Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
07/12/2024, 23:10
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
ad47356ed7eb3241024951ce30fe8c1ffade3b34d5c3d9a0db0938211dc55b6fN.exe
Resource
win7-20240708-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
ad47356ed7eb3241024951ce30fe8c1ffade3b34d5c3d9a0db0938211dc55b6fN.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
ad47356ed7eb3241024951ce30fe8c1ffade3b34d5c3d9a0db0938211dc55b6fN.exe
-
Size
344KB
-
MD5
c32191d15e803984fdf7f1549577d0b0
-
SHA1
88338b4bfc280663ee77ee618e69b7abcfe5dc00
-
SHA256
ad47356ed7eb3241024951ce30fe8c1ffade3b34d5c3d9a0db0938211dc55b6f
-
SHA512
cf280f0057f7098cfd08be0e67164c0780efa1b932ce59aae00c34d77354c7fcca24bd4eb878245aee8b297f484c05640cf635977d97fb081380df823ebd070a
-
SSDEEP
6144:B2q1j+lCpX2/mnbzvdLaD6OkPgl6bmIjlQFn:Jp4CpXImbzQD6OkPgl6bmIjKn
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://tat-neftbank.ru/kkq.php
http://tat-neftbank.ru/wcmd.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epbbkf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjbmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mblbnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njbfnjeg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbhccm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dgnjqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmkcil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Efjmbaba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdphjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jelfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kcdlhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pbemboof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kablnadm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpieengb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qhilkege.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dncibp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfjbmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikjhki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opfegp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plbkfdba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhkipdeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbhccm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djlfma32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcqlkjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nppofado.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfebnmcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djlfma32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eojlbb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igqhpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klcgpkhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpieengb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkkmgncb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfebnmcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Qemldifo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bbjpil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmcpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimoiopk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kipmhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mnglnj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omhhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aknngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eifmimch.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikgkei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jfjolf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kmimcbja.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Modlbmmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Adaiee32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fpbnjjkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gekfnoog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jimdcqom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hgeelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jcnoejch.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iieepbje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agglbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccpeld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dblhmoio.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefqdl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fhgifgnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iieepbje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pmehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pdppqbkn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dlgjldnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ifolhann.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2988 Iieepbje.exe 2644 Inbnhihl.exe 2760 Jelfdc32.exe 1832 Jlfnangf.exe 2656 Jhoklnkg.exe 2552 Jhdegn32.exe 3044 Kmqmod32.exe 2004 Kgkonj32.exe 1476 Kmegjdad.exe 1912 Kcdlhj32.exe 1796 Kindeddf.exe 572 Kokmmkcm.exe 2248 Lhhkapeh.exe 2844 Lgngbmjp.exe 780 Lngpog32.exe 896 Mloiec32.exe 824 Mblbnj32.exe 1088 Mhfjjdjf.exe 668 Mbnocipg.exe 1360 Mmccqbpm.exe 112 Mneohj32.exe 2056 Modlbmmn.exe 1784 Mnglnj32.exe 2976 Mimpkcdn.exe 1588 Nkkmgncb.exe 2736 Nbeedh32.exe 2932 Nknimnap.exe 2712 Ngdjaofc.exe 2876 Njbfnjeg.exe 2668 Nppofado.exe 2676 Nmcopebh.exe 1684 Nlilqbgp.exe 2536 Ncpdbohb.exe 964 Omhhke32.exe 2020 Opfegp32.exe 2148 Ofqmcj32.exe 2064 Opialpld.exe 2948 Oajndh32.exe 2956 Onnnml32.exe 2848 Oehgjfhi.exe 940 Omckoi32.exe 1740 Ohipla32.exe 1712 Ojglhm32.exe 2448 Pmehdh32.exe 1732 Pdppqbkn.exe 2452 Pjihmmbk.exe 2496 Pacajg32.exe 2408 Pbemboof.exe 1928 Pioeoi32.exe 2696 Pmjaohol.exe 2928 Pfbfhm32.exe 496 Piabdiep.exe 2580 Plpopddd.exe 1836 Pfebnmcj.exe 2368 Picojhcm.exe 1624 Plbkfdba.exe 2648 Pblcbn32.exe 1604 Qhilkege.exe 3068 Qkghgpfi.exe 1316 Qemldifo.exe 1300 Qhkipdeb.exe 1532 Qlfdac32.exe 2096 Aacmij32.exe 352 Adaiee32.exe -
Loads dropped DLL 64 IoCs
pid Process 2288 ad47356ed7eb3241024951ce30fe8c1ffade3b34d5c3d9a0db0938211dc55b6fN.exe 2288 ad47356ed7eb3241024951ce30fe8c1ffade3b34d5c3d9a0db0938211dc55b6fN.exe 2988 Iieepbje.exe 2988 Iieepbje.exe 2644 Inbnhihl.exe 2644 Inbnhihl.exe 2760 Jelfdc32.exe 2760 Jelfdc32.exe 1832 Jlfnangf.exe 1832 Jlfnangf.exe 2656 Jhoklnkg.exe 2656 Jhoklnkg.exe 2552 Jhdegn32.exe 2552 Jhdegn32.exe 3044 Kmqmod32.exe 3044 Kmqmod32.exe 2004 Kgkonj32.exe 2004 Kgkonj32.exe 1476 Kmegjdad.exe 1476 Kmegjdad.exe 1912 Kcdlhj32.exe 1912 Kcdlhj32.exe 1796 Kindeddf.exe 1796 Kindeddf.exe 572 Kokmmkcm.exe 572 Kokmmkcm.exe 2248 Lhhkapeh.exe 2248 Lhhkapeh.exe 2844 Lgngbmjp.exe 2844 Lgngbmjp.exe 780 Lngpog32.exe 780 Lngpog32.exe 896 Mloiec32.exe 896 Mloiec32.exe 824 Mblbnj32.exe 824 Mblbnj32.exe 1088 Mhfjjdjf.exe 1088 Mhfjjdjf.exe 668 Mbnocipg.exe 668 Mbnocipg.exe 1360 Mmccqbpm.exe 1360 Mmccqbpm.exe 112 Mneohj32.exe 112 Mneohj32.exe 2056 Modlbmmn.exe 2056 Modlbmmn.exe 1784 Mnglnj32.exe 1784 Mnglnj32.exe 2976 Mimpkcdn.exe 2976 Mimpkcdn.exe 1588 Nkkmgncb.exe 1588 Nkkmgncb.exe 2736 Nbeedh32.exe 2736 Nbeedh32.exe 2932 Nknimnap.exe 2932 Nknimnap.exe 2712 Ngdjaofc.exe 2712 Ngdjaofc.exe 2876 Njbfnjeg.exe 2876 Njbfnjeg.exe 2668 Nppofado.exe 2668 Nppofado.exe 2676 Nmcopebh.exe 2676 Nmcopebh.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Aamhcmdo.dll Boifga32.exe File opened for modification C:\Windows\SysWOW64\Jfjolf32.exe Ieibdnnp.exe File created C:\Windows\SysWOW64\Ofqmcj32.exe Opfegp32.exe File created C:\Windows\SysWOW64\Bgikembl.dll Picojhcm.exe File opened for modification C:\Windows\SysWOW64\Qemldifo.exe Qkghgpfi.exe File opened for modification C:\Windows\SysWOW64\Bfoeil32.exe Bcpimq32.exe File created C:\Windows\SysWOW64\Ghdjfq32.dll Cmmcpi32.exe File created C:\Windows\SysWOW64\Ocfqdk32.dll Fefqdl32.exe File created C:\Windows\SysWOW64\Fmdpgmhn.dll Mneohj32.exe File created C:\Windows\SysWOW64\Onepbd32.dll Dpklkgoj.exe File created C:\Windows\SysWOW64\Fhgifgnb.exe Famaimfe.exe File opened for modification C:\Windows\SysWOW64\Jbhebfck.exe Jipaip32.exe File created C:\Windows\SysWOW64\Bfoeil32.exe Bcpimq32.exe File created C:\Windows\SysWOW64\Ocimkc32.dll Cnejim32.exe File created C:\Windows\SysWOW64\Dnjoco32.exe Dfcgbb32.exe File opened for modification C:\Windows\SysWOW64\Eldiehbk.exe Eifmimch.exe File opened for modification C:\Windows\SysWOW64\Gefmcp32.exe Gcgqgd32.exe File created C:\Windows\SysWOW64\Hnbbcale.dll Gcgqgd32.exe File created C:\Windows\SysWOW64\Pblmdj32.dll Gamnhq32.exe File created C:\Windows\SysWOW64\Kdnkdmec.exe Kbmome32.exe File opened for modification C:\Windows\SysWOW64\Kmimcbja.exe Kdphjm32.exe File opened for modification C:\Windows\SysWOW64\Ojglhm32.exe Ohipla32.exe File created C:\Windows\SysWOW64\Ccpeld32.exe Cncmcm32.exe File created C:\Windows\SysWOW64\Adiijqhm.dll Pdppqbkn.exe File created C:\Windows\SysWOW64\Bfabnl32.exe Bcbfbp32.exe File created C:\Windows\SysWOW64\Qhihii32.dll Cncmcm32.exe File created C:\Windows\SysWOW64\Fhohnoea.dll Eldiehbk.exe File opened for modification C:\Windows\SysWOW64\Eogolc32.exe Elibpg32.exe File opened for modification C:\Windows\SysWOW64\Kbmome32.exe Klcgpkhh.exe File created C:\Windows\SysWOW64\Pblcbn32.exe Plbkfdba.exe File created C:\Windows\SysWOW64\Cbgobp32.exe Coicfd32.exe File opened for modification C:\Windows\SysWOW64\Eoebgcol.exe Epbbkf32.exe File created C:\Windows\SysWOW64\Mdmckc32.dll Gglbfg32.exe File opened for modification C:\Windows\SysWOW64\Kbhbai32.exe Kpieengb.exe File opened for modification C:\Windows\SysWOW64\Iipejmko.exe Ibfmmb32.exe File opened for modification C:\Windows\SysWOW64\Nknimnap.exe Nbeedh32.exe File created C:\Windows\SysWOW64\Nlilqbgp.exe Nmcopebh.exe File created C:\Windows\SysWOW64\Klcjnl32.dll Ofqmcj32.exe File created C:\Windows\SysWOW64\Dekdikhc.exe Dblhmoio.exe File opened for modification C:\Windows\SysWOW64\Hclfag32.exe Hifbdnbi.exe File created C:\Windows\SysWOW64\Hfjbmb32.exe Hclfag32.exe File opened for modification C:\Windows\SysWOW64\Ibacbcgg.exe Ikgkei32.exe File created C:\Windows\SysWOW64\Nmcopebh.exe Nppofado.exe File created C:\Windows\SysWOW64\Jdilhpcp.dll Pfebnmcj.exe File created C:\Windows\SysWOW64\Ccgnbk32.dll Plbkfdba.exe File created C:\Windows\SysWOW64\Fooembgb.exe Fggmldfp.exe File created C:\Windows\SysWOW64\Gekfnoog.exe Gncnmane.exe File created C:\Windows\SysWOW64\Epnhpglg.exe Emoldlmc.exe File opened for modification C:\Windows\SysWOW64\Hfjbmb32.exe Hclfag32.exe File created C:\Windows\SysWOW64\Ipafocdg.dll Lmmfnb32.exe File created C:\Windows\SysWOW64\Cmehhn32.dll Cogfqe32.exe File created C:\Windows\SysWOW64\Hccadd32.dll Ciokijfd.exe File opened for modification C:\Windows\SysWOW64\Eojlbb32.exe Ehpcehcj.exe File created C:\Windows\SysWOW64\Pnalcc32.dll Hddmjk32.exe File created C:\Windows\SysWOW64\Ifolhann.exe Ikjhki32.exe File opened for modification C:\Windows\SysWOW64\Mnglnj32.exe Modlbmmn.exe File opened for modification C:\Windows\SysWOW64\Pmehdh32.exe Ojglhm32.exe File opened for modification C:\Windows\SysWOW64\Pbemboof.exe Pacajg32.exe File created C:\Windows\SysWOW64\Qemldifo.exe Qkghgpfi.exe File created C:\Windows\SysWOW64\Ellqil32.dll Dcdkef32.exe File created C:\Windows\SysWOW64\Eihjolae.exe Efjmbaba.exe File opened for modification C:\Windows\SysWOW64\Jcciqi32.exe Jimdcqom.exe File created C:\Windows\SysWOW64\Anogijnb.exe Ageompfe.exe File opened for modification C:\Windows\SysWOW64\Cfanmogq.exe Cogfqe32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3436 3448 WerFault.exe 238 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nknimnap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adaiee32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbnjjkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncnmane.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbjbge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmfnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dncibp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfjbmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjdhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gamnhq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncpdbohb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldiehbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elibpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjcaha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jipaip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jelfdc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjihmmbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emoldlmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epbbkf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Modlbmmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omckoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojglhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmjaohol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehpcehcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimoiopk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igebkiof.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhhkapeh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgngbmjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gpggei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inbnhihl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdppqbkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhbdleol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fccglehn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiioin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aacmij32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lngpog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hadcipbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikjhki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdphjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gglbfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hclfag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmegjdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonale32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gekfnoog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibacbcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qlfdac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckeqga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eafkhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qhilkege.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhgifgnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgkonj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pacajg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbnocipg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemldifo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglalbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefqdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikgkei32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iieepbje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpeld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eoebgcol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jimdcqom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjhcag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omhhke32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eoebgcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njfaognh.dll" Fooembgb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Opialpld.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dmkcil32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Addfkeid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nedmma32.dll" Agglbp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocimkc32.dll" Cnejim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dpklkgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jipaip32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojgidcjn.dll" Omhhke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Plbkfdba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpndcho.dll" Kjhcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kmimcbja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpjqdl32.dll" Kcdlhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jcciqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlilqbgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gkebafoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hmpaom32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kdnkdmec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jhdegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmdpgmhn.dll" Mneohj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ibacbcgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ccpeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dhnhab32.dll" Dhbdleol.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Efjmbaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hellqgnm.dll" Gkebafoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ncpdbohb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Picojhcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iecbnqcj.dll" Eojlbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gonale32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gncnmane.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jfjolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Djdhoc32.dll" Nlilqbgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bbhccm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kbmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egmhoeom.dll" Mnglnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mimpkcdn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coicfd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdjiflem.dll" Djlfma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gamnhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Leoebflm.dll" Ibhicbao.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mbnocipg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Anogijnb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kndkfpje.dll" Igqhpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjjhc32.dll" Mimpkcdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bcbfbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aahfdihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cmehhn32.dll" Cogfqe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dfcgbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iafklo32.dll" Dfcgbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnbbcale.dll" Gcgqgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhdegn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aiaoclgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgngbmjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njbfnjeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gefmcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jimdcqom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmihbe32.dll" Jelfdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acejfl32.dll" Kmegjdad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gamnhq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Igebkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dlgjldnm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fpdkpiik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdbpekam.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2288 wrote to memory of 2988 2288 ad47356ed7eb3241024951ce30fe8c1ffade3b34d5c3d9a0db0938211dc55b6fN.exe 31 PID 2288 wrote to memory of 2988 2288 ad47356ed7eb3241024951ce30fe8c1ffade3b34d5c3d9a0db0938211dc55b6fN.exe 31 PID 2288 wrote to memory of 2988 2288 ad47356ed7eb3241024951ce30fe8c1ffade3b34d5c3d9a0db0938211dc55b6fN.exe 31 PID 2288 wrote to memory of 2988 2288 ad47356ed7eb3241024951ce30fe8c1ffade3b34d5c3d9a0db0938211dc55b6fN.exe 31 PID 2988 wrote to memory of 2644 2988 Iieepbje.exe 32 PID 2988 wrote to memory of 2644 2988 Iieepbje.exe 32 PID 2988 wrote to memory of 2644 2988 Iieepbje.exe 32 PID 2988 wrote to memory of 2644 2988 Iieepbje.exe 32 PID 2644 wrote to memory of 2760 2644 Inbnhihl.exe 33 PID 2644 wrote to memory of 2760 2644 Inbnhihl.exe 33 PID 2644 wrote to memory of 2760 2644 Inbnhihl.exe 33 PID 2644 wrote to memory of 2760 2644 Inbnhihl.exe 33 PID 2760 wrote to memory of 1832 2760 Jelfdc32.exe 34 PID 2760 wrote to memory of 1832 2760 Jelfdc32.exe 34 PID 2760 wrote to memory of 1832 2760 Jelfdc32.exe 34 PID 2760 wrote to memory of 1832 2760 Jelfdc32.exe 34 PID 1832 wrote to memory of 2656 1832 Jlfnangf.exe 35 PID 1832 wrote to memory of 2656 1832 Jlfnangf.exe 35 PID 1832 wrote to memory of 2656 1832 Jlfnangf.exe 35 PID 1832 wrote to memory of 2656 1832 Jlfnangf.exe 35 PID 2656 wrote to memory of 2552 2656 Jhoklnkg.exe 36 PID 2656 wrote to memory of 2552 2656 Jhoklnkg.exe 36 PID 2656 wrote to memory of 2552 2656 Jhoklnkg.exe 36 PID 2656 wrote to memory of 2552 2656 Jhoklnkg.exe 36 PID 2552 wrote to memory of 3044 2552 Jhdegn32.exe 37 PID 2552 wrote to memory of 3044 2552 Jhdegn32.exe 37 PID 2552 wrote to memory of 3044 2552 Jhdegn32.exe 37 PID 2552 wrote to memory of 3044 2552 Jhdegn32.exe 37 PID 3044 wrote to memory of 2004 3044 Kmqmod32.exe 38 PID 3044 wrote to memory of 2004 3044 Kmqmod32.exe 38 PID 3044 wrote to memory of 2004 3044 Kmqmod32.exe 38 PID 3044 wrote to memory of 2004 3044 Kmqmod32.exe 38 PID 2004 wrote to memory of 1476 2004 Kgkonj32.exe 39 PID 2004 wrote to memory of 1476 2004 Kgkonj32.exe 39 PID 2004 wrote to memory of 1476 2004 Kgkonj32.exe 39 PID 2004 wrote to memory of 1476 2004 Kgkonj32.exe 39 PID 1476 wrote to memory of 1912 1476 Kmegjdad.exe 40 PID 1476 wrote to memory of 1912 1476 Kmegjdad.exe 40 PID 1476 wrote to memory of 1912 1476 Kmegjdad.exe 40 PID 1476 wrote to memory of 1912 1476 Kmegjdad.exe 40 PID 1912 wrote to memory of 1796 1912 Kcdlhj32.exe 41 PID 1912 wrote to memory of 1796 1912 Kcdlhj32.exe 41 PID 1912 wrote to memory of 1796 1912 Kcdlhj32.exe 41 PID 1912 wrote to memory of 1796 1912 Kcdlhj32.exe 41 PID 1796 wrote to memory of 572 1796 Kindeddf.exe 42 PID 1796 wrote to memory of 572 1796 Kindeddf.exe 42 PID 1796 wrote to memory of 572 1796 Kindeddf.exe 42 PID 1796 wrote to memory of 572 1796 Kindeddf.exe 42 PID 572 wrote to memory of 2248 572 Kokmmkcm.exe 43 PID 572 wrote to memory of 2248 572 Kokmmkcm.exe 43 PID 572 wrote to memory of 2248 572 Kokmmkcm.exe 43 PID 572 wrote to memory of 2248 572 Kokmmkcm.exe 43 PID 2248 wrote to memory of 2844 2248 Lhhkapeh.exe 44 PID 2248 wrote to memory of 2844 2248 Lhhkapeh.exe 44 PID 2248 wrote to memory of 2844 2248 Lhhkapeh.exe 44 PID 2248 wrote to memory of 2844 2248 Lhhkapeh.exe 44 PID 2844 wrote to memory of 780 2844 Lgngbmjp.exe 45 PID 2844 wrote to memory of 780 2844 Lgngbmjp.exe 45 PID 2844 wrote to memory of 780 2844 Lgngbmjp.exe 45 PID 2844 wrote to memory of 780 2844 Lgngbmjp.exe 45 PID 780 wrote to memory of 896 780 Lngpog32.exe 46 PID 780 wrote to memory of 896 780 Lngpog32.exe 46 PID 780 wrote to memory of 896 780 Lngpog32.exe 46 PID 780 wrote to memory of 896 780 Lngpog32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\ad47356ed7eb3241024951ce30fe8c1ffade3b34d5c3d9a0db0938211dc55b6fN.exe"C:\Users\Admin\AppData\Local\Temp\ad47356ed7eb3241024951ce30fe8c1ffade3b34d5c3d9a0db0938211dc55b6fN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Iieepbje.exeC:\Windows\system32\Iieepbje.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\SysWOW64\Inbnhihl.exeC:\Windows\system32\Inbnhihl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644 -
C:\Windows\SysWOW64\Jelfdc32.exeC:\Windows\system32\Jelfdc32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Jlfnangf.exeC:\Windows\system32\Jlfnangf.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1832 -
C:\Windows\SysWOW64\Jhoklnkg.exeC:\Windows\system32\Jhoklnkg.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2656 -
C:\Windows\SysWOW64\Jhdegn32.exeC:\Windows\system32\Jhdegn32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2552 -
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\Kgkonj32.exeC:\Windows\system32\Kgkonj32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2004 -
C:\Windows\SysWOW64\Kmegjdad.exeC:\Windows\system32\Kmegjdad.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1476 -
C:\Windows\SysWOW64\Kcdlhj32.exeC:\Windows\system32\Kcdlhj32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1912 -
C:\Windows\SysWOW64\Kindeddf.exeC:\Windows\system32\Kindeddf.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1796 -
C:\Windows\SysWOW64\Kokmmkcm.exeC:\Windows\system32\Kokmmkcm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Lhhkapeh.exeC:\Windows\system32\Lhhkapeh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Lgngbmjp.exeC:\Windows\system32\Lgngbmjp.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Lngpog32.exeC:\Windows\system32\Lngpog32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:780 -
C:\Windows\SysWOW64\Mloiec32.exeC:\Windows\system32\Mloiec32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:896 -
C:\Windows\SysWOW64\Mblbnj32.exeC:\Windows\system32\Mblbnj32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:824 -
C:\Windows\SysWOW64\Mhfjjdjf.exeC:\Windows\system32\Mhfjjdjf.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1088 -
C:\Windows\SysWOW64\Mbnocipg.exeC:\Windows\system32\Mbnocipg.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:668 -
C:\Windows\SysWOW64\Mmccqbpm.exeC:\Windows\system32\Mmccqbpm.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1360 -
C:\Windows\SysWOW64\Mneohj32.exeC:\Windows\system32\Mneohj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:112 -
C:\Windows\SysWOW64\Modlbmmn.exeC:\Windows\system32\Modlbmmn.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2056 -
C:\Windows\SysWOW64\Mnglnj32.exeC:\Windows\system32\Mnglnj32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1784 -
C:\Windows\SysWOW64\Mimpkcdn.exeC:\Windows\system32\Mimpkcdn.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Nkkmgncb.exeC:\Windows\system32\Nkkmgncb.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1588 -
C:\Windows\SysWOW64\Nbeedh32.exeC:\Windows\system32\Nbeedh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2736 -
C:\Windows\SysWOW64\Nknimnap.exeC:\Windows\system32\Nknimnap.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2932 -
C:\Windows\SysWOW64\Ngdjaofc.exeC:\Windows\system32\Ngdjaofc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2712 -
C:\Windows\SysWOW64\Njbfnjeg.exeC:\Windows\system32\Njbfnjeg.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2876 -
C:\Windows\SysWOW64\Nppofado.exeC:\Windows\system32\Nppofado.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2668 -
C:\Windows\SysWOW64\Nmcopebh.exeC:\Windows\system32\Nmcopebh.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2676 -
C:\Windows\SysWOW64\Nlilqbgp.exeC:\Windows\system32\Nlilqbgp.exe33⤵
- Executes dropped EXE
- Modifies registry class
PID:1684 -
C:\Windows\SysWOW64\Ncpdbohb.exeC:\Windows\system32\Ncpdbohb.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Omhhke32.exeC:\Windows\system32\Omhhke32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Opfegp32.exeC:\Windows\system32\Opfegp32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2020 -
C:\Windows\SysWOW64\Ofqmcj32.exeC:\Windows\system32\Ofqmcj32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2148 -
C:\Windows\SysWOW64\Opialpld.exeC:\Windows\system32\Opialpld.exe38⤵
- Executes dropped EXE
- Modifies registry class
PID:2064 -
C:\Windows\SysWOW64\Oajndh32.exeC:\Windows\system32\Oajndh32.exe39⤵
- Executes dropped EXE
PID:2948 -
C:\Windows\SysWOW64\Onnnml32.exeC:\Windows\system32\Onnnml32.exe40⤵
- Executes dropped EXE
PID:2956 -
C:\Windows\SysWOW64\Oehgjfhi.exeC:\Windows\system32\Oehgjfhi.exe41⤵
- Executes dropped EXE
PID:2848 -
C:\Windows\SysWOW64\Omckoi32.exeC:\Windows\system32\Omckoi32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:940 -
C:\Windows\SysWOW64\Ohipla32.exeC:\Windows\system32\Ohipla32.exe43⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Ojglhm32.exeC:\Windows\system32\Ojglhm32.exe44⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1712 -
C:\Windows\SysWOW64\Pmehdh32.exeC:\Windows\system32\Pmehdh32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2448 -
C:\Windows\SysWOW64\Pdppqbkn.exeC:\Windows\system32\Pdppqbkn.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1732 -
C:\Windows\SysWOW64\Pjihmmbk.exeC:\Windows\system32\Pjihmmbk.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Pacajg32.exeC:\Windows\system32\Pacajg32.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Windows\SysWOW64\Pbemboof.exeC:\Windows\system32\Pbemboof.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Pioeoi32.exeC:\Windows\system32\Pioeoi32.exe50⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Pmjaohol.exeC:\Windows\system32\Pmjaohol.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\Pfbfhm32.exeC:\Windows\system32\Pfbfhm32.exe52⤵
- Executes dropped EXE
PID:2928 -
C:\Windows\SysWOW64\Piabdiep.exeC:\Windows\system32\Piabdiep.exe53⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\Plpopddd.exeC:\Windows\system32\Plpopddd.exe54⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Pfebnmcj.exeC:\Windows\system32\Pfebnmcj.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1836 -
C:\Windows\SysWOW64\Picojhcm.exeC:\Windows\system32\Picojhcm.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2368 -
C:\Windows\SysWOW64\Plbkfdba.exeC:\Windows\system32\Plbkfdba.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Pblcbn32.exeC:\Windows\system32\Pblcbn32.exe58⤵
- Executes dropped EXE
PID:2648 -
C:\Windows\SysWOW64\Qhilkege.exeC:\Windows\system32\Qhilkege.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1604 -
C:\Windows\SysWOW64\Qkghgpfi.exeC:\Windows\system32\Qkghgpfi.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3068 -
C:\Windows\SysWOW64\Qemldifo.exeC:\Windows\system32\Qemldifo.exe61⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1316 -
C:\Windows\SysWOW64\Qhkipdeb.exeC:\Windows\system32\Qhkipdeb.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Qlfdac32.exeC:\Windows\system32\Qlfdac32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Aacmij32.exeC:\Windows\system32\Aacmij32.exe64⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\Adaiee32.exeC:\Windows\system32\Adaiee32.exe65⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:352 -
C:\Windows\SysWOW64\Aklabp32.exeC:\Windows\system32\Aklabp32.exe66⤵PID:2204
-
C:\Windows\SysWOW64\Addfkeid.exeC:\Windows\system32\Addfkeid.exe67⤵
- Modifies registry class
PID:3020 -
C:\Windows\SysWOW64\Aknngo32.exeC:\Windows\system32\Aknngo32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3008 -
C:\Windows\SysWOW64\Aiaoclgl.exeC:\Windows\system32\Aiaoclgl.exe69⤵
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Aahfdihn.exeC:\Windows\system32\Aahfdihn.exe70⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Ageompfe.exeC:\Windows\system32\Ageompfe.exe71⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Anogijnb.exeC:\Windows\system32\Anogijnb.exe72⤵
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Agglbp32.exeC:\Windows\system32\Agglbp32.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Anadojlo.exeC:\Windows\system32\Anadojlo.exe74⤵PID:2816
-
C:\Windows\SysWOW64\Agihgp32.exeC:\Windows\system32\Agihgp32.exe75⤵PID:1900
-
C:\Windows\SysWOW64\Blfapfpg.exeC:\Windows\system32\Blfapfpg.exe76⤵PID:2392
-
C:\Windows\SysWOW64\Bcpimq32.exeC:\Windows\system32\Bcpimq32.exe77⤵
- Drops file in System32 directory
PID:1072 -
C:\Windows\SysWOW64\Bfoeil32.exeC:\Windows\system32\Bfoeil32.exe78⤵PID:1620
-
C:\Windows\SysWOW64\Bkknac32.exeC:\Windows\system32\Bkknac32.exe79⤵PID:1680
-
C:\Windows\SysWOW64\Bcbfbp32.exeC:\Windows\system32\Bcbfbp32.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:2344 -
C:\Windows\SysWOW64\Bfabnl32.exeC:\Windows\system32\Bfabnl32.exe81⤵PID:2188
-
C:\Windows\SysWOW64\Blkjkflb.exeC:\Windows\system32\Blkjkflb.exe82⤵PID:2088
-
C:\Windows\SysWOW64\Boifga32.exeC:\Windows\system32\Boifga32.exe83⤵
- Drops file in System32 directory
PID:876 -
C:\Windows\SysWOW64\Bbhccm32.exeC:\Windows\system32\Bbhccm32.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2060 -
C:\Windows\SysWOW64\Bolcma32.exeC:\Windows\system32\Bolcma32.exe85⤵PID:1596
-
C:\Windows\SysWOW64\Bbjpil32.exeC:\Windows\system32\Bbjpil32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Bgghac32.exeC:\Windows\system32\Bgghac32.exe87⤵PID:2440
-
C:\Windows\SysWOW64\Bjedmo32.exeC:\Windows\system32\Bjedmo32.exe88⤵PID:2692
-
C:\Windows\SysWOW64\Ckeqga32.exeC:\Windows\system32\Ckeqga32.exe89⤵
- System Location Discovery: System Language Discovery
PID:772 -
C:\Windows\SysWOW64\Cncmcm32.exeC:\Windows\system32\Cncmcm32.exe90⤵
- Drops file in System32 directory
PID:1824 -
C:\Windows\SysWOW64\Ccpeld32.exeC:\Windows\system32\Ccpeld32.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Cglalbbi.exeC:\Windows\system32\Cglalbbi.exe92⤵
- System Location Discovery: System Language Discovery
PID:2652 -
C:\Windows\SysWOW64\Cnejim32.exeC:\Windows\system32\Cnejim32.exe93⤵
- Drops file in System32 directory
- Modifies registry class
PID:928 -
C:\Windows\SysWOW64\Cogfqe32.exeC:\Windows\system32\Cogfqe32.exe94⤵
- Drops file in System32 directory
- Modifies registry class
PID:1780 -
C:\Windows\SysWOW64\Cfanmogq.exeC:\Windows\system32\Cfanmogq.exe95⤵PID:1756
-
C:\Windows\SysWOW64\Ciokijfd.exeC:\Windows\system32\Ciokijfd.exe96⤵
- Drops file in System32 directory
PID:2464 -
C:\Windows\SysWOW64\Coicfd32.exeC:\Windows\system32\Coicfd32.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:1348 -
C:\Windows\SysWOW64\Cbgobp32.exeC:\Windows\system32\Cbgobp32.exe98⤵PID:3032
-
C:\Windows\SysWOW64\Cmmcpi32.exeC:\Windows\system32\Cmmcpi32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2704 -
C:\Windows\SysWOW64\Ccgklc32.exeC:\Windows\system32\Ccgklc32.exe100⤵PID:2720
-
C:\Windows\SysWOW64\Cfehhn32.exeC:\Windows\system32\Cfehhn32.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1976 -
C:\Windows\SysWOW64\Cmppehkh.exeC:\Windows\system32\Cmppehkh.exe102⤵PID:2364
-
C:\Windows\SysWOW64\Dblhmoio.exeC:\Windows\system32\Dblhmoio.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2400 -
C:\Windows\SysWOW64\Dekdikhc.exeC:\Windows\system32\Dekdikhc.exe104⤵PID:908
-
C:\Windows\SysWOW64\Dncibp32.exeC:\Windows\system32\Dncibp32.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1308 -
C:\Windows\SysWOW64\Dboeco32.exeC:\Windows\system32\Dboeco32.exe106⤵PID:1372
-
C:\Windows\SysWOW64\Dlgjldnm.exeC:\Windows\system32\Dlgjldnm.exe107⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2512 -
C:\Windows\SysWOW64\Dbabho32.exeC:\Windows\system32\Dbabho32.exe108⤵PID:1568
-
C:\Windows\SysWOW64\Dgnjqe32.exeC:\Windows\system32\Dgnjqe32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1472 -
C:\Windows\SysWOW64\Djlfma32.exeC:\Windows\system32\Djlfma32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2556 -
C:\Windows\SysWOW64\Dmkcil32.exeC:\Windows\system32\Dmkcil32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Dcdkef32.exeC:\Windows\system32\Dcdkef32.exe112⤵
- Drops file in System32 directory
PID:1096 -
C:\Windows\SysWOW64\Dfcgbb32.exeC:\Windows\system32\Dfcgbb32.exe113⤵
- Drops file in System32 directory
- Modifies registry class
PID:756 -
C:\Windows\SysWOW64\Dnjoco32.exeC:\Windows\system32\Dnjoco32.exe114⤵PID:988
-
C:\Windows\SysWOW64\Dpklkgoj.exeC:\Windows\system32\Dpklkgoj.exe115⤵
- Drops file in System32 directory
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Dhbdleol.exeC:\Windows\system32\Dhbdleol.exe116⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2432 -
C:\Windows\SysWOW64\Emoldlmc.exeC:\Windows\system32\Emoldlmc.exe117⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2940 -
C:\Windows\SysWOW64\Epnhpglg.exeC:\Windows\system32\Epnhpglg.exe118⤵PID:900
-
C:\Windows\SysWOW64\Eifmimch.exeC:\Windows\system32\Eifmimch.exe119⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2756 -
C:\Windows\SysWOW64\Eldiehbk.exeC:\Windows\system32\Eldiehbk.exe120⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2764 -
C:\Windows\SysWOW64\Edlafebn.exeC:\Windows\system32\Edlafebn.exe121⤵PID:2708
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-