File created C:\Windows\SysWOW64\Inpiogfm.dll Denknngk.exe File created C:\Windows\SysWOW64\Pedmbg32.exe Pceqfl32.exe File created C:\Windows\SysWOW64\Anhdmh32.exe Aqddcdbo.exe File created C:\Windows\SysWOW64\Qaapab32.dll Odmgnl32.exe File opened for modification C:\Windows\SysWOW64\Gkgbioee.exe Foqadnpq.exe File created C:\Windows\SysWOW64\Dhoeadlm.dll Gklkdn32.exe File opened for modification C:\Windows\SysWOW64\Bjjcdp32.exe Bpbokj32.exe File created C:\Windows\SysWOW64\Ibfbna32.dll Cbagdq32.exe File opened for modification C:\Windows\SysWOW64\Iockhigl.exe Iigcobid.exe File created C:\Windows\SysWOW64\Kejpdk32.dll Kkqhbf32.exe File created C:\Windows\SysWOW64\Jlkokm32.dll Ljjjmeie.exe File created C:\Windows\SysWOW64\Obonfj32.exe Njcibgcf.exe File opened for modification C:\Windows\SysWOW64\Kjdpcnfi.exe Kiccle32.exe File created C:\Windows\SysWOW64\Okmpgc32.dll Hhbfpj32.exe File opened for modification C:\Windows\SysWOW64\Jbjcaf32.exe Ipkgejcf.exe File opened for modification C:\Windows\SysWOW64\Kfobmc32.exe Kpbiempj.exe File opened for modification C:\Windows\SysWOW64\Ohppjpkc.exe Oohlaj32.exe File created C:\Windows\SysWOW64\Momdeobl.dll Ampncd32.exe File opened for modification C:\Windows\SysWOW64\Cbqekhmp.exe Cihqbb32.exe File opened for modification C:\Windows\SysWOW64\Hjhofj32.exe Hjfbaj32.exe File created C:\Windows\SysWOW64\Nakjff32.dll Jdbhcfjd.exe File created C:\Windows\SysWOW64\Kbgecc32.dll Mchokq32.exe File created C:\Windows\SysWOW64\Impcbm32.dll Imchcplm.exe File opened for modification C:\Windows\SysWOW64\Agebam32.exe Ampncd32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4676 4936 WerFault.exe 823 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkllnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abiqcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achikonn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iodlcnmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjqqianh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmemoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aemafjeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jljeeqfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbhoip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqfooonp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkbkfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnmfpnqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lppkgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmlofhmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjnolap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdbibjok.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjcieg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlpdfjjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkcqfifp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldchdjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfghagio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcjqpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qfganb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdigakic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjboeenh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edhpaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbopon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmcfi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oepghe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pikohg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kngcbpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfnaok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Licpki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcaghm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cikbjpqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gphlgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omjbihpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eokiabjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edmkei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklaepbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hklhca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhfbmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klmfmacc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddfjak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejlnjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijopjhfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjfbaj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deedfacn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmeiei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dggcbf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmikpngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbdbml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihcdkom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhihpl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlfebcnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eopcmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgcgebhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihooog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmdql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgfciee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdpgai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnoll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffeldglk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkhalo32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfehna32.dll" Gfldno32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnimkebm.dll" Njcibgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neghdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkqlnk32.dll" Egkgad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bknaehom.dll" Cgeopqfp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgcpnon.dll" Ebkndibq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njnjicba.dll" Hjcoaeol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jlbhjkij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jffhec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ancacpck.dll" Cnjbfhqa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jpdibapb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmlckehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fohbqpki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgbgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpjgag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nbjpjm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbmebgpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqddcdbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fiopah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oepghe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmfgkqba.dll" Pceqfl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmlngdhk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hefibg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdekjmob.dll" Plkchdiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnmada32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibjenkae.dll" Nhhqfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbfgopei.dll" Kaliaphd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boeppomj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gpjilj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pikohg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oljanhmc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ijpjik32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hliieioi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnjompcl.dll" Jpcfih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giolcp32.dll" Fhfgokap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgcgebhd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ienfml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfghagio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eenckc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oifcqnkn.dll" Gmlckehe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Maocekoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Goodpb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lfgaaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekloon32.dll" Plbaafak.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adlqbf32.dll" Ljcbcngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmmjcc32.dll" Lojclibo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahoamplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nglmifca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lobehpok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmhhae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qooplh32.dll" Kmpfgklo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ilfadg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njnmiaib.dll" Jffhec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aglhph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhcbdmon.dll" Njjbjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Blnkbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efmoib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkokjpai.dll" Lkhalo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nplhooec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jffhec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldchdjom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jabmhccg.dll" Ibjikk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gjkcod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jogneifn.dll" Gjkcod32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2732 wrote to memory of 1504 2732 38d878e0fd50cc52ceb3e9c3eb593ab5f06038df5253ddab3da02038f747b786N.exe 30 PID 2732 wrote to memory of 1504 2732 38d878e0fd50cc52ceb3e9c3eb593ab5f06038df5253ddab3da02038f747b786N.exe 30 PID 2732 wrote to memory of 1504 2732 38d878e0fd50cc52ceb3e9c3eb593ab5f06038df5253ddab3da02038f747b786N.exe 30 PID 2732 wrote to memory of 1504 2732 38d878e0fd50cc52ceb3e9c3eb593ab5f06038df5253ddab3da02038f747b786N.exe 30 PID 1504 wrote to memory of 2888 1504 Bbfnchfb.exe 31 PID 1504 wrote to memory of 2888 1504 Bbfnchfb.exe 31 PID 1504 wrote to memory of 2888 1504 Bbfnchfb.exe 31 PID 1504 wrote to memory of 2888 1504 Bbfnchfb.exe 31 PID 2888 wrote to memory of 3048 2888 Bpjnmlel.exe 32 PID 2888 wrote to memory of 3048 2888 Bpjnmlel.exe 32 PID 2888 wrote to memory of 3048 2888 Bpjnmlel.exe 32 PID 2888 wrote to memory of 3048 2888 Bpjnmlel.exe 32 PID 3048 wrote to memory of 3024 3048 Cggcofkf.exe 33 PID 3048 wrote to memory of 3024 3048 Cggcofkf.exe 33 PID 3048 wrote to memory of 3024 3048 Cggcofkf.exe 33 PID 3048 wrote to memory of 3024 3048 Cggcofkf.exe 33 PID 3024 wrote to memory of 2660 3024 Clclhmin.exe 34 PID 3024 wrote to memory of 2660 3024 Clclhmin.exe 34 PID 3024 wrote to memory of 2660 3024 Clclhmin.exe 34 PID 3024 wrote to memory of 2660 3024 Clclhmin.exe 34 PID 2660 wrote to memory of 1168 2660 Chjmmnnb.exe 35 PID 2660 wrote to memory of 1168 2660 Chjmmnnb.exe 35 PID 2660 wrote to memory of 1168 2660 Chjmmnnb.exe 35 PID 2660 wrote to memory of 1168 2660 Chjmmnnb.exe 35 PID 1168 wrote to memory of 392 1168 Ccpqjfnh.exe 36 PID 1168 wrote to memory of 392 1168 Ccpqjfnh.exe 36 PID 1168 wrote to memory of 392 1168 Ccpqjfnh.exe 36 PID 1168 wrote to memory of 392 1168 Ccpqjfnh.exe 36 PID 392 wrote to memory of 2960 392 Ceqjla32.exe 37 PID 392 wrote to memory of 2960 392 Ceqjla32.exe 37 PID 392 wrote to memory of 2960 392 Ceqjla32.exe 37 PID 392 wrote to memory of 2960 392 Ceqjla32.exe 37 PID 2960 wrote to memory of 2164 2960 Cjboeenh.exe 38 PID 2960 wrote to memory of 2164 2960 Cjboeenh.exe 38 PID 2960 wrote to memory of 2164 2960 Cjboeenh.exe 38 PID 2960 wrote to memory of 2164 2960 Cjboeenh.exe 38 PID 2164 wrote to memory of 2016 2164 Dckcnj32.exe 39 PID 2164 wrote to memory of 2016 2164 Dckcnj32.exe 39 PID 2164 wrote to memory of 2016 2164 Dckcnj32.exe 39 PID 2164 wrote to memory of 2016 2164 Dckcnj32.exe 39 PID 2016 wrote to memory of 808 2016 Dcpmijqc.exe 40 PID 2016 wrote to memory of 808 2016 Dcpmijqc.exe 40 PID 2016 wrote to memory of 808 2016 Dcpmijqc.exe 40 PID 2016 wrote to memory of 808 2016 Dcpmijqc.exe 40 PID 808 wrote to memory of 1740 808 Dcbjni32.exe 41 PID 808 wrote to memory of 1740 808 Dcbjni32.exe 41 PID 808 wrote to memory of 1740 808 Dcbjni32.exe 41 PID 808 wrote to memory of 1740 808 Dcbjni32.exe 41 PID 1740 wrote to memory of 1696 1740 Dbggpfci.exe 42 PID 1740 wrote to memory of 1696 1740 Dbggpfci.exe 42 PID 1740 wrote to memory of 1696 1740 Dbggpfci.exe 42 PID 1740 wrote to memory of 1696 1740 Dbggpfci.exe 42 PID 1696 wrote to memory of 2248 1696 Edhpaa32.exe 43 PID 1696 wrote to memory of 2248 1696 Edhpaa32.exe 43 PID 1696 wrote to memory of 2248 1696 Edhpaa32.exe 43 PID 1696 wrote to memory of 2248 1696 Edhpaa32.exe 43 PID 2248 wrote to memory of 680 2248 Edmilpld.exe 44 PID 2248 wrote to memory of 680 2248 Edmilpld.exe 44 PID 2248 wrote to memory of 680 2248 Edmilpld.exe 44 PID 2248 wrote to memory of 680 2248 Edmilpld.exe 44 PID 680 wrote to memory of 1868 680 Ejlnjg32.exe 45 PID 680 wrote to memory of 1868 680 Ejlnjg32.exe 45 PID 680 wrote to memory of 1868 680 Ejlnjg32.exe 45 PID 680 wrote to memory of 1868 680 Ejlnjg32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\38d878e0fd50cc52ceb3e9c3eb593ab5f06038df5253ddab3da02038f747b786N.exe"C:\Users\Admin\AppData\Local\Temp\38d878e0fd50cc52ceb3e9c3eb593ab5f06038df5253ddab3da02038f747b786N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Bbfnchfb.exeC:\Windows\system32\Bbfnchfb.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\Bpjnmlel.exeC:\Windows\system32\Bpjnmlel.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\SysWOW64\Cggcofkf.exeC:\Windows\system32\Cggcofkf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3048 -
C:\Windows\SysWOW64\Clclhmin.exeC:\Windows\system32\Clclhmin.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\SysWOW64\Chjmmnnb.exeC:\Windows\system32\Chjmmnnb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Ccpqjfnh.exeC:\Windows\system32\Ccpqjfnh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1168 -
C:\Windows\SysWOW64\Ceqjla32.exeC:\Windows\system32\Ceqjla32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\SysWOW64\Cjboeenh.exeC:\Windows\system32\Cjboeenh.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\SysWOW64\Dckcnj32.exeC:\Windows\system32\Dckcnj32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Windows\SysWOW64\Dcpmijqc.exeC:\Windows\system32\Dcpmijqc.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Dcbjni32.exeC:\Windows\system32\Dcbjni32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:808 -
C:\Windows\SysWOW64\Dbggpfci.exeC:\Windows\system32\Dbggpfci.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Edhpaa32.exeC:\Windows\system32\Edhpaa32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\SysWOW64\Edmilpld.exeC:\Windows\system32\Edmilpld.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Ejlnjg32.exeC:\Windows\system32\Ejlnjg32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:680 -
C:\Windows\SysWOW64\Ffeldglk.exeC:\Windows\system32\Ffeldglk.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1868 -
C:\Windows\SysWOW64\Ffiepg32.exeC:\Windows\system32\Ffiepg32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1412 -
C:\Windows\SysWOW64\Fijnabef.exeC:\Windows\system32\Fijnabef.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1164 -
C:\Windows\SysWOW64\Gaebfdba.exeC:\Windows\system32\Gaebfdba.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1604 -
C:\Windows\SysWOW64\Gmlckehe.exeC:\Windows\system32\Gmlckehe.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Gjpddigo.exeC:\Windows\system32\Gjpddigo.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1388 -
C:\Windows\SysWOW64\Gdkebolm.exeC:\Windows\system32\Gdkebolm.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Gpafgp32.exeC:\Windows\system32\Gpafgp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1900 -
C:\Windows\SysWOW64\Hpdbmooo.exeC:\Windows\system32\Hpdbmooo.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1600 -
C:\Windows\SysWOW64\Hilgfe32.exeC:\Windows\system32\Hilgfe32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2896 -
C:\Windows\SysWOW64\Hkppcmjk.exeC:\Windows\system32\Hkppcmjk.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:3064 -
C:\Windows\SysWOW64\Icbkhnan.exeC:\Windows\system32\Icbkhnan.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2676 -
C:\Windows\SysWOW64\Ijopjhfh.exeC:\Windows\system32\Ijopjhfh.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\Iokhcodo.exeC:\Windows\system32\Iokhcodo.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2904 -
C:\Windows\SysWOW64\Ionehnbm.exeC:\Windows\system32\Ionehnbm.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Jjcieg32.exeC:\Windows\system32\Jjcieg32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\Jkgbcofn.exeC:\Windows\system32\Jkgbcofn.exe33⤵
- Executes dropped EXE
PID:1612 -
C:\Windows\SysWOW64\Jgnchplb.exeC:\Windows\system32\Jgnchplb.exe34⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Jkllnn32.exeC:\Windows\system32\Jkllnn32.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Jcgqbq32.exeC:\Windows\system32\Jcgqbq32.exe36⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Jnlepioj.exeC:\Windows\system32\Jnlepioj.exe37⤵
- Executes dropped EXE
PID:1912 -
C:\Windows\SysWOW64\Kqkalenn.exeC:\Windows\system32\Kqkalenn.exe38⤵
- Executes dropped EXE
PID:756 -
C:\Windows\SysWOW64\Kcimhpma.exeC:\Windows\system32\Kcimhpma.exe39⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Kjcedj32.exeC:\Windows\system32\Kjcedj32.exe40⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Kggfnoch.exeC:\Windows\system32\Kggfnoch.exe41⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Kcngcp32.exeC:\Windows\system32\Kcngcp32.exe42⤵
- Executes dropped EXE
PID:112 -
C:\Windows\SysWOW64\Kikokf32.exeC:\Windows\system32\Kikokf32.exe43⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Kodghqop.exeC:\Windows\system32\Kodghqop.exe44⤵
- Executes dropped EXE
PID:1060 -
C:\Windows\SysWOW64\Keappgmg.exeC:\Windows\system32\Keappgmg.exe45⤵
- Executes dropped EXE
PID:1520 -
C:\Windows\SysWOW64\Kmhhae32.exeC:\Windows\system32\Kmhhae32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1860 -
C:\Windows\SysWOW64\Knjdimdh.exeC:\Windows\system32\Knjdimdh.exe47⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Lgbibb32.exeC:\Windows\system32\Lgbibb32.exe48⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Lajmkhai.exeC:\Windows\system32\Lajmkhai.exe49⤵
- Executes dropped EXE
PID:1668 -
C:\Windows\SysWOW64\Ljcbcngi.exeC:\Windows\system32\Ljcbcngi.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:1484 -
C:\Windows\SysWOW64\Llbnnq32.exeC:\Windows\system32\Llbnnq32.exe51⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Laogfg32.exeC:\Windows\system32\Laogfg32.exe52⤵
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Ljgkom32.exeC:\Windows\system32\Ljgkom32.exe53⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Lcppgbjd.exeC:\Windows\system32\Lcppgbjd.exe54⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Limhpihl.exeC:\Windows\system32\Limhpihl.exe55⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Mcbmmbhb.exeC:\Windows\system32\Mcbmmbhb.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Mlmaad32.exeC:\Windows\system32\Mlmaad32.exe57⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Mfceom32.exeC:\Windows\system32\Mfceom32.exe58⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Mbjfcnkg.exeC:\Windows\system32\Mbjfcnkg.exe59⤵
- Executes dropped EXE
PID:1288 -
C:\Windows\SysWOW64\Mpngmb32.exeC:\Windows\system32\Mpngmb32.exe60⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Maocekoo.exeC:\Windows\system32\Maocekoo.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:516 -
C:\Windows\SysWOW64\Mbopon32.exeC:\Windows\system32\Mbopon32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:912 -
C:\Windows\SysWOW64\Noepdo32.exeC:\Windows\system32\Noepdo32.exe63⤵
- Executes dropped EXE
PID:2172 -
C:\Windows\SysWOW64\Ndbile32.exeC:\Windows\system32\Ndbile32.exe64⤵
- Executes dropped EXE
PID:784 -
C:\Windows\SysWOW64\Npiiafpa.exeC:\Windows\system32\Npiiafpa.exe65⤵
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Ngcanq32.exeC:\Windows\system32\Ngcanq32.exe66⤵PID:1996
-
C:\Windows\SysWOW64\Ndgbgefh.exeC:\Windows\system32\Ndgbgefh.exe67⤵PID:540
-
C:\Windows\SysWOW64\Nmogpj32.exeC:\Windows\system32\Nmogpj32.exe68⤵PID:612
-
C:\Windows\SysWOW64\Nmacej32.exeC:\Windows\system32\Nmacej32.exe69⤵PID:1932
-
C:\Windows\SysWOW64\Ogjhnp32.exeC:\Windows\system32\Ogjhnp32.exe70⤵PID:2080
-
C:\Windows\SysWOW64\Ocqhcqgk.exeC:\Windows\system32\Ocqhcqgk.exe71⤵PID:1712
-
C:\Windows\SysWOW64\Ohmalgeb.exeC:\Windows\system32\Ohmalgeb.exe72⤵PID:2132
-
C:\Windows\SysWOW64\Oklmhcdf.exeC:\Windows\system32\Oklmhcdf.exe73⤵PID:2892
-
C:\Windows\SysWOW64\Oeaael32.exeC:\Windows\system32\Oeaael32.exe74⤵PID:2652
-
C:\Windows\SysWOW64\Onmfin32.exeC:\Windows\system32\Onmfin32.exe75⤵PID:1888
-
C:\Windows\SysWOW64\Ohbjgg32.exeC:\Windows\system32\Ohbjgg32.exe76⤵PID:2560
-
C:\Windows\SysWOW64\Oajopl32.exeC:\Windows\system32\Oajopl32.exe77⤵PID:2908
-
C:\Windows\SysWOW64\Ohdglfoj.exeC:\Windows\system32\Ohdglfoj.exe78⤵PID:1964
-
C:\Windows\SysWOW64\Pdkhag32.exeC:\Windows\system32\Pdkhag32.exe79⤵PID:1664
-
C:\Windows\SysWOW64\Pjhpin32.exeC:\Windows\system32\Pjhpin32.exe80⤵PID:2328
-
C:\Windows\SysWOW64\Pdndggcl.exeC:\Windows\system32\Pdndggcl.exe81⤵
- Drops file in System32 directory
PID:2004 -
C:\Windows\SysWOW64\Pnfipm32.exeC:\Windows\system32\Pnfipm32.exe82⤵PID:2148
-
C:\Windows\SysWOW64\Pccahc32.exeC:\Windows\system32\Pccahc32.exe83⤵PID:812
-
C:\Windows\SysWOW64\Pjmjdnop.exeC:\Windows\system32\Pjmjdnop.exe84⤵PID:1972
-
C:\Windows\SysWOW64\Pbhoip32.exeC:\Windows\system32\Pbhoip32.exe85⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1356 -
C:\Windows\SysWOW64\Pmmcfi32.exeC:\Windows\system32\Pmmcfi32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Pdigkk32.exeC:\Windows\system32\Pdigkk32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2512 -
C:\Windows\SysWOW64\Qonlhd32.exeC:\Windows\system32\Qonlhd32.exe88⤵PID:2448
-
C:\Windows\SysWOW64\Qifpqi32.exeC:\Windows\system32\Qifpqi32.exe89⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2440 -
C:\Windows\SysWOW64\Aemafjeg.exeC:\Windows\system32\Aemafjeg.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Akgibd32.exeC:\Windows\system32\Akgibd32.exe91⤵PID:2860
-
C:\Windows\SysWOW64\Aepnkjcd.exeC:\Windows\system32\Aepnkjcd.exe92⤵PID:2020
-
C:\Windows\SysWOW64\Bboahbio.exeC:\Windows\system32\Bboahbio.exe93⤵PID:2296
-
C:\Windows\SysWOW64\Bepjjn32.exeC:\Windows\system32\Bepjjn32.exe94⤵PID:2948
-
C:\Windows\SysWOW64\Bafkookd.exeC:\Windows\system32\Bafkookd.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:932 -
C:\Windows\SysWOW64\Bllomg32.exeC:\Windows\system32\Bllomg32.exe96⤵PID:2720
-
C:\Windows\SysWOW64\Bedcembk.exeC:\Windows\system32\Bedcembk.exe97⤵PID:2428
-
C:\Windows\SysWOW64\Blnkbg32.exeC:\Windows\system32\Blnkbg32.exe98⤵
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Befpkmph.exeC:\Windows\system32\Befpkmph.exe99⤵PID:1584
-
C:\Windows\SysWOW64\Cooddbfh.exeC:\Windows\system32\Cooddbfh.exe100⤵PID:1916
-
C:\Windows\SysWOW64\Ckfeic32.exeC:\Windows\system32\Ckfeic32.exe101⤵PID:544
-
C:\Windows\SysWOW64\Cikbjpqd.exeC:\Windows\system32\Cikbjpqd.exe102⤵
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\Cmikpngk.exeC:\Windows\system32\Cmikpngk.exe103⤵
- System Location Discovery: System Language Discovery
PID:2028 -
C:\Windows\SysWOW64\Ccecheeb.exeC:\Windows\system32\Ccecheeb.exe104⤵PID:2136
-
C:\Windows\SysWOW64\Cpidai32.exeC:\Windows\system32\Cpidai32.exe105⤵PID:2784
-
C:\Windows\SysWOW64\Defljp32.exeC:\Windows\system32\Defljp32.exe106⤵PID:1748
-
C:\Windows\SysWOW64\Dlpdfjjp.exeC:\Windows\system32\Dlpdfjjp.exe107⤵
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Dcjmcd32.exeC:\Windows\system32\Dcjmcd32.exe108⤵PID:2848
-
C:\Windows\SysWOW64\Dhgelk32.exeC:\Windows\system32\Dhgelk32.exe109⤵PID:1176
-
C:\Windows\SysWOW64\Dndndbnl.exeC:\Windows\system32\Dndndbnl.exe110⤵PID:2300
-
C:\Windows\SysWOW64\Dglbmg32.exeC:\Windows\system32\Dglbmg32.exe111⤵PID:2492
-
C:\Windows\SysWOW64\Dnfjiali.exeC:\Windows\system32\Dnfjiali.exe112⤵
- Drops file in System32 directory
PID:2484 -
C:\Windows\SysWOW64\Dkjkcfjc.exeC:\Windows\system32\Dkjkcfjc.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1692 -
C:\Windows\SysWOW64\Dkmghe32.exeC:\Windows\system32\Dkmghe32.exe114⤵PID:2532
-
C:\Windows\SysWOW64\Enkdda32.exeC:\Windows\system32\Enkdda32.exe115⤵PID:2152
-
C:\Windows\SysWOW64\Echlmh32.exeC:\Windows\system32\Echlmh32.exe116⤵PID:2928
-
C:\Windows\SysWOW64\Eplmflde.exeC:\Windows\system32\Eplmflde.exe117⤵PID:2696
-
C:\Windows\SysWOW64\Ehgaknbp.exeC:\Windows\system32\Ehgaknbp.exe118⤵PID:2772
-
C:\Windows\SysWOW64\Eqnillbb.exeC:\Windows\system32\Eqnillbb.exe119⤵PID:1376
-
C:\Windows\SysWOW64\Efkbdbai.exeC:\Windows\system32\Efkbdbai.exe120⤵PID:1148
-
C:\Windows\SysWOW64\Ekhjlioa.exeC:\Windows\system32\Ekhjlioa.exe121⤵PID:2084
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-