Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
19/09/2024, 10:14
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4N.exe
-
Size
144KB
-
MD5
3559c069a4793e151d4b4a33f72af770
-
SHA1
e293b9506854db9f328363f6bc6c0bfb7f6a6e62
-
SHA256
9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4
-
SHA512
7f8259898982751f2796b58be139244c2d422e29ea3fa53b571639c06cba323b49d2bcdb3d60af372e41c4cd41aa91d98b3d8e7250e389438c3577d34f03f632
-
SSDEEP
3072:7nhTAgymzPggKJ7RUzgrgHq/Wp+YmKfxgQdxvH:9Tpymz17grUmKyIx/
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nagbgl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pecgea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhkkbmnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eldglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kglehp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kopokehd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peanbblf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Anjlebjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjjpjgjj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihbcmaje.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmogmjmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oeckfndj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dklddhka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjegog32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kddomchg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfehan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gehhmkko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pahogc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kljabgnh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfpeeqig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lhpglecl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ilnmdgkj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Enkpahon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjpkqonj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohcdhi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdhkfd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Melifl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ogiaif32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpkkjc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcmiod32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjngmmnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Accnekon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Achojp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nlfmbibo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkiicmdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbjpom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfnmpn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Clbnhmjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Folfoj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gfhgpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blobjaba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Olbchn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pgegok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhplhc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkhgip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Demofaol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hfjpdjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdpldi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpcjnabn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hifpke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found -
Executes dropped EXE 64 IoCs
pid Process 2272 Jjdmmdnh.exe 2632 Jmbiipml.exe 2740 Jfknbe32.exe 2744 Kocbkk32.exe 2436 Kjifhc32.exe 1376 Kmgbdo32.exe 788 Kbdklf32.exe 876 Kklpekno.exe 2596 Keednado.exe 2820 Kpjhkjde.exe 1608 Kegqdqbl.exe 2404 Kicmdo32.exe 2600 Knpemf32.exe 1748 Lanaiahq.exe 1848 Lnbbbffj.exe 3008 Lcojjmea.exe 2648 Lndohedg.exe 2112 Labkdack.exe 2372 Lfpclh32.exe 1084 Ljkomfjl.exe 688 Lbfdaigg.exe 1788 Lfbpag32.exe 2400 Lcfqkl32.exe 632 Lfdmggnm.exe 2224 Mpmapm32.exe 1532 Mbkmlh32.exe 2888 Mlcbenjb.exe 2560 Moanaiie.exe 2720 Mkhofjoj.exe 2592 Mbpgggol.exe 2000 Mabgcd32.exe 2996 Mlhkpm32.exe 936 Mmihhelk.exe 2684 Mdcpdp32.exe 2808 Mgalqkbk.exe 2864 Ndemjoae.exe 1944 Nhaikn32.exe 1572 Nmnace32.exe 2672 Nckjkl32.exe 1860 Nmpnhdfc.exe 3004 Nlcnda32.exe 2608 Nekbmgcn.exe 2124 Nodgel32.exe 2352 Ngkogj32.exe 2268 Npccpo32.exe 836 Nadpgggp.exe 1696 Nhohda32.exe 1452 Oohqqlei.exe 1976 Ocdmaj32.exe 2256 Odeiibdq.exe 2692 Ohaeia32.exe 2716 Ookmfk32.exe 2464 Odhfob32.exe 2520 Olonpp32.exe 2480 Oomjlk32.exe 1740 Oalfhf32.exe 2504 Ohendqhd.exe 2860 Okdkal32.exe 1596 Onbgmg32.exe 1620 Oqacic32.exe 1864 Ogkkfmml.exe 2188 Onecbg32.exe 2776 Oappcfmb.exe 3036 Ocalkn32.exe -
Loads dropped DLL 64 IoCs
pid Process 2736 9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4N.exe 2736 9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4N.exe 2272 Jjdmmdnh.exe 2272 Jjdmmdnh.exe 2632 Jmbiipml.exe 2632 Jmbiipml.exe 2740 Jfknbe32.exe 2740 Jfknbe32.exe 2744 Kocbkk32.exe 2744 Kocbkk32.exe 2436 Kjifhc32.exe 2436 Kjifhc32.exe 1376 Kmgbdo32.exe 1376 Kmgbdo32.exe 788 Kbdklf32.exe 788 Kbdklf32.exe 876 Kklpekno.exe 876 Kklpekno.exe 2596 Keednado.exe 2596 Keednado.exe 2820 Kpjhkjde.exe 2820 Kpjhkjde.exe 1608 Kegqdqbl.exe 1608 Kegqdqbl.exe 2404 Kicmdo32.exe 2404 Kicmdo32.exe 2600 Knpemf32.exe 2600 Knpemf32.exe 1748 Lanaiahq.exe 1748 Lanaiahq.exe 1848 Lnbbbffj.exe 1848 Lnbbbffj.exe 3008 Lcojjmea.exe 3008 Lcojjmea.exe 2648 Lndohedg.exe 2648 Lndohedg.exe 2112 Labkdack.exe 2112 Labkdack.exe 2372 Lfpclh32.exe 2372 Lfpclh32.exe 1084 Ljkomfjl.exe 1084 Ljkomfjl.exe 688 Lbfdaigg.exe 688 Lbfdaigg.exe 1788 Lfbpag32.exe 1788 Lfbpag32.exe 2400 Lcfqkl32.exe 2400 Lcfqkl32.exe 632 Lfdmggnm.exe 632 Lfdmggnm.exe 2224 Mpmapm32.exe 2224 Mpmapm32.exe 1532 Mbkmlh32.exe 1532 Mbkmlh32.exe 2888 Mlcbenjb.exe 2888 Mlcbenjb.exe 2560 Moanaiie.exe 2560 Moanaiie.exe 2720 Mkhofjoj.exe 2720 Mkhofjoj.exe 2592 Mbpgggol.exe 2592 Mbpgggol.exe 2000 Mabgcd32.exe 2000 Mabgcd32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ldoqge32.dll Kceqjhiq.exe File created C:\Windows\SysWOW64\Dfigpahm.dll Doecog32.exe File created C:\Windows\SysWOW64\Cfeihljf.dll Lbcpac32.exe File created C:\Windows\SysWOW64\Ofcqcp32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Padeldeo.exe Poeipifl.exe File created C:\Windows\SysWOW64\Fkbgckgd.exe Fhdjgoha.exe File created C:\Windows\SysWOW64\Blkioa32.exe Bmhideol.exe File created C:\Windows\SysWOW64\Iknpkd32.exe Ihpdoh32.exe File created C:\Windows\SysWOW64\Fajplnhf.dll Anolkh32.exe File created C:\Windows\SysWOW64\Jqojeand.dll Gfhnjm32.exe File created C:\Windows\SysWOW64\Cnnnnh32.exe Clpabm32.exe File opened for modification C:\Windows\SysWOW64\Oippjl32.exe Process not Found File created C:\Windows\SysWOW64\Fnbkfl32.dll Process not Found File created C:\Windows\SysWOW64\Cmpdgf32.exe Cffljlpc.exe File opened for modification C:\Windows\SysWOW64\Hjdfjo32.exe Hlafnbal.exe File created C:\Windows\SysWOW64\Imnbbi32.exe Iegjqk32.exe File opened for modification C:\Windows\SysWOW64\Oeindm32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Pljlbf32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ibehla32.exe Iknpkd32.exe File created C:\Windows\SysWOW64\Qdgpabaa.dll Odbeilbg.exe File opened for modification C:\Windows\SysWOW64\Cojhejbh.exe Cllkin32.exe File created C:\Windows\SysWOW64\Kcdlbgna.dll Cheido32.exe File created C:\Windows\SysWOW64\Hpomfdnk.dll Kdjccf32.exe File created C:\Windows\SysWOW64\Ldoimh32.exe Lmgalkcf.exe File created C:\Windows\SysWOW64\Ennlme32.dll Blkioa32.exe File created C:\Windows\SysWOW64\Ljghjpfe.exe Lhelbh32.exe File created C:\Windows\SysWOW64\Bqgmfkhg.exe Process not Found File opened for modification C:\Windows\SysWOW64\Ogkkfmml.exe Oqacic32.exe File created C:\Windows\SysWOW64\Mjhocpkj.dll Nocpkf32.exe File created C:\Windows\SysWOW64\Cjmopkla.exe Chnbcpmn.exe File opened for modification C:\Windows\SysWOW64\Ijnbcmkk.exe Ihpfgalh.exe File created C:\Windows\SysWOW64\Ocdneocc.dll Pjldghjm.exe File created C:\Windows\SysWOW64\Nbhfke32.exe Npijoj32.exe File opened for modification C:\Windows\SysWOW64\Iimcclni.exe Iaelanmg.exe File created C:\Windows\SysWOW64\Bggaoocn.dll Bnqned32.exe File opened for modification C:\Windows\SysWOW64\Fqdiga32.exe Flhmfbim.exe File opened for modification C:\Windows\SysWOW64\Ghajacmo.exe Gfcnegnk.exe File created C:\Windows\SysWOW64\Jhbcjo32.dll Process not Found File created C:\Windows\SysWOW64\Jidmcq32.dll Process not Found File created C:\Windows\SysWOW64\Oackeakj.dll Ngkogj32.exe File opened for modification C:\Windows\SysWOW64\Fpicodoj.exe Fiokbjgn.exe File opened for modification C:\Windows\SysWOW64\Hdiejfej.exe Hmomml32.exe File created C:\Windows\SysWOW64\Dllhoqlh.dll Ippbnjni.exe File created C:\Windows\SysWOW64\Ffbnkppp.dll Bgnfdm32.exe File created C:\Windows\SysWOW64\Hcelfiph.dll Process not Found File created C:\Windows\SysWOW64\Fkdaqa32.exe Fcmiod32.exe File created C:\Windows\SysWOW64\Lkgkoiqc.exe Lihobnap.exe File opened for modification C:\Windows\SysWOW64\Idadnd32.exe Ipehmebh.exe File created C:\Windows\SysWOW64\Hnmaip32.dll Hijgml32.exe File opened for modification C:\Windows\SysWOW64\Jehlkhig.exe Jbjpom32.exe File created C:\Windows\SysWOW64\Oncobd32.dll Kaajei32.exe File created C:\Windows\SysWOW64\Mmicfh32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Jmbiipml.exe Jjdmmdnh.exe File created C:\Windows\SysWOW64\Blkepk32.dll Oohqqlei.exe File opened for modification C:\Windows\SysWOW64\Qeaedd32.exe Qqeicede.exe File created C:\Windows\SysWOW64\Fcpfedki.exe Fqajihle.exe File created C:\Windows\SysWOW64\Jkcfcend.dll Giiglhjb.exe File created C:\Windows\SysWOW64\Ikmpacaf.dll Ecploipa.exe File created C:\Windows\SysWOW64\Emdpnb32.dll Pqkobqhd.exe File opened for modification C:\Windows\SysWOW64\Ffmkfifa.exe Foccjood.exe File opened for modification C:\Windows\SysWOW64\Cpfdhl32.exe Cacclpae.exe File created C:\Windows\SysWOW64\Pidfdofi.exe Process not Found File created C:\Windows\SysWOW64\Jmclfnqb.dll Process not Found File created C:\Windows\SysWOW64\Pdkefp32.dll Process not Found -
Program crash 1 IoCs
pid pid_target Process 800 10700 Process not Found -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmbiipml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gacbmk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjlgfaco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hloiib32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggiigmn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlhkpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aqhhanig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqdhhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnpgeopa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbkmlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfdabino.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgfoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Liqoflfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfghdcfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeohkeoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glbqje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afajafoa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cojhejbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Foafdoag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcomce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjeefofk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbifnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naopaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hibjbgbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndmecgba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqfemqod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljkomfjl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpgmijgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Olgmcmgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgjfek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbefcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dobdqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbhkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pdbahpec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gbdhjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdkklp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnaggcej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ndhlhg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjgoje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciaefa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idkpganf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpdnbbah.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apalea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aijpnfif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nmnclmoj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhfefgkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkdgpo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekknjcfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aibcba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eapfagno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffmkfifa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aodkci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdfhdfgl.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lgilllcm.dll" Gbnflo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldoqge32.dll" Kceqjhiq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acekjjmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idadnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhlchh32.dll" Copjdhib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hdkape32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljabkeaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbnbkbja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gqahqd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipnlibhd.dll" Phcpgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Copjdhib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pgddfe32.dll" Lhknaf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjnie32.dll" Aijpnfif.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgfhjcgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npngheao.dll" Efqbglen.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmoofdea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nmlnjo32.dll" Acnjnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mchoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jegime32.dll" Ohojmjep.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfebambf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Egiiapci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ocbhagfe.dll" Hhbdee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffeganon.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pqnlhpfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbajkiof.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnnppecd.dll" Aodkci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghkndf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Giioglkn.dll" Gjlgfaco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aapemc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mnkgen32.dll" Elajgpmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dglbkjbg.dll" Fncmmmma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhdihkcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdmhki32.dll" Cojhejbh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dchmkkkj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkmhnjlh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cgbfamff.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Leammn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Icblnd32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jcbhee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppkhhjei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ldfkhk32.dll" Dknajh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgnph32.dll" Kjmnjkjd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Deojci32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Opkccm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aggiigmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bqlldigd.dll" Nbhfke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojiilami.dll" Oghhfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pddnnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clmoej32.dll" Lfpeeqig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jpebhied.dll" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eebghjja.dll" Onecbg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpgpdf32.dll" Jfcqgpfi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Inafbooe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lkgngb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfblih32.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Moanaiie.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2736 wrote to memory of 2272 2736 9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4N.exe 28 PID 2736 wrote to memory of 2272 2736 9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4N.exe 28 PID 2736 wrote to memory of 2272 2736 9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4N.exe 28 PID 2736 wrote to memory of 2272 2736 9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4N.exe 28 PID 2272 wrote to memory of 2632 2272 Jjdmmdnh.exe 29 PID 2272 wrote to memory of 2632 2272 Jjdmmdnh.exe 29 PID 2272 wrote to memory of 2632 2272 Jjdmmdnh.exe 29 PID 2272 wrote to memory of 2632 2272 Jjdmmdnh.exe 29 PID 2632 wrote to memory of 2740 2632 Jmbiipml.exe 30 PID 2632 wrote to memory of 2740 2632 Jmbiipml.exe 30 PID 2632 wrote to memory of 2740 2632 Jmbiipml.exe 30 PID 2632 wrote to memory of 2740 2632 Jmbiipml.exe 30 PID 2740 wrote to memory of 2744 2740 Jfknbe32.exe 31 PID 2740 wrote to memory of 2744 2740 Jfknbe32.exe 31 PID 2740 wrote to memory of 2744 2740 Jfknbe32.exe 31 PID 2740 wrote to memory of 2744 2740 Jfknbe32.exe 31 PID 2744 wrote to memory of 2436 2744 Kocbkk32.exe 32 PID 2744 wrote to memory of 2436 2744 Kocbkk32.exe 32 PID 2744 wrote to memory of 2436 2744 Kocbkk32.exe 32 PID 2744 wrote to memory of 2436 2744 Kocbkk32.exe 32 PID 2436 wrote to memory of 1376 2436 Kjifhc32.exe 33 PID 2436 wrote to memory of 1376 2436 Kjifhc32.exe 33 PID 2436 wrote to memory of 1376 2436 Kjifhc32.exe 33 PID 2436 wrote to memory of 1376 2436 Kjifhc32.exe 33 PID 1376 wrote to memory of 788 1376 Kmgbdo32.exe 34 PID 1376 wrote to memory of 788 1376 Kmgbdo32.exe 34 PID 1376 wrote to memory of 788 1376 Kmgbdo32.exe 34 PID 1376 wrote to memory of 788 1376 Kmgbdo32.exe 34 PID 788 wrote to memory of 876 788 Kbdklf32.exe 35 PID 788 wrote to memory of 876 788 Kbdklf32.exe 35 PID 788 wrote to memory of 876 788 Kbdklf32.exe 35 PID 788 wrote to memory of 876 788 Kbdklf32.exe 35 PID 876 wrote to memory of 2596 876 Kklpekno.exe 36 PID 876 wrote to memory of 2596 876 Kklpekno.exe 36 PID 876 wrote to memory of 2596 876 Kklpekno.exe 36 PID 876 wrote to memory of 2596 876 Kklpekno.exe 36 PID 2596 wrote to memory of 2820 2596 Keednado.exe 37 PID 2596 wrote to memory of 2820 2596 Keednado.exe 37 PID 2596 wrote to memory of 2820 2596 Keednado.exe 37 PID 2596 wrote to memory of 2820 2596 Keednado.exe 37 PID 2820 wrote to memory of 1608 2820 Kpjhkjde.exe 38 PID 2820 wrote to memory of 1608 2820 Kpjhkjde.exe 38 PID 2820 wrote to memory of 1608 2820 Kpjhkjde.exe 38 PID 2820 wrote to memory of 1608 2820 Kpjhkjde.exe 38 PID 1608 wrote to memory of 2404 1608 Kegqdqbl.exe 39 PID 1608 wrote to memory of 2404 1608 Kegqdqbl.exe 39 PID 1608 wrote to memory of 2404 1608 Kegqdqbl.exe 39 PID 1608 wrote to memory of 2404 1608 Kegqdqbl.exe 39 PID 2404 wrote to memory of 2600 2404 Kicmdo32.exe 40 PID 2404 wrote to memory of 2600 2404 Kicmdo32.exe 40 PID 2404 wrote to memory of 2600 2404 Kicmdo32.exe 40 PID 2404 wrote to memory of 2600 2404 Kicmdo32.exe 40 PID 2600 wrote to memory of 1748 2600 Knpemf32.exe 41 PID 2600 wrote to memory of 1748 2600 Knpemf32.exe 41 PID 2600 wrote to memory of 1748 2600 Knpemf32.exe 41 PID 2600 wrote to memory of 1748 2600 Knpemf32.exe 41 PID 1748 wrote to memory of 1848 1748 Lanaiahq.exe 42 PID 1748 wrote to memory of 1848 1748 Lanaiahq.exe 42 PID 1748 wrote to memory of 1848 1748 Lanaiahq.exe 42 PID 1748 wrote to memory of 1848 1748 Lanaiahq.exe 42 PID 1848 wrote to memory of 3008 1848 Lnbbbffj.exe 43 PID 1848 wrote to memory of 3008 1848 Lnbbbffj.exe 43 PID 1848 wrote to memory of 3008 1848 Lnbbbffj.exe 43 PID 1848 wrote to memory of 3008 1848 Lnbbbffj.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4N.exe"C:\Users\Admin\AppData\Local\Temp\9bf96ace25145f1a1cb7d1d88419ca354ea21b910b3347c307549e05904f21f4N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Windows\SysWOW64\Jjdmmdnh.exeC:\Windows\system32\Jjdmmdnh.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2272 -
C:\Windows\SysWOW64\Jmbiipml.exeC:\Windows\system32\Jmbiipml.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2632 -
C:\Windows\SysWOW64\Jfknbe32.exeC:\Windows\system32\Jfknbe32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\Kocbkk32.exeC:\Windows\system32\Kocbkk32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2744 -
C:\Windows\SysWOW64\Kjifhc32.exeC:\Windows\system32\Kjifhc32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\SysWOW64\Kmgbdo32.exeC:\Windows\system32\Kmgbdo32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1376 -
C:\Windows\SysWOW64\Kbdklf32.exeC:\Windows\system32\Kbdklf32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\SysWOW64\Kklpekno.exeC:\Windows\system32\Kklpekno.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:876 -
C:\Windows\SysWOW64\Keednado.exeC:\Windows\system32\Keednado.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Kpjhkjde.exeC:\Windows\system32\Kpjhkjde.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2820 -
C:\Windows\SysWOW64\Kegqdqbl.exeC:\Windows\system32\Kegqdqbl.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1608 -
C:\Windows\SysWOW64\Kicmdo32.exeC:\Windows\system32\Kicmdo32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Knpemf32.exeC:\Windows\system32\Knpemf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2600 -
C:\Windows\SysWOW64\Lanaiahq.exeC:\Windows\system32\Lanaiahq.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Lnbbbffj.exeC:\Windows\system32\Lnbbbffj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1848 -
C:\Windows\SysWOW64\Lcojjmea.exeC:\Windows\system32\Lcojjmea.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Lndohedg.exeC:\Windows\system32\Lndohedg.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2648 -
C:\Windows\SysWOW64\Labkdack.exeC:\Windows\system32\Labkdack.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2112 -
C:\Windows\SysWOW64\Lfpclh32.exeC:\Windows\system32\Lfpclh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2372 -
C:\Windows\SysWOW64\Ljkomfjl.exeC:\Windows\system32\Ljkomfjl.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1084 -
C:\Windows\SysWOW64\Lbfdaigg.exeC:\Windows\system32\Lbfdaigg.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Lfbpag32.exeC:\Windows\system32\Lfbpag32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Lcfqkl32.exeC:\Windows\system32\Lcfqkl32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Lfdmggnm.exeC:\Windows\system32\Lfdmggnm.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:632 -
C:\Windows\SysWOW64\Mpmapm32.exeC:\Windows\system32\Mpmapm32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Mbkmlh32.exeC:\Windows\system32\Mbkmlh32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Mlcbenjb.exeC:\Windows\system32\Mlcbenjb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Moanaiie.exeC:\Windows\system32\Moanaiie.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Mkhofjoj.exeC:\Windows\system32\Mkhofjoj.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2720 -
C:\Windows\SysWOW64\Mbpgggol.exeC:\Windows\system32\Mbpgggol.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2592 -
C:\Windows\SysWOW64\Mabgcd32.exeC:\Windows\system32\Mabgcd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2000 -
C:\Windows\SysWOW64\Mlhkpm32.exeC:\Windows\system32\Mlhkpm32.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2996 -
C:\Windows\SysWOW64\Mmihhelk.exeC:\Windows\system32\Mmihhelk.exe34⤵
- Executes dropped EXE
PID:936 -
C:\Windows\SysWOW64\Mdcpdp32.exeC:\Windows\system32\Mdcpdp32.exe35⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Mgalqkbk.exeC:\Windows\system32\Mgalqkbk.exe36⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\Ndemjoae.exeC:\Windows\system32\Ndemjoae.exe37⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Nhaikn32.exeC:\Windows\system32\Nhaikn32.exe38⤵
- Executes dropped EXE
PID:1944 -
C:\Windows\SysWOW64\Nmnace32.exeC:\Windows\system32\Nmnace32.exe39⤵
- Executes dropped EXE
PID:1572 -
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe40⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Nmpnhdfc.exeC:\Windows\system32\Nmpnhdfc.exe41⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Nlcnda32.exeC:\Windows\system32\Nlcnda32.exe42⤵
- Executes dropped EXE
PID:3004 -
C:\Windows\SysWOW64\Nekbmgcn.exeC:\Windows\system32\Nekbmgcn.exe43⤵
- Executes dropped EXE
PID:2608 -
C:\Windows\SysWOW64\Nodgel32.exeC:\Windows\system32\Nodgel32.exe44⤵
- Executes dropped EXE
PID:2124 -
C:\Windows\SysWOW64\Ngkogj32.exeC:\Windows\system32\Ngkogj32.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2352 -
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe46⤵
- Executes dropped EXE
PID:2268 -
C:\Windows\SysWOW64\Nadpgggp.exeC:\Windows\system32\Nadpgggp.exe47⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Nhohda32.exeC:\Windows\system32\Nhohda32.exe48⤵
- Executes dropped EXE
PID:1696 -
C:\Windows\SysWOW64\Oohqqlei.exeC:\Windows\system32\Oohqqlei.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1452 -
C:\Windows\SysWOW64\Ocdmaj32.exeC:\Windows\system32\Ocdmaj32.exe50⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Odeiibdq.exeC:\Windows\system32\Odeiibdq.exe51⤵
- Executes dropped EXE
PID:2256 -
C:\Windows\SysWOW64\Ohaeia32.exeC:\Windows\system32\Ohaeia32.exe52⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Ookmfk32.exeC:\Windows\system32\Ookmfk32.exe53⤵
- Executes dropped EXE
PID:2716 -
C:\Windows\SysWOW64\Odhfob32.exeC:\Windows\system32\Odhfob32.exe54⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Olonpp32.exeC:\Windows\system32\Olonpp32.exe55⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Oomjlk32.exeC:\Windows\system32\Oomjlk32.exe56⤵
- Executes dropped EXE
PID:2480 -
C:\Windows\SysWOW64\Oalfhf32.exeC:\Windows\system32\Oalfhf32.exe57⤵
- Executes dropped EXE
PID:1740 -
C:\Windows\SysWOW64\Ohendqhd.exeC:\Windows\system32\Ohendqhd.exe58⤵
- Executes dropped EXE
PID:2504 -
C:\Windows\SysWOW64\Okdkal32.exeC:\Windows\system32\Okdkal32.exe59⤵
- Executes dropped EXE
PID:2860 -
C:\Windows\SysWOW64\Onbgmg32.exeC:\Windows\system32\Onbgmg32.exe60⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Oqacic32.exeC:\Windows\system32\Oqacic32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1620 -
C:\Windows\SysWOW64\Ogkkfmml.exeC:\Windows\system32\Ogkkfmml.exe62⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Onecbg32.exeC:\Windows\system32\Onecbg32.exe63⤵
- Executes dropped EXE
- Modifies registry class
PID:2188 -
C:\Windows\SysWOW64\Oappcfmb.exeC:\Windows\system32\Oappcfmb.exe64⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Ocalkn32.exeC:\Windows\system32\Ocalkn32.exe65⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Pjldghjm.exeC:\Windows\system32\Pjldghjm.exe66⤵
- Drops file in System32 directory
PID:1016 -
C:\Windows\SysWOW64\Pmjqcc32.exeC:\Windows\system32\Pmjqcc32.exe67⤵PID:2132
-
C:\Windows\SysWOW64\Pcdipnqn.exeC:\Windows\system32\Pcdipnqn.exe68⤵PID:340
-
C:\Windows\SysWOW64\Pjnamh32.exeC:\Windows\system32\Pjnamh32.exe69⤵PID:2216
-
C:\Windows\SysWOW64\Pmlmic32.exeC:\Windows\system32\Pmlmic32.exe70⤵PID:1964
-
C:\Windows\SysWOW64\Pokieo32.exeC:\Windows\system32\Pokieo32.exe71⤵PID:2552
-
C:\Windows\SysWOW64\Pfdabino.exeC:\Windows\system32\Pfdabino.exe72⤵
- System Location Discovery: System Language Discovery
PID:2440 -
C:\Windows\SysWOW64\Picnndmb.exeC:\Windows\system32\Picnndmb.exe73⤵PID:2416
-
C:\Windows\SysWOW64\Pmojocel.exeC:\Windows\system32\Pmojocel.exe74⤵PID:2984
-
C:\Windows\SysWOW64\Pomfkndo.exeC:\Windows\system32\Pomfkndo.exe75⤵PID:872
-
C:\Windows\SysWOW64\Pjbjhgde.exeC:\Windows\system32\Pjbjhgde.exe76⤵PID:2816
-
C:\Windows\SysWOW64\Piekcd32.exeC:\Windows\system32\Piekcd32.exe77⤵PID:1892
-
C:\Windows\SysWOW64\Pkdgpo32.exeC:\Windows\system32\Pkdgpo32.exe78⤵
- System Location Discovery: System Language Discovery
PID:1920 -
C:\Windows\SysWOW64\Pckoam32.exeC:\Windows\system32\Pckoam32.exe79⤵PID:2676
-
C:\Windows\SysWOW64\Pdlkiepd.exeC:\Windows\system32\Pdlkiepd.exe80⤵PID:1884
-
C:\Windows\SysWOW64\Pmccjbaf.exeC:\Windows\system32\Pmccjbaf.exe81⤵PID:3032
-
C:\Windows\SysWOW64\Poapfn32.exeC:\Windows\system32\Poapfn32.exe82⤵PID:2252
-
C:\Windows\SysWOW64\Qbplbi32.exeC:\Windows\system32\Qbplbi32.exe83⤵PID:1144
-
C:\Windows\SysWOW64\Qijdocfj.exeC:\Windows\system32\Qijdocfj.exe84⤵PID:1468
-
C:\Windows\SysWOW64\Qgmdjp32.exeC:\Windows\system32\Qgmdjp32.exe85⤵PID:2296
-
C:\Windows\SysWOW64\Qngmgjeb.exeC:\Windows\system32\Qngmgjeb.exe86⤵PID:2636
-
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe87⤵
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Qeaedd32.exeC:\Windows\system32\Qeaedd32.exe88⤵PID:2540
-
C:\Windows\SysWOW64\Qkkmqnck.exeC:\Windows\system32\Qkkmqnck.exe89⤵PID:576
-
C:\Windows\SysWOW64\Qjnmlk32.exeC:\Windows\system32\Qjnmlk32.exe90⤵PID:2780
-
C:\Windows\SysWOW64\Aecaidjl.exeC:\Windows\system32\Aecaidjl.exe91⤵PID:640
-
C:\Windows\SysWOW64\Aganeoip.exeC:\Windows\system32\Aganeoip.exe92⤵PID:2652
-
C:\Windows\SysWOW64\Ajpjakhc.exeC:\Windows\system32\Ajpjakhc.exe93⤵PID:1912
-
C:\Windows\SysWOW64\Aajbne32.exeC:\Windows\system32\Aajbne32.exe94⤵PID:2784
-
C:\Windows\SysWOW64\Achojp32.exeC:\Windows\system32\Achojp32.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1108 -
C:\Windows\SysWOW64\Ajbggjfq.exeC:\Windows\system32\Ajbggjfq.exe96⤵PID:2308
-
C:\Windows\SysWOW64\Annbhi32.exeC:\Windows\system32\Annbhi32.exe97⤵PID:1552
-
C:\Windows\SysWOW64\Aaloddnn.exeC:\Windows\system32\Aaloddnn.exe98⤵PID:2200
-
C:\Windows\SysWOW64\Agfgqo32.exeC:\Windows\system32\Agfgqo32.exe99⤵PID:1232
-
C:\Windows\SysWOW64\Ajecmj32.exeC:\Windows\system32\Ajecmj32.exe100⤵PID:2848
-
C:\Windows\SysWOW64\Amcpie32.exeC:\Windows\system32\Amcpie32.exe101⤵PID:2468
-
C:\Windows\SysWOW64\Apalea32.exeC:\Windows\system32\Apalea32.exe102⤵
- System Location Discovery: System Language Discovery
PID:476 -
C:\Windows\SysWOW64\Abphal32.exeC:\Windows\system32\Abphal32.exe103⤵PID:1000
-
C:\Windows\SysWOW64\Aijpnfif.exeC:\Windows\system32\Aijpnfif.exe104⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2840 -
C:\Windows\SysWOW64\Amelne32.exeC:\Windows\system32\Amelne32.exe105⤵PID:2836
-
C:\Windows\SysWOW64\Acpdko32.exeC:\Windows\system32\Acpdko32.exe106⤵PID:2660
-
C:\Windows\SysWOW64\Afnagk32.exeC:\Windows\system32\Afnagk32.exe107⤵PID:1888
-
C:\Windows\SysWOW64\Bmhideol.exeC:\Windows\system32\Bmhideol.exe108⤵
- Drops file in System32 directory
PID:1772 -
C:\Windows\SysWOW64\Blkioa32.exeC:\Windows\system32\Blkioa32.exe109⤵
- Drops file in System32 directory
PID:1360 -
C:\Windows\SysWOW64\Bnielm32.exeC:\Windows\system32\Bnielm32.exe110⤵PID:1028
-
C:\Windows\SysWOW64\Bfpnmj32.exeC:\Windows\system32\Bfpnmj32.exe111⤵PID:3048
-
C:\Windows\SysWOW64\Bhajdblk.exeC:\Windows\system32\Bhajdblk.exe112⤵PID:2564
-
C:\Windows\SysWOW64\Bphbeplm.exeC:\Windows\system32\Bphbeplm.exe113⤵PID:2456
-
C:\Windows\SysWOW64\Bajomhbl.exeC:\Windows\system32\Bajomhbl.exe114⤵PID:1408
-
C:\Windows\SysWOW64\Beejng32.exeC:\Windows\system32\Beejng32.exe115⤵PID:2244
-
C:\Windows\SysWOW64\Blobjaba.exeC:\Windows\system32\Blobjaba.exe116⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2668 -
C:\Windows\SysWOW64\Bjbcfn32.exeC:\Windows\system32\Bjbcfn32.exe117⤵PID:1264
-
C:\Windows\SysWOW64\Balkchpi.exeC:\Windows\system32\Balkchpi.exe118⤵PID:448
-
C:\Windows\SysWOW64\Behgcf32.exeC:\Windows\system32\Behgcf32.exe119⤵PID:2236
-
C:\Windows\SysWOW64\Blaopqpo.exeC:\Windows\system32\Blaopqpo.exe120⤵PID:2312
-
C:\Windows\SysWOW64\Boplllob.exeC:\Windows\system32\Boplllob.exe121⤵PID:2584
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-