Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
07/12/2024, 21:52
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4209ebcf9162ce406dc9b70c1352e0585c82daaecd54d22a67cded39ef0e89c6.exe
Resource
win7-20241023-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
4209ebcf9162ce406dc9b70c1352e0585c82daaecd54d22a67cded39ef0e89c6.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
4209ebcf9162ce406dc9b70c1352e0585c82daaecd54d22a67cded39ef0e89c6.exe
-
Size
55KB
-
MD5
ab27e4ad32224c3d2daaf3a04a9f2f30
-
SHA1
80db57f6a9f81db1a69fc6aa432f453d5db7aca3
-
SHA256
4209ebcf9162ce406dc9b70c1352e0585c82daaecd54d22a67cded39ef0e89c6
-
SHA512
e22165efb2581d969e2452e71b1f8124ca2c0a1a140e059b957f0709191ca2db806b1143b6e1b089c15fda75463e20cbd424a195dd256a858d5e83d98531546b
-
SSDEEP
768:kaGiaEFEPesJARVCXNy9Rb8zlItO6WutIk/6DSoM24ZH2dP31WPI2p/1H5QXdnh:KINsJiCXNgR4zlI4rut4uWdtj2Lg
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjkhdacm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Edibhmml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmmfaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghdgfbkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aknlofim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amfognic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Biolanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bckjhl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Daofpchf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mjkgjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njhfcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cjlheehe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bhjlli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ofhjopbg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bgcbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npaich32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbpeoc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adfqgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dfphcj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fqalaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffaaoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Emagacdm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Odjdmjgo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkibcg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpjjeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjlmpfhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmhglq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dhpemm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elipgofb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggicgopd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnkcpq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bckjhl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phqmgg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajcdjca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Neiaeiii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Acfdnihk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cnnnnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flhmfbim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hgpjhn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpdjaecc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnjofo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qobbofgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cacclpae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Doecog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fcnkhmdp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idkpganf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bigkel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndkhngdd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgbeiiqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flhmfbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bfdenafn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ciohqa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Klngkfge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aqjdgmgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbbgod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ddpobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flfpabkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Neknki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oalhqohl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbhbdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phhjblpa.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2512 Nfdkoc32.exe 2292 Nnkcpq32.exe 2456 Najpll32.exe 2816 Ndhlhg32.exe 2460 Nfghdcfj.exe 2616 Niedqnen.exe 2588 Npolmh32.exe 2312 Ndkhngdd.exe 1256 Nfidjbdg.exe 1972 Nigafnck.exe 2644 Nlfmbibo.exe 1200 Npaich32.exe 1724 Nbpeoc32.exe 2680 Nijnln32.exe 2360 Nmejllia.exe 1548 Npdfhhhe.exe 2784 Nbbbdcgi.exe 2212 Nfnneb32.exe 1664 Neqnqofm.exe 2568 Oiljam32.exe 1940 Olkfmi32.exe 1448 Opfbngfb.exe 488 Obdojcef.exe 2528 Oagoep32.exe 2124 Ohagbj32.exe 2908 Okpcoe32.exe 2748 Ookpodkj.exe 2924 Oeehln32.exe 2592 Okbpde32.exe 2788 Oalhqohl.exe 2004 Odjdmjgo.exe 1716 Ogiaif32.exe 2232 Oopijc32.exe 2256 Oanefo32.exe 2864 Oijjka32.exe 2852 Ppcbgkka.exe 2980 Pgnjde32.exe 2968 Pmgbao32.exe 772 Pljcllqe.exe 2976 Pdakniag.exe 1284 Pnjofo32.exe 1296 Pphkbj32.exe 892 Poklngnf.exe 2112 Piqpkpml.exe 2628 Ppkhhjei.exe 904 Pciddedl.exe 2800 Palepb32.exe 2304 Pegqpacp.exe 2704 Phfmllbd.exe 3012 Pkdihhag.exe 2088 Pckajebj.exe 1816 Panaeb32.exe 1232 Pejmfqan.exe 2248 Phhjblpa.exe 984 Pldebkhj.exe 2496 Qobbofgn.exe 2948 Qaqnkafa.exe 2180 Qfljkp32.exe 948 Qhjfgl32.exe 2972 Qgmfchei.exe 2208 Qkibcg32.exe 2148 Qododfek.exe 2740 Qackpado.exe 2620 Qqfkln32.exe -
Loads dropped DLL 64 IoCs
pid Process 1776 4209ebcf9162ce406dc9b70c1352e0585c82daaecd54d22a67cded39ef0e89c6.exe 1776 4209ebcf9162ce406dc9b70c1352e0585c82daaecd54d22a67cded39ef0e89c6.exe 2512 Nfdkoc32.exe 2512 Nfdkoc32.exe 2292 Nnkcpq32.exe 2292 Nnkcpq32.exe 2456 Najpll32.exe 2456 Najpll32.exe 2816 Ndhlhg32.exe 2816 Ndhlhg32.exe 2460 Nfghdcfj.exe 2460 Nfghdcfj.exe 2616 Niedqnen.exe 2616 Niedqnen.exe 2588 Npolmh32.exe 2588 Npolmh32.exe 2312 Ndkhngdd.exe 2312 Ndkhngdd.exe 1256 Nfidjbdg.exe 1256 Nfidjbdg.exe 1972 Nigafnck.exe 1972 Nigafnck.exe 2644 Nlfmbibo.exe 2644 Nlfmbibo.exe 1200 Npaich32.exe 1200 Npaich32.exe 1724 Nbpeoc32.exe 1724 Nbpeoc32.exe 2680 Nijnln32.exe 2680 Nijnln32.exe 2360 Nmejllia.exe 2360 Nmejllia.exe 1548 Npdfhhhe.exe 1548 Npdfhhhe.exe 2784 Nbbbdcgi.exe 2784 Nbbbdcgi.exe 2212 Nfnneb32.exe 2212 Nfnneb32.exe 1664 Neqnqofm.exe 1664 Neqnqofm.exe 2568 Oiljam32.exe 2568 Oiljam32.exe 1940 Olkfmi32.exe 1940 Olkfmi32.exe 1448 Opfbngfb.exe 1448 Opfbngfb.exe 488 Obdojcef.exe 488 Obdojcef.exe 2528 Oagoep32.exe 2528 Oagoep32.exe 2124 Ohagbj32.exe 2124 Ohagbj32.exe 2908 Okpcoe32.exe 2908 Okpcoe32.exe 2748 Ookpodkj.exe 2748 Ookpodkj.exe 2924 Oeehln32.exe 2924 Oeehln32.exe 2592 Okbpde32.exe 2592 Okbpde32.exe 2788 Oalhqohl.exe 2788 Oalhqohl.exe 2004 Odjdmjgo.exe 2004 Odjdmjgo.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ccbphk32.exe Cacclpae.exe File created C:\Windows\SysWOW64\Miidam32.dll Cacclpae.exe File created C:\Windows\SysWOW64\Ddfebnoo.exe Dpkibo32.exe File created C:\Windows\SysWOW64\Mjfnomde.exe Mggabaea.exe File created C:\Windows\SysWOW64\Fdakoaln.dll Pplaki32.exe File created C:\Windows\SysWOW64\Daajeb32.dll Nfghdcfj.exe File created C:\Windows\SysWOW64\Alacdcjm.dll Panaeb32.exe File created C:\Windows\SysWOW64\Dgbeiiqe.exe Dhpemm32.exe File created C:\Windows\SysWOW64\Eiekpd32.exe Eejopecj.exe File created C:\Windows\SysWOW64\Feglhlfm.dll Eejopecj.exe File created C:\Windows\SysWOW64\Ikmpacaf.dll Eacljf32.exe File created C:\Windows\SysWOW64\Hldlga32.exe Hifpke32.exe File created C:\Windows\SysWOW64\Jampjian.exe Jkchmo32.exe File created C:\Windows\SysWOW64\Icehdl32.dll Kkjnnn32.exe File created C:\Windows\SysWOW64\Qqfdfdee.dll Bgffhkoj.exe File created C:\Windows\SysWOW64\Ojefcohi.dll Dbncjf32.exe File opened for modification C:\Windows\SysWOW64\Kfnpea32.dll Golbnm32.exe File created C:\Windows\SysWOW64\Gblkoham.exe Gnaooi32.exe File opened for modification C:\Windows\SysWOW64\Gneijien.exe Gjjmijme.exe File opened for modification C:\Windows\SysWOW64\Jliaac32.exe Jbqmhnbo.exe File created C:\Windows\SysWOW64\Ojefmknj.dll Pbagipfi.exe File opened for modification C:\Windows\SysWOW64\Alqnah32.exe Afffenbp.exe File created C:\Windows\SysWOW64\Eejnebko.dll Adcdbl32.exe File opened for modification C:\Windows\SysWOW64\Aihfap32.exe Afjjed32.exe File created C:\Windows\SysWOW64\Bammlq32.exe Bbjmpcab.exe File opened for modification C:\Windows\SysWOW64\Ohiffh32.exe Ofhjopbg.exe File created C:\Windows\SysWOW64\Ankojf32.dll Oagoep32.exe File opened for modification C:\Windows\SysWOW64\Abegfa32.exe Ajnpecbj.exe File created C:\Windows\SysWOW64\Ddpobo32.exe Daacecfc.exe File created C:\Windows\SysWOW64\Iajfhi32.dll Gneijien.exe File created C:\Windows\SysWOW64\Cbkipjbh.dll Inhanl32.exe File created C:\Windows\SysWOW64\Cgekkhbb.dll Obdojcef.exe File created C:\Windows\SysWOW64\Jaknfc32.dll Ohagbj32.exe File created C:\Windows\SysWOW64\Fanppopl.dll Qkibcg32.exe File created C:\Windows\SysWOW64\Golnjpio.dll Bofgii32.exe File created C:\Windows\SysWOW64\Gmmfaa32.exe Gmmfaa32.exe File opened for modification C:\Windows\SysWOW64\Cbppnbhm.exe Coacbfii.exe File created C:\Windows\SysWOW64\Eikgge32.dll Fnacpffh.exe File created C:\Windows\SysWOW64\Kfmmfimm.dll Famope32.exe File opened for modification C:\Windows\SysWOW64\Fjhcegll.exe Fkecij32.exe File opened for modification C:\Windows\SysWOW64\Hihlqeib.exe Hpphhp32.exe File created C:\Windows\SysWOW64\Nfdkoc32.exe 4209ebcf9162ce406dc9b70c1352e0585c82daaecd54d22a67cded39ef0e89c6.exe File opened for modification C:\Windows\SysWOW64\Becpap32.exe Bbeded32.exe File created C:\Windows\SysWOW64\Mggljj32.dll Gbohehoj.exe File opened for modification C:\Windows\SysWOW64\Nabopjmj.exe Njhfcp32.exe File opened for modification C:\Windows\SysWOW64\Pnjofo32.exe Pdakniag.exe File created C:\Windows\SysWOW64\Ijmkqhaf.dll Aobnniji.exe File opened for modification C:\Windows\SysWOW64\Elajgpmj.exe Dmojkc32.exe File opened for modification C:\Windows\SysWOW64\Fmkilb32.exe Fhomkcoa.exe File created C:\Windows\SysWOW64\Jeecim32.dll Ghdgfbkl.exe File created C:\Windows\SysWOW64\Qeeheknp.dll Nfahomfd.exe File created C:\Windows\SysWOW64\Pfpemp32.dll Nmejllia.exe File created C:\Windows\SysWOW64\Pgnjde32.exe Ppcbgkka.exe File opened for modification C:\Windows\SysWOW64\Eejopecj.exe Eggndi32.exe File opened for modification C:\Windows\SysWOW64\Hgmamfed.dll Goiehm32.exe File created C:\Windows\SysWOW64\Dklqidif.dll Baojapfj.exe File created C:\Windows\SysWOW64\Lhlchh32.dll Copjdhib.exe File created C:\Windows\SysWOW64\Pahoec32.dll Dejbqb32.exe File created C:\Windows\SysWOW64\Imcpdkff.dll Dobgihgp.exe File opened for modification C:\Windows\SysWOW64\Dpkibo32.exe Dahifbpk.exe File created C:\Windows\SysWOW64\Epgfma32.dll Goiehm32.exe File opened for modification C:\Windows\SysWOW64\Gbadjg32.exe Gneijien.exe File created C:\Windows\SysWOW64\Lgpgbj32.dll Aaimopli.exe File created C:\Windows\SysWOW64\Niedqnen.exe Nfghdcfj.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6100 6068 WerFault.exe 475 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dacpkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbhbdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ackmih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpdgbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnheohcl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odchbe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcogbdkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niedqnen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbadjg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alnalh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ioohokoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldbofgme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhomkcoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llgjaeoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Njhfcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqgmfkhg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eelkeeah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehkhaqpk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqalaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfejjgli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paknelgk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndkhngdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elipgofb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfidjbdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adfqgl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecnoijbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqahqd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpjhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkpganf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pphkbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Copjdhib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfncpcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bflbigdb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4209ebcf9162ce406dc9b70c1352e0585c82daaecd54d22a67cded39ef0e89c6.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfghdcfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baojapfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeindm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfoghakb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cocphf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Befmfpbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gceailog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aohdmdoh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfnneb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgbfnngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmmfaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihpfgalh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmdeioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lddlkg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mggabaea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qobbofgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddeladm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pleofj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnkbpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmmeon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pciddedl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pldebkhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbjojh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gifclb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obdojcef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdakniag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfbngfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bcmfmlen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kklkcn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnpgd32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npaich32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbgmigeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fqdiga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gbjojh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pbagipfi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljfapjbi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bgoime32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoepnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Famope32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gfejjgli.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbqmhnbo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dimkiekk.dll" Ljddjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cbppnbhm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohagbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idppjg32.dll" Dpkibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iihiphln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Neknki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njhfcp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cgkocj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldikdp32.dll" Dldkmlhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gdhkfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihniaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkkcoogp.dll" Nlfmbibo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Picion32.dll" Hnheohcl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mggabaea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffbafegj.dll" Ackmih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjlcglnk.dll" Fdkklp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cpdgbm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dafmqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ddfebnoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Knmdeioh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfidjbdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpmjhk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dhpemm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdhln32.dll" Aomnhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ndhlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iakgefqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Daacecfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Flhmfbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjlioj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hpnkbpdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpdjaecc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Famope32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fdmhbplb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfcjdkpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hjcppidk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Klngkfge.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdeqfhjd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aqjdgmgd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ejgccq32.dll" Afjjed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lkfalipj.dll" Edfbaabj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fcbecl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lklgbadb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opnbbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjceldap.dll" Opfbngfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ogiaif32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anlhkbhq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhkkbmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dkqnoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fgnadkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Damocb32.dll" Pejmfqan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aflfjc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1776 wrote to memory of 2512 1776 4209ebcf9162ce406dc9b70c1352e0585c82daaecd54d22a67cded39ef0e89c6.exe 30 PID 1776 wrote to memory of 2512 1776 4209ebcf9162ce406dc9b70c1352e0585c82daaecd54d22a67cded39ef0e89c6.exe 30 PID 1776 wrote to memory of 2512 1776 4209ebcf9162ce406dc9b70c1352e0585c82daaecd54d22a67cded39ef0e89c6.exe 30 PID 1776 wrote to memory of 2512 1776 4209ebcf9162ce406dc9b70c1352e0585c82daaecd54d22a67cded39ef0e89c6.exe 30 PID 2512 wrote to memory of 2292 2512 Nfdkoc32.exe 31 PID 2512 wrote to memory of 2292 2512 Nfdkoc32.exe 31 PID 2512 wrote to memory of 2292 2512 Nfdkoc32.exe 31 PID 2512 wrote to memory of 2292 2512 Nfdkoc32.exe 31 PID 2292 wrote to memory of 2456 2292 Nnkcpq32.exe 32 PID 2292 wrote to memory of 2456 2292 Nnkcpq32.exe 32 PID 2292 wrote to memory of 2456 2292 Nnkcpq32.exe 32 PID 2292 wrote to memory of 2456 2292 Nnkcpq32.exe 32 PID 2456 wrote to memory of 2816 2456 Najpll32.exe 33 PID 2456 wrote to memory of 2816 2456 Najpll32.exe 33 PID 2456 wrote to memory of 2816 2456 Najpll32.exe 33 PID 2456 wrote to memory of 2816 2456 Najpll32.exe 33 PID 2816 wrote to memory of 2460 2816 Ndhlhg32.exe 34 PID 2816 wrote to memory of 2460 2816 Ndhlhg32.exe 34 PID 2816 wrote to memory of 2460 2816 Ndhlhg32.exe 34 PID 2816 wrote to memory of 2460 2816 Ndhlhg32.exe 34 PID 2460 wrote to memory of 2616 2460 Nfghdcfj.exe 35 PID 2460 wrote to memory of 2616 2460 Nfghdcfj.exe 35 PID 2460 wrote to memory of 2616 2460 Nfghdcfj.exe 35 PID 2460 wrote to memory of 2616 2460 Nfghdcfj.exe 35 PID 2616 wrote to memory of 2588 2616 Niedqnen.exe 36 PID 2616 wrote to memory of 2588 2616 Niedqnen.exe 36 PID 2616 wrote to memory of 2588 2616 Niedqnen.exe 36 PID 2616 wrote to memory of 2588 2616 Niedqnen.exe 36 PID 2588 wrote to memory of 2312 2588 Npolmh32.exe 37 PID 2588 wrote to memory of 2312 2588 Npolmh32.exe 37 PID 2588 wrote to memory of 2312 2588 Npolmh32.exe 37 PID 2588 wrote to memory of 2312 2588 Npolmh32.exe 37 PID 2312 wrote to memory of 1256 2312 Ndkhngdd.exe 38 PID 2312 wrote to memory of 1256 2312 Ndkhngdd.exe 38 PID 2312 wrote to memory of 1256 2312 Ndkhngdd.exe 38 PID 2312 wrote to memory of 1256 2312 Ndkhngdd.exe 38 PID 1256 wrote to memory of 1972 1256 Nfidjbdg.exe 39 PID 1256 wrote to memory of 1972 1256 Nfidjbdg.exe 39 PID 1256 wrote to memory of 1972 1256 Nfidjbdg.exe 39 PID 1256 wrote to memory of 1972 1256 Nfidjbdg.exe 39 PID 1972 wrote to memory of 2644 1972 Nigafnck.exe 40 PID 1972 wrote to memory of 2644 1972 Nigafnck.exe 40 PID 1972 wrote to memory of 2644 1972 Nigafnck.exe 40 PID 1972 wrote to memory of 2644 1972 Nigafnck.exe 40 PID 2644 wrote to memory of 1200 2644 Nlfmbibo.exe 41 PID 2644 wrote to memory of 1200 2644 Nlfmbibo.exe 41 PID 2644 wrote to memory of 1200 2644 Nlfmbibo.exe 41 PID 2644 wrote to memory of 1200 2644 Nlfmbibo.exe 41 PID 1200 wrote to memory of 1724 1200 Npaich32.exe 42 PID 1200 wrote to memory of 1724 1200 Npaich32.exe 42 PID 1200 wrote to memory of 1724 1200 Npaich32.exe 42 PID 1200 wrote to memory of 1724 1200 Npaich32.exe 42 PID 1724 wrote to memory of 2680 1724 Nbpeoc32.exe 43 PID 1724 wrote to memory of 2680 1724 Nbpeoc32.exe 43 PID 1724 wrote to memory of 2680 1724 Nbpeoc32.exe 43 PID 1724 wrote to memory of 2680 1724 Nbpeoc32.exe 43 PID 2680 wrote to memory of 2360 2680 Nijnln32.exe 44 PID 2680 wrote to memory of 2360 2680 Nijnln32.exe 44 PID 2680 wrote to memory of 2360 2680 Nijnln32.exe 44 PID 2680 wrote to memory of 2360 2680 Nijnln32.exe 44 PID 2360 wrote to memory of 1548 2360 Nmejllia.exe 45 PID 2360 wrote to memory of 1548 2360 Nmejllia.exe 45 PID 2360 wrote to memory of 1548 2360 Nmejllia.exe 45 PID 2360 wrote to memory of 1548 2360 Nmejllia.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4209ebcf9162ce406dc9b70c1352e0585c82daaecd54d22a67cded39ef0e89c6.exe"C:\Users\Admin\AppData\Local\Temp\4209ebcf9162ce406dc9b70c1352e0585c82daaecd54d22a67cded39ef0e89c6.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\SysWOW64\Nfdkoc32.exeC:\Windows\system32\Nfdkoc32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2512 -
C:\Windows\SysWOW64\Nnkcpq32.exeC:\Windows\system32\Nnkcpq32.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2292 -
C:\Windows\SysWOW64\Najpll32.exeC:\Windows\system32\Najpll32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2456 -
C:\Windows\SysWOW64\Ndhlhg32.exeC:\Windows\system32\Ndhlhg32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Nfghdcfj.exeC:\Windows\system32\Nfghdcfj.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Niedqnen.exeC:\Windows\system32\Niedqnen.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\SysWOW64\Npolmh32.exeC:\Windows\system32\Npolmh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2588 -
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312 -
C:\Windows\SysWOW64\Nfidjbdg.exeC:\Windows\system32\Nfidjbdg.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1256 -
C:\Windows\SysWOW64\Nigafnck.exeC:\Windows\system32\Nigafnck.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1972 -
C:\Windows\SysWOW64\Nlfmbibo.exeC:\Windows\system32\Nlfmbibo.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Npaich32.exeC:\Windows\system32\Npaich32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Windows\SysWOW64\Nbpeoc32.exeC:\Windows\system32\Nbpeoc32.exe14⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Nijnln32.exeC:\Windows\system32\Nijnln32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Npdfhhhe.exeC:\Windows\system32\Npdfhhhe.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1548 -
C:\Windows\SysWOW64\Nbbbdcgi.exeC:\Windows\system32\Nbbbdcgi.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Neqnqofm.exeC:\Windows\system32\Neqnqofm.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1664 -
C:\Windows\SysWOW64\Oiljam32.exeC:\Windows\system32\Oiljam32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2568 -
C:\Windows\SysWOW64\Olkfmi32.exeC:\Windows\system32\Olkfmi32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1940 -
C:\Windows\SysWOW64\Opfbngfb.exeC:\Windows\system32\Opfbngfb.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1448 -
C:\Windows\SysWOW64\Obdojcef.exeC:\Windows\system32\Obdojcef.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:488 -
C:\Windows\SysWOW64\Oagoep32.exeC:\Windows\system32\Oagoep32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2528 -
C:\Windows\SysWOW64\Ohagbj32.exeC:\Windows\system32\Ohagbj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2124 -
C:\Windows\SysWOW64\Okpcoe32.exeC:\Windows\system32\Okpcoe32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2908 -
C:\Windows\SysWOW64\Ookpodkj.exeC:\Windows\system32\Ookpodkj.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2748 -
C:\Windows\SysWOW64\Oeehln32.exeC:\Windows\system32\Oeehln32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Okbpde32.exeC:\Windows\system32\Okbpde32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Oalhqohl.exeC:\Windows\system32\Oalhqohl.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2788 -
C:\Windows\SysWOW64\Odjdmjgo.exeC:\Windows\system32\Odjdmjgo.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2004 -
C:\Windows\SysWOW64\Ogiaif32.exeC:\Windows\system32\Ogiaif32.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1716 -
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe34⤵
- Executes dropped EXE
PID:2232 -
C:\Windows\SysWOW64\Oanefo32.exeC:\Windows\system32\Oanefo32.exe35⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Oijjka32.exeC:\Windows\system32\Oijjka32.exe36⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Ppcbgkka.exeC:\Windows\system32\Ppcbgkka.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2852 -
C:\Windows\SysWOW64\Pgnjde32.exeC:\Windows\system32\Pgnjde32.exe38⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Pmgbao32.exeC:\Windows\system32\Pmgbao32.exe39⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Pljcllqe.exeC:\Windows\system32\Pljcllqe.exe40⤵
- Executes dropped EXE
PID:772 -
C:\Windows\SysWOW64\Pdakniag.exeC:\Windows\system32\Pdakniag.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2976 -
C:\Windows\SysWOW64\Pnjofo32.exeC:\Windows\system32\Pnjofo32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Pphkbj32.exeC:\Windows\system32\Pphkbj32.exe43⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1296 -
C:\Windows\SysWOW64\Poklngnf.exeC:\Windows\system32\Poklngnf.exe44⤵
- Executes dropped EXE
PID:892 -
C:\Windows\SysWOW64\Piqpkpml.exeC:\Windows\system32\Piqpkpml.exe45⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Ppkhhjei.exeC:\Windows\system32\Ppkhhjei.exe46⤵
- Executes dropped EXE
PID:2628 -
C:\Windows\SysWOW64\Pciddedl.exeC:\Windows\system32\Pciddedl.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:904 -
C:\Windows\SysWOW64\Palepb32.exeC:\Windows\system32\Palepb32.exe48⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe49⤵
- Executes dropped EXE
PID:2304 -
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe50⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Pkdihhag.exeC:\Windows\system32\Pkdihhag.exe51⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Pckajebj.exeC:\Windows\system32\Pckajebj.exe52⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1816 -
C:\Windows\SysWOW64\Pejmfqan.exeC:\Windows\system32\Pejmfqan.exe54⤵
- Executes dropped EXE
- Modifies registry class
PID:1232 -
C:\Windows\SysWOW64\Phhjblpa.exeC:\Windows\system32\Phhjblpa.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Pldebkhj.exeC:\Windows\system32\Pldebkhj.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:984 -
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Windows\SysWOW64\Qaqnkafa.exeC:\Windows\system32\Qaqnkafa.exe58⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Qfljkp32.exeC:\Windows\system32\Qfljkp32.exe59⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe60⤵
- Executes dropped EXE
PID:948 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe61⤵
- Executes dropped EXE
PID:2972 -
C:\Windows\SysWOW64\Qkibcg32.exeC:\Windows\system32\Qkibcg32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:2208 -
C:\Windows\SysWOW64\Qododfek.exeC:\Windows\system32\Qododfek.exe63⤵
- Executes dropped EXE
PID:2148 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe64⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Qqfkln32.exeC:\Windows\system32\Qqfkln32.exe65⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe66⤵PID:2708
-
C:\Windows\SysWOW64\Agpcihcf.exeC:\Windows\system32\Agpcihcf.exe67⤵PID:2744
-
C:\Windows\SysWOW64\Akkoig32.exeC:\Windows\system32\Akkoig32.exe68⤵PID:1176
-
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe69⤵
- Drops file in System32 directory
PID:1908 -
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe70⤵PID:1180
-
C:\Windows\SysWOW64\Aqhhanig.exeC:\Windows\system32\Aqhhanig.exe71⤵PID:1440
-
C:\Windows\SysWOW64\Adcdbl32.exeC:\Windows\system32\Adcdbl32.exe72⤵
- Drops file in System32 directory
PID:2776 -
C:\Windows\SysWOW64\Acfdnihk.exeC:\Windows\system32\Acfdnihk.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1568 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe74⤵PID:2768
-
C:\Windows\SysWOW64\Aknlofim.exeC:\Windows\system32\Aknlofim.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1992 -
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe76⤵
- Modifies registry class
PID:2824 -
C:\Windows\SysWOW64\Amohfo32.exeC:\Windows\system32\Amohfo32.exe77⤵PID:1460
-
C:\Windows\SysWOW64\Aqjdgmgd.exeC:\Windows\system32\Aqjdgmgd.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1836 -
C:\Windows\SysWOW64\Adfqgl32.exeC:\Windows\system32\Adfqgl32.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:3008 -
C:\Windows\SysWOW64\Agdmdg32.exeC:\Windows\system32\Agdmdg32.exe80⤵PID:2428
-
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe81⤵PID:1924
-
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe82⤵PID:2876
-
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe83⤵PID:2140
-
C:\Windows\SysWOW64\Aqmamm32.exeC:\Windows\system32\Aqmamm32.exe84⤵PID:1616
-
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe85⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:340 -
C:\Windows\SysWOW64\Aggiigmn.exeC:\Windows\system32\Aggiigmn.exe86⤵PID:1728
-
C:\Windows\SysWOW64\Afjjed32.exeC:\Windows\system32\Afjjed32.exe87⤵
- Drops file in System32 directory
- Modifies registry class
PID:2904 -
C:\Windows\SysWOW64\Aihfap32.exeC:\Windows\system32\Aihfap32.exe88⤵PID:2692
-
C:\Windows\SysWOW64\Amcbankf.exeC:\Windows\system32\Amcbankf.exe89⤵PID:2964
-
C:\Windows\SysWOW64\Aobnniji.exeC:\Windows\system32\Aobnniji.exe90⤵
- Drops file in System32 directory
PID:1404 -
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe91⤵PID:2172
-
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1420 -
C:\Windows\SysWOW64\Aflfjc32.exeC:\Windows\system32\Aflfjc32.exe93⤵
- Modifies registry class
PID:2916 -
C:\Windows\SysWOW64\Ajgbkbjp.exeC:\Windows\system32\Ajgbkbjp.exe94⤵PID:2072
-
C:\Windows\SysWOW64\Amfognic.exeC:\Windows\system32\Amfognic.exe95⤵PID:1020
-
C:\Windows\SysWOW64\Amfognic.exeC:\Windows\system32\Amfognic.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2648 -
C:\Windows\SysWOW64\Aodkci32.exeC:\Windows\system32\Aodkci32.exe97⤵PID:1660
-
C:\Windows\SysWOW64\Bbbgod32.exeC:\Windows\system32\Bbbgod32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1704 -
C:\Windows\SysWOW64\Bfncpcoc.exeC:\Windows\system32\Bfncpcoc.exe99⤵
- System Location Discovery: System Language Discovery
PID:3052 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe100⤵PID:1720
-
C:\Windows\SysWOW64\Bmhkmm32.exeC:\Windows\system32\Bmhkmm32.exe101⤵PID:2632
-
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe102⤵PID:448
-
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe103⤵
- Drops file in System32 directory
PID:1208 -
C:\Windows\SysWOW64\Bnihdemo.exeC:\Windows\system32\Bnihdemo.exe104⤵PID:756
-
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe105⤵
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe106⤵PID:600
-
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1740 -
C:\Windows\SysWOW64\Bkmhnjlh.exeC:\Windows\system32\Bkmhnjlh.exe108⤵PID:1196
-
C:\Windows\SysWOW64\Bnldjekl.exeC:\Windows\system32\Bnldjekl.exe109⤵PID:2992
-
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe110⤵PID:2676
-
C:\Windows\SysWOW64\Befmfpbi.exeC:\Windows\system32\Befmfpbi.exe111⤵
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe112⤵PID:1780
-
C:\Windows\SysWOW64\Bkpeci32.exeC:\Windows\system32\Bkpeci32.exe113⤵PID:1124
-
C:\Windows\SysWOW64\Bnnaoe32.exeC:\Windows\system32\Bnnaoe32.exe114⤵PID:2756
-
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe115⤵
- Drops file in System32 directory
PID:2792 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe116⤵PID:1340
-
C:\Windows\SysWOW64\Bckjhl32.exeC:\Windows\system32\Bckjhl32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:944 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe118⤵
- Drops file in System32 directory
PID:1832 -
C:\Windows\SysWOW64\Bkbaii32.exeC:\Windows\system32\Bkbaii32.exe119⤵PID:2176
-
C:\Windows\SysWOW64\Bnqned32.exeC:\Windows\system32\Bnqned32.exe120⤵PID:1300
-
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe121⤵PID:308
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-