Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
27s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
25/12/2024, 19:28
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7af366efd66aa90abffb4cbab6f7d95169c9b986578ce8cd42e99c7722198e22N.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
7af366efd66aa90abffb4cbab6f7d95169c9b986578ce8cd42e99c7722198e22N.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
7af366efd66aa90abffb4cbab6f7d95169c9b986578ce8cd42e99c7722198e22N.exe
-
Size
96KB
-
MD5
8056a8e4dafe979aca8903ea8fde44e0
-
SHA1
1e60e7fc5ae7a2565563028463786e2c69ac65f0
-
SHA256
7af366efd66aa90abffb4cbab6f7d95169c9b986578ce8cd42e99c7722198e22
-
SHA512
9701b4d6dc36a514863b0c694f3aea106cfa966c77b5ceaf3070cd622f5ad9e1e84cf67438cf8b25e0261045c08e9657f0cd96b53656ca9c55e4695d3e4bc402
-
SSDEEP
1536:UQmEItOHsJUnWw2C4/M24M92LPsBMu/HCmiDcg3MZRP3cEW3Ac:kEItMSBP4MOPa6miEo
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://crutop.nu/index.php
http://crutop.ru/index.php
http://mazafaka.ru/index.php
http://color-bank.ru/index.php
http://asechka.ru/index.php
http://trojan.ru/index.php
http://fuck.ru/index.php
http://goldensand.ru/index.php
http://filesearch.ru/index.php
http://devx.nm.ru/index.php
http://ros-neftbank.ru/index.php
http://lovingod.host.sk/index.php
http://www.redline.ru/index.php
http://cvv.ru/index.php
http://hackers.lv/index.php
http://fethard.biz/index.php
http://ldark.nm.ru/index.htm
http://gaz-prom.ru/index.htm
http://promo.ru/index.htm
http://potleaf.chat.ru/index.htm
http://kadet.ru/index.htm
http://cvv.ru/index.htm
http://crutop.nu/index.htm
http://crutop.ru/index.htm
http://mazafaka.ru/index.htm
http://xware.cjb.net/index.htm
http://konfiskat.org/index.htm
http://parex-bank.ru/index.htm
http://kidos-bank.ru/index.htm
http://kavkaz.ru/index.htm
http://fethard.biz/index.htm
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlofgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fapeic32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khgkpl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ahgofi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgnbnpkp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhjlli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eojlbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kkeecogo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jjnhhjjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpflkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pjleclph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cogfqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Folhgbid.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjeglh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ngealejo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbfbnddq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fmdbnnlj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Keioca32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aficjnpm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hmlkfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iaegpaao.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdgdji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncnmane.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Opqoge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aficjnpm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cegoqlof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjdameg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mqehjecl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njgpij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Libjncnc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plgolf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdghaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnfddp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcojam32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jajmjcoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbeedh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbjlhpkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhbpkh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lfhhjklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iocgfhhc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cbppnbhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckhdggom.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnleiipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbllnlfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lnhgim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elcpbigl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eabepp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hinbppna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lgingm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaagcpdl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbmome32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mmbmeifk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Abpcooea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bbbpenco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmpgpond.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeiheo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njpihk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Klngkfge.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ompefj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgdgcfmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fhgppnan.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jacfidem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lonibk32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2052 Hnjbeh32.exe 2556 Hcgjmo32.exe 2716 Hjacjifm.exe 2760 Hakkgc32.exe 2844 Hifpke32.exe 484 Hboddk32.exe 2628 Hihlqeib.exe 3032 Iflmjihl.exe 1672 Ihniaa32.exe 1372 Iafnjg32.exe 1228 Iimfld32.exe 1496 Injndk32.exe 1676 Iedfqeka.exe 1100 Ijqoilii.exe 2088 Iakgefqe.exe 2588 Ifgpnmom.exe 652 Iamdkfnc.exe 1400 Ippdgc32.exe 1328 Ifjlcmmj.exe 2924 Iihiphln.exe 1944 Jaoqqflp.exe 2168 Jdnmma32.exe 2996 Jfliim32.exe 2420 Jkhejkcq.exe 1388 Jbcjnnpl.exe 2900 Jfofol32.exe 2204 Jlkngc32.exe 2868 Jedcpi32.exe 2948 Jhbold32.exe 2456 Jefpeh32.exe 1692 Jialfgcc.exe 2728 Jbjpom32.exe 2388 Jehlkhig.exe 600 Kkeecogo.exe 2112 Kncaojfb.exe 1900 Knfndjdp.exe 1760 Kpdjaecc.exe 1384 Kgnbnpkp.exe 2856 Kjmnjkjd.exe 2076 Kadfkhkf.exe 2920 Kklkcn32.exe 2916 Kjokokha.exe 1896 Klngkfge.exe 1520 Kffldlne.exe 2288 Kpkpadnl.exe 2480 Lfhhjklc.exe 3004 Ljddjj32.exe 2100 Lpnmgdli.exe 2544 Loqmba32.exe 2508 Lfkeokjp.exe 2816 Lhiakf32.exe 2768 Lkgngb32.exe 2636 Lbafdlod.exe 2604 Lfmbek32.exe 2864 Llgjaeoj.exe 1592 Lkjjma32.exe 1232 Lnhgim32.exe 1252 Lbcbjlmb.exe 1660 Lfoojj32.exe 1980 Lhnkffeo.exe 608 Lklgbadb.exe 1976 Lohccp32.exe 1928 Lbfook32.exe 2504 Lqipkhbj.exe -
Loads dropped DLL 64 IoCs
pid Process 2264 7af366efd66aa90abffb4cbab6f7d95169c9b986578ce8cd42e99c7722198e22N.exe 2264 7af366efd66aa90abffb4cbab6f7d95169c9b986578ce8cd42e99c7722198e22N.exe 2052 Hnjbeh32.exe 2052 Hnjbeh32.exe 2556 Hcgjmo32.exe 2556 Hcgjmo32.exe 2716 Hjacjifm.exe 2716 Hjacjifm.exe 2760 Hakkgc32.exe 2760 Hakkgc32.exe 2844 Hifpke32.exe 2844 Hifpke32.exe 484 Hboddk32.exe 484 Hboddk32.exe 2628 Hihlqeib.exe 2628 Hihlqeib.exe 3032 Iflmjihl.exe 3032 Iflmjihl.exe 1672 Ihniaa32.exe 1672 Ihniaa32.exe 1372 Iafnjg32.exe 1372 Iafnjg32.exe 1228 Iimfld32.exe 1228 Iimfld32.exe 1496 Injndk32.exe 1496 Injndk32.exe 1676 Iedfqeka.exe 1676 Iedfqeka.exe 1100 Ijqoilii.exe 1100 Ijqoilii.exe 2088 Iakgefqe.exe 2088 Iakgefqe.exe 2588 Ifgpnmom.exe 2588 Ifgpnmom.exe 652 Iamdkfnc.exe 652 Iamdkfnc.exe 1400 Ippdgc32.exe 1400 Ippdgc32.exe 1328 Ifjlcmmj.exe 1328 Ifjlcmmj.exe 2924 Iihiphln.exe 2924 Iihiphln.exe 1944 Jaoqqflp.exe 1944 Jaoqqflp.exe 2168 Jdnmma32.exe 2168 Jdnmma32.exe 2996 Jfliim32.exe 2996 Jfliim32.exe 2420 Jkhejkcq.exe 2420 Jkhejkcq.exe 1388 Jbcjnnpl.exe 1388 Jbcjnnpl.exe 2900 Jfofol32.exe 2900 Jfofol32.exe 2204 Jlkngc32.exe 2204 Jlkngc32.exe 2868 Jedcpi32.exe 2868 Jedcpi32.exe 2948 Jhbold32.exe 2948 Jhbold32.exe 2456 Jefpeh32.exe 2456 Jefpeh32.exe 1692 Jialfgcc.exe 1692 Jialfgcc.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Fckhhgcf.exe Fplllkdc.exe File opened for modification C:\Windows\SysWOW64\Plgolf32.exe Oemgplgo.exe File created C:\Windows\SysWOW64\Ekhmcelc.exe Egmabg32.exe File created C:\Windows\SysWOW64\Opfmmcec.dll Fgdgcfmb.exe File created C:\Windows\SysWOW64\Fkhibino.exe Fleifl32.exe File opened for modification C:\Windows\SysWOW64\Klmqapci.exe Khadpa32.exe File created C:\Windows\SysWOW64\Njfaognh.dll Fooembgb.exe File created C:\Windows\SysWOW64\Pcdapknb.dll Keioca32.exe File opened for modification C:\Windows\SysWOW64\Allefimb.exe Ahpifj32.exe File opened for modification C:\Windows\SysWOW64\Ckjamgmk.exe Cileqlmg.exe File created C:\Windows\SysWOW64\Gdcjpncm.exe Fnibcd32.exe File created C:\Windows\SysWOW64\Ijnkifgp.exe Igoomk32.exe File opened for modification C:\Windows\SysWOW64\Njpihk32.exe Ngbmlo32.exe File created C:\Windows\SysWOW64\Nfcakjoj.dll Nfdddm32.exe File created C:\Windows\SysWOW64\Pkdhln32.dll Achjibcl.exe File created C:\Windows\SysWOW64\Cillnojb.dll Fhljkm32.exe File created C:\Windows\SysWOW64\Hnnhngjf.exe Hkolakkb.exe File created C:\Windows\SysWOW64\Obgnhkkh.exe Onlahm32.exe File opened for modification C:\Windows\SysWOW64\Gamnhq32.exe Gonale32.exe File created C:\Windows\SysWOW64\Hjacjifm.exe Hcgjmo32.exe File opened for modification C:\Windows\SysWOW64\Hfepod32.exe Hnnhngjf.exe File created C:\Windows\SysWOW64\Lbjofi32.exe Lplbjm32.exe File opened for modification C:\Windows\SysWOW64\Cbppnbhm.exe Bigkel32.exe File created C:\Windows\SysWOW64\Dcbnpgkh.exe Dadbdkld.exe File created C:\Windows\SysWOW64\Kqmidcdi.dll Khohkamc.exe File created C:\Windows\SysWOW64\Dlofgj32.exe Dhckfkbh.exe File created C:\Windows\SysWOW64\Lncfcgeb.exe Lgingm32.exe File created C:\Windows\SysWOW64\Hailie32.dll Qemldifo.exe File created C:\Windows\SysWOW64\Kobgmfjh.dll Iamfdo32.exe File opened for modification C:\Windows\SysWOW64\Dfmeccao.exe Dcohghbk.exe File created C:\Windows\SysWOW64\Dnpciaef.exe Djdgic32.exe File created C:\Windows\SysWOW64\Dcohghbk.exe Daplkmbg.exe File opened for modification C:\Windows\SysWOW64\Elibpg32.exe Eikfdl32.exe File opened for modification C:\Windows\SysWOW64\Jfmkbebl.exe Jcnoejch.exe File opened for modification C:\Windows\SysWOW64\Iafnjg32.exe Ihniaa32.exe File created C:\Windows\SysWOW64\Ngpqfp32.exe Mqehjecl.exe File created C:\Windows\SysWOW64\Dociji32.dll Onlahm32.exe File opened for modification C:\Windows\SysWOW64\Efljhq32.exe Eoebgcol.exe File opened for modification C:\Windows\SysWOW64\Jajmjcoe.exe Jokqnhpa.exe File opened for modification C:\Windows\SysWOW64\Khadpa32.exe Kechdf32.exe File created C:\Windows\SysWOW64\Dhmcaf32.dll Lkggmldl.exe File opened for modification C:\Windows\SysWOW64\Mlafkb32.exe Mfgnnhkc.exe File created C:\Windows\SysWOW64\Kjkfeo32.dll Mqpflg32.exe File created C:\Windows\SysWOW64\Dbiocd32.exe Domccejd.exe File created C:\Windows\SysWOW64\Makpje32.dll Jacfidem.exe File opened for modification C:\Windows\SysWOW64\Ebckmaec.exe Epeoaffo.exe File created C:\Windows\SysWOW64\Gfnafi32.dll Aoagccfn.exe File created C:\Windows\SysWOW64\Jhebgh32.dll Jehlkhig.exe File created C:\Windows\SysWOW64\Cjakccop.exe Cgcnghpl.exe File opened for modification C:\Windows\SysWOW64\Iahceq32.exe Imlhebfc.exe File created C:\Windows\SysWOW64\Pdjiflem.dll Dlifadkk.exe File created C:\Windows\SysWOW64\Eicpcm32.exe Efedga32.exe File created C:\Windows\SysWOW64\Hcenjk32.dll Jlkngc32.exe File created C:\Windows\SysWOW64\Ddjmnoki.dll Icdcllpc.exe File opened for modification C:\Windows\SysWOW64\Mloiec32.exe Mjqmig32.exe File created C:\Windows\SysWOW64\Mpbclcja.dll Fkcilc32.exe File created C:\Windows\SysWOW64\Fpdkpiik.exe Fijbco32.exe File created C:\Windows\SysWOW64\Hbpmap32.dll Ehlmljkm.exe File opened for modification C:\Windows\SysWOW64\Odchbe32.exe Oadkej32.exe File created C:\Windows\SysWOW64\Bibjaofg.dll Pkmlmbcd.exe File created C:\Windows\SysWOW64\Bkjdndjo.exe Bgoime32.exe File opened for modification C:\Windows\SysWOW64\Bkjdndjo.exe Bgoime32.exe File created C:\Windows\SysWOW64\Dlljaj32.exe Debadpeg.exe File opened for modification C:\Windows\SysWOW64\Jpepkk32.exe Jmfcop32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7644 6968 WerFault.exe 762 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iogpag32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkhejkcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbcbjlmb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdncmgbj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahpifj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgllgedi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eldiehbk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamdkfnc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqnifg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phqmgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Figmjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldjbkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jplfkjbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lklgbadb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmgfqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Napbjjom.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefqdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdnfjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gglbfg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljddjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqoge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfkbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfieigio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgmdapml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dadbdkld.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Difqji32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iamfdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcaimgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfdenafn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eegkpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jigbebhb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljldnhid.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cceogcfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkknac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnqlmq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kipmhc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnkci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgbaml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjmnjkjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kffldlne.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nplimbka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dilapopb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ikfbbjdj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhahanie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejlnmkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkbdabog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dahkok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfmeccao.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eanldqgf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndcapd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddjlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hifpke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbjpom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klngkfge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eibgpnjk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lanbdf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdeqfhjd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjkhdacm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbblda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imlhebfc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jllqplnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jialfgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjqmig32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjkfeo32.dll" Mqpflg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dljmlj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epmadeed.dll" Dhckfkbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Heliepmn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ojmpooah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emfenggg.dll" Nfigck32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnlcjk32.dll" Iaegpaao.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jjpdmi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpehmcmg.dll" Jedcpi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lohccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lohccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hannfn32.dll" Adaiee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Acicla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnqlmq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fooembgb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pbonaedo.dll" Hmpaom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmhflfhh.dll" Kjmnjkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lgchgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mclebc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hkahgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pehcij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Adfbpega.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Folhgbid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Loqmba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ijnkifgp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hfhfhbce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oaogognm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fccglehn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pnbojmmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oeaqig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dociji32.dll" Onlahm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cbjlhpkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mjhjdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocamldcp.dll" Nckkgp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjdbf32.dll" Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Olkifaen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oehgjfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ippdgc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ifjlcmmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qiioon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pmehdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jcfoeb32.dll" Pbemboof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gdecfn32.dll" Acicla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocimkc32.dll" Cmhjdiap.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmgamof.dll" Jbcjnnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hcenjk32.dll" Jlkngc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iqpflded.dll" Lfmbek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aoapfe32.dll" Mpgobc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elcpbigl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjaaeimj.dll" Kpfplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hqgggnne.dll" Popgboae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfakep32.dll" Ciokijfd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eeagimdf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pdbmfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qiflohqk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Deakjjbk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edcnakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fgglcg32.dll" Piliii32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aclpaali.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pofhpf32.dll" Cbjlhpkb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Icifjk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nlefhcnc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cqaiph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jedcpi32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2264 wrote to memory of 2052 2264 7af366efd66aa90abffb4cbab6f7d95169c9b986578ce8cd42e99c7722198e22N.exe 30 PID 2264 wrote to memory of 2052 2264 7af366efd66aa90abffb4cbab6f7d95169c9b986578ce8cd42e99c7722198e22N.exe 30 PID 2264 wrote to memory of 2052 2264 7af366efd66aa90abffb4cbab6f7d95169c9b986578ce8cd42e99c7722198e22N.exe 30 PID 2264 wrote to memory of 2052 2264 7af366efd66aa90abffb4cbab6f7d95169c9b986578ce8cd42e99c7722198e22N.exe 30 PID 2052 wrote to memory of 2556 2052 Hnjbeh32.exe 31 PID 2052 wrote to memory of 2556 2052 Hnjbeh32.exe 31 PID 2052 wrote to memory of 2556 2052 Hnjbeh32.exe 31 PID 2052 wrote to memory of 2556 2052 Hnjbeh32.exe 31 PID 2556 wrote to memory of 2716 2556 Hcgjmo32.exe 32 PID 2556 wrote to memory of 2716 2556 Hcgjmo32.exe 32 PID 2556 wrote to memory of 2716 2556 Hcgjmo32.exe 32 PID 2556 wrote to memory of 2716 2556 Hcgjmo32.exe 32 PID 2716 wrote to memory of 2760 2716 Hjacjifm.exe 33 PID 2716 wrote to memory of 2760 2716 Hjacjifm.exe 33 PID 2716 wrote to memory of 2760 2716 Hjacjifm.exe 33 PID 2716 wrote to memory of 2760 2716 Hjacjifm.exe 33 PID 2760 wrote to memory of 2844 2760 Hakkgc32.exe 34 PID 2760 wrote to memory of 2844 2760 Hakkgc32.exe 34 PID 2760 wrote to memory of 2844 2760 Hakkgc32.exe 34 PID 2760 wrote to memory of 2844 2760 Hakkgc32.exe 34 PID 2844 wrote to memory of 484 2844 Hifpke32.exe 35 PID 2844 wrote to memory of 484 2844 Hifpke32.exe 35 PID 2844 wrote to memory of 484 2844 Hifpke32.exe 35 PID 2844 wrote to memory of 484 2844 Hifpke32.exe 35 PID 484 wrote to memory of 2628 484 Hboddk32.exe 36 PID 484 wrote to memory of 2628 484 Hboddk32.exe 36 PID 484 wrote to memory of 2628 484 Hboddk32.exe 36 PID 484 wrote to memory of 2628 484 Hboddk32.exe 36 PID 2628 wrote to memory of 3032 2628 Hihlqeib.exe 37 PID 2628 wrote to memory of 3032 2628 Hihlqeib.exe 37 PID 2628 wrote to memory of 3032 2628 Hihlqeib.exe 37 PID 2628 wrote to memory of 3032 2628 Hihlqeib.exe 37 PID 3032 wrote to memory of 1672 3032 Iflmjihl.exe 38 PID 3032 wrote to memory of 1672 3032 Iflmjihl.exe 38 PID 3032 wrote to memory of 1672 3032 Iflmjihl.exe 38 PID 3032 wrote to memory of 1672 3032 Iflmjihl.exe 38 PID 1672 wrote to memory of 1372 1672 Ihniaa32.exe 39 PID 1672 wrote to memory of 1372 1672 Ihniaa32.exe 39 PID 1672 wrote to memory of 1372 1672 Ihniaa32.exe 39 PID 1672 wrote to memory of 1372 1672 Ihniaa32.exe 39 PID 1372 wrote to memory of 1228 1372 Iafnjg32.exe 40 PID 1372 wrote to memory of 1228 1372 Iafnjg32.exe 40 PID 1372 wrote to memory of 1228 1372 Iafnjg32.exe 40 PID 1372 wrote to memory of 1228 1372 Iafnjg32.exe 40 PID 1228 wrote to memory of 1496 1228 Iimfld32.exe 41 PID 1228 wrote to memory of 1496 1228 Iimfld32.exe 41 PID 1228 wrote to memory of 1496 1228 Iimfld32.exe 41 PID 1228 wrote to memory of 1496 1228 Iimfld32.exe 41 PID 1496 wrote to memory of 1676 1496 Injndk32.exe 42 PID 1496 wrote to memory of 1676 1496 Injndk32.exe 42 PID 1496 wrote to memory of 1676 1496 Injndk32.exe 42 PID 1496 wrote to memory of 1676 1496 Injndk32.exe 42 PID 1676 wrote to memory of 1100 1676 Iedfqeka.exe 43 PID 1676 wrote to memory of 1100 1676 Iedfqeka.exe 43 PID 1676 wrote to memory of 1100 1676 Iedfqeka.exe 43 PID 1676 wrote to memory of 1100 1676 Iedfqeka.exe 43 PID 1100 wrote to memory of 2088 1100 Ijqoilii.exe 44 PID 1100 wrote to memory of 2088 1100 Ijqoilii.exe 44 PID 1100 wrote to memory of 2088 1100 Ijqoilii.exe 44 PID 1100 wrote to memory of 2088 1100 Ijqoilii.exe 44 PID 2088 wrote to memory of 2588 2088 Iakgefqe.exe 45 PID 2088 wrote to memory of 2588 2088 Iakgefqe.exe 45 PID 2088 wrote to memory of 2588 2088 Iakgefqe.exe 45 PID 2088 wrote to memory of 2588 2088 Iakgefqe.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7af366efd66aa90abffb4cbab6f7d95169c9b986578ce8cd42e99c7722198e22N.exe"C:\Users\Admin\AppData\Local\Temp\7af366efd66aa90abffb4cbab6f7d95169c9b986578ce8cd42e99c7722198e22N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Hnjbeh32.exeC:\Windows\system32\Hnjbeh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Windows\SysWOW64\Hjacjifm.exeC:\Windows\system32\Hjacjifm.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Hakkgc32.exeC:\Windows\system32\Hakkgc32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Hifpke32.exeC:\Windows\system32\Hifpke32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844 -
C:\Windows\SysWOW64\Hboddk32.exeC:\Windows\system32\Hboddk32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:484 -
C:\Windows\SysWOW64\Hihlqeib.exeC:\Windows\system32\Hihlqeib.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Iflmjihl.exeC:\Windows\system32\Iflmjihl.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Ihniaa32.exeC:\Windows\system32\Ihniaa32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1672 -
C:\Windows\SysWOW64\Iafnjg32.exeC:\Windows\system32\Iafnjg32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\Iimfld32.exeC:\Windows\system32\Iimfld32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228 -
C:\Windows\SysWOW64\Injndk32.exeC:\Windows\system32\Injndk32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1100 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Ifgpnmom.exeC:\Windows\system32\Ifgpnmom.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:652 -
C:\Windows\SysWOW64\Ippdgc32.exeC:\Windows\system32\Ippdgc32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1400 -
C:\Windows\SysWOW64\Ifjlcmmj.exeC:\Windows\system32\Ifjlcmmj.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1328 -
C:\Windows\SysWOW64\Iihiphln.exeC:\Windows\system32\Iihiphln.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2924 -
C:\Windows\SysWOW64\Jaoqqflp.exeC:\Windows\system32\Jaoqqflp.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1944 -
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2168 -
C:\Windows\SysWOW64\Jfliim32.exeC:\Windows\system32\Jfliim32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2996 -
C:\Windows\SysWOW64\Jkhejkcq.exeC:\Windows\system32\Jkhejkcq.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\Jbcjnnpl.exeC:\Windows\system32\Jbcjnnpl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1388 -
C:\Windows\SysWOW64\Jfofol32.exeC:\Windows\system32\Jfofol32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Jlkngc32.exeC:\Windows\system32\Jlkngc32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Jedcpi32.exeC:\Windows\system32\Jedcpi32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2868 -
C:\Windows\SysWOW64\Jhbold32.exeC:\Windows\system32\Jhbold32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2948 -
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Jialfgcc.exeC:\Windows\system32\Jialfgcc.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1692 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Jehlkhig.exeC:\Windows\system32\Jehlkhig.exe34⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2388 -
C:\Windows\SysWOW64\Kkeecogo.exeC:\Windows\system32\Kkeecogo.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:600 -
C:\Windows\SysWOW64\Kncaojfb.exeC:\Windows\system32\Kncaojfb.exe36⤵
- Executes dropped EXE
PID:2112 -
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe37⤵
- Executes dropped EXE
PID:1900 -
C:\Windows\SysWOW64\Kpdjaecc.exeC:\Windows\system32\Kpdjaecc.exe38⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Kgnbnpkp.exeC:\Windows\system32\Kgnbnpkp.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1384 -
C:\Windows\SysWOW64\Kjmnjkjd.exeC:\Windows\system32\Kjmnjkjd.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2856 -
C:\Windows\SysWOW64\Kadfkhkf.exeC:\Windows\system32\Kadfkhkf.exe41⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe42⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Kjokokha.exeC:\Windows\system32\Kjokokha.exe43⤵
- Executes dropped EXE
PID:2916 -
C:\Windows\SysWOW64\Klngkfge.exeC:\Windows\system32\Klngkfge.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1896 -
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1520 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe46⤵
- Executes dropped EXE
PID:2288 -
C:\Windows\SysWOW64\Lfhhjklc.exeC:\Windows\system32\Lfhhjklc.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Ljddjj32.exeC:\Windows\system32\Ljddjj32.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3004 -
C:\Windows\SysWOW64\Lpnmgdli.exeC:\Windows\system32\Lpnmgdli.exe49⤵
- Executes dropped EXE
PID:2100 -
C:\Windows\SysWOW64\Loqmba32.exeC:\Windows\system32\Loqmba32.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2544 -
C:\Windows\SysWOW64\Lfkeokjp.exeC:\Windows\system32\Lfkeokjp.exe51⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Lhiakf32.exeC:\Windows\system32\Lhiakf32.exe52⤵
- Executes dropped EXE
PID:2816 -
C:\Windows\SysWOW64\Lkgngb32.exeC:\Windows\system32\Lkgngb32.exe53⤵
- Executes dropped EXE
PID:2768 -
C:\Windows\SysWOW64\Lbafdlod.exeC:\Windows\system32\Lbafdlod.exe54⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Lfmbek32.exeC:\Windows\system32\Lfmbek32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Llgjaeoj.exeC:\Windows\system32\Llgjaeoj.exe56⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe57⤵
- Executes dropped EXE
PID:1592 -
C:\Windows\SysWOW64\Lnhgim32.exeC:\Windows\system32\Lnhgim32.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1232 -
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe59⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1252 -
C:\Windows\SysWOW64\Lfoojj32.exeC:\Windows\system32\Lfoojj32.exe60⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Lhnkffeo.exeC:\Windows\system32\Lhnkffeo.exe61⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Lklgbadb.exeC:\Windows\system32\Lklgbadb.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:608 -
C:\Windows\SysWOW64\Lohccp32.exeC:\Windows\system32\Lohccp32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:1976 -
C:\Windows\SysWOW64\Lbfook32.exeC:\Windows\system32\Lbfook32.exe64⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Lqipkhbj.exeC:\Windows\system32\Lqipkhbj.exe65⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Lgchgb32.exeC:\Windows\system32\Lgchgb32.exe66⤵
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Mkndhabp.exeC:\Windows\system32\Mkndhabp.exe67⤵PID:2448
-
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe68⤵PID:2096
-
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe69⤵PID:1620
-
C:\Windows\SysWOW64\Mdghaf32.exeC:\Windows\system32\Mdghaf32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2700 -
C:\Windows\SysWOW64\Mkqqnq32.exeC:\Windows\system32\Mkqqnq32.exe71⤵PID:2152
-
C:\Windows\SysWOW64\Mjcaimgg.exeC:\Windows\system32\Mjcaimgg.exe72⤵
- System Location Discovery: System Language Discovery
PID:2624 -
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2652 -
C:\Windows\SysWOW64\Mqnifg32.exeC:\Windows\system32\Mqnifg32.exe74⤵
- System Location Discovery: System Language Discovery
PID:1892 -
C:\Windows\SysWOW64\Mclebc32.exeC:\Windows\system32\Mclebc32.exe75⤵
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Mjfnomde.exeC:\Windows\system32\Mjfnomde.exe76⤵PID:784
-
C:\Windows\SysWOW64\Mqpflg32.exeC:\Windows\system32\Mqpflg32.exe77⤵
- Drops file in System32 directory
- Modifies registry class
PID:1652 -
C:\Windows\SysWOW64\Mcnbhb32.exeC:\Windows\system32\Mcnbhb32.exe78⤵PID:2068
-
C:\Windows\SysWOW64\Mfmndn32.exeC:\Windows\system32\Mfmndn32.exe79⤵PID:408
-
C:\Windows\SysWOW64\Mjhjdm32.exeC:\Windows\system32\Mjhjdm32.exe80⤵
- Modifies registry class
PID:1960 -
C:\Windows\SysWOW64\Mmgfqh32.exeC:\Windows\system32\Mmgfqh32.exe81⤵
- System Location Discovery: System Language Discovery
PID:1656 -
C:\Windows\SysWOW64\Mcqombic.exeC:\Windows\system32\Mcqombic.exe82⤵PID:1028
-
C:\Windows\SysWOW64\Mbcoio32.exeC:\Windows\system32\Mbcoio32.exe83⤵PID:1824
-
C:\Windows\SysWOW64\Mimgeigj.exeC:\Windows\system32\Mimgeigj.exe84⤵PID:2364
-
C:\Windows\SysWOW64\Mmicfh32.exeC:\Windows\system32\Mmicfh32.exe85⤵PID:2176
-
C:\Windows\SysWOW64\Mpgobc32.exeC:\Windows\system32\Mpgobc32.exe86⤵
- Modifies registry class
PID:2812 -
C:\Windows\SysWOW64\Nbflno32.exeC:\Windows\system32\Nbflno32.exe87⤵PID:2792
-
C:\Windows\SysWOW64\Nfahomfd.exeC:\Windows\system32\Nfahomfd.exe88⤵PID:568
-
C:\Windows\SysWOW64\Nmkplgnq.exeC:\Windows\system32\Nmkplgnq.exe89⤵PID:3020
-
C:\Windows\SysWOW64\Npjlhcmd.exeC:\Windows\system32\Npjlhcmd.exe90⤵PID:2356
-
C:\Windows\SysWOW64\Nfdddm32.exeC:\Windows\system32\Nfdddm32.exe91⤵
- Drops file in System32 directory
PID:2516 -
C:\Windows\SysWOW64\Ngealejo.exeC:\Windows\system32\Ngealejo.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1724 -
C:\Windows\SysWOW64\Nplimbka.exeC:\Windows\system32\Nplimbka.exe93⤵
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Nbjeinje.exeC:\Windows\system32\Nbjeinje.exe94⤵PID:2496
-
C:\Windows\SysWOW64\Neiaeiii.exeC:\Windows\system32\Neiaeiii.exe95⤵PID:2160
-
C:\Windows\SysWOW64\Nhgnaehm.exeC:\Windows\system32\Nhgnaehm.exe96⤵PID:1004
-
C:\Windows\SysWOW64\Nlcibc32.exeC:\Windows\system32\Nlcibc32.exe97⤵PID:1596
-
C:\Windows\SysWOW64\Nnafnopi.exeC:\Windows\system32\Nnafnopi.exe98⤵PID:2548
-
C:\Windows\SysWOW64\Napbjjom.exeC:\Windows\system32\Napbjjom.exe99⤵
- System Location Discovery: System Language Discovery
PID:2832 -
C:\Windows\SysWOW64\Ncnngfna.exeC:\Windows\system32\Ncnngfna.exe100⤵PID:2884
-
C:\Windows\SysWOW64\Nlefhcnc.exeC:\Windows\system32\Nlefhcnc.exe101⤵
- Modifies registry class
PID:2608 -
C:\Windows\SysWOW64\Nncbdomg.exeC:\Windows\system32\Nncbdomg.exe102⤵PID:3068
-
C:\Windows\SysWOW64\Nenkqi32.exeC:\Windows\system32\Nenkqi32.exe103⤵PID:996
-
C:\Windows\SysWOW64\Nhlgmd32.exeC:\Windows\system32\Nhlgmd32.exe104⤵PID:1880
-
C:\Windows\SysWOW64\Nfoghakb.exeC:\Windows\system32\Nfoghakb.exe105⤵PID:1572
-
C:\Windows\SysWOW64\Onfoin32.exeC:\Windows\system32\Onfoin32.exe106⤵PID:448
-
C:\Windows\SysWOW64\Oadkej32.exeC:\Windows\system32\Oadkej32.exe107⤵
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Odchbe32.exeC:\Windows\system32\Odchbe32.exe108⤵PID:1804
-
C:\Windows\SysWOW64\Ojmpooah.exeC:\Windows\system32\Ojmpooah.exe109⤵
- Modifies registry class
PID:2992 -
C:\Windows\SysWOW64\Oplelf32.exeC:\Windows\system32\Oplelf32.exe110⤵PID:344
-
C:\Windows\SysWOW64\Objaha32.exeC:\Windows\system32\Objaha32.exe111⤵PID:2836
-
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe112⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2740 -
C:\Windows\SysWOW64\Opnbbe32.exeC:\Windows\system32\Opnbbe32.exe113⤵PID:1220
-
C:\Windows\SysWOW64\Ofhjopbg.exeC:\Windows\system32\Ofhjopbg.exe114⤵PID:1768
-
C:\Windows\SysWOW64\Oiffkkbk.exeC:\Windows\system32\Oiffkkbk.exe115⤵PID:1784
-
C:\Windows\SysWOW64\Olebgfao.exeC:\Windows\system32\Olebgfao.exe116⤵PID:2008
-
C:\Windows\SysWOW64\Opqoge32.exeC:\Windows\system32\Opqoge32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2384 -
C:\Windows\SysWOW64\Oococb32.exeC:\Windows\system32\Oococb32.exe118⤵PID:912
-
C:\Windows\SysWOW64\Oabkom32.exeC:\Windows\system32\Oabkom32.exe119⤵PID:2328
-
C:\Windows\SysWOW64\Oemgplgo.exeC:\Windows\system32\Oemgplgo.exe120⤵
- Drops file in System32 directory
PID:3000 -
C:\Windows\SysWOW64\Plgolf32.exeC:\Windows\system32\Plgolf32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1168
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-