Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
15s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
05/12/2024, 06:18
Behavioral task
behavioral1
Sample
05cca3f3571178abba310a865b564ac43832d6bfe7ae1968e0afc6ef2fcba983N.exe
Resource
win7-20240729-en
windows7-x64
12 signatures
120 seconds
General
-
Target
05cca3f3571178abba310a865b564ac43832d6bfe7ae1968e0afc6ef2fcba983N.exe
-
Size
93KB
-
MD5
dd61b1a97ef9dba9376a511632190dd0
-
SHA1
01257d29d62e953c61da1be473e7d03071edd255
-
SHA256
05cca3f3571178abba310a865b564ac43832d6bfe7ae1968e0afc6ef2fcba983
-
SHA512
8a38cde7180468977960655f0b857f9b56941f58436ee357b32b687f3180c6e0f9bf1851586885394b09382267f319988a4b8cc12b7cec8466edb0ebc4ac3c52
-
SSDEEP
1536:wW7a1KqrewF7nVV3L1FkdyaAiDto1DaYfMZRWuLsV+15:vmFFz78dgiRogYfc0DV+15
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oebffm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahlnmjkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akmgoehg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bohoogbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Deljfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ephhmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elaego32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggphji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" 05cca3f3571178abba310a865b564ac43832d6bfe7ae1968e0afc6ef2fcba983N.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nqgngk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Effidg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbdpjgjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fokaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpojlp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gohqhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmojfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amdmkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbbcdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Febmfcjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdloab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opcaiggo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ejpipf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eelfedpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faljqcmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hobcok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjnaehgj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odgchjhl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Achlch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbflkcao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhlogo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjpakdbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hnbgdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hkfgnldd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hngppgae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ckopch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfknjfbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deljfqmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebmjihqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fbbcdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iiekkdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Blgfml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cocbbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eenckc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ggmldj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkfgnldd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hdailaib.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajbdpblo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bfnnpbnn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cnpieceq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cqcomn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcojbm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fofhdidp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feppqc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fljhmmci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fangfcki.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Glongpao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oakcan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bgfdjfkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnmlpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cqcomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Giikkehc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbmcjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oepianef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccmanjch.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 2704 Mgjpcf32.exe 2728 Nndhpqma.exe 3036 Nqbdllld.exe 3020 Niilmi32.exe 2312 Ndpmbjbk.exe 2660 Nkjeod32.exe 2588 Nqgngk32.exe 2716 Ngafdepl.exe 2384 Nqijmkfm.exe 2992 Ncggifep.exe 476 Nidoamch.exe 2708 Npngng32.exe 2984 Nbmcjc32.exe 1028 Ojdlkp32.exe 3040 Olehbh32.exe 2216 Obopobhe.exe 2228 Olgehh32.exe 1988 Opcaiggo.exe 2232 Obamebfc.exe 1908 Oepianef.exe 292 Oikeal32.exe 1972 Oljanhmc.exe 1880 Obdjjb32.exe 928 Oebffm32.exe 3068 Onkjocjd.exe 2088 Oaiglnih.exe 2800 Odgchjhl.exe 2736 Olokighn.exe 1592 Onmgeb32.exe 2644 Oakcan32.exe 2612 Pjchjcmf.exe 1460 Pmbdfolj.exe 2656 Pjfdpckc.exe 1708 Pmdalo32.exe 2328 Pjhaec32.exe 1016 Pljnmkoo.exe 2864 Pfobjdoe.exe 2972 Pinnfonh.exe 792 Ppgfciee.exe 1876 Pbfcoedi.exe 1740 Phckglbq.exe 2256 Qlnghj32.exe 2220 Qeglqpaj.exe 3032 Qlqdmj32.exe 1920 Qamleagn.exe 316 Ahgdbk32.exe 1964 Alcqcjgd.exe 1488 Amdmkb32.exe 2196 Aapikqel.exe 1192 Agmacgcc.exe 2192 Akhndf32.exe 2836 Aodjdede.exe 2768 Apeflmjc.exe 2788 Ahlnmjkf.exe 2616 Agonig32.exe 668 Aniffaim.exe 2156 Apgcbmha.exe 2720 Akmgoehg.exe 2868 Ankckagj.exe 2172 Apjpglfn.exe 1852 Achlch32.exe 2236 Aefhpc32.exe 2380 Ajbdpblo.exe 772 Alqplmlb.exe -
Loads dropped DLL 64 IoCs
pid Process 1456 05cca3f3571178abba310a865b564ac43832d6bfe7ae1968e0afc6ef2fcba983N.exe 1456 05cca3f3571178abba310a865b564ac43832d6bfe7ae1968e0afc6ef2fcba983N.exe 2704 Mgjpcf32.exe 2704 Mgjpcf32.exe 2728 Nndhpqma.exe 2728 Nndhpqma.exe 3036 Nqbdllld.exe 3036 Nqbdllld.exe 3020 Niilmi32.exe 3020 Niilmi32.exe 2312 Ndpmbjbk.exe 2312 Ndpmbjbk.exe 2660 Nkjeod32.exe 2660 Nkjeod32.exe 2588 Nqgngk32.exe 2588 Nqgngk32.exe 2716 Ngafdepl.exe 2716 Ngafdepl.exe 2384 Nqijmkfm.exe 2384 Nqijmkfm.exe 2992 Ncggifep.exe 2992 Ncggifep.exe 476 Nidoamch.exe 476 Nidoamch.exe 2708 Npngng32.exe 2708 Npngng32.exe 2984 Nbmcjc32.exe 2984 Nbmcjc32.exe 1028 Ojdlkp32.exe 1028 Ojdlkp32.exe 3040 Olehbh32.exe 3040 Olehbh32.exe 2216 Obopobhe.exe 2216 Obopobhe.exe 2228 Olgehh32.exe 2228 Olgehh32.exe 1988 Opcaiggo.exe 1988 Opcaiggo.exe 2232 Obamebfc.exe 2232 Obamebfc.exe 1908 Oepianef.exe 1908 Oepianef.exe 292 Oikeal32.exe 292 Oikeal32.exe 1972 Oljanhmc.exe 1972 Oljanhmc.exe 1880 Obdjjb32.exe 1880 Obdjjb32.exe 928 Oebffm32.exe 928 Oebffm32.exe 3068 Onkjocjd.exe 3068 Onkjocjd.exe 2088 Oaiglnih.exe 2088 Oaiglnih.exe 2800 Odgchjhl.exe 2800 Odgchjhl.exe 2736 Olokighn.exe 2736 Olokighn.exe 1592 Onmgeb32.exe 1592 Onmgeb32.exe 2644 Oakcan32.exe 2644 Oakcan32.exe 2612 Pjchjcmf.exe 2612 Pjchjcmf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ebmjihqn.exe Eponmmaj.exe File created C:\Windows\SysWOW64\Ecbjdbcp.dll Hnimeg32.exe File created C:\Windows\SysWOW64\Didlinpd.dll Aniffaim.exe File created C:\Windows\SysWOW64\Edlmlclc.dll Edfqclni.exe File created C:\Windows\SysWOW64\Gngcgmgi.dll Ejpipf32.exe File created C:\Windows\SysWOW64\Fhfbmn32.exe Fpojlp32.exe File created C:\Windows\SysWOW64\Laodbj32.dll Hnbgdh32.exe File created C:\Windows\SysWOW64\Iqgaenpf.dll Hgkknm32.exe File created C:\Windows\SysWOW64\Nkjeod32.exe Ndpmbjbk.exe File created C:\Windows\SysWOW64\Oebffm32.exe Obdjjb32.exe File created C:\Windows\SysWOW64\Amdmkb32.exe Alcqcjgd.exe File opened for modification C:\Windows\SysWOW64\Apjpglfn.exe Ankckagj.exe File created C:\Windows\SysWOW64\Dhmchljg.exe Dcaghm32.exe File created C:\Windows\SysWOW64\Onmgeb32.exe Olokighn.exe File opened for modification C:\Windows\SysWOW64\Amdmkb32.exe Alcqcjgd.exe File created C:\Windows\SysWOW64\Ghifhnnl.dll Alcqcjgd.exe File opened for modification C:\Windows\SysWOW64\Pmbdfolj.exe Pjchjcmf.exe File created C:\Windows\SysWOW64\Ngnlaehe.dll Faimkd32.exe File created C:\Windows\SysWOW64\Nmamgl32.dll Gljdlq32.exe File created C:\Windows\SysWOW64\Odgchjhl.exe Oaiglnih.exe File created C:\Windows\SysWOW64\Chmpml32.dll Pjchjcmf.exe File created C:\Windows\SysWOW64\Qmhfaj32.dll Cdgdlnop.exe File opened for modification C:\Windows\SysWOW64\Cqneaodd.exe Cnpieceq.exe File created C:\Windows\SysWOW64\Cfknjfbl.exe Ccmanjch.exe File opened for modification C:\Windows\SysWOW64\Nndhpqma.exe Mgjpcf32.exe File opened for modification C:\Windows\SysWOW64\Nqijmkfm.exe Ngafdepl.exe File opened for modification C:\Windows\SysWOW64\Ojdlkp32.exe Nbmcjc32.exe File opened for modification C:\Windows\SysWOW64\Hnimeg32.exe Hjnaehgj.exe File opened for modification C:\Windows\SysWOW64\Bbdoec32.exe Bofbih32.exe File created C:\Windows\SysWOW64\Lkclin32.dll Febmfcjj.exe File created C:\Windows\SysWOW64\Gphmbolk.exe Ghaeaaki.exe File opened for modification C:\Windows\SysWOW64\Gomjckqc.exe Glongpao.exe File opened for modification C:\Windows\SysWOW64\Olgehh32.exe Obopobhe.exe File opened for modification C:\Windows\SysWOW64\Onmgeb32.exe Olokighn.exe File opened for modification C:\Windows\SysWOW64\Agonig32.exe Ahlnmjkf.exe File created C:\Windows\SysWOW64\Pfplmh32.dll Hgmhcm32.exe File opened for modification C:\Windows\SysWOW64\Obdjjb32.exe Oljanhmc.exe File created C:\Windows\SysWOW64\Ccakij32.exe Cqcomn32.exe File created C:\Windows\SysWOW64\Nlqgnc32.dll Dbkaee32.exe File created C:\Windows\SysWOW64\Ajqmqmfm.dll Hmojfcdk.exe File created C:\Windows\SysWOW64\Hiegacgd.dll Pinnfonh.exe File opened for modification C:\Windows\SysWOW64\Eelfedpa.exe Ebmjihqn.exe File opened for modification C:\Windows\SysWOW64\Gljdlq32.exe Gngdadoj.exe File created C:\Windows\SysWOW64\Lekjbf32.dll Ginefe32.exe File created C:\Windows\SysWOW64\Hnbgdh32.exe Hkdkhl32.exe File opened for modification C:\Windows\SysWOW64\Hgmhcm32.exe Hdolga32.exe File opened for modification C:\Windows\SysWOW64\Bhgaan32.exe Bjdqfajl.exe File created C:\Windows\SysWOW64\Dcelqihb.dll Dcojbm32.exe File opened for modification C:\Windows\SysWOW64\Elaego32.exe Eibikc32.exe File created C:\Windows\SysWOW64\Agednnhp.dll Hchbcmlh.exe File created C:\Windows\SysWOW64\Hbjbmonp.dll Cfknjfbl.exe File created C:\Windows\SysWOW64\Eenckc32.exe Ebpgoh32.exe File opened for modification C:\Windows\SysWOW64\Fokaoh32.exe Fhaibnim.exe File created C:\Windows\SysWOW64\Inhpjehm.dll Opcaiggo.exe File opened for modification C:\Windows\SysWOW64\Epjdbn32.exe Emlhfb32.exe File opened for modification C:\Windows\SysWOW64\Fkmhij32.exe Fljhmmci.exe File created C:\Windows\SysWOW64\Oaiglnih.exe Onkjocjd.exe File created C:\Windows\SysWOW64\Bgagnjbi.exe Bdbkaoce.exe File opened for modification C:\Windows\SysWOW64\Effidg32.exe Ebkndibq.exe File opened for modification C:\Windows\SysWOW64\Nqbdllld.exe Nndhpqma.exe File opened for modification C:\Windows\SysWOW64\Dnbbjf32.exe Dlcfnk32.exe File created C:\Windows\SysWOW64\Fbdpjgjf.exe Fkmhij32.exe File created C:\Windows\SysWOW64\Affdii32.dll Bhljlnma.exe File created C:\Windows\SysWOW64\Cqneaodd.exe Cnpieceq.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3400 3380 WerFault.exe 236 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppgfciee.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfnnpbnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbbcdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqhiab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojdlkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocbbk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ejpipf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhlogo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fokaoh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nndhpqma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjfdpckc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckopch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnbbjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebmjihqn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apgcbmha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcojbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgehh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bofbih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpedghl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Febmfcjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faimkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hngppgae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alcqcjgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Deljfqmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmojfcdk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfknjfbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cincaq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmhij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfobjdoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boolhikf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbdje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlcfnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gegbpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hobcok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apeflmjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oljanhmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlqdmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmgblphf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fljhmmci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gomjckqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niilmi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djibogkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Faljqcmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcfenn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onkjocjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apjpglfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glongpao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oebffm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edfqclni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdmcbojl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdgdlnop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmllgo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Achlch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hancef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpgee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdailaib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obamebfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opcaiggo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbflkcao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gokmnlcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjhaec32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cklpml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epakcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbdpjgjf.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Amdmkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcaghm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhaibnim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gdmcbojl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gokmnlcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hobcok32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Phckglbq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajabpehm.dll" Alqplmlb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dbidof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnbbjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gofhgafa.dll" Gohqhl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ginefe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agednnhp.dll" Hchbcmlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iiekkdjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Didlinpd.dll" Aniffaim.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qeglqpaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Benqjobn.dll" Aapikqel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ehopnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fhlogo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olehbh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaiglnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hneddmal.dll" Aefhpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoecelol.dll" Bdbkaoce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcgpig32.dll" Nqbdllld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olgehh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pmbdfolj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bdbkaoce.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgjjdijo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fbdpjgjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Koocqj32.dll" Fkbadifn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jkocglhl.dll" Ggphji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Niilmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Afmhjhpn.dll" Eenckc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Faimkd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obfoioei.dll" Hkidclbb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bbflkcao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epjdbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggphji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnahndjj.dll" Dmgokcja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iinnfbbo.dll" Obopobhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bofednkl.dll" Bpnibl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aojngh32.dll" Deljfqmf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Emilqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ephhmn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fhfbmn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nndhpqma.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncpcapia.dll" Oaiglnih.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pffjpg32.dll" Agonig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnepjk32.dll" Blejgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ckopch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naegmigc.dll" Ccmanjch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Akfalc32.dll" Cbfhjfdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fkbadifn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nqbdllld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcebdo32.dll" Hcfenn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmojfcdk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fkbadifn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bocfch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jnllio32.dll" Degqka32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejpipf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ebmjihqn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqhaap32.dll" Fgffck32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Achlch32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahlnmjkf.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1456 wrote to memory of 2704 1456 05cca3f3571178abba310a865b564ac43832d6bfe7ae1968e0afc6ef2fcba983N.exe 29 PID 1456 wrote to memory of 2704 1456 05cca3f3571178abba310a865b564ac43832d6bfe7ae1968e0afc6ef2fcba983N.exe 29 PID 1456 wrote to memory of 2704 1456 05cca3f3571178abba310a865b564ac43832d6bfe7ae1968e0afc6ef2fcba983N.exe 29 PID 1456 wrote to memory of 2704 1456 05cca3f3571178abba310a865b564ac43832d6bfe7ae1968e0afc6ef2fcba983N.exe 29 PID 2704 wrote to memory of 2728 2704 Mgjpcf32.exe 30 PID 2704 wrote to memory of 2728 2704 Mgjpcf32.exe 30 PID 2704 wrote to memory of 2728 2704 Mgjpcf32.exe 30 PID 2704 wrote to memory of 2728 2704 Mgjpcf32.exe 30 PID 2728 wrote to memory of 3036 2728 Nndhpqma.exe 31 PID 2728 wrote to memory of 3036 2728 Nndhpqma.exe 31 PID 2728 wrote to memory of 3036 2728 Nndhpqma.exe 31 PID 2728 wrote to memory of 3036 2728 Nndhpqma.exe 31 PID 3036 wrote to memory of 3020 3036 Nqbdllld.exe 32 PID 3036 wrote to memory of 3020 3036 Nqbdllld.exe 32 PID 3036 wrote to memory of 3020 3036 Nqbdllld.exe 32 PID 3036 wrote to memory of 3020 3036 Nqbdllld.exe 32 PID 3020 wrote to memory of 2312 3020 Niilmi32.exe 33 PID 3020 wrote to memory of 2312 3020 Niilmi32.exe 33 PID 3020 wrote to memory of 2312 3020 Niilmi32.exe 33 PID 3020 wrote to memory of 2312 3020 Niilmi32.exe 33 PID 2312 wrote to memory of 2660 2312 Ndpmbjbk.exe 34 PID 2312 wrote to memory of 2660 2312 Ndpmbjbk.exe 34 PID 2312 wrote to memory of 2660 2312 Ndpmbjbk.exe 34 PID 2312 wrote to memory of 2660 2312 Ndpmbjbk.exe 34 PID 2660 wrote to memory of 2588 2660 Nkjeod32.exe 35 PID 2660 wrote to memory of 2588 2660 Nkjeod32.exe 35 PID 2660 wrote to memory of 2588 2660 Nkjeod32.exe 35 PID 2660 wrote to memory of 2588 2660 Nkjeod32.exe 35 PID 2588 wrote to memory of 2716 2588 Nqgngk32.exe 36 PID 2588 wrote to memory of 2716 2588 Nqgngk32.exe 36 PID 2588 wrote to memory of 2716 2588 Nqgngk32.exe 36 PID 2588 wrote to memory of 2716 2588 Nqgngk32.exe 36 PID 2716 wrote to memory of 2384 2716 Ngafdepl.exe 37 PID 2716 wrote to memory of 2384 2716 Ngafdepl.exe 37 PID 2716 wrote to memory of 2384 2716 Ngafdepl.exe 37 PID 2716 wrote to memory of 2384 2716 Ngafdepl.exe 37 PID 2384 wrote to memory of 2992 2384 Nqijmkfm.exe 38 PID 2384 wrote to memory of 2992 2384 Nqijmkfm.exe 38 PID 2384 wrote to memory of 2992 2384 Nqijmkfm.exe 38 PID 2384 wrote to memory of 2992 2384 Nqijmkfm.exe 38 PID 2992 wrote to memory of 476 2992 Ncggifep.exe 39 PID 2992 wrote to memory of 476 2992 Ncggifep.exe 39 PID 2992 wrote to memory of 476 2992 Ncggifep.exe 39 PID 2992 wrote to memory of 476 2992 Ncggifep.exe 39 PID 476 wrote to memory of 2708 476 Nidoamch.exe 40 PID 476 wrote to memory of 2708 476 Nidoamch.exe 40 PID 476 wrote to memory of 2708 476 Nidoamch.exe 40 PID 476 wrote to memory of 2708 476 Nidoamch.exe 40 PID 2708 wrote to memory of 2984 2708 Npngng32.exe 41 PID 2708 wrote to memory of 2984 2708 Npngng32.exe 41 PID 2708 wrote to memory of 2984 2708 Npngng32.exe 41 PID 2708 wrote to memory of 2984 2708 Npngng32.exe 41 PID 2984 wrote to memory of 1028 2984 Nbmcjc32.exe 42 PID 2984 wrote to memory of 1028 2984 Nbmcjc32.exe 42 PID 2984 wrote to memory of 1028 2984 Nbmcjc32.exe 42 PID 2984 wrote to memory of 1028 2984 Nbmcjc32.exe 42 PID 1028 wrote to memory of 3040 1028 Ojdlkp32.exe 43 PID 1028 wrote to memory of 3040 1028 Ojdlkp32.exe 43 PID 1028 wrote to memory of 3040 1028 Ojdlkp32.exe 43 PID 1028 wrote to memory of 3040 1028 Ojdlkp32.exe 43 PID 3040 wrote to memory of 2216 3040 Olehbh32.exe 44 PID 3040 wrote to memory of 2216 3040 Olehbh32.exe 44 PID 3040 wrote to memory of 2216 3040 Olehbh32.exe 44 PID 3040 wrote to memory of 2216 3040 Olehbh32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\05cca3f3571178abba310a865b564ac43832d6bfe7ae1968e0afc6ef2fcba983N.exe"C:\Users\Admin\AppData\Local\Temp\05cca3f3571178abba310a865b564ac43832d6bfe7ae1968e0afc6ef2fcba983N.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1456 -
C:\Windows\SysWOW64\Mgjpcf32.exeC:\Windows\system32\Mgjpcf32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2704 -
C:\Windows\SysWOW64\Nndhpqma.exeC:\Windows\system32\Nndhpqma.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Nqbdllld.exeC:\Windows\system32\Nqbdllld.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3036 -
C:\Windows\SysWOW64\Niilmi32.exeC:\Windows\system32\Niilmi32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Windows\SysWOW64\Ndpmbjbk.exeC:\Windows\system32\Ndpmbjbk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Nkjeod32.exeC:\Windows\system32\Nkjeod32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Nqgngk32.exeC:\Windows\system32\Nqgngk32.exe8⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Ngafdepl.exeC:\Windows\system32\Ngafdepl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Nqijmkfm.exeC:\Windows\system32\Nqijmkfm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Ncggifep.exeC:\Windows\system32\Ncggifep.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\Nidoamch.exeC:\Windows\system32\Nidoamch.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:476 -
C:\Windows\SysWOW64\Npngng32.exeC:\Windows\system32\Npngng32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Nbmcjc32.exeC:\Windows\system32\Nbmcjc32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Ojdlkp32.exeC:\Windows\system32\Ojdlkp32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Olehbh32.exeC:\Windows\system32\Olehbh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\Obopobhe.exeC:\Windows\system32\Obopobhe.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2216 -
C:\Windows\SysWOW64\Olgehh32.exeC:\Windows\system32\Olgehh32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Opcaiggo.exeC:\Windows\system32\Opcaiggo.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1988 -
C:\Windows\SysWOW64\Obamebfc.exeC:\Windows\system32\Obamebfc.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2232 -
C:\Windows\SysWOW64\Oepianef.exeC:\Windows\system32\Oepianef.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1908 -
C:\Windows\SysWOW64\Oikeal32.exeC:\Windows\system32\Oikeal32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:292 -
C:\Windows\SysWOW64\Oljanhmc.exeC:\Windows\system32\Oljanhmc.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Obdjjb32.exeC:\Windows\system32\Obdjjb32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1880 -
C:\Windows\SysWOW64\Oebffm32.exeC:\Windows\system32\Oebffm32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:928 -
C:\Windows\SysWOW64\Onkjocjd.exeC:\Windows\system32\Onkjocjd.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3068 -
C:\Windows\SysWOW64\Oaiglnih.exeC:\Windows\system32\Oaiglnih.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2088 -
C:\Windows\SysWOW64\Odgchjhl.exeC:\Windows\system32\Odgchjhl.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2800 -
C:\Windows\SysWOW64\Olokighn.exeC:\Windows\system32\Olokighn.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Onmgeb32.exeC:\Windows\system32\Onmgeb32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Oakcan32.exeC:\Windows\system32\Oakcan32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Pjchjcmf.exeC:\Windows\system32\Pjchjcmf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Pmbdfolj.exeC:\Windows\system32\Pmbdfolj.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Pjfdpckc.exeC:\Windows\system32\Pjfdpckc.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2656 -
C:\Windows\SysWOW64\Pmdalo32.exeC:\Windows\system32\Pmdalo32.exe35⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Pjhaec32.exeC:\Windows\system32\Pjhaec32.exe36⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Pljnmkoo.exeC:\Windows\system32\Pljnmkoo.exe37⤵
- Executes dropped EXE
PID:1016 -
C:\Windows\SysWOW64\Pfobjdoe.exeC:\Windows\system32\Pfobjdoe.exe38⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Pinnfonh.exeC:\Windows\system32\Pinnfonh.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Ppgfciee.exeC:\Windows\system32\Ppgfciee.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:792 -
C:\Windows\SysWOW64\Pbfcoedi.exeC:\Windows\system32\Pbfcoedi.exe41⤵
- Executes dropped EXE
PID:1876 -
C:\Windows\SysWOW64\Phckglbq.exeC:\Windows\system32\Phckglbq.exe42⤵
- Executes dropped EXE
- Modifies registry class
PID:1740 -
C:\Windows\SysWOW64\Qlnghj32.exeC:\Windows\system32\Qlnghj32.exe43⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Qeglqpaj.exeC:\Windows\system32\Qeglqpaj.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2220 -
C:\Windows\SysWOW64\Qlqdmj32.exeC:\Windows\system32\Qlqdmj32.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Qamleagn.exeC:\Windows\system32\Qamleagn.exe46⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Ahgdbk32.exeC:\Windows\system32\Ahgdbk32.exe47⤵
- Executes dropped EXE
PID:316 -
C:\Windows\SysWOW64\Alcqcjgd.exeC:\Windows\system32\Alcqcjgd.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Amdmkb32.exeC:\Windows\system32\Amdmkb32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Aapikqel.exeC:\Windows\system32\Aapikqel.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Agmacgcc.exeC:\Windows\system32\Agmacgcc.exe51⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Akhndf32.exeC:\Windows\system32\Akhndf32.exe52⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Aodjdede.exeC:\Windows\system32\Aodjdede.exe53⤵
- Executes dropped EXE
PID:2836 -
C:\Windows\SysWOW64\Apeflmjc.exeC:\Windows\system32\Apeflmjc.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2768 -
C:\Windows\SysWOW64\Ahlnmjkf.exeC:\Windows\system32\Ahlnmjkf.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Agonig32.exeC:\Windows\system32\Agonig32.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2616 -
C:\Windows\SysWOW64\Aniffaim.exeC:\Windows\system32\Aniffaim.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Apgcbmha.exeC:\Windows\system32\Apgcbmha.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Akmgoehg.exeC:\Windows\system32\Akmgoehg.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Ankckagj.exeC:\Windows\system32\Ankckagj.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2868 -
C:\Windows\SysWOW64\Apjpglfn.exeC:\Windows\system32\Apjpglfn.exe61⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2172 -
C:\Windows\SysWOW64\Achlch32.exeC:\Windows\system32\Achlch32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1852 -
C:\Windows\SysWOW64\Aefhpc32.exeC:\Windows\system32\Aefhpc32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2236 -
C:\Windows\SysWOW64\Ajbdpblo.exeC:\Windows\system32\Ajbdpblo.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2380 -
C:\Windows\SysWOW64\Alqplmlb.exeC:\Windows\system32\Alqplmlb.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:772 -
C:\Windows\SysWOW64\Boolhikf.exeC:\Windows\system32\Boolhikf.exe66⤵
- System Location Discovery: System Language Discovery
PID:1468 -
C:\Windows\SysWOW64\Bgfdjfkh.exeC:\Windows\system32\Bgfdjfkh.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1976 -
C:\Windows\SysWOW64\Bjdqfajl.exeC:\Windows\system32\Bjdqfajl.exe68⤵
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Bhgaan32.exeC:\Windows\system32\Bhgaan32.exe69⤵PID:3016
-
C:\Windows\SysWOW64\Bpnibl32.exeC:\Windows\system32\Bpnibl32.exe70⤵
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Bapejd32.exeC:\Windows\system32\Bapejd32.exe71⤵PID:2752
-
C:\Windows\SysWOW64\Bfkakbpp.exeC:\Windows\system32\Bfkakbpp.exe72⤵PID:2840
-
C:\Windows\SysWOW64\Bhjngnod.exeC:\Windows\system32\Bhjngnod.exe73⤵PID:2824
-
C:\Windows\SysWOW64\Blejgm32.exeC:\Windows\system32\Blejgm32.exe74⤵
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Bocfch32.exeC:\Windows\system32\Bocfch32.exe75⤵
- Modifies registry class
PID:2168 -
C:\Windows\SysWOW64\Bfnnpbnn.exeC:\Windows\system32\Bfnnpbnn.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:896 -
C:\Windows\SysWOW64\Bhljlnma.exeC:\Windows\system32\Bhljlnma.exe77⤵
- Drops file in System32 directory
PID:2336 -
C:\Windows\SysWOW64\Blgfml32.exeC:\Windows\system32\Blgfml32.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2516 -
C:\Windows\SysWOW64\Bofbih32.exeC:\Windows\system32\Bofbih32.exe79⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2372 -
C:\Windows\SysWOW64\Bbdoec32.exeC:\Windows\system32\Bbdoec32.exe80⤵PID:908
-
C:\Windows\SysWOW64\Bdbkaoce.exeC:\Windows\system32\Bdbkaoce.exe81⤵
- Drops file in System32 directory
- Modifies registry class
PID:3048 -
C:\Windows\SysWOW64\Bgagnjbi.exeC:\Windows\system32\Bgagnjbi.exe82⤵PID:2252
-
C:\Windows\SysWOW64\Bohoogbk.exeC:\Windows\system32\Bohoogbk.exe83⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3044 -
C:\Windows\SysWOW64\Bbflkcao.exeC:\Windows\system32\Bbflkcao.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:824 -
C:\Windows\SysWOW64\Bdehgnqc.exeC:\Windows\system32\Bdehgnqc.exe85⤵PID:1892
-
C:\Windows\SysWOW64\Ckopch32.exeC:\Windows\system32\Ckopch32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:920 -
C:\Windows\SysWOW64\Cnmlpd32.exeC:\Windows\system32\Cnmlpd32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2944 -
C:\Windows\SysWOW64\Cbihpbpl.exeC:\Windows\system32\Cbihpbpl.exe88⤵PID:2624
-
C:\Windows\SysWOW64\Cdgdlnop.exeC:\Windows\system32\Cdgdlnop.exe89⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Ckamihfm.exeC:\Windows\system32\Ckamihfm.exe90⤵PID:2204
-
C:\Windows\SysWOW64\Cnpieceq.exeC:\Windows\system32\Cnpieceq.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2240 -
C:\Windows\SysWOW64\Cqneaodd.exeC:\Windows\system32\Cqneaodd.exe92⤵PID:2876
-
C:\Windows\SysWOW64\Ccmanjch.exeC:\Windows\system32\Ccmanjch.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Cfknjfbl.exeC:\Windows\system32\Cfknjfbl.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:604 -
C:\Windows\SysWOW64\Cnbfkccn.exeC:\Windows\system32\Cnbfkccn.exe95⤵PID:2012
-
C:\Windows\SysWOW64\Cocbbk32.exeC:\Windows\system32\Cocbbk32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1544 -
C:\Windows\SysWOW64\Cgjjdijo.exeC:\Windows\system32\Cgjjdijo.exe97⤵
- Modifies registry class
PID:768 -
C:\Windows\SysWOW64\Cmgblphf.exeC:\Windows\system32\Cmgblphf.exe98⤵
- System Location Discovery: System Language Discovery
PID:1108 -
C:\Windows\SysWOW64\Cqcomn32.exeC:\Windows\system32\Cqcomn32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1948 -
C:\Windows\SysWOW64\Ccakij32.exeC:\Windows\system32\Ccakij32.exe100⤵PID:3064
-
C:\Windows\SysWOW64\Cfpgee32.exeC:\Windows\system32\Cfpgee32.exe101⤵
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Cincaq32.exeC:\Windows\system32\Cincaq32.exe102⤵
- System Location Discovery: System Language Discovery
PID:2780 -
C:\Windows\SysWOW64\Cklpml32.exeC:\Windows\system32\Cklpml32.exe103⤵
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Cbfhjfdk.exeC:\Windows\system32\Cbfhjfdk.exe104⤵
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Dfbdje32.exeC:\Windows\system32\Dfbdje32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2332 -
C:\Windows\SysWOW64\Dippfplg.exeC:\Windows\system32\Dippfplg.exe106⤵PID:2904
-
C:\Windows\SysWOW64\Dmllgo32.exeC:\Windows\system32\Dmllgo32.exe107⤵
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Dbidof32.exeC:\Windows\system32\Dbidof32.exe108⤵
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Degqka32.exeC:\Windows\system32\Degqka32.exe109⤵
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Dgemgm32.exeC:\Windows\system32\Dgemgm32.exe110⤵PID:1552
-
C:\Windows\SysWOW64\Dnpedghl.exeC:\Windows\system32\Dnpedghl.exe111⤵
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\Dbkaee32.exeC:\Windows\system32\Dbkaee32.exe112⤵
- Drops file in System32 directory
PID:916 -
C:\Windows\SysWOW64\Dieiap32.exeC:\Windows\system32\Dieiap32.exe113⤵PID:2248
-
C:\Windows\SysWOW64\Dlcfnk32.exeC:\Windows\system32\Dlcfnk32.exe114⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Dnbbjf32.exeC:\Windows\system32\Dnbbjf32.exe115⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:880 -
C:\Windows\SysWOW64\Deljfqmf.exeC:\Windows\system32\Deljfqmf.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Dcojbm32.exeC:\Windows\system32\Dcojbm32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1160 -
C:\Windows\SysWOW64\Djibogkn.exeC:\Windows\system32\Djibogkn.exe118⤵
- System Location Discovery: System Language Discovery
PID:2596 -
C:\Windows\SysWOW64\Dmgokcja.exeC:\Windows\system32\Dmgokcja.exe119⤵
- Modifies registry class
PID:2004 -
C:\Windows\SysWOW64\Dabkla32.exeC:\Windows\system32\Dabkla32.exe120⤵PID:2440
-
C:\Windows\SysWOW64\Dcaghm32.exeC:\Windows\system32\Dcaghm32.exe121⤵
- Drops file in System32 directory
- Modifies registry class
PID:1752
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-