Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
113s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
04/11/2024, 14:54
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
96e84783269b4e04bd857a91955c50fa922ebd076d494eb49357f5ea1a7431c3N.exe
Resource
win7-20241010-en
windows7-x64
13 signatures
120 seconds
Behavioral task
behavioral2
Sample
96e84783269b4e04bd857a91955c50fa922ebd076d494eb49357f5ea1a7431c3N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
96e84783269b4e04bd857a91955c50fa922ebd076d494eb49357f5ea1a7431c3N.exe
-
Size
163KB
-
MD5
b10787336e7feaf2373987cc6ea17b50
-
SHA1
b5c6dcbcff8c28e6ee0e2280f829ca8fbf9db267
-
SHA256
96e84783269b4e04bd857a91955c50fa922ebd076d494eb49357f5ea1a7431c3
-
SHA512
ae09d3d1ef9a4129170b2f3829a29cb7e3492231e28d713b2162d68408504efccd426db868516e5c59bd53ef29e410871901ee8840b9abb0ca310a0a580c7304
-
SSDEEP
1536:P/2Gv/8dPjX3BeJipx+2ZPP56lHB8fptGirVoBZ85+cUnYlProNVU4qNVUrk/9QD:lX81jX3BmEhyBZuUYltOrWKDBr+yJb
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://master-x.com/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://crutop.ru/index.php
http://kaspersky.ru/index.php
http://color-bank.ru/index.php
http://adult-empire.com/index.php
http://virus-list.com/index.php
http://trojan.ru/index.php
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://fethard.biz/index.htm
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://kaspersky.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onocon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgjdmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfoeil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgnnab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iqfiii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaholp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Keiqlihp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmpakm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajmfca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deiipp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhoeii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efmlqigc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inplqlng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljgkom32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnbkodci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljbkig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhcfjnhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eblpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mddibb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deiipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edelakoq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhfhaoec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmnngl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acjdgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ejadibmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdhnal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhcndhap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aejglo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cpejfjha.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elejqm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hijhhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gpgjnbnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpkbk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enhcnd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgddam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjppfl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmqihg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dnjalhpp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghekhd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgoobg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmibmhoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amgjnepn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbnpbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coladm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fabmmejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilifndlo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jcleiclo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eldiehbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndicnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihijhpdo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hjoiiffo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igcjgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbpqmfmd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghaeoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mgbcfdmo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Omcngamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Enhcnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iljifm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cehhdkjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghoijebj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fabmmejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aphehidc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nmmjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blnkbg32.exe -
Berbew family
-
Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
-
Bruteratel family
-
Detect BruteRatel badger 1 IoCs
resource yara_rule behavioral1/files/0x000400000001cecd-1381.dat family_bruteratel -
Executes dropped EXE 64 IoCs
pid Process 2532 Qhilkege.exe 2476 Qkielpdf.exe 2796 Aeoijidl.exe 2720 Ajckilei.exe 2616 Alddjg32.exe 2612 Bfoeil32.exe 2644 Bfabnl32.exe 2580 Bknjfb32.exe 1624 Bnochnpm.exe 2940 Bnapnm32.exe 1460 Cmfmojcb.exe 2020 Cgnnab32.exe 2404 Cfckcoen.exe 2340 Cehhdkjf.exe 2792 Dnqlmq32.exe 1200 Demaoj32.exe 776 Dnhbmpkn.exe 1160 Dpklkgoj.exe 932 Emoldlmc.exe 2484 Eldiehbk.exe 2012 Elgfkhpi.exe 2428 Fbegbacp.exe 1464 Fkqlgc32.exe 2088 Fhdmph32.exe 1216 Fkefbcmf.exe 1592 Fkhbgbkc.exe 2268 Glklejoo.exe 2416 Gonale32.exe 2748 Ghgfekpn.exe 2628 Gdnfjl32.exe 2604 Hadcipbi.exe 2236 Hoqjqhjf.exe 2576 Iikkon32.exe 3000 Ibfmmb32.exe 2960 Iegeonpc.exe 2988 Ieibdnnp.exe 2964 Jpbcek32.exe 804 Jfmkbebl.exe 2560 Jpepkk32.exe 2304 Jllqplnp.exe 2204 Jmkmjoec.exe 2292 Jbhebfck.exe 936 Jplfkjbd.exe 844 Kambcbhb.exe 904 Koaclfgl.exe 1744 Kjhcag32.exe 1484 Kmimcbja.exe 3060 Kkmmlgik.exe 2328 Kbhbai32.exe 1500 Llpfjomf.exe 884 Llbconkd.exe 1748 Lekghdad.exe 2056 Liipnb32.exe 2300 Lohelidp.exe 2844 Mnmbme32.exe 2640 Mhcfjnhm.exe 2636 Makkcc32.exe 2248 Mnblhddb.exe 2992 Mfmqmgbm.exe 2888 Mqbejp32.exe 772 Nohaklfk.exe 1988 Njmfhe32.exe 2280 Nbhkmg32.exe 3016 Nmnojp32.exe -
Loads dropped DLL 64 IoCs
pid Process 1728 96e84783269b4e04bd857a91955c50fa922ebd076d494eb49357f5ea1a7431c3N.exe 1728 96e84783269b4e04bd857a91955c50fa922ebd076d494eb49357f5ea1a7431c3N.exe 2532 Qhilkege.exe 2532 Qhilkege.exe 2476 Qkielpdf.exe 2476 Qkielpdf.exe 2796 Aeoijidl.exe 2796 Aeoijidl.exe 2720 Ajckilei.exe 2720 Ajckilei.exe 2616 Alddjg32.exe 2616 Alddjg32.exe 2612 Bfoeil32.exe 2612 Bfoeil32.exe 2644 Bfabnl32.exe 2644 Bfabnl32.exe 2580 Bknjfb32.exe 2580 Bknjfb32.exe 1624 Bnochnpm.exe 1624 Bnochnpm.exe 2940 Bnapnm32.exe 2940 Bnapnm32.exe 1460 Cmfmojcb.exe 1460 Cmfmojcb.exe 2020 Cgnnab32.exe 2020 Cgnnab32.exe 2404 Cfckcoen.exe 2404 Cfckcoen.exe 2340 Cehhdkjf.exe 2340 Cehhdkjf.exe 2792 Dnqlmq32.exe 2792 Dnqlmq32.exe 1200 Demaoj32.exe 1200 Demaoj32.exe 776 Dnhbmpkn.exe 776 Dnhbmpkn.exe 1160 Dpklkgoj.exe 1160 Dpklkgoj.exe 932 Emoldlmc.exe 932 Emoldlmc.exe 2484 Eldiehbk.exe 2484 Eldiehbk.exe 2012 Elgfkhpi.exe 2012 Elgfkhpi.exe 2428 Fbegbacp.exe 2428 Fbegbacp.exe 1464 Fkqlgc32.exe 1464 Fkqlgc32.exe 2088 Fhdmph32.exe 2088 Fhdmph32.exe 1216 Fkefbcmf.exe 1216 Fkefbcmf.exe 1592 Fkhbgbkc.exe 1592 Fkhbgbkc.exe 2268 Glklejoo.exe 2268 Glklejoo.exe 2416 Gonale32.exe 2416 Gonale32.exe 2748 Ghgfekpn.exe 2748 Ghgfekpn.exe 2628 Gdnfjl32.exe 2628 Gdnfjl32.exe 2604 Hadcipbi.exe 2604 Hadcipbi.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Nncgkioi.dll Ghgfekpn.exe File created C:\Windows\SysWOW64\Bpmoggbh.dll Coladm32.exe File created C:\Windows\SysWOW64\Mmndfnpl.exe Mdepmh32.exe File created C:\Windows\SysWOW64\Gfmogk32.dll Jpeafo32.exe File created C:\Windows\SysWOW64\Nqhblj32.dll Olalpdbc.exe File created C:\Windows\SysWOW64\Mclqqeaq.exe Mhflcm32.exe File created C:\Windows\SysWOW64\Kneibo32.dll Fpbqcb32.exe File opened for modification C:\Windows\SysWOW64\Lbhmok32.exe Lgbibb32.exe File created C:\Windows\SysWOW64\Dnfjiali.exe Dekeeonn.exe File opened for modification C:\Windows\SysWOW64\Hbnpbm32.exe Hkdgecna.exe File created C:\Windows\SysWOW64\Gahpkd32.exe Glkgcmbg.exe File created C:\Windows\SysWOW64\Pokkfdac.dll Ndjfgkha.exe File created C:\Windows\SysWOW64\Hhdqma32.exe Hbghdj32.exe File created C:\Windows\SysWOW64\Meeopdhb.exe Mjpkbk32.exe File created C:\Windows\SysWOW64\Dhlmpmai.dll Kpbhjh32.exe File opened for modification C:\Windows\SysWOW64\Qncfphff.exe Qnqjkh32.exe File opened for modification C:\Windows\SysWOW64\Hhoeii32.exe Hcblqb32.exe File created C:\Windows\SysWOW64\Ikimqk32.dll Joebccpp.exe File opened for modification C:\Windows\SysWOW64\Edeclabl.exe Dfniee32.exe File opened for modification C:\Windows\SysWOW64\Cngcll32.exe Cfknhi32.exe File created C:\Windows\SysWOW64\Imogcj32.exe Iokfjf32.exe File opened for modification C:\Windows\SysWOW64\Lkifkdjm.exe Lpdankjg.exe File created C:\Windows\SysWOW64\Dgfpni32.exe Dajgfboj.exe File created C:\Windows\SysWOW64\Gfcdcl32.dll Lehfafgp.exe File created C:\Windows\SysWOW64\Fqhelqjm.dll Ooemcb32.exe File opened for modification C:\Windows\SysWOW64\Giejkp32.exe Gplebjbk.exe File opened for modification C:\Windows\SysWOW64\Mecbjd32.exe Mjmnmk32.exe File opened for modification C:\Windows\SysWOW64\Ikjlmjmp.exe Iencdc32.exe File opened for modification C:\Windows\SysWOW64\Jmkmjoec.exe Jllqplnp.exe File created C:\Windows\SysWOW64\Nabcho32.dll Iianmlfn.exe File created C:\Windows\SysWOW64\Epjecp32.dll Qnqjkh32.exe File created C:\Windows\SysWOW64\Lbhmok32.exe Lgbibb32.exe File created C:\Windows\SysWOW64\Lkfdfo32.exe Lfilnh32.exe File created C:\Windows\SysWOW64\Okkfmmqj.exe Omgfdhbq.exe File created C:\Windows\SysWOW64\Hgajdjlj.dll Jmkmjoec.exe File created C:\Windows\SysWOW64\Pbblkaea.exe Pdnkanfg.exe File created C:\Windows\SysWOW64\Ljmien32.dll Qidckjae.exe File created C:\Windows\SysWOW64\Fjecidcb.dll Dnfjiali.exe File created C:\Windows\SysWOW64\Omeini32.exe Nalldh32.exe File created C:\Windows\SysWOW64\Paiche32.exe Phaoppja.exe File opened for modification C:\Windows\SysWOW64\Jmibmhoj.exe Joebccpp.exe File created C:\Windows\SysWOW64\Jjmcfl32.exe Jcckibfg.exe File created C:\Windows\SysWOW64\Bdmhhh32.dll Oemhjlha.exe File created C:\Windows\SysWOW64\Pmibhn32.dll Jafmngde.exe File created C:\Windows\SysWOW64\Lekghdad.exe Llbconkd.exe File opened for modification C:\Windows\SysWOW64\Nkaane32.exe Ncfmjc32.exe File created C:\Windows\SysWOW64\Dajgfboj.exe Cagjqbam.exe File opened for modification C:\Windows\SysWOW64\Kaholp32.exe Khojcj32.exe File created C:\Windows\SysWOW64\Mghomh32.dll Kaholp32.exe File opened for modification C:\Windows\SysWOW64\Ldhgnk32.exe Lolofd32.exe File created C:\Windows\SysWOW64\Gaocdi32.dll Qmepanje.exe File opened for modification C:\Windows\SysWOW64\Pogegeoj.exe Pncljmko.exe File created C:\Windows\SysWOW64\Dodohnaa.dll Adgein32.exe File opened for modification C:\Windows\SysWOW64\Ceickb32.exe Bmnofp32.exe File opened for modification C:\Windows\SysWOW64\Ebofcd32.exe Eqnillbb.exe File created C:\Windows\SysWOW64\Gonakpgj.dll Ppcmfn32.exe File opened for modification C:\Windows\SysWOW64\Lcdjpfgh.exe Lkifkdjm.exe File created C:\Windows\SysWOW64\Qjdgpcmd.exe Pnnfkb32.exe File created C:\Windows\SysWOW64\Okkiakec.dll Eblpke32.exe File created C:\Windows\SysWOW64\Copblmbb.dll Hhoeii32.exe File opened for modification C:\Windows\SysWOW64\Dekeeonn.exe Dlbaljhn.exe File opened for modification C:\Windows\SysWOW64\Nlocka32.exe Naionh32.exe File created C:\Windows\SysWOW64\Oadilg32.dll Qlgndbil.exe File created C:\Windows\SysWOW64\Gpboioea.dll Olimlf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 1724 1468 WerFault.exe 610 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejgeogmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igcjgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cojghf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhbmip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fedfgejh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfacdqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcnfdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjpkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhfjpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajmfca32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpeafo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfmqmgbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enbogmnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdifa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkfdfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfgdij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gplebjbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jidbifmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gampaipe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aebakp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmgifa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebabicfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 96e84783269b4e04bd857a91955c50fa922ebd076d494eb49357f5ea1a7431c3N.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhkghqpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgfiocfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mecbjd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pepfnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aalofa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfiaojkq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bikfklni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jempcgad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hijhhl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glkgcmbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akgibd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjoiiffo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oibohdmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efmlqigc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcgeilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blnkbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alddjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgfmep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpgjnbnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdepmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiedfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbngfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgdfgbhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mddibb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghgfekpn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opjkpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjppfl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhmkbhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dflmpebj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgbibb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Capmemci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Meeopdhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egebjmdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjlmjmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfkhch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilgjhena.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbblkaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cagjqbam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fihalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jopbnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emoldlmc.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nkehql32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Paafmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pgcnnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkbhmg32.dll" Gfgdij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgbddi32.dll" Nmmjjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abbhje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pndcenao.dll" Giejkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Makkcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lehfafgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oibohdmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pehebbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffemqioj.dll" Ajamfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nanfqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmkmjoec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jplfkjbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgfdgq32.dll" Iokfjf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ohmoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmddhe32.dll" Dlchfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcqoqi32.dll" Hdhnal32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlhmkbhb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmcmif32.dll" Lpdankjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dajgfboj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dflmpebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqkelimm.dll" Hogcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gibcam32.dll" Mifkfhpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jlghpa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eadbpdla.dll" Cgnnab32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojblbgdg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mgnfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iokfjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mgnfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bpjnmlel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kglgpo32.dll" Ffboohnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdqifajl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ocfkaone.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmchaflb.dll" Ihbdhepp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccpqjfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Chocodch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Befnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ecoihm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gfdaid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlbaljhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Joebccpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mhfhaoec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idohdhbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jqoljf32.dll" Ogbldk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmhdkakc.dll" Befnbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdnkanfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbghdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhdmph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Enbogmnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mnncii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adhglggg.dll" Ckmbdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mioeeifi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Olalpdbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kjkbpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ideopekg.dll" Hhadgakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbbngc32.dll" Iegeonpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojkeah32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fpgnoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehlkfn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acjdgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfleblle.dll" Lmcilp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hlbpme32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1728 wrote to memory of 2532 1728 96e84783269b4e04bd857a91955c50fa922ebd076d494eb49357f5ea1a7431c3N.exe 31 PID 1728 wrote to memory of 2532 1728 96e84783269b4e04bd857a91955c50fa922ebd076d494eb49357f5ea1a7431c3N.exe 31 PID 1728 wrote to memory of 2532 1728 96e84783269b4e04bd857a91955c50fa922ebd076d494eb49357f5ea1a7431c3N.exe 31 PID 1728 wrote to memory of 2532 1728 96e84783269b4e04bd857a91955c50fa922ebd076d494eb49357f5ea1a7431c3N.exe 31 PID 2532 wrote to memory of 2476 2532 Qhilkege.exe 32 PID 2532 wrote to memory of 2476 2532 Qhilkege.exe 32 PID 2532 wrote to memory of 2476 2532 Qhilkege.exe 32 PID 2532 wrote to memory of 2476 2532 Qhilkege.exe 32 PID 2476 wrote to memory of 2796 2476 Qkielpdf.exe 33 PID 2476 wrote to memory of 2796 2476 Qkielpdf.exe 33 PID 2476 wrote to memory of 2796 2476 Qkielpdf.exe 33 PID 2476 wrote to memory of 2796 2476 Qkielpdf.exe 33 PID 2796 wrote to memory of 2720 2796 Aeoijidl.exe 34 PID 2796 wrote to memory of 2720 2796 Aeoijidl.exe 34 PID 2796 wrote to memory of 2720 2796 Aeoijidl.exe 34 PID 2796 wrote to memory of 2720 2796 Aeoijidl.exe 34 PID 2720 wrote to memory of 2616 2720 Ajckilei.exe 35 PID 2720 wrote to memory of 2616 2720 Ajckilei.exe 35 PID 2720 wrote to memory of 2616 2720 Ajckilei.exe 35 PID 2720 wrote to memory of 2616 2720 Ajckilei.exe 35 PID 2616 wrote to memory of 2612 2616 Alddjg32.exe 36 PID 2616 wrote to memory of 2612 2616 Alddjg32.exe 36 PID 2616 wrote to memory of 2612 2616 Alddjg32.exe 36 PID 2616 wrote to memory of 2612 2616 Alddjg32.exe 36 PID 2612 wrote to memory of 2644 2612 Bfoeil32.exe 37 PID 2612 wrote to memory of 2644 2612 Bfoeil32.exe 37 PID 2612 wrote to memory of 2644 2612 Bfoeil32.exe 37 PID 2612 wrote to memory of 2644 2612 Bfoeil32.exe 37 PID 2644 wrote to memory of 2580 2644 Bfabnl32.exe 38 PID 2644 wrote to memory of 2580 2644 Bfabnl32.exe 38 PID 2644 wrote to memory of 2580 2644 Bfabnl32.exe 38 PID 2644 wrote to memory of 2580 2644 Bfabnl32.exe 38 PID 2580 wrote to memory of 1624 2580 Bknjfb32.exe 39 PID 2580 wrote to memory of 1624 2580 Bknjfb32.exe 39 PID 2580 wrote to memory of 1624 2580 Bknjfb32.exe 39 PID 2580 wrote to memory of 1624 2580 Bknjfb32.exe 39 PID 1624 wrote to memory of 2940 1624 Bnochnpm.exe 40 PID 1624 wrote to memory of 2940 1624 Bnochnpm.exe 40 PID 1624 wrote to memory of 2940 1624 Bnochnpm.exe 40 PID 1624 wrote to memory of 2940 1624 Bnochnpm.exe 40 PID 2940 wrote to memory of 1460 2940 Bnapnm32.exe 41 PID 2940 wrote to memory of 1460 2940 Bnapnm32.exe 41 PID 2940 wrote to memory of 1460 2940 Bnapnm32.exe 41 PID 2940 wrote to memory of 1460 2940 Bnapnm32.exe 41 PID 1460 wrote to memory of 2020 1460 Cmfmojcb.exe 42 PID 1460 wrote to memory of 2020 1460 Cmfmojcb.exe 42 PID 1460 wrote to memory of 2020 1460 Cmfmojcb.exe 42 PID 1460 wrote to memory of 2020 1460 Cmfmojcb.exe 42 PID 2020 wrote to memory of 2404 2020 Cgnnab32.exe 43 PID 2020 wrote to memory of 2404 2020 Cgnnab32.exe 43 PID 2020 wrote to memory of 2404 2020 Cgnnab32.exe 43 PID 2020 wrote to memory of 2404 2020 Cgnnab32.exe 43 PID 2404 wrote to memory of 2340 2404 Cfckcoen.exe 44 PID 2404 wrote to memory of 2340 2404 Cfckcoen.exe 44 PID 2404 wrote to memory of 2340 2404 Cfckcoen.exe 44 PID 2404 wrote to memory of 2340 2404 Cfckcoen.exe 44 PID 2340 wrote to memory of 2792 2340 Cehhdkjf.exe 45 PID 2340 wrote to memory of 2792 2340 Cehhdkjf.exe 45 PID 2340 wrote to memory of 2792 2340 Cehhdkjf.exe 45 PID 2340 wrote to memory of 2792 2340 Cehhdkjf.exe 45 PID 2792 wrote to memory of 1200 2792 Dnqlmq32.exe 46 PID 2792 wrote to memory of 1200 2792 Dnqlmq32.exe 46 PID 2792 wrote to memory of 1200 2792 Dnqlmq32.exe 46 PID 2792 wrote to memory of 1200 2792 Dnqlmq32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\96e84783269b4e04bd857a91955c50fa922ebd076d494eb49357f5ea1a7431c3N.exe"C:\Users\Admin\AppData\Local\Temp\96e84783269b4e04bd857a91955c50fa922ebd076d494eb49357f5ea1a7431c3N.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Qhilkege.exeC:\Windows\system32\Qhilkege.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Qkielpdf.exeC:\Windows\system32\Qkielpdf.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2476 -
C:\Windows\SysWOW64\Aeoijidl.exeC:\Windows\system32\Aeoijidl.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2796 -
C:\Windows\SysWOW64\Ajckilei.exeC:\Windows\system32\Ajckilei.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2720 -
C:\Windows\SysWOW64\Alddjg32.exeC:\Windows\system32\Alddjg32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Bfoeil32.exeC:\Windows\system32\Bfoeil32.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2612 -
C:\Windows\SysWOW64\Bfabnl32.exeC:\Windows\system32\Bfabnl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Bknjfb32.exeC:\Windows\system32\Bknjfb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2580 -
C:\Windows\SysWOW64\Bnochnpm.exeC:\Windows\system32\Bnochnpm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Bnapnm32.exeC:\Windows\system32\Bnapnm32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2940 -
C:\Windows\SysWOW64\Cmfmojcb.exeC:\Windows\system32\Cmfmojcb.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\SysWOW64\Cgnnab32.exeC:\Windows\system32\Cgnnab32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2020 -
C:\Windows\SysWOW64\Cfckcoen.exeC:\Windows\system32\Cfckcoen.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Cehhdkjf.exeC:\Windows\system32\Cehhdkjf.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Dnqlmq32.exeC:\Windows\system32\Dnqlmq32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Demaoj32.exeC:\Windows\system32\Demaoj32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1200 -
C:\Windows\SysWOW64\Dnhbmpkn.exeC:\Windows\system32\Dnhbmpkn.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Windows\SysWOW64\Dpklkgoj.exeC:\Windows\system32\Dpklkgoj.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1160 -
C:\Windows\SysWOW64\Emoldlmc.exeC:\Windows\system32\Emoldlmc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:932 -
C:\Windows\SysWOW64\Eldiehbk.exeC:\Windows\system32\Eldiehbk.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Elgfkhpi.exeC:\Windows\system32\Elgfkhpi.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2012 -
C:\Windows\SysWOW64\Fbegbacp.exeC:\Windows\system32\Fbegbacp.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Fkqlgc32.exeC:\Windows\system32\Fkqlgc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Fhdmph32.exeC:\Windows\system32\Fhdmph32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Fkefbcmf.exeC:\Windows\system32\Fkefbcmf.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1216 -
C:\Windows\SysWOW64\Fkhbgbkc.exeC:\Windows\system32\Fkhbgbkc.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Glklejoo.exeC:\Windows\system32\Glklejoo.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Gonale32.exeC:\Windows\system32\Gonale32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Ghgfekpn.exeC:\Windows\system32\Ghgfekpn.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2748 -
C:\Windows\SysWOW64\Gdnfjl32.exeC:\Windows\system32\Gdnfjl32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Hadcipbi.exeC:\Windows\system32\Hadcipbi.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2604 -
C:\Windows\SysWOW64\Hoqjqhjf.exeC:\Windows\system32\Hoqjqhjf.exe33⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Iikkon32.exeC:\Windows\system32\Iikkon32.exe34⤵
- Executes dropped EXE
PID:2576 -
C:\Windows\SysWOW64\Ibfmmb32.exeC:\Windows\system32\Ibfmmb32.exe35⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Iegeonpc.exeC:\Windows\system32\Iegeonpc.exe36⤵
- Executes dropped EXE
- Modifies registry class
PID:2960 -
C:\Windows\SysWOW64\Ieibdnnp.exeC:\Windows\system32\Ieibdnnp.exe37⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Jpbcek32.exeC:\Windows\system32\Jpbcek32.exe38⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Jfmkbebl.exeC:\Windows\system32\Jfmkbebl.exe39⤵
- Executes dropped EXE
PID:804 -
C:\Windows\SysWOW64\Jpepkk32.exeC:\Windows\system32\Jpepkk32.exe40⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Jllqplnp.exeC:\Windows\system32\Jllqplnp.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Jmkmjoec.exeC:\Windows\system32\Jmkmjoec.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Jbhebfck.exeC:\Windows\system32\Jbhebfck.exe43⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Jplfkjbd.exeC:\Windows\system32\Jplfkjbd.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:936 -
C:\Windows\SysWOW64\Kambcbhb.exeC:\Windows\system32\Kambcbhb.exe45⤵
- Executes dropped EXE
PID:844 -
C:\Windows\SysWOW64\Koaclfgl.exeC:\Windows\system32\Koaclfgl.exe46⤵
- Executes dropped EXE
PID:904 -
C:\Windows\SysWOW64\Kjhcag32.exeC:\Windows\system32\Kjhcag32.exe47⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Kmimcbja.exeC:\Windows\system32\Kmimcbja.exe48⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Kkmmlgik.exeC:\Windows\system32\Kkmmlgik.exe49⤵
- Executes dropped EXE
PID:3060 -
C:\Windows\SysWOW64\Kbhbai32.exeC:\Windows\system32\Kbhbai32.exe50⤵
- Executes dropped EXE
PID:2328 -
C:\Windows\SysWOW64\Llpfjomf.exeC:\Windows\system32\Llpfjomf.exe51⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Llbconkd.exeC:\Windows\system32\Llbconkd.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:884 -
C:\Windows\SysWOW64\Lekghdad.exeC:\Windows\system32\Lekghdad.exe53⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Liipnb32.exeC:\Windows\system32\Liipnb32.exe54⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Lohelidp.exeC:\Windows\system32\Lohelidp.exe55⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Mnmbme32.exeC:\Windows\system32\Mnmbme32.exe56⤵
- Executes dropped EXE
PID:2844 -
C:\Windows\SysWOW64\Mhcfjnhm.exeC:\Windows\system32\Mhcfjnhm.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2640 -
C:\Windows\SysWOW64\Makkcc32.exeC:\Windows\system32\Makkcc32.exe58⤵
- Executes dropped EXE
- Modifies registry class
PID:2636 -
C:\Windows\SysWOW64\Mnblhddb.exeC:\Windows\system32\Mnblhddb.exe59⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Mfmqmgbm.exeC:\Windows\system32\Mfmqmgbm.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2992 -
C:\Windows\SysWOW64\Mqbejp32.exeC:\Windows\system32\Mqbejp32.exe61⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Nohaklfk.exeC:\Windows\system32\Nohaklfk.exe62⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Njmfhe32.exeC:\Windows\system32\Njmfhe32.exe63⤵
- Executes dropped EXE
PID:1988 -
C:\Windows\SysWOW64\Nbhkmg32.exeC:\Windows\system32\Nbhkmg32.exe64⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Nmnojp32.exeC:\Windows\system32\Nmnojp32.exe65⤵
- Executes dropped EXE
PID:3016 -
C:\Windows\SysWOW64\Ndicnb32.exeC:\Windows\system32\Ndicnb32.exe66⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1468 -
C:\Windows\SysWOW64\Noohlkpc.exeC:\Windows\system32\Noohlkpc.exe67⤵PID:764
-
C:\Windows\SysWOW64\Nkehql32.exeC:\Windows\system32\Nkehql32.exe68⤵
- Modifies registry class
PID:3032 -
C:\Windows\SysWOW64\Nbpqmfmd.exeC:\Windows\system32\Nbpqmfmd.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1092 -
C:\Windows\SysWOW64\Ncamen32.exeC:\Windows\system32\Ncamen32.exe70⤵PID:2456
-
C:\Windows\SysWOW64\Ojkeah32.exeC:\Windows\system32\Ojkeah32.exe71⤵
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Ogofkm32.exeC:\Windows\system32\Ogofkm32.exe72⤵PID:2368
-
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe73⤵
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Oibohdmd.exeC:\Windows\system32\Oibohdmd.exe74⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Oplgeoea.exeC:\Windows\system32\Oplgeoea.exe75⤵PID:2736
-
C:\Windows\SysWOW64\Ojblbgdg.exeC:\Windows\system32\Ojblbgdg.exe76⤵
- Modifies registry class
PID:2768 -
C:\Windows\SysWOW64\Olchjp32.exeC:\Windows\system32\Olchjp32.exe77⤵PID:1244
-
C:\Windows\SysWOW64\Oighcd32.exeC:\Windows\system32\Oighcd32.exe78⤵PID:2948
-
C:\Windows\SysWOW64\Pndalkgf.exeC:\Windows\system32\Pndalkgf.exe79⤵PID:1676
-
C:\Windows\SysWOW64\Ppcmfn32.exeC:\Windows\system32\Ppcmfn32.exe80⤵
- Drops file in System32 directory
PID:2008 -
C:\Windows\SysWOW64\Pepfnd32.exeC:\Windows\system32\Pepfnd32.exe81⤵
- System Location Discovery: System Language Discovery
PID:2092 -
C:\Windows\SysWOW64\Pbdfgilj.exeC:\Windows\system32\Pbdfgilj.exe82⤵PID:2060
-
C:\Windows\SysWOW64\Phaoppja.exeC:\Windows\system32\Phaoppja.exe83⤵
- Drops file in System32 directory
PID:3004 -
C:\Windows\SysWOW64\Paiche32.exeC:\Windows\system32\Paiche32.exe84⤵PID:948
-
C:\Windows\SysWOW64\Pjahakgb.exeC:\Windows\system32\Pjahakgb.exe85⤵PID:1132
-
C:\Windows\SysWOW64\Pdjljpnc.exeC:\Windows\system32\Pdjljpnc.exe86⤵PID:276
-
C:\Windows\SysWOW64\Qigebglj.exeC:\Windows\system32\Qigebglj.exe87⤵PID:268
-
C:\Windows\SysWOW64\Qboikm32.exeC:\Windows\system32\Qboikm32.exe88⤵PID:2296
-
C:\Windows\SysWOW64\Qlgndbil.exeC:\Windows\system32\Qlgndbil.exe89⤵
- Drops file in System32 directory
PID:1600 -
C:\Windows\SysWOW64\Qbafalph.exeC:\Windows\system32\Qbafalph.exe90⤵PID:2856
-
C:\Windows\SysWOW64\Amgjnepn.exeC:\Windows\system32\Amgjnepn.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3040 -
C:\Windows\SysWOW64\Abdbflnf.exeC:\Windows\system32\Abdbflnf.exe92⤵PID:2972
-
C:\Windows\SysWOW64\Bccoeo32.exeC:\Windows\system32\Bccoeo32.exe93⤵PID:2840
-
C:\Windows\SysWOW64\Bjngbihn.exeC:\Windows\system32\Bjngbihn.exe94⤵PID:2784
-
C:\Windows\SysWOW64\Bdckobhd.exeC:\Windows\system32\Bdckobhd.exe95⤵PID:2200
-
C:\Windows\SysWOW64\Blnpddeo.exeC:\Windows\system32\Blnpddeo.exe96⤵PID:1920
-
C:\Windows\SysWOW64\Bgddam32.exeC:\Windows\system32\Bgddam32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1652 -
C:\Windows\SysWOW64\Booiep32.exeC:\Windows\system32\Booiep32.exe98⤵PID:2272
-
C:\Windows\SysWOW64\Baneak32.exeC:\Windows\system32\Baneak32.exe99⤵PID:288
-
C:\Windows\SysWOW64\Ckfjjqhd.exeC:\Windows\system32\Ckfjjqhd.exe100⤵PID:1552
-
C:\Windows\SysWOW64\Cfknhi32.exeC:\Windows\system32\Cfknhi32.exe101⤵
- Drops file in System32 directory
PID:572 -
C:\Windows\SysWOW64\Cngcll32.exeC:\Windows\system32\Cngcll32.exe102⤵PID:556
-
C:\Windows\SysWOW64\Chlgid32.exeC:\Windows\system32\Chlgid32.exe103⤵PID:1696
-
C:\Windows\SysWOW64\Cbdkbjkl.exeC:\Windows\system32\Cbdkbjkl.exe104⤵PID:2488
-
C:\Windows\SysWOW64\Chocodch.exeC:\Windows\system32\Chocodch.exe105⤵
- Modifies registry class
PID:2880 -
C:\Windows\SysWOW64\Cjppfl32.exeC:\Windows\system32\Cjppfl32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:664 -
C:\Windows\SysWOW64\Cmqihg32.exeC:\Windows\system32\Cmqihg32.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2956 -
C:\Windows\SysWOW64\Dgfmep32.exeC:\Windows\system32\Dgfmep32.exe108⤵
- System Location Discovery: System Language Discovery
PID:2668 -
C:\Windows\SysWOW64\Dghjkpck.exeC:\Windows\system32\Dghjkpck.exe109⤵PID:1072
-
C:\Windows\SysWOW64\Dmebcgbb.exeC:\Windows\system32\Dmebcgbb.exe110⤵PID:520
-
C:\Windows\SysWOW64\Dbbklnpj.exeC:\Windows\system32\Dbbklnpj.exe111⤵PID:2500
-
C:\Windows\SysWOW64\Dilchhgg.exeC:\Windows\system32\Dilchhgg.exe112⤵PID:3048
-
C:\Windows\SysWOW64\Dpfkeb32.exeC:\Windows\system32\Dpfkeb32.exe113⤵PID:1148
-
C:\Windows\SysWOW64\Decdmi32.exeC:\Windows\system32\Decdmi32.exe114⤵PID:1264
-
C:\Windows\SysWOW64\Dfbqgldn.exeC:\Windows\system32\Dfbqgldn.exe115⤵PID:1804
-
C:\Windows\SysWOW64\Eloipb32.exeC:\Windows\system32\Eloipb32.exe116⤵PID:1284
-
C:\Windows\SysWOW64\Egfjdchi.exeC:\Windows\system32\Egfjdchi.exe117⤵PID:1968
-
C:\Windows\SysWOW64\Ecmjid32.exeC:\Windows\system32\Ecmjid32.exe118⤵PID:856
-
C:\Windows\SysWOW64\Enbogmnc.exeC:\Windows\system32\Enbogmnc.exe119⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2600 -
C:\Windows\SysWOW64\Ecogodlk.exeC:\Windows\system32\Ecogodlk.exe120⤵PID:2820
-
C:\Windows\SysWOW64\Emgkhj32.exeC:\Windows\system32\Emgkhj32.exe121⤵PID:568
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-