Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
05/12/2024, 10:47
Behavioral task
behavioral1
Sample
03ab727c6cfe5324cd7a887a28e7f02b37adf13b511a7260eccb9f3e55de75d9.exe
Resource
win7-20240729-en
windows7-x64
11 signatures
120 seconds
General
-
Target
03ab727c6cfe5324cd7a887a28e7f02b37adf13b511a7260eccb9f3e55de75d9.exe
-
Size
93KB
-
MD5
40155a9a88fe9fb393756ec3d273f7c4
-
SHA1
e422d211445686b4526e3a1b5eba1b9e69aae9ad
-
SHA256
03ab727c6cfe5324cd7a887a28e7f02b37adf13b511a7260eccb9f3e55de75d9
-
SHA512
2c3c664b1268b556a0649ae7d89b1f277c56d11a5f8401d125d987eafdd3ae4071430d1651a051824270cf52dec3916f7218af9c84a072ac28665e2e3e1ac0e8
-
SSDEEP
1536:Kxwjq78mJ2mhG03j3q6QM1DaYfMZRWuLsV+17:K6u7T00z66QMgYfc0DV+17
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bkhjamcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dkmljcdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehmpeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goiafp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Odflmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcfgoadd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpmkbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdhpdq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bheaiekc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dmcfngde.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kjmoeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abinjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Icplje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kimjhnnl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mldeik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfchqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hganjo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifgklp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ncnjeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbadagln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhnnnbaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbpnkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgdfjfmi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kijmbnpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cppobaeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cgnpjkhj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbhhkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kaggbihl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbgdgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ecadddjh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icfbkded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pnnfkb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Beggec32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ecadddjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Igpaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lmalgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ojceef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jipcbidn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cenmfbml.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hokjkbkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdpnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phgannal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhbmip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nphpng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pkhdnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qmepanje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbnlaqhi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cffjagko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbfnchfb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cofaog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Glfgnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Halcmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldbjdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qifnhaho.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlggjlep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifpnaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikocoa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igeddb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmgfgham.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpoaheja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mohhea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oapcfo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpaohjkk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dijfch32.exe -
Berbew family
-
Njrat family
-
Executes dropped EXE 64 IoCs
pid Process 1976 Nnokahip.exe 2668 Nffccejb.exe 2944 Nnahgh32.exe 2596 Ndlpdbnj.exe 2616 Njhilimb.exe 1720 Ndnmialh.exe 2384 Ojkeah32.exe 2900 Oqennbbl.exe 852 Ogofkm32.exe 1728 Oninhgae.exe 604 Opjkpo32.exe 2576 Ogabql32.exe 1204 Ofdclinq.exe 2216 Ojblbgdg.exe 3060 Opodknco.exe 2344 Ofilgh32.exe 1924 Ombddbah.exe 2628 Oleepo32.exe 1888 Pndalkgf.exe 1464 Phledp32.exe 1996 Ppcmfn32.exe 1064 Padjmfdg.exe 1244 Phobjp32.exe 2120 Pbdfgilj.exe 288 Phaoppja.exe 2760 Phaoppja.exe 2780 Pjoklkie.exe 2804 Pdhpdq32.exe 2712 Pjahakgb.exe 2956 Pnmdbi32.exe 1760 Pdjljpnc.exe 2372 Qanmcdlm.exe 2892 Qjfalj32.exe 1344 Qdofep32.exe 1740 Aepbmhpl.exe 1188 Aiknnf32.exe 1624 Abdbflnf.exe 1864 Allgoa32.exe 2220 Aphcppmo.exe 2304 Aipgifcp.exe 1596 Alodeacc.exe 2064 Adjhicpo.exe 1776 Ahedjb32.exe 3024 Aoomflpd.exe 2396 Anbmbi32.exe 2264 Adleoc32.exe 2920 Ahhaobfe.exe 2740 Agkako32.exe 2768 Akfnkmei.exe 2276 Andjgidl.exe 2536 Bapfhg32.exe 2104 Bpcfcddp.exe 2196 Bhjneadb.exe 1868 Bgmnpn32.exe 988 Bkhjamcf.exe 1732 Babbng32.exe 2292 Bdaojbjf.exe 1144 Bkkgfm32.exe 2080 Bnicbh32.exe 2476 Bllcnega.exe 2176 Bdckobhd.exe 2068 Bcflko32.exe 328 Bedhgj32.exe 1984 Bpjldc32.exe -
Loads dropped DLL 64 IoCs
pid Process 2328 03ab727c6cfe5324cd7a887a28e7f02b37adf13b511a7260eccb9f3e55de75d9.exe 2328 03ab727c6cfe5324cd7a887a28e7f02b37adf13b511a7260eccb9f3e55de75d9.exe 1976 Nnokahip.exe 1976 Nnokahip.exe 2668 Nffccejb.exe 2668 Nffccejb.exe 2944 Nnahgh32.exe 2944 Nnahgh32.exe 2596 Ndlpdbnj.exe 2596 Ndlpdbnj.exe 2616 Njhilimb.exe 2616 Njhilimb.exe 1720 Ndnmialh.exe 1720 Ndnmialh.exe 2384 Ojkeah32.exe 2384 Ojkeah32.exe 2900 Oqennbbl.exe 2900 Oqennbbl.exe 852 Ogofkm32.exe 852 Ogofkm32.exe 1728 Oninhgae.exe 1728 Oninhgae.exe 604 Opjkpo32.exe 604 Opjkpo32.exe 2576 Ogabql32.exe 2576 Ogabql32.exe 1204 Ofdclinq.exe 1204 Ofdclinq.exe 2216 Ojblbgdg.exe 2216 Ojblbgdg.exe 3060 Opodknco.exe 3060 Opodknco.exe 2344 Ofilgh32.exe 2344 Ofilgh32.exe 1924 Ombddbah.exe 1924 Ombddbah.exe 2628 Oleepo32.exe 2628 Oleepo32.exe 1888 Pndalkgf.exe 1888 Pndalkgf.exe 1464 Phledp32.exe 1464 Phledp32.exe 1996 Ppcmfn32.exe 1996 Ppcmfn32.exe 1064 Padjmfdg.exe 1064 Padjmfdg.exe 1244 Phobjp32.exe 1244 Phobjp32.exe 2120 Pbdfgilj.exe 2120 Pbdfgilj.exe 288 Phaoppja.exe 288 Phaoppja.exe 2760 Phaoppja.exe 2760 Phaoppja.exe 2780 Pjoklkie.exe 2780 Pjoklkie.exe 2804 Pdhpdq32.exe 2804 Pdhpdq32.exe 2712 Pjahakgb.exe 2712 Pjahakgb.exe 2956 Pnmdbi32.exe 2956 Pnmdbi32.exe 1760 Pdjljpnc.exe 1760 Pdjljpnc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Cbghhj32.exe Cjppfl32.exe File opened for modification C:\Windows\SysWOW64\Fdapcg32.exe Fbpclofe.exe File created C:\Windows\SysWOW64\Pemapqnd.dll Kjmoeo32.exe File opened for modification C:\Windows\SysWOW64\Nakikpin.exe Nommodjj.exe File created C:\Windows\SysWOW64\Mhefgd32.dll Gidhbgag.exe File opened for modification C:\Windows\SysWOW64\Nanfqo32.exe Noojdc32.exe File created C:\Windows\SysWOW64\Dmpgan32.dll Pgcnnh32.exe File opened for modification C:\Windows\SysWOW64\Qgfkchmp.exe Qcjoci32.exe File opened for modification C:\Windows\SysWOW64\Oleepo32.exe Ombddbah.exe File opened for modification C:\Windows\SysWOW64\Fdfmpc32.exe Floeof32.exe File opened for modification C:\Windows\SysWOW64\Nladco32.exe Njchfc32.exe File created C:\Windows\SysWOW64\Golgon32.exe Gpjfcali.exe File opened for modification C:\Windows\SysWOW64\Ecjgio32.exe Eqkjmcmq.exe File opened for modification C:\Windows\SysWOW64\Hmijajbd.exe Hofjem32.exe File created C:\Windows\SysWOW64\Cpgope32.dll Hehhqk32.exe File created C:\Windows\SysWOW64\Lkmldbcj.exe Lhoohgdg.exe File created C:\Windows\SysWOW64\Ekmlgnnl.dll Ojblbgdg.exe File opened for modification C:\Windows\SysWOW64\Ccmblnif.exe Coafko32.exe File created C:\Windows\SysWOW64\Kjbclamj.exe Kgdgpfnf.exe File opened for modification C:\Windows\SysWOW64\Pbjifgcd.exe Ppkmjlca.exe File created C:\Windows\SysWOW64\Pofldf32.exe Pgodcich.exe File opened for modification C:\Windows\SysWOW64\Ojceef32.exe Ogdhik32.exe File created C:\Windows\SysWOW64\Pjlgle32.exe Pbepkh32.exe File opened for modification C:\Windows\SysWOW64\Bkqiek32.exe Bhbmip32.exe File created C:\Windows\SysWOW64\Nhjdcghg.dll Oqgmmk32.exe File opened for modification C:\Windows\SysWOW64\Eldbkbop.exe Ecmjid32.exe File created C:\Windows\SysWOW64\Igmepdbc.exe Idohdhbo.exe File opened for modification C:\Windows\SysWOW64\Jbphgpfg.exe Jnemfa32.exe File created C:\Windows\SysWOW64\Ncipjieo.exe Npkdnnfk.exe File created C:\Windows\SysWOW64\Kbnhpdke.exe Kckhdg32.exe File opened for modification C:\Windows\SysWOW64\Pjpmdd32.exe Pkmmigjo.exe File created C:\Windows\SysWOW64\Cbkgog32.exe Bpmkbl32.exe File created C:\Windows\SysWOW64\Jdbnpf32.dll Omfnnnhj.exe File created C:\Windows\SysWOW64\Amjiln32.exe Ainmlomf.exe File created C:\Windows\SysWOW64\Clclhmin.exe Chhpgn32.exe File opened for modification C:\Windows\SysWOW64\Bdckobhd.exe Bllcnega.exe File created C:\Windows\SysWOW64\Bchhqo32.exe Bpjldc32.exe File opened for modification C:\Windows\SysWOW64\Cnipak32.exe Cofofolh.exe File created C:\Windows\SysWOW64\Mpbelhkp.dll Njalacon.exe File created C:\Windows\SysWOW64\Kcacil32.dll Cjhckg32.exe File created C:\Windows\SysWOW64\Dnfhqi32.exe Dkgldm32.exe File opened for modification C:\Windows\SysWOW64\Ligfakaa.exe Lfhiepbn.exe File created C:\Windows\SysWOW64\Pajhnb32.dll Eegmhhie.exe File created C:\Windows\SysWOW64\Clfnfl32.dll Hhaanh32.exe File opened for modification C:\Windows\SysWOW64\Klkfdi32.exe Kimjhnnl.exe File opened for modification C:\Windows\SysWOW64\Njchfc32.exe Ngeljh32.exe File opened for modification C:\Windows\SysWOW64\Nnahgh32.exe Nffccejb.exe File created C:\Windows\SysWOW64\Cdakffdn.dll Oqennbbl.exe File created C:\Windows\SysWOW64\Hbgghlmq.dll Dbgdgm32.exe File opened for modification C:\Windows\SysWOW64\Egfjdchi.exe Eegmhhie.exe File created C:\Windows\SysWOW64\Eknjoj32.dll Bogljj32.exe File created C:\Windows\SysWOW64\Fbhfajia.exe Fjaoplho.exe File created C:\Windows\SysWOW64\Mlnbgj32.dll Fikelhib.exe File opened for modification C:\Windows\SysWOW64\Mheeif32.exe Mpnngi32.exe File created C:\Windows\SysWOW64\Cgqmpkfg.exe Cceapl32.exe File opened for modification C:\Windows\SysWOW64\Dcjjkkji.exe Dkbbinig.exe File created C:\Windows\SysWOW64\Jacgio32.dll Enmnahnm.exe File created C:\Windows\SysWOW64\Cjmoammm.dll Kffqqm32.exe File created C:\Windows\SysWOW64\Bcpaqn32.dll Klfmijae.exe File created C:\Windows\SysWOW64\Mghomh32.dll Kjpceebh.exe File created C:\Windows\SysWOW64\Njhbabif.exe Nflfad32.exe File opened for modification C:\Windows\SysWOW64\Afgnkilf.exe Ablbjj32.exe File created C:\Windows\SysWOW64\Ldiceg32.dll Fdlpnamm.exe File created C:\Windows\SysWOW64\Dqhooh32.dll Ihnjmf32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oddphp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcdldknm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amafgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccgnelll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkciic32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccmblnif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmcfngde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jahbmlil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpcgbhig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmpakm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abbhje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chgnneiq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glfgnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hipkfkgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiokholk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pflbpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahngomkd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Geilah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmijajbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhjneadb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iickckcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nladco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jgbjjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lonlkcho.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhflcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpboinpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqennbbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opjkpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnmdbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bldpiifb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npechhgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Palbgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alaccj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjepaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjgjpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anbmbi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clefdcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkimpfmg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obecld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dboglhna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feipbefb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpgjnbnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ephdjeol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkkjeeke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ooggpiek.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgfkchmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anpooe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmidlmcd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Genlgnhd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efjpkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpfpe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnfhqi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gidhbgag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmalgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpfnckhe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oodjjign.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afeaei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eiilge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkgfm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bheaiekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbngfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikocoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nphpng32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kbnhpdke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojceef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdeffdbl.dll" Oqojhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddmchcnd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Goocenaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Abbhje32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alofnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coafko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ofdclinq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Imacijjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ompjookk.dll" Mgnfji32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eclcon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdbeobe.dll" Ladgkmlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mmqioe32.dll" Oninhgae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkkjeeke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kffqqm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Colldggd.dll" Lpanne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nphpng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlilhb32.dll" Ccpqjfnh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njhilimb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fplkghjl.dll" Hokjkbkp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hajfgnjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iejkhlip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lhoohgdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cngcll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgdqpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddhaie32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hokjkbkp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdaimdkg.dll" Pbepkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jghqia32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lffmpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ankedf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljllgmcl.dll" Opjkpo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qfkgdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcacochk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pagmgi32.dll" Hlhddh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Keoabo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Boeoek32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ffjljmla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phobjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpmdcijc.dll" Adleoc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Einlmkhp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kmclmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbelhkp.dll" Njalacon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmglihnc.dll" Npkdnnfk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkebqmfj.dll" Paafmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Igooceih.dll" Qhincn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Padjmfdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Efjpkj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fheoiqgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdgkicek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kndbko32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Odcimipf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccqhdmbc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kjbclamj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kpfbegei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fappgflg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Igeddb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmgfgham.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lbmnea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bijpeihq.dll" Bpfebmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bakbgd32.dll" Fdfmpc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Afqhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Idghhf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2328 wrote to memory of 1976 2328 03ab727c6cfe5324cd7a887a28e7f02b37adf13b511a7260eccb9f3e55de75d9.exe 30 PID 2328 wrote to memory of 1976 2328 03ab727c6cfe5324cd7a887a28e7f02b37adf13b511a7260eccb9f3e55de75d9.exe 30 PID 2328 wrote to memory of 1976 2328 03ab727c6cfe5324cd7a887a28e7f02b37adf13b511a7260eccb9f3e55de75d9.exe 30 PID 2328 wrote to memory of 1976 2328 03ab727c6cfe5324cd7a887a28e7f02b37adf13b511a7260eccb9f3e55de75d9.exe 30 PID 1976 wrote to memory of 2668 1976 Nnokahip.exe 31 PID 1976 wrote to memory of 2668 1976 Nnokahip.exe 31 PID 1976 wrote to memory of 2668 1976 Nnokahip.exe 31 PID 1976 wrote to memory of 2668 1976 Nnokahip.exe 31 PID 2668 wrote to memory of 2944 2668 Nffccejb.exe 32 PID 2668 wrote to memory of 2944 2668 Nffccejb.exe 32 PID 2668 wrote to memory of 2944 2668 Nffccejb.exe 32 PID 2668 wrote to memory of 2944 2668 Nffccejb.exe 32 PID 2944 wrote to memory of 2596 2944 Nnahgh32.exe 33 PID 2944 wrote to memory of 2596 2944 Nnahgh32.exe 33 PID 2944 wrote to memory of 2596 2944 Nnahgh32.exe 33 PID 2944 wrote to memory of 2596 2944 Nnahgh32.exe 33 PID 2596 wrote to memory of 2616 2596 Ndlpdbnj.exe 34 PID 2596 wrote to memory of 2616 2596 Ndlpdbnj.exe 34 PID 2596 wrote to memory of 2616 2596 Ndlpdbnj.exe 34 PID 2596 wrote to memory of 2616 2596 Ndlpdbnj.exe 34 PID 2616 wrote to memory of 1720 2616 Njhilimb.exe 35 PID 2616 wrote to memory of 1720 2616 Njhilimb.exe 35 PID 2616 wrote to memory of 1720 2616 Njhilimb.exe 35 PID 2616 wrote to memory of 1720 2616 Njhilimb.exe 35 PID 1720 wrote to memory of 2384 1720 Ndnmialh.exe 36 PID 1720 wrote to memory of 2384 1720 Ndnmialh.exe 36 PID 1720 wrote to memory of 2384 1720 Ndnmialh.exe 36 PID 1720 wrote to memory of 2384 1720 Ndnmialh.exe 36 PID 2384 wrote to memory of 2900 2384 Ojkeah32.exe 37 PID 2384 wrote to memory of 2900 2384 Ojkeah32.exe 37 PID 2384 wrote to memory of 2900 2384 Ojkeah32.exe 37 PID 2384 wrote to memory of 2900 2384 Ojkeah32.exe 37 PID 2900 wrote to memory of 852 2900 Oqennbbl.exe 38 PID 2900 wrote to memory of 852 2900 Oqennbbl.exe 38 PID 2900 wrote to memory of 852 2900 Oqennbbl.exe 38 PID 2900 wrote to memory of 852 2900 Oqennbbl.exe 38 PID 852 wrote to memory of 1728 852 Ogofkm32.exe 39 PID 852 wrote to memory of 1728 852 Ogofkm32.exe 39 PID 852 wrote to memory of 1728 852 Ogofkm32.exe 39 PID 852 wrote to memory of 1728 852 Ogofkm32.exe 39 PID 1728 wrote to memory of 604 1728 Oninhgae.exe 40 PID 1728 wrote to memory of 604 1728 Oninhgae.exe 40 PID 1728 wrote to memory of 604 1728 Oninhgae.exe 40 PID 1728 wrote to memory of 604 1728 Oninhgae.exe 40 PID 604 wrote to memory of 2576 604 Opjkpo32.exe 41 PID 604 wrote to memory of 2576 604 Opjkpo32.exe 41 PID 604 wrote to memory of 2576 604 Opjkpo32.exe 41 PID 604 wrote to memory of 2576 604 Opjkpo32.exe 41 PID 2576 wrote to memory of 1204 2576 Ogabql32.exe 42 PID 2576 wrote to memory of 1204 2576 Ogabql32.exe 42 PID 2576 wrote to memory of 1204 2576 Ogabql32.exe 42 PID 2576 wrote to memory of 1204 2576 Ogabql32.exe 42 PID 1204 wrote to memory of 2216 1204 Ofdclinq.exe 43 PID 1204 wrote to memory of 2216 1204 Ofdclinq.exe 43 PID 1204 wrote to memory of 2216 1204 Ofdclinq.exe 43 PID 1204 wrote to memory of 2216 1204 Ofdclinq.exe 43 PID 2216 wrote to memory of 3060 2216 Ojblbgdg.exe 44 PID 2216 wrote to memory of 3060 2216 Ojblbgdg.exe 44 PID 2216 wrote to memory of 3060 2216 Ojblbgdg.exe 44 PID 2216 wrote to memory of 3060 2216 Ojblbgdg.exe 44 PID 3060 wrote to memory of 2344 3060 Opodknco.exe 45 PID 3060 wrote to memory of 2344 3060 Opodknco.exe 45 PID 3060 wrote to memory of 2344 3060 Opodknco.exe 45 PID 3060 wrote to memory of 2344 3060 Opodknco.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\03ab727c6cfe5324cd7a887a28e7f02b37adf13b511a7260eccb9f3e55de75d9.exe"C:\Users\Admin\AppData\Local\Temp\03ab727c6cfe5324cd7a887a28e7f02b37adf13b511a7260eccb9f3e55de75d9.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Nnokahip.exeC:\Windows\system32\Nnokahip.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1976 -
C:\Windows\SysWOW64\Nffccejb.exeC:\Windows\system32\Nffccejb.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2668 -
C:\Windows\SysWOW64\Nnahgh32.exeC:\Windows\system32\Nnahgh32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Ndlpdbnj.exeC:\Windows\system32\Ndlpdbnj.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Njhilimb.exeC:\Windows\system32\Njhilimb.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Ndnmialh.exeC:\Windows\system32\Ndnmialh.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Ojkeah32.exeC:\Windows\system32\Ojkeah32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Oqennbbl.exeC:\Windows\system32\Oqennbbl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Ogofkm32.exeC:\Windows\system32\Ogofkm32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:852 -
C:\Windows\SysWOW64\Oninhgae.exeC:\Windows\system32\Oninhgae.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Opjkpo32.exeC:\Windows\system32\Opjkpo32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:604 -
C:\Windows\SysWOW64\Ogabql32.exeC:\Windows\system32\Ogabql32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2576 -
C:\Windows\SysWOW64\Ofdclinq.exeC:\Windows\system32\Ofdclinq.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1204 -
C:\Windows\SysWOW64\Ojblbgdg.exeC:\Windows\system32\Ojblbgdg.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\SysWOW64\Opodknco.exeC:\Windows\system32\Opodknco.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Ofilgh32.exeC:\Windows\system32\Ofilgh32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2344 -
C:\Windows\SysWOW64\Ombddbah.exeC:\Windows\system32\Ombddbah.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1924 -
C:\Windows\SysWOW64\Oleepo32.exeC:\Windows\system32\Oleepo32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2628 -
C:\Windows\SysWOW64\Pndalkgf.exeC:\Windows\system32\Pndalkgf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1888 -
C:\Windows\SysWOW64\Phledp32.exeC:\Windows\system32\Phledp32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1464 -
C:\Windows\SysWOW64\Ppcmfn32.exeC:\Windows\system32\Ppcmfn32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Padjmfdg.exeC:\Windows\system32\Padjmfdg.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1064 -
C:\Windows\SysWOW64\Phobjp32.exeC:\Windows\system32\Phobjp32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1244 -
C:\Windows\SysWOW64\Pbdfgilj.exeC:\Windows\system32\Pbdfgilj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Phaoppja.exeC:\Windows\system32\Phaoppja.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:288 -
C:\Windows\SysWOW64\Phaoppja.exeC:\Windows\system32\Phaoppja.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2760 -
C:\Windows\SysWOW64\Pjoklkie.exeC:\Windows\system32\Pjoklkie.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Pdhpdq32.exeC:\Windows\system32\Pdhpdq32.exe29⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Pjahakgb.exeC:\Windows\system32\Pjahakgb.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Pnmdbi32.exeC:\Windows\system32\Pnmdbi32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Pdjljpnc.exeC:\Windows\system32\Pdjljpnc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1760 -
C:\Windows\SysWOW64\Qanmcdlm.exeC:\Windows\system32\Qanmcdlm.exe33⤵
- Executes dropped EXE
PID:2372 -
C:\Windows\SysWOW64\Qjfalj32.exeC:\Windows\system32\Qjfalj32.exe34⤵
- Executes dropped EXE
PID:2892 -
C:\Windows\SysWOW64\Qdofep32.exeC:\Windows\system32\Qdofep32.exe35⤵
- Executes dropped EXE
PID:1344 -
C:\Windows\SysWOW64\Aepbmhpl.exeC:\Windows\system32\Aepbmhpl.exe36⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Aiknnf32.exeC:\Windows\system32\Aiknnf32.exe37⤵
- Executes dropped EXE
PID:1188 -
C:\Windows\SysWOW64\Abdbflnf.exeC:\Windows\system32\Abdbflnf.exe38⤵
- Executes dropped EXE
PID:1624 -
C:\Windows\SysWOW64\Allgoa32.exeC:\Windows\system32\Allgoa32.exe39⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Aphcppmo.exeC:\Windows\system32\Aphcppmo.exe40⤵
- Executes dropped EXE
PID:2220 -
C:\Windows\SysWOW64\Aipgifcp.exeC:\Windows\system32\Aipgifcp.exe41⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Alodeacc.exeC:\Windows\system32\Alodeacc.exe42⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Adjhicpo.exeC:\Windows\system32\Adjhicpo.exe43⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Ahedjb32.exeC:\Windows\system32\Ahedjb32.exe44⤵
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Aoomflpd.exeC:\Windows\system32\Aoomflpd.exe45⤵
- Executes dropped EXE
PID:3024 -
C:\Windows\SysWOW64\Anbmbi32.exeC:\Windows\system32\Anbmbi32.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2396 -
C:\Windows\SysWOW64\Adleoc32.exeC:\Windows\system32\Adleoc32.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2264 -
C:\Windows\SysWOW64\Ahhaobfe.exeC:\Windows\system32\Ahhaobfe.exe48⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Agkako32.exeC:\Windows\system32\Agkako32.exe49⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Akfnkmei.exeC:\Windows\system32\Akfnkmei.exe50⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Andjgidl.exeC:\Windows\system32\Andjgidl.exe51⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Bapfhg32.exeC:\Windows\system32\Bapfhg32.exe52⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Bpcfcddp.exeC:\Windows\system32\Bpcfcddp.exe53⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Bhjneadb.exeC:\Windows\system32\Bhjneadb.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2196 -
C:\Windows\SysWOW64\Bgmnpn32.exeC:\Windows\system32\Bgmnpn32.exe55⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Bkhjamcf.exeC:\Windows\system32\Bkhjamcf.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Babbng32.exeC:\Windows\system32\Babbng32.exe57⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Bdaojbjf.exeC:\Windows\system32\Bdaojbjf.exe58⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Bkkgfm32.exeC:\Windows\system32\Bkkgfm32.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1144 -
C:\Windows\SysWOW64\Bnicbh32.exeC:\Windows\system32\Bnicbh32.exe60⤵
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Bllcnega.exeC:\Windows\system32\Bllcnega.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2476 -
C:\Windows\SysWOW64\Bdckobhd.exeC:\Windows\system32\Bdckobhd.exe62⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Bcflko32.exeC:\Windows\system32\Bcflko32.exe63⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Bedhgj32.exeC:\Windows\system32\Bedhgj32.exe64⤵
- Executes dropped EXE
PID:328 -
C:\Windows\SysWOW64\Bpjldc32.exeC:\Windows\system32\Bpjldc32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1984 -
C:\Windows\SysWOW64\Bchhqo32.exeC:\Windows\system32\Bchhqo32.exe66⤵PID:2464
-
C:\Windows\SysWOW64\Bgddam32.exeC:\Windows\system32\Bgddam32.exe67⤵PID:2180
-
C:\Windows\SysWOW64\Bfgdmjlp.exeC:\Windows\system32\Bfgdmjlp.exe68⤵PID:2672
-
C:\Windows\SysWOW64\Bjbqmi32.exeC:\Windows\system32\Bjbqmi32.exe69⤵PID:2704
-
C:\Windows\SysWOW64\Bheaiekc.exeC:\Windows\system32\Bheaiekc.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Windows\SysWOW64\Blqmid32.exeC:\Windows\system32\Blqmid32.exe71⤵PID:1460
-
C:\Windows\SysWOW64\Booiep32.exeC:\Windows\system32\Booiep32.exe72⤵PID:2368
-
C:\Windows\SysWOW64\Bckefnki.exeC:\Windows\system32\Bckefnki.exe73⤵PID:1508
-
C:\Windows\SysWOW64\Bfiabjjm.exeC:\Windows\system32\Bfiabjjm.exe74⤵PID:2504
-
C:\Windows\SysWOW64\Chgnneiq.exeC:\Windows\system32\Chgnneiq.exe75⤵
- System Location Discovery: System Language Discovery
PID:1612 -
C:\Windows\SysWOW64\Clciod32.exeC:\Windows\system32\Clciod32.exe76⤵PID:264
-
C:\Windows\SysWOW64\Coafko32.exeC:\Windows\system32\Coafko32.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:2316 -
C:\Windows\SysWOW64\Ccmblnif.exeC:\Windows\system32\Ccmblnif.exe78⤵
- System Location Discovery: System Language Discovery
PID:3016 -
C:\Windows\SysWOW64\Cbpbgk32.exeC:\Windows\system32\Cbpbgk32.exe79⤵PID:2404
-
C:\Windows\SysWOW64\Cdnncfoe.exeC:\Windows\system32\Cdnncfoe.exe80⤵PID:820
-
C:\Windows\SysWOW64\Chjjde32.exeC:\Windows\system32\Chjjde32.exe81⤵PID:1540
-
C:\Windows\SysWOW64\Clefdcog.exeC:\Windows\system32\Clefdcog.exe82⤵
- System Location Discovery: System Language Discovery
PID:2416 -
C:\Windows\SysWOW64\Codbqonk.exeC:\Windows\system32\Codbqonk.exe83⤵PID:1960
-
C:\Windows\SysWOW64\Cngcll32.exeC:\Windows\system32\Cngcll32.exe84⤵
- Modifies registry class
PID:2200 -
C:\Windows\SysWOW64\Cfnkmi32.exeC:\Windows\system32\Cfnkmi32.exe85⤵PID:2640
-
C:\Windows\SysWOW64\Cdqkifmb.exeC:\Windows\system32\Cdqkifmb.exe86⤵PID:2700
-
C:\Windows\SysWOW64\Chlgid32.exeC:\Windows\system32\Chlgid32.exe87⤵PID:1416
-
C:\Windows\SysWOW64\Cofofolh.exeC:\Windows\system32\Cofofolh.exe88⤵
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Cnipak32.exeC:\Windows\system32\Cnipak32.exe89⤵PID:1092
-
C:\Windows\SysWOW64\Cqglng32.exeC:\Windows\system32\Cqglng32.exe90⤵PID:2060
-
C:\Windows\SysWOW64\Cdchneko.exeC:\Windows\system32\Cdchneko.exe91⤵PID:2160
-
C:\Windows\SysWOW64\Cgadja32.exeC:\Windows\system32\Cgadja32.exe92⤵PID:2172
-
C:\Windows\SysWOW64\Ckmpkpbl.exeC:\Windows\system32\Ckmpkpbl.exe93⤵PID:2720
-
C:\Windows\SysWOW64\Cjppfl32.exeC:\Windows\system32\Cjppfl32.exe94⤵
- Drops file in System32 directory
PID:2000 -
C:\Windows\SysWOW64\Cbghhj32.exeC:\Windows\system32\Cbghhj32.exe95⤵PID:1336
-
C:\Windows\SysWOW64\Cqjhcfpc.exeC:\Windows\system32\Cqjhcfpc.exe96⤵PID:2684
-
C:\Windows\SysWOW64\Cgdqpq32.exeC:\Windows\system32\Cgdqpq32.exe97⤵
- Modifies registry class
PID:2360 -
C:\Windows\SysWOW64\Cjbmll32.exeC:\Windows\system32\Cjbmll32.exe98⤵PID:1380
-
C:\Windows\SysWOW64\Cmqihg32.exeC:\Windows\system32\Cmqihg32.exe99⤵PID:2516
-
C:\Windows\SysWOW64\Ddhaie32.exeC:\Windows\system32\Ddhaie32.exe100⤵
- Modifies registry class
PID:588 -
C:\Windows\SysWOW64\Dcjaeamd.exeC:\Windows\system32\Dcjaeamd.exe101⤵PID:2808
-
C:\Windows\SysWOW64\Djdjalea.exeC:\Windows\system32\Djdjalea.exe102⤵PID:992
-
C:\Windows\SysWOW64\Dmcfngde.exeC:\Windows\system32\Dmcfngde.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1648 -
C:\Windows\SysWOW64\Doabjbci.exeC:\Windows\system32\Doabjbci.exe104⤵PID:948
-
C:\Windows\SysWOW64\Dfkjgm32.exeC:\Windows\system32\Dfkjgm32.exe105⤵PID:1948
-
C:\Windows\SysWOW64\Dijfch32.exeC:\Windows\system32\Dijfch32.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3036 -
C:\Windows\SysWOW64\Dqaode32.exeC:\Windows\system32\Dqaode32.exe107⤵PID:1580
-
C:\Windows\SysWOW64\Docopbaf.exeC:\Windows\system32\Docopbaf.exe108⤵PID:2832
-
C:\Windows\SysWOW64\Dcokpa32.exeC:\Windows\system32\Dcokpa32.exe109⤵PID:2564
-
C:\Windows\SysWOW64\Dfngll32.exeC:\Windows\system32\Dfngll32.exe110⤵PID:2520
-
C:\Windows\SysWOW64\Dilchhgg.exeC:\Windows\system32\Dilchhgg.exe111⤵PID:1964
-
C:\Windows\SysWOW64\Dpfkeb32.exeC:\Windows\system32\Dpfkeb32.exe112⤵PID:2952
-
C:\Windows\SysWOW64\Dbdham32.exeC:\Windows\system32\Dbdham32.exe113⤵PID:2240
-
C:\Windows\SysWOW64\Decdmi32.exeC:\Windows\system32\Decdmi32.exe114⤵PID:2084
-
C:\Windows\SysWOW64\Dinpnged.exeC:\Windows\system32\Dinpnged.exe115⤵PID:1076
-
C:\Windows\SysWOW64\Dkmljcdh.exeC:\Windows\system32\Dkmljcdh.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1980 -
C:\Windows\SysWOW64\Dbgdgm32.exeC:\Windows\system32\Dbgdgm32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1812 -
C:\Windows\SysWOW64\Dfbqgldn.exeC:\Windows\system32\Dfbqgldn.exe118⤵PID:2600
-
C:\Windows\SysWOW64\Dgcmod32.exeC:\Windows\system32\Dgcmod32.exe119⤵PID:2980
-
C:\Windows\SysWOW64\Epkepakn.exeC:\Windows\system32\Epkepakn.exe120⤵PID:1420
-
C:\Windows\SysWOW64\Enneln32.exeC:\Windows\system32\Enneln32.exe121⤵PID:808
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-