Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
79s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
27/09/2024, 19:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
1ed19987c07b81078ad9e99f12015a79b1415688df12923d4c0dd46fbb26d19aN.exe
Resource
win7-20240903-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
1ed19987c07b81078ad9e99f12015a79b1415688df12923d4c0dd46fbb26d19aN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
1ed19987c07b81078ad9e99f12015a79b1415688df12923d4c0dd46fbb26d19aN.exe
-
Size
80KB
-
MD5
4cedb04c35e083d9f17fa7a664bbd7f0
-
SHA1
2d28f5b50adec86f70df7d495b83d2ad28fdbf5c
-
SHA256
1ed19987c07b81078ad9e99f12015a79b1415688df12923d4c0dd46fbb26d19a
-
SHA512
7cfeb4328d1de9de4296a01e6a717596f0806a994679db1af97ae0cb7f5574fb9868933edc754e2ba5c51cea64487d46324a792a265508db1af1412e1e290674
-
SSDEEP
1536:jec60wkvwR9jtkzk0ecbKnavmc75ZdMRQAsLRJJ5R2xOSC4BG:jeblqwPZyecUWmAdMeJrJ5wxO344
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfnoegaf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bpfebmia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cenmfbml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Egajnfoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kaholp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Odacbpee.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lkgngb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjkkbjln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dafoikjb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qpcjeaad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aaklmhak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iedfqeka.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmhnkfpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kklkcn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ebfqfpop.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Bikcbc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eegkpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mndhnd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jmlfmn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jipcbidn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpicle32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbcbjlmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Pnbojmmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Oqepgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdnkanfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgffe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpeiligo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpebidam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hfhfhbce.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mdepmh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbdipa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hneeilgj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipomlm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpnladjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpdeoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmpkpbl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pbjifgcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Gbadjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jojkco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mokilo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Demaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hcjldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Imbjcpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Opjkpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Peeoidik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lophacfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ngoleb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbblda32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Feiddbbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eeojcmfi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nchipb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohjkcile.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jacfidem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlieoqgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Knikfnih.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehkcpc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Icfbkded.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccqhdmbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lkgngb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgoelh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dnpebj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pgodcich.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bpfebmia.exe -
Executes dropped EXE 64 IoCs
pid Process 2016 Fdkklp32.exe 2360 Fncpef32.exe 2676 Fqalaa32.exe 2800 Fqdiga32.exe 2100 Ffaaoh32.exe 2756 Fqfemqod.exe 2660 Gjojef32.exe 1160 Gdhkfd32.exe 1076 Gonocmbi.exe 2320 Ggicgopd.exe 1904 Gdmdacnn.exe 2892 Gbadjg32.exe 2980 Hnheohcl.exe 2920 Hgpjhn32.exe 396 Hcgjmo32.exe 1732 Hidcef32.exe 1540 Hfhcoj32.exe 592 Hfjpdjjo.exe 1896 Hlgimqhf.exe 1188 Hneeilgj.exe 3048 Ieomef32.exe 2452 Ipeaco32.exe 1080 Iimfld32.exe 2548 Iedfqeka.exe 2464 Ijqoilii.exe 1628 Iakgefqe.exe 2784 Ihdpbq32.exe 2592 Iamdkfnc.exe 2740 Jmdepg32.exe 2972 Jdnmma32.exe 2640 Jikeeh32.exe 696 Jmhnkfpa.exe 1820 Jojkco32.exe 780 Jioopgef.exe 1972 Jpigma32.exe 2104 Jefpeh32.exe 2768 Jbjpom32.exe 2284 Kdklfe32.exe 2508 Koaqcn32.exe 1300 Kaompi32.exe 828 Knfndjdp.exe 2316 Kdpfadlm.exe 280 Kkjnnn32.exe 2672 Kpgffe32.exe 2132 Kklkcn32.exe 2408 Knkgpi32.exe 2532 Kpicle32.exe 580 Kffldlne.exe 2392 Kpkpadnl.exe 1376 Lgehno32.exe 2728 Llbqfe32.exe 2560 Lclicpkm.exe 1532 Ljfapjbi.exe 2876 Lkgngb32.exe 1968 Ldpbpgoh.exe 1772 Lkjjma32.exe 2644 Lbcbjlmb.exe 1940 Ldbofgme.exe 1660 Lklgbadb.exe 2076 Lqipkhbj.exe 1516 Mjaddn32.exe 2932 Mqklqhpg.exe 1920 Mjcaimgg.exe 1428 Mmbmeifk.exe -
Loads dropped DLL 64 IoCs
pid Process 2068 1ed19987c07b81078ad9e99f12015a79b1415688df12923d4c0dd46fbb26d19aN.exe 2068 1ed19987c07b81078ad9e99f12015a79b1415688df12923d4c0dd46fbb26d19aN.exe 2016 Fdkklp32.exe 2016 Fdkklp32.exe 2360 Fncpef32.exe 2360 Fncpef32.exe 2676 Fqalaa32.exe 2676 Fqalaa32.exe 2800 Fqdiga32.exe 2800 Fqdiga32.exe 2100 Ffaaoh32.exe 2100 Ffaaoh32.exe 2756 Fqfemqod.exe 2756 Fqfemqod.exe 2660 Gjojef32.exe 2660 Gjojef32.exe 1160 Gdhkfd32.exe 1160 Gdhkfd32.exe 1076 Gonocmbi.exe 1076 Gonocmbi.exe 2320 Ggicgopd.exe 2320 Ggicgopd.exe 1904 Gdmdacnn.exe 1904 Gdmdacnn.exe 2892 Gbadjg32.exe 2892 Gbadjg32.exe 2980 Hnheohcl.exe 2980 Hnheohcl.exe 2920 Hgpjhn32.exe 2920 Hgpjhn32.exe 396 Hcgjmo32.exe 396 Hcgjmo32.exe 1732 Hidcef32.exe 1732 Hidcef32.exe 1540 Hfhcoj32.exe 1540 Hfhcoj32.exe 592 Hfjpdjjo.exe 592 Hfjpdjjo.exe 1896 Hlgimqhf.exe 1896 Hlgimqhf.exe 1188 Hneeilgj.exe 1188 Hneeilgj.exe 3048 Ieomef32.exe 3048 Ieomef32.exe 2452 Ipeaco32.exe 2452 Ipeaco32.exe 1080 Iimfld32.exe 1080 Iimfld32.exe 2548 Iedfqeka.exe 2548 Iedfqeka.exe 2464 Ijqoilii.exe 2464 Ijqoilii.exe 1628 Iakgefqe.exe 1628 Iakgefqe.exe 2784 Ihdpbq32.exe 2784 Ihdpbq32.exe 2592 Iamdkfnc.exe 2592 Iamdkfnc.exe 2740 Jmdepg32.exe 2740 Jmdepg32.exe 2972 Jdnmma32.exe 2972 Jdnmma32.exe 2640 Jikeeh32.exe 2640 Jikeeh32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Ehlmljkm.exe Emgioakg.exe File created C:\Windows\SysWOW64\Jnlbgq32.exe Jmlfmn32.exe File opened for modification C:\Windows\SysWOW64\Bakaaepk.exe Blniinac.exe File created C:\Windows\SysWOW64\Egjeoijn.dll Boifga32.exe File created C:\Windows\SysWOW64\Bknfeege.exe Bdcnhk32.exe File opened for modification C:\Windows\SysWOW64\Cagienkb.exe Cpfmmf32.exe File opened for modification C:\Windows\SysWOW64\Hkahgk32.exe Ggkibhjf.exe File created C:\Windows\SysWOW64\Npepblac.dll Cqdfehii.exe File created C:\Windows\SysWOW64\Ohengmcf.exe Ojbnkp32.exe File created C:\Windows\SysWOW64\Almihjlj.exe Aebakp32.exe File opened for modification C:\Windows\SysWOW64\Fofbhgde.exe Fdqnkoep.exe File created C:\Windows\SysWOW64\Omiand32.exe Ncamen32.exe File opened for modification C:\Windows\SysWOW64\Lpoaheja.exe Lmpeljkm.exe File opened for modification C:\Windows\SysWOW64\Ohjkcile.exe Nndgeplo.exe File opened for modification C:\Windows\SysWOW64\Kdklfe32.exe Jbjpom32.exe File created C:\Windows\SysWOW64\Ompefj32.exe Mfjann32.exe File created C:\Windows\SysWOW64\Ajaclncd.dll Ciihklpj.exe File created C:\Windows\SysWOW64\Olqhfa32.dll Pbdfgilj.exe File opened for modification C:\Windows\SysWOW64\Heqimm32.exe Hofqpc32.exe File created C:\Windows\SysWOW64\Mnidgd32.dll Hjggap32.exe File created C:\Windows\SysWOW64\Cnmbihjf.dll Icabeo32.exe File created C:\Windows\SysWOW64\Aphgbo32.dll Negeln32.exe File created C:\Windows\SysWOW64\Aebakp32.exe Apfici32.exe File created C:\Windows\SysWOW64\Lkdjglfo.exe Legaoehg.exe File created C:\Windows\SysWOW64\Hmdkjmip.exe Hqnjek32.exe File created C:\Windows\SysWOW64\Klfgipmk.dll Ifbaapfk.exe File opened for modification C:\Windows\SysWOW64\Qaqlbmbn.exe Qjgcecja.exe File created C:\Windows\SysWOW64\Kbfcnc32.dll Pghfnc32.exe File created C:\Windows\SysWOW64\Bnfddp32.exe Bgllgedi.exe File created C:\Windows\SysWOW64\Fcahif32.dll Dfbnoc32.exe File created C:\Windows\SysWOW64\Ldhgnk32.exe Klmbjh32.exe File opened for modification C:\Windows\SysWOW64\Jmdepg32.exe Iamdkfnc.exe File opened for modification C:\Windows\SysWOW64\Phehko32.exe Pmpdmfff.exe File created C:\Windows\SysWOW64\Nloachkf.exe Nedifo32.exe File created C:\Windows\SysWOW64\Ojbnkp32.exe Ochenfdn.exe File opened for modification C:\Windows\SysWOW64\Cgoelh32.exe Cepipm32.exe File created C:\Windows\SysWOW64\Pmjaohol.exe Pdbmfb32.exe File created C:\Windows\SysWOW64\Occlcg32.exe Oqepgk32.exe File created C:\Windows\SysWOW64\Ipeaco32.exe Ieomef32.exe File created C:\Windows\SysWOW64\Conobqhi.dll Ggkibhjf.exe File opened for modification C:\Windows\SysWOW64\Fkkhpadq.exe Facdgl32.exe File created C:\Windows\SysWOW64\Lgbhffog.dll Knaeeo32.exe File opened for modification C:\Windows\SysWOW64\Iedfqeka.exe Iimfld32.exe File created C:\Windows\SysWOW64\Dmijfmfi.exe Dbdehdfc.exe File opened for modification C:\Windows\SysWOW64\Bigkel32.exe Bfioia32.exe File created C:\Windows\SysWOW64\Cbffoabe.exe Ckmnbg32.exe File created C:\Windows\SysWOW64\Bfjpjn32.dll Gckfpc32.exe File created C:\Windows\SysWOW64\Bongfjgo.dll Cbkgog32.exe File created C:\Windows\SysWOW64\Oeaqig32.exe Npdhaq32.exe File opened for modification C:\Windows\SysWOW64\Lljipmdl.exe Lcadghnk.exe File created C:\Windows\SysWOW64\Ohjkcile.exe Nndgeplo.exe File opened for modification C:\Windows\SysWOW64\Lclicpkm.exe Llbqfe32.exe File created C:\Windows\SysWOW64\Pplqiiqb.dll Flocfmnl.exe File opened for modification C:\Windows\SysWOW64\Omcngamh.exe Ockinl32.exe File created C:\Windows\SysWOW64\Pkaehb32.exe Phcilf32.exe File created C:\Windows\SysWOW64\Godonkii.dll Bfdenafn.exe File opened for modification C:\Windows\SysWOW64\Fiebnjbg.exe Fpmned32.exe File created C:\Windows\SysWOW64\Hhchpk32.dll Pcnfdl32.exe File created C:\Windows\SysWOW64\Dnhefh32.exe Dhklna32.exe File opened for modification C:\Windows\SysWOW64\Bgddam32.exe Bnlphh32.exe File opened for modification C:\Windows\SysWOW64\Mlmoilni.exe Lgpfpe32.exe File opened for modification C:\Windows\SysWOW64\Apfici32.exe Amglgn32.exe File created C:\Windows\SysWOW64\Hneeilgj.exe Hlgimqhf.exe File created C:\Windows\SysWOW64\Achjibcl.exe Alnalh32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjggap32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Immjnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgehno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbqfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iichjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akadpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bklpjlmc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgocid32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iedfqeka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppddpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnfnajed.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpamoa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfagemej.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aicfgn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aojabdlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phledp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpcfcddp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khojcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmpkqklh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jnlbgq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaojnq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aiaqle32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eifobe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkbnibq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnpciaef.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emgioakg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlmljkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcedad32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieomef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flapkmlj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imbjcpnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcandb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifpelq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmlfmn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aejnfe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apfici32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljfapjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egajnfoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpqlemaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgmnpn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fobkfqpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgaahh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pfnhkq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimfld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdndjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mdendpbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcdifa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbojmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jacfidem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmnqje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idbnmgll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiqpigl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpjhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alihaioe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbblda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhhbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jefpeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fiqibj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcgjmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdqnkoep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nllbdp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abkkpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkghgpfi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iclbpj32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdgmbhgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkddnqcm.dll" Ohdfqbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jbphgpfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dmgmpnhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlqmdnof.dll" Bfoeil32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hnmacpfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Namefclq.dll" Mpnkopeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fipbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkkbcl32.dll" Iocioq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kffldlne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pkaehb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cbkgog32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Objmgd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cnabffeo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kaggbihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Aejglo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Hfjpdjjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eioigi32.dll" Ghibjjnk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jojloc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Boifga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gaojnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchopn32.dll" Nihcog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kobgmfjh.dll" Imbjcpnn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Negeln32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nndgeplo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nalmek32.dll" Bobleeef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Felajbpg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mhjcec32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eoebgcol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Qpamoa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbonbipa.dll" Dpeiligo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmqejl32.dll" Imaapa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aehlpleg.dll" Klhgfq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Mpnkopeh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Qaofgc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lalieb32.dll" Kjhfjpdd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" 1ed19987c07b81078ad9e99f12015a79b1415688df12923d4c0dd46fbb26d19aN.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pelnlcjj.dll" Gkoobhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkcmnk32.dll" Aadobccg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nkobpmlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lficmm32.dll" Amglgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pnfnajed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Omcngamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehfnim32.dll" Lfdpjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hfhcoj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ncmglp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhihii32.dll" Ckeqga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hidgoh32.dll" Enbogmnc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Aicmadmm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mdepmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ochenfdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Podpoffm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ppddpd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pmmneg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ogofkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dlmfbm32.dll" Bcflko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Paafmp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Agolnbok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cjjnhnbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecinnn32.dll" Pofkha32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdaqnb32.dll" Figocipe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgpfpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kllhoh32.dll" Nkclkl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gibbgmfe.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2068 wrote to memory of 2016 2068 1ed19987c07b81078ad9e99f12015a79b1415688df12923d4c0dd46fbb26d19aN.exe 30 PID 2068 wrote to memory of 2016 2068 1ed19987c07b81078ad9e99f12015a79b1415688df12923d4c0dd46fbb26d19aN.exe 30 PID 2068 wrote to memory of 2016 2068 1ed19987c07b81078ad9e99f12015a79b1415688df12923d4c0dd46fbb26d19aN.exe 30 PID 2068 wrote to memory of 2016 2068 1ed19987c07b81078ad9e99f12015a79b1415688df12923d4c0dd46fbb26d19aN.exe 30 PID 2016 wrote to memory of 2360 2016 Fdkklp32.exe 31 PID 2016 wrote to memory of 2360 2016 Fdkklp32.exe 31 PID 2016 wrote to memory of 2360 2016 Fdkklp32.exe 31 PID 2016 wrote to memory of 2360 2016 Fdkklp32.exe 31 PID 2360 wrote to memory of 2676 2360 Fncpef32.exe 32 PID 2360 wrote to memory of 2676 2360 Fncpef32.exe 32 PID 2360 wrote to memory of 2676 2360 Fncpef32.exe 32 PID 2360 wrote to memory of 2676 2360 Fncpef32.exe 32 PID 2676 wrote to memory of 2800 2676 Fqalaa32.exe 33 PID 2676 wrote to memory of 2800 2676 Fqalaa32.exe 33 PID 2676 wrote to memory of 2800 2676 Fqalaa32.exe 33 PID 2676 wrote to memory of 2800 2676 Fqalaa32.exe 33 PID 2800 wrote to memory of 2100 2800 Fqdiga32.exe 34 PID 2800 wrote to memory of 2100 2800 Fqdiga32.exe 34 PID 2800 wrote to memory of 2100 2800 Fqdiga32.exe 34 PID 2800 wrote to memory of 2100 2800 Fqdiga32.exe 34 PID 2100 wrote to memory of 2756 2100 Ffaaoh32.exe 35 PID 2100 wrote to memory of 2756 2100 Ffaaoh32.exe 35 PID 2100 wrote to memory of 2756 2100 Ffaaoh32.exe 35 PID 2100 wrote to memory of 2756 2100 Ffaaoh32.exe 35 PID 2756 wrote to memory of 2660 2756 Fqfemqod.exe 36 PID 2756 wrote to memory of 2660 2756 Fqfemqod.exe 36 PID 2756 wrote to memory of 2660 2756 Fqfemqod.exe 36 PID 2756 wrote to memory of 2660 2756 Fqfemqod.exe 36 PID 2660 wrote to memory of 1160 2660 Gjojef32.exe 37 PID 2660 wrote to memory of 1160 2660 Gjojef32.exe 37 PID 2660 wrote to memory of 1160 2660 Gjojef32.exe 37 PID 2660 wrote to memory of 1160 2660 Gjojef32.exe 37 PID 1160 wrote to memory of 1076 1160 Gdhkfd32.exe 38 PID 1160 wrote to memory of 1076 1160 Gdhkfd32.exe 38 PID 1160 wrote to memory of 1076 1160 Gdhkfd32.exe 38 PID 1160 wrote to memory of 1076 1160 Gdhkfd32.exe 38 PID 1076 wrote to memory of 2320 1076 Gonocmbi.exe 39 PID 1076 wrote to memory of 2320 1076 Gonocmbi.exe 39 PID 1076 wrote to memory of 2320 1076 Gonocmbi.exe 39 PID 1076 wrote to memory of 2320 1076 Gonocmbi.exe 39 PID 2320 wrote to memory of 1904 2320 Ggicgopd.exe 40 PID 2320 wrote to memory of 1904 2320 Ggicgopd.exe 40 PID 2320 wrote to memory of 1904 2320 Ggicgopd.exe 40 PID 2320 wrote to memory of 1904 2320 Ggicgopd.exe 40 PID 1904 wrote to memory of 2892 1904 Gdmdacnn.exe 41 PID 1904 wrote to memory of 2892 1904 Gdmdacnn.exe 41 PID 1904 wrote to memory of 2892 1904 Gdmdacnn.exe 41 PID 1904 wrote to memory of 2892 1904 Gdmdacnn.exe 41 PID 2892 wrote to memory of 2980 2892 Gbadjg32.exe 42 PID 2892 wrote to memory of 2980 2892 Gbadjg32.exe 42 PID 2892 wrote to memory of 2980 2892 Gbadjg32.exe 42 PID 2892 wrote to memory of 2980 2892 Gbadjg32.exe 42 PID 2980 wrote to memory of 2920 2980 Hnheohcl.exe 43 PID 2980 wrote to memory of 2920 2980 Hnheohcl.exe 43 PID 2980 wrote to memory of 2920 2980 Hnheohcl.exe 43 PID 2980 wrote to memory of 2920 2980 Hnheohcl.exe 43 PID 2920 wrote to memory of 396 2920 Hgpjhn32.exe 44 PID 2920 wrote to memory of 396 2920 Hgpjhn32.exe 44 PID 2920 wrote to memory of 396 2920 Hgpjhn32.exe 44 PID 2920 wrote to memory of 396 2920 Hgpjhn32.exe 44 PID 396 wrote to memory of 1732 396 Hcgjmo32.exe 45 PID 396 wrote to memory of 1732 396 Hcgjmo32.exe 45 PID 396 wrote to memory of 1732 396 Hcgjmo32.exe 45 PID 396 wrote to memory of 1732 396 Hcgjmo32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ed19987c07b81078ad9e99f12015a79b1415688df12923d4c0dd46fbb26d19aN.exe"C:\Users\Admin\AppData\Local\Temp\1ed19987c07b81078ad9e99f12015a79b1415688df12923d4c0dd46fbb26d19aN.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Fdkklp32.exeC:\Windows\system32\Fdkklp32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Windows\SysWOW64\Fncpef32.exeC:\Windows\system32\Fncpef32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\Fqalaa32.exeC:\Windows\system32\Fqalaa32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\SysWOW64\Fqdiga32.exeC:\Windows\system32\Fqdiga32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2800 -
C:\Windows\SysWOW64\Ffaaoh32.exeC:\Windows\system32\Ffaaoh32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Fqfemqod.exeC:\Windows\system32\Fqfemqod.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\Windows\SysWOW64\Gjojef32.exeC:\Windows\system32\Gjojef32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Gdhkfd32.exeC:\Windows\system32\Gdhkfd32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1160 -
C:\Windows\SysWOW64\Gonocmbi.exeC:\Windows\system32\Gonocmbi.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1076 -
C:\Windows\SysWOW64\Ggicgopd.exeC:\Windows\system32\Ggicgopd.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2320 -
C:\Windows\SysWOW64\Gdmdacnn.exeC:\Windows\system32\Gdmdacnn.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1904 -
C:\Windows\SysWOW64\Gbadjg32.exeC:\Windows\system32\Gbadjg32.exe13⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Hnheohcl.exeC:\Windows\system32\Hnheohcl.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Hgpjhn32.exeC:\Windows\system32\Hgpjhn32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Hcgjmo32.exeC:\Windows\system32\Hcgjmo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:396 -
C:\Windows\SysWOW64\Hidcef32.exeC:\Windows\system32\Hidcef32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1732 -
C:\Windows\SysWOW64\Hfhcoj32.exeC:\Windows\system32\Hfhcoj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1540 -
C:\Windows\SysWOW64\Hfjpdjjo.exeC:\Windows\system32\Hfjpdjjo.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:592 -
C:\Windows\SysWOW64\Hlgimqhf.exeC:\Windows\system32\Hlgimqhf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Hneeilgj.exeC:\Windows\system32\Hneeilgj.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1188 -
C:\Windows\SysWOW64\Ieomef32.exeC:\Windows\system32\Ieomef32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3048 -
C:\Windows\SysWOW64\Ipeaco32.exeC:\Windows\system32\Ipeaco32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2452 -
C:\Windows\SysWOW64\Iimfld32.exeC:\Windows\system32\Iimfld32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1080 -
C:\Windows\SysWOW64\Iedfqeka.exeC:\Windows\system32\Iedfqeka.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Ijqoilii.exeC:\Windows\system32\Ijqoilii.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2464 -
C:\Windows\SysWOW64\Iakgefqe.exeC:\Windows\system32\Iakgefqe.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1628 -
C:\Windows\SysWOW64\Ihdpbq32.exeC:\Windows\system32\Ihdpbq32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2784 -
C:\Windows\SysWOW64\Iamdkfnc.exeC:\Windows\system32\Iamdkfnc.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2592 -
C:\Windows\SysWOW64\Jmdepg32.exeC:\Windows\system32\Jmdepg32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2740 -
C:\Windows\SysWOW64\Jdnmma32.exeC:\Windows\system32\Jdnmma32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2972 -
C:\Windows\SysWOW64\Jikeeh32.exeC:\Windows\system32\Jikeeh32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2640 -
C:\Windows\SysWOW64\Jmhnkfpa.exeC:\Windows\system32\Jmhnkfpa.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Jojkco32.exeC:\Windows\system32\Jojkco32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1820 -
C:\Windows\SysWOW64\Jioopgef.exeC:\Windows\system32\Jioopgef.exe35⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Jpigma32.exeC:\Windows\system32\Jpigma32.exe36⤵
- Executes dropped EXE
PID:1972 -
C:\Windows\SysWOW64\Jefpeh32.exeC:\Windows\system32\Jefpeh32.exe37⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2104 -
C:\Windows\SysWOW64\Jbjpom32.exeC:\Windows\system32\Jbjpom32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2768 -
C:\Windows\SysWOW64\Kdklfe32.exeC:\Windows\system32\Kdklfe32.exe39⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Koaqcn32.exeC:\Windows\system32\Koaqcn32.exe40⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\Kaompi32.exeC:\Windows\system32\Kaompi32.exe41⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Knfndjdp.exeC:\Windows\system32\Knfndjdp.exe42⤵
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Kdpfadlm.exeC:\Windows\system32\Kdpfadlm.exe43⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Kkjnnn32.exeC:\Windows\system32\Kkjnnn32.exe44⤵
- Executes dropped EXE
PID:280 -
C:\Windows\SysWOW64\Kpgffe32.exeC:\Windows\system32\Kpgffe32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Kklkcn32.exeC:\Windows\system32\Kklkcn32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Knkgpi32.exeC:\Windows\system32\Knkgpi32.exe47⤵
- Executes dropped EXE
PID:2408 -
C:\Windows\SysWOW64\Kpicle32.exeC:\Windows\system32\Kpicle32.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2532 -
C:\Windows\SysWOW64\Kffldlne.exeC:\Windows\system32\Kffldlne.exe49⤵
- Executes dropped EXE
- Modifies registry class
PID:580 -
C:\Windows\SysWOW64\Kpkpadnl.exeC:\Windows\system32\Kpkpadnl.exe50⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Lgehno32.exeC:\Windows\system32\Lgehno32.exe51⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Windows\SysWOW64\Llbqfe32.exeC:\Windows\system32\Llbqfe32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Lclicpkm.exeC:\Windows\system32\Lclicpkm.exe53⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Ljfapjbi.exeC:\Windows\system32\Ljfapjbi.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1532 -
C:\Windows\SysWOW64\Lkgngb32.exeC:\Windows\system32\Lkgngb32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2876 -
C:\Windows\SysWOW64\Ldpbpgoh.exeC:\Windows\system32\Ldpbpgoh.exe56⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Lkjjma32.exeC:\Windows\system32\Lkjjma32.exe57⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Lbcbjlmb.exeC:\Windows\system32\Lbcbjlmb.exe58⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Ldbofgme.exeC:\Windows\system32\Ldbofgme.exe59⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Lklgbadb.exeC:\Windows\system32\Lklgbadb.exe60⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Lqipkhbj.exeC:\Windows\system32\Lqipkhbj.exe61⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Mjaddn32.exeC:\Windows\system32\Mjaddn32.exe62⤵
- Executes dropped EXE
PID:1516 -
C:\Windows\SysWOW64\Mqklqhpg.exeC:\Windows\system32\Mqklqhpg.exe63⤵
- Executes dropped EXE
PID:2932 -
C:\Windows\SysWOW64\Mjcaimgg.exeC:\Windows\system32\Mjcaimgg.exe64⤵
- Executes dropped EXE
PID:1920 -
C:\Windows\SysWOW64\Mmbmeifk.exeC:\Windows\system32\Mmbmeifk.exe65⤵
- Executes dropped EXE
PID:1428 -
C:\Windows\SysWOW64\Mfjann32.exeC:\Windows\system32\Mfjann32.exe66⤵
- Drops file in System32 directory
PID:2380 -
C:\Windows\SysWOW64\Ompefj32.exeC:\Windows\system32\Ompefj32.exe67⤵PID:1908
-
C:\Windows\SysWOW64\Obokcqhk.exeC:\Windows\system32\Obokcqhk.exe68⤵PID:2536
-
C:\Windows\SysWOW64\Pofkha32.exeC:\Windows\system32\Pofkha32.exe69⤵
- Modifies registry class
PID:1700 -
C:\Windows\SysWOW64\Phnpagdp.exeC:\Windows\system32\Phnpagdp.exe70⤵PID:2788
-
C:\Windows\SysWOW64\Pohhna32.exeC:\Windows\system32\Pohhna32.exe71⤵PID:2716
-
C:\Windows\SysWOW64\Pojecajj.exeC:\Windows\system32\Pojecajj.exe72⤵PID:2616
-
C:\Windows\SysWOW64\Pplaki32.exeC:\Windows\system32\Pplaki32.exe73⤵PID:1544
-
C:\Windows\SysWOW64\Phcilf32.exeC:\Windows\system32\Phcilf32.exe74⤵
- Drops file in System32 directory
PID:2032 -
C:\Windows\SysWOW64\Pkaehb32.exeC:\Windows\system32\Pkaehb32.exe75⤵
- Modifies registry class
PID:2492 -
C:\Windows\SysWOW64\Paknelgk.exeC:\Windows\system32\Paknelgk.exe76⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2004 -
C:\Windows\SysWOW64\Pdjjag32.exeC:\Windows\system32\Pdjjag32.exe77⤵PID:472
-
C:\Windows\SysWOW64\Pghfnc32.exeC:\Windows\system32\Pghfnc32.exe78⤵
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Pnbojmmp.exeC:\Windows\system32\Pnbojmmp.exe79⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2884 -
C:\Windows\SysWOW64\Qdlggg32.exeC:\Windows\system32\Qdlggg32.exe80⤵PID:860
-
C:\Windows\SysWOW64\Qgjccb32.exeC:\Windows\system32\Qgjccb32.exe81⤵PID:1812
-
C:\Windows\SysWOW64\Qiioon32.exeC:\Windows\system32\Qiioon32.exe82⤵PID:2916
-
C:\Windows\SysWOW64\Qlgkki32.exeC:\Windows\system32\Qlgkki32.exe83⤵PID:1824
-
C:\Windows\SysWOW64\Qcachc32.exeC:\Windows\system32\Qcachc32.exe84⤵PID:952
-
C:\Windows\SysWOW64\Qeppdo32.exeC:\Windows\system32\Qeppdo32.exe85⤵PID:2000
-
C:\Windows\SysWOW64\Alihaioe.exeC:\Windows\system32\Alihaioe.exe86⤵
- System Location Discovery: System Language Discovery
PID:2336 -
C:\Windows\SysWOW64\Agolnbok.exeC:\Windows\system32\Agolnbok.exe87⤵
- Modifies registry class
PID:1744 -
C:\Windows\SysWOW64\Ajmijmnn.exeC:\Windows\system32\Ajmijmnn.exe88⤵PID:2856
-
C:\Windows\SysWOW64\Allefimb.exeC:\Windows\system32\Allefimb.exe89⤵PID:548
-
C:\Windows\SysWOW64\Aojabdlf.exeC:\Windows\system32\Aojabdlf.exe90⤵
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Afdiondb.exeC:\Windows\system32\Afdiondb.exe91⤵PID:1680
-
C:\Windows\SysWOW64\Alnalh32.exeC:\Windows\system32\Alnalh32.exe92⤵
- Drops file in System32 directory
PID:2648 -
C:\Windows\SysWOW64\Achjibcl.exeC:\Windows\system32\Achjibcl.exe93⤵PID:1964
-
C:\Windows\SysWOW64\Afffenbp.exeC:\Windows\system32\Afffenbp.exe94⤵PID:2984
-
C:\Windows\SysWOW64\Alqnah32.exeC:\Windows\system32\Alqnah32.exe95⤵PID:2072
-
C:\Windows\SysWOW64\Anbkipok.exeC:\Windows\system32\Anbkipok.exe96⤵PID:1512
-
C:\Windows\SysWOW64\Adlcfjgh.exeC:\Windows\system32\Adlcfjgh.exe97⤵PID:1980
-
C:\Windows\SysWOW64\Akfkbd32.exeC:\Windows\system32\Akfkbd32.exe98⤵PID:2496
-
C:\Windows\SysWOW64\Aoagccfn.exeC:\Windows\system32\Aoagccfn.exe99⤵PID:1224
-
C:\Windows\SysWOW64\Aqbdkk32.exeC:\Windows\system32\Aqbdkk32.exe100⤵PID:588
-
C:\Windows\SysWOW64\Bgllgedi.exeC:\Windows\system32\Bgllgedi.exe101⤵
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Bnfddp32.exeC:\Windows\system32\Bnfddp32.exe102⤵PID:2820
-
C:\Windows\SysWOW64\Bdqlajbb.exeC:\Windows\system32\Bdqlajbb.exe103⤵PID:1756
-
C:\Windows\SysWOW64\Bkjdndjo.exeC:\Windows\system32\Bkjdndjo.exe104⤵
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\Bniajoic.exeC:\Windows\system32\Bniajoic.exe105⤵PID:1720
-
C:\Windows\SysWOW64\Bdcifi32.exeC:\Windows\system32\Bdcifi32.exe106⤵PID:2604
-
C:\Windows\SysWOW64\Bfdenafn.exeC:\Windows\system32\Bfdenafn.exe107⤵
- Drops file in System32 directory
PID:2944 -
C:\Windows\SysWOW64\Bmnnkl32.exeC:\Windows\system32\Bmnnkl32.exe108⤵PID:2736
-
C:\Windows\SysWOW64\Boljgg32.exeC:\Windows\system32\Boljgg32.exe109⤵PID:1168
-
C:\Windows\SysWOW64\Bffbdadk.exeC:\Windows\system32\Bffbdadk.exe110⤵PID:1676
-
C:\Windows\SysWOW64\Bmpkqklh.exeC:\Windows\system32\Bmpkqklh.exe111⤵
- System Location Discovery: System Language Discovery
PID:1292 -
C:\Windows\SysWOW64\Boogmgkl.exeC:\Windows\system32\Boogmgkl.exe112⤵PID:2596
-
C:\Windows\SysWOW64\Bfioia32.exeC:\Windows\system32\Bfioia32.exe113⤵
- Drops file in System32 directory
PID:596 -
C:\Windows\SysWOW64\Bigkel32.exeC:\Windows\system32\Bigkel32.exe114⤵PID:640
-
C:\Windows\SysWOW64\Bkegah32.exeC:\Windows\system32\Bkegah32.exe115⤵PID:1880
-
C:\Windows\SysWOW64\Ccmpce32.exeC:\Windows\system32\Ccmpce32.exe116⤵PID:2208
-
C:\Windows\SysWOW64\Cfkloq32.exeC:\Windows\system32\Cfkloq32.exe117⤵PID:1456
-
C:\Windows\SysWOW64\Ciihklpj.exeC:\Windows\system32\Ciihklpj.exe118⤵
- Drops file in System32 directory
PID:2936 -
C:\Windows\SysWOW64\Ckhdggom.exeC:\Windows\system32\Ckhdggom.exe119⤵PID:2248
-
C:\Windows\SysWOW64\Cbblda32.exeC:\Windows\system32\Cbblda32.exe120⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Cepipm32.exeC:\Windows\system32\Cepipm32.exe121⤵
- Drops file in System32 directory
PID:3044
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-