Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
39s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
01/10/2024, 21:15
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7ffb49e1fdd92c552fd24585848dcbe6abcaaf61347ac753397f81df88f78d3dN.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
7ffb49e1fdd92c552fd24585848dcbe6abcaaf61347ac753397f81df88f78d3dN.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
7ffb49e1fdd92c552fd24585848dcbe6abcaaf61347ac753397f81df88f78d3dN.exe
-
Size
1000KB
-
MD5
f8ad292a08fa7c2e020ed6d9d91cf390
-
SHA1
6f5f927bc3aa234ba6f01381332a83dd8f130d7e
-
SHA256
7ffb49e1fdd92c552fd24585848dcbe6abcaaf61347ac753397f81df88f78d3d
-
SHA512
14d7f298d4bd7500e0efa2e002c558e1468211744390c568fbf9273bee0ade7c8944e55614a7787b73717948f8f5a37b0eaa9fc9c55cce4b4ac84523ce056216
-
SSDEEP
12288:qYnCBCtHBFLPj3TmLnWrOxNuxC97hFq9o7:qRCtHBFLPj368MoC9Dq9o7
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Demaoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eogolc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mabphn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjnjjbbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aopahjll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpmmfp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kijkje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldjpbign.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hinbppna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohipla32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odgodl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Daacecfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnofjfhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jfjolf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ajnpecbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdbbgdjj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfoojj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Acnlgajg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epecbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dphfbiem.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmmpolof.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pafbadcm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bleeioil.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddblgn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggkibhjf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pmjaohol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmogmjmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdojgmfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjojef32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cebeem32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijmipn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Haqnea32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bagkmb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cpkmcldj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Knkgpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pplaki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggfnopfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pkmlmbcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ahebaiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Caifjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhiomn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nidmfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hbofmcij.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Caidaeak.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Foccjood.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hndlem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ohhmcinf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmkilb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnkcpq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nedhjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Paocnkph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbafjlaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ecfldoph.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iahkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhdegn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajcipc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jfofol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kpieengb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjallg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Piqpkpml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncnngfna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbeedh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qldhkc32.exe -
Executes dropped EXE 64 IoCs
pid Process 2404 Mhilph32.exe 2124 Mfllkece.exe 2708 Mabphn32.exe 2916 Mpdqdkie.exe 2716 Naopaa32.exe 2772 Ohnaik32.exe 2432 Odebolpe.exe 756 Olpgconp.exe 2976 Odgodl32.exe 2944 Ocjophem.exe 1080 Pafbadcm.exe 624 Pddnnp32.exe 2060 Pqkobqhd.exe 948 Phbgcnig.exe 2980 Pjcckf32.exe 408 Pakllc32.exe 1772 Pdihiook.exe 1600 Pggdejno.exe 1684 Ajjfkh32.exe 2224 Bnfblgca.exe 2276 Badnhbce.exe 3068 Bgnfdm32.exe 604 Bjmbqhif.exe 2180 Bagkmb32.exe 2392 Bjoofhgc.exe 1904 Bcgdom32.exe 1872 Bjallg32.exe 2864 Blchcpko.exe 2328 Bbmapj32.exe 2860 Bleeioil.exe 2992 Bpqain32.exe 2760 Bbonei32.exe 2160 Ciifbchf.exe 2952 Cadjgf32.exe 2700 Cikbhc32.exe 268 Cohkpj32.exe 2292 Cafgle32.exe 1208 Caidaeak.exe 876 Ckahkk32.exe 3044 Cmpdgf32.exe 2024 Cdjmcpnl.exe 2120 Ckcepj32.exe 2428 Dpqnhadq.exe 1508 Dgjfek32.exe 2068 Dmdnbecj.exe 700 Dpcjnabn.exe 1660 Dbafjlaa.exe 292 Dgmbkk32.exe 2248 Dikogf32.exe 1652 Dmgkgeah.exe 2704 Dpegcq32.exe 3012 Dcccpl32.exe 1272 Dgoopkgh.exe 2748 Dhplhc32.exe 1472 Dpgcip32.exe 1304 Diphbfdi.exe 2784 Dhbhmb32.exe 2056 Dkadjn32.exe 1892 Dchmkkkj.exe 1528 Degiggjm.exe 2188 Elqaca32.exe 2344 Enbnkigh.exe 2444 Edlfhc32.exe 2580 Ekfndmfb.exe -
Loads dropped DLL 64 IoCs
pid Process 2520 7ffb49e1fdd92c552fd24585848dcbe6abcaaf61347ac753397f81df88f78d3dN.exe 2520 7ffb49e1fdd92c552fd24585848dcbe6abcaaf61347ac753397f81df88f78d3dN.exe 2404 Mhilph32.exe 2404 Mhilph32.exe 2124 Mfllkece.exe 2124 Mfllkece.exe 2708 Mabphn32.exe 2708 Mabphn32.exe 2916 Mpdqdkie.exe 2916 Mpdqdkie.exe 2716 Naopaa32.exe 2716 Naopaa32.exe 2772 Ohnaik32.exe 2772 Ohnaik32.exe 2432 Odebolpe.exe 2432 Odebolpe.exe 756 Olpgconp.exe 756 Olpgconp.exe 2976 Odgodl32.exe 2976 Odgodl32.exe 2944 Ocjophem.exe 2944 Ocjophem.exe 1080 Pafbadcm.exe 1080 Pafbadcm.exe 624 Pddnnp32.exe 624 Pddnnp32.exe 2060 Pqkobqhd.exe 2060 Pqkobqhd.exe 948 Phbgcnig.exe 948 Phbgcnig.exe 2980 Pjcckf32.exe 2980 Pjcckf32.exe 408 Pakllc32.exe 408 Pakllc32.exe 1772 Pdihiook.exe 1772 Pdihiook.exe 1600 Pggdejno.exe 1600 Pggdejno.exe 1684 Ajjfkh32.exe 1684 Ajjfkh32.exe 2224 Bnfblgca.exe 2224 Bnfblgca.exe 2276 Badnhbce.exe 2276 Badnhbce.exe 3068 Bgnfdm32.exe 3068 Bgnfdm32.exe 604 Bjmbqhif.exe 604 Bjmbqhif.exe 2180 Bagkmb32.exe 2180 Bagkmb32.exe 2392 Bjoofhgc.exe 2392 Bjoofhgc.exe 1904 Bcgdom32.exe 1904 Bcgdom32.exe 1872 Bjallg32.exe 1872 Bjallg32.exe 2864 Blchcpko.exe 2864 Blchcpko.exe 2328 Bbmapj32.exe 2328 Bbmapj32.exe 2860 Bleeioil.exe 2860 Bleeioil.exe 2992 Bpqain32.exe 2992 Bpqain32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Qdojgmfe.exe Qfljkp32.exe File created C:\Windows\SysWOW64\Cljoegei.dll Lqipkhbj.exe File created C:\Windows\SysWOW64\Nfnidhlj.dll Fabaocfl.exe File created C:\Windows\SysWOW64\Glchpp32.exe Ggfpgi32.exe File opened for modification C:\Windows\SysWOW64\Cqfbjhgf.exe Cmkfji32.exe File opened for modification C:\Windows\SysWOW64\Jnnnalph.exe Jkpbdq32.exe File created C:\Windows\SysWOW64\Knkgpi32.exe Kklkcn32.exe File opened for modification C:\Windows\SysWOW64\Kbbobkol.exe Kmegjdad.exe File created C:\Windows\SysWOW64\Hjcaha32.exe Hfhfhbce.exe File created C:\Windows\SysWOW64\Poeofkoh.dll Joiappkp.exe File created C:\Windows\SysWOW64\Jdbfnoac.dll Lcaiiejc.exe File opened for modification C:\Windows\SysWOW64\Dobgihgp.exe Dhiomn32.exe File opened for modification C:\Windows\SysWOW64\Gbjojh32.exe Golbnm32.exe File opened for modification C:\Windows\SysWOW64\Agbbgqhh.exe Addfkeid.exe File opened for modification C:\Windows\SysWOW64\Khabghdl.exe Kdefgj32.exe File created C:\Windows\SysWOW64\Hafimk32.dll Ppfomk32.exe File created C:\Windows\SysWOW64\Ojefmknj.dll Pkjphcff.exe File created C:\Windows\SysWOW64\Kbfcnc32.dll Pghfnc32.exe File created C:\Windows\SysWOW64\Iahghfmb.dll Hmjoqo32.exe File opened for modification C:\Windows\SysWOW64\Mphiqbon.exe Lfbdci32.exe File opened for modification C:\Windows\SysWOW64\Abmgjo32.exe Aoojnc32.exe File created C:\Windows\SysWOW64\Mdceqkca.dll Mgbaml32.exe File opened for modification C:\Windows\SysWOW64\Efdhpjok.exe Ecfldoph.exe File created C:\Windows\SysWOW64\Ocaeoe32.dll Ijklknbn.exe File created C:\Windows\SysWOW64\Ncfefh32.dll Nmqpam32.exe File created C:\Windows\SysWOW64\Odjdmjgo.exe Oehdan32.exe File opened for modification C:\Windows\SysWOW64\Cpkmcldj.exe Cmmagpef.exe File opened for modification C:\Windows\SysWOW64\Eejopecj.exe Epmfgo32.exe File created C:\Windows\SysWOW64\Nknimnap.exe Ndcapd32.exe File created C:\Windows\SysWOW64\Egpbbn32.dll Jlhhndno.exe File opened for modification C:\Windows\SysWOW64\Ecbhdi32.exe Eogmcjef.exe File created C:\Windows\SysWOW64\Chpenm32.dll Hegpjaac.exe File created C:\Windows\SysWOW64\Ofqmcj32.exe Obeacl32.exe File opened for modification C:\Windows\SysWOW64\Iakino32.exe Inmmbc32.exe File created C:\Windows\SysWOW64\Pomhcg32.exe Piqpkpml.exe File opened for modification C:\Windows\SysWOW64\Dkqnoh32.exe Dmmmfc32.exe File created C:\Windows\SysWOW64\Bleoal32.dll Hjofdi32.exe File created C:\Windows\SysWOW64\Icmongda.dll Ieajkfmd.exe File created C:\Windows\SysWOW64\Emfbap32.dll Dbabho32.exe File created C:\Windows\SysWOW64\Onffhdlh.dll Pecgea32.exe File opened for modification C:\Windows\SysWOW64\Kdphjm32.exe Kablnadm.exe File created C:\Windows\SysWOW64\Pihbeaea.dll Kageia32.exe File created C:\Windows\SysWOW64\Dikogf32.exe Dgmbkk32.exe File created C:\Windows\SysWOW64\Phhjblpa.exe Palepb32.exe File created C:\Windows\SysWOW64\Qqfkbadh.dll Lnhgim32.exe File created C:\Windows\SysWOW64\Qiflohqk.exe Paocnkph.exe File created C:\Windows\SysWOW64\Deondj32.exe Dbabho32.exe File created C:\Windows\SysWOW64\Kbclpfop.dll Ijcngenj.exe File opened for modification C:\Windows\SysWOW64\Pjcckf32.exe Phbgcnig.exe File opened for modification C:\Windows\SysWOW64\Oeehln32.exe Nlfmbibo.exe File created C:\Windows\SysWOW64\Afgmodel.exe Aciqcifh.exe File created C:\Windows\SysWOW64\Apoldh32.dll Gdkgkcpq.exe File created C:\Windows\SysWOW64\Ncinap32.exe Ndfnecgp.exe File created C:\Windows\SysWOW64\Aiaoclgl.exe Aknngo32.exe File opened for modification C:\Windows\SysWOW64\Knnkpobc.exe Khabghdl.exe File opened for modification C:\Windows\SysWOW64\Dmmmfc32.exe Diaaeepi.exe File created C:\Windows\SysWOW64\Fdekgjno.exe Flocfmnl.exe File opened for modification C:\Windows\SysWOW64\Goqnae32.exe Gehiioaj.exe File created C:\Windows\SysWOW64\Ijcngenj.exe Ikqnlh32.exe File created C:\Windows\SysWOW64\Qiioon32.exe Qkfocaki.exe File created C:\Windows\SysWOW64\Oabhggjd.dll Bkjdndjo.exe File created C:\Windows\SysWOW64\Endjaief.exe Ekfndmfb.exe File created C:\Windows\SysWOW64\Bgaebe32.exe Bkjdndjo.exe File opened for modification C:\Windows\SysWOW64\Lpcoeb32.exe Laqojfli.exe -
Program crash 1 IoCs
pid pid_target Process 1256 2968 WerFault.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjogcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnhgha32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iplnnd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlckbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jikeeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkjdndjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjljnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lbafdlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjedmo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iaeegh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pilfpqaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hakkgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaghki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckahkk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdnild32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohipla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggcaiqhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giipab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dncibp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hoqjqhjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpcoeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bajqfq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dacpkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfhgpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfofol32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hieiqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekfndmfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfmndn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfkbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fheabelm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmfkfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elkmmodo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odgodl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eolmip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aknlofim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbncjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebqngb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnleiipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apkgpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbafjlaa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqfaldbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omnipjni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alqnah32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kajiigba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbnmienj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdhleh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cqdfehii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmdkjmip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpoolael.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klpdaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpmmfp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blinefnd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcepqh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keeeje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkgpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcbnpgkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlccdboi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbflno32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncnngfna.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pakllc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhmfbim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flocfmnl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flclam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldjpbign.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gfnjne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Geoghd32.dll" Igmbgk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iabhah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ibkkjp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cefkjiak.dll" Gbjojh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkmlmbcd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ehhdaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gconbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bkedkm32.dll" Oejcpf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gekfnoog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kjpndcho.dll" Kmfpmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kodhamlk.dll" Cmfkfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pahoec32.dll" Difnaqih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbhlek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eekogb32.dll" Jpajbl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pblcbn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phblkn32.dll" Kdbepm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnoldn32.dll" Lqqpgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mqbbagjo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gaihob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bknjfb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bgghac32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eogolc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjogcm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hffibceh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kneino32.dll" Bjoofhgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdonhj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abpjjeim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bgibnj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obecdjcn.dll" Oemgplgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hilcfe32.dll" Dpcmgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnnikfij.dll" Kablnadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hckmla32.dll" Biolanld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elkofg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mpbclcja.dll" Fhdmph32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnfkba32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Naopaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cmmagpef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Diaaeepi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kdklfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lloeec32.dll" Bbmcibjp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fchkbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epecbd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phhjblpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bleoal32.dll" Hjofdi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdekgjno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enoopc32.dll" Fhgppnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edlfhc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aciqcifh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nakpkfka.dll" Hcdgmimg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhjphfgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Micklk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imokehhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjipagod.dll" Emifeqid.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ccpeld32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kablnadm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pggdejno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppfafcpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pbgjgomc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjhcag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpcoeb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mlfacfpc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hofngkga.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2520 wrote to memory of 2404 2520 7ffb49e1fdd92c552fd24585848dcbe6abcaaf61347ac753397f81df88f78d3dN.exe 30 PID 2520 wrote to memory of 2404 2520 7ffb49e1fdd92c552fd24585848dcbe6abcaaf61347ac753397f81df88f78d3dN.exe 30 PID 2520 wrote to memory of 2404 2520 7ffb49e1fdd92c552fd24585848dcbe6abcaaf61347ac753397f81df88f78d3dN.exe 30 PID 2520 wrote to memory of 2404 2520 7ffb49e1fdd92c552fd24585848dcbe6abcaaf61347ac753397f81df88f78d3dN.exe 30 PID 2404 wrote to memory of 2124 2404 Mhilph32.exe 31 PID 2404 wrote to memory of 2124 2404 Mhilph32.exe 31 PID 2404 wrote to memory of 2124 2404 Mhilph32.exe 31 PID 2404 wrote to memory of 2124 2404 Mhilph32.exe 31 PID 2124 wrote to memory of 2708 2124 Mfllkece.exe 32 PID 2124 wrote to memory of 2708 2124 Mfllkece.exe 32 PID 2124 wrote to memory of 2708 2124 Mfllkece.exe 32 PID 2124 wrote to memory of 2708 2124 Mfllkece.exe 32 PID 2708 wrote to memory of 2916 2708 Mabphn32.exe 33 PID 2708 wrote to memory of 2916 2708 Mabphn32.exe 33 PID 2708 wrote to memory of 2916 2708 Mabphn32.exe 33 PID 2708 wrote to memory of 2916 2708 Mabphn32.exe 33 PID 2916 wrote to memory of 2716 2916 Mpdqdkie.exe 793 PID 2916 wrote to memory of 2716 2916 Mpdqdkie.exe 793 PID 2916 wrote to memory of 2716 2916 Mpdqdkie.exe 793 PID 2916 wrote to memory of 2716 2916 Mpdqdkie.exe 793 PID 2716 wrote to memory of 2772 2716 Naopaa32.exe 35 PID 2716 wrote to memory of 2772 2716 Naopaa32.exe 35 PID 2716 wrote to memory of 2772 2716 Naopaa32.exe 35 PID 2716 wrote to memory of 2772 2716 Naopaa32.exe 35 PID 2772 wrote to memory of 2432 2772 Ohnaik32.exe 36 PID 2772 wrote to memory of 2432 2772 Ohnaik32.exe 36 PID 2772 wrote to memory of 2432 2772 Ohnaik32.exe 36 PID 2772 wrote to memory of 2432 2772 Ohnaik32.exe 36 PID 2432 wrote to memory of 756 2432 Odebolpe.exe 37 PID 2432 wrote to memory of 756 2432 Odebolpe.exe 37 PID 2432 wrote to memory of 756 2432 Odebolpe.exe 37 PID 2432 wrote to memory of 756 2432 Odebolpe.exe 37 PID 756 wrote to memory of 2976 756 Olpgconp.exe 803 PID 756 wrote to memory of 2976 756 Olpgconp.exe 803 PID 756 wrote to memory of 2976 756 Olpgconp.exe 803 PID 756 wrote to memory of 2976 756 Olpgconp.exe 803 PID 2976 wrote to memory of 2944 2976 Odgodl32.exe 39 PID 2976 wrote to memory of 2944 2976 Odgodl32.exe 39 PID 2976 wrote to memory of 2944 2976 Odgodl32.exe 39 PID 2976 wrote to memory of 2944 2976 Odgodl32.exe 39 PID 2944 wrote to memory of 1080 2944 Ocjophem.exe 40 PID 2944 wrote to memory of 1080 2944 Ocjophem.exe 40 PID 2944 wrote to memory of 1080 2944 Ocjophem.exe 40 PID 2944 wrote to memory of 1080 2944 Ocjophem.exe 40 PID 1080 wrote to memory of 624 1080 Pafbadcm.exe 41 PID 1080 wrote to memory of 624 1080 Pafbadcm.exe 41 PID 1080 wrote to memory of 624 1080 Pafbadcm.exe 41 PID 1080 wrote to memory of 624 1080 Pafbadcm.exe 41 PID 624 wrote to memory of 2060 624 Pddnnp32.exe 42 PID 624 wrote to memory of 2060 624 Pddnnp32.exe 42 PID 624 wrote to memory of 2060 624 Pddnnp32.exe 42 PID 624 wrote to memory of 2060 624 Pddnnp32.exe 42 PID 2060 wrote to memory of 948 2060 Pqkobqhd.exe 43 PID 2060 wrote to memory of 948 2060 Pqkobqhd.exe 43 PID 2060 wrote to memory of 948 2060 Pqkobqhd.exe 43 PID 2060 wrote to memory of 948 2060 Pqkobqhd.exe 43 PID 948 wrote to memory of 2980 948 Phbgcnig.exe 795 PID 948 wrote to memory of 2980 948 Phbgcnig.exe 795 PID 948 wrote to memory of 2980 948 Phbgcnig.exe 795 PID 948 wrote to memory of 2980 948 Phbgcnig.exe 795 PID 2980 wrote to memory of 408 2980 Pjcckf32.exe 45 PID 2980 wrote to memory of 408 2980 Pjcckf32.exe 45 PID 2980 wrote to memory of 408 2980 Pjcckf32.exe 45 PID 2980 wrote to memory of 408 2980 Pjcckf32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\7ffb49e1fdd92c552fd24585848dcbe6abcaaf61347ac753397f81df88f78d3dN.exe"C:\Users\Admin\AppData\Local\Temp\7ffb49e1fdd92c552fd24585848dcbe6abcaaf61347ac753397f81df88f78d3dN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Mhilph32.exeC:\Windows\system32\Mhilph32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\SysWOW64\Mfllkece.exeC:\Windows\system32\Mfllkece.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2124 -
C:\Windows\SysWOW64\Mabphn32.exeC:\Windows\system32\Mabphn32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Mpdqdkie.exeC:\Windows\system32\Mpdqdkie.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:756 -
C:\Windows\SysWOW64\Odgodl32.exeC:\Windows\system32\Odgodl32.exe10⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Ocjophem.exeC:\Windows\system32\Ocjophem.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2944 -
C:\Windows\SysWOW64\Pafbadcm.exeC:\Windows\system32\Pafbadcm.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\Pddnnp32.exeC:\Windows\system32\Pddnnp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:624 -
C:\Windows\SysWOW64\Pqkobqhd.exeC:\Windows\system32\Pqkobqhd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2060 -
C:\Windows\SysWOW64\Phbgcnig.exeC:\Windows\system32\Phbgcnig.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:948 -
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Windows\SysWOW64\Pakllc32.exeC:\Windows\system32\Pakllc32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:408 -
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772 -
C:\Windows\SysWOW64\Pggdejno.exeC:\Windows\system32\Pggdejno.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1684 -
C:\Windows\SysWOW64\Bnfblgca.exeC:\Windows\system32\Bnfblgca.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Badnhbce.exeC:\Windows\system32\Badnhbce.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2276 -
C:\Windows\SysWOW64\Bgnfdm32.exeC:\Windows\system32\Bgnfdm32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3068 -
C:\Windows\SysWOW64\Bjmbqhif.exeC:\Windows\system32\Bjmbqhif.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:604 -
C:\Windows\SysWOW64\Bagkmb32.exeC:\Windows\system32\Bagkmb32.exe25⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2180 -
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Bcgdom32.exeC:\Windows\system32\Bcgdom32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1904 -
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1872 -
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2864 -
C:\Windows\SysWOW64\Bbmapj32.exeC:\Windows\system32\Bbmapj32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2328 -
C:\Windows\SysWOW64\Bleeioil.exeC:\Windows\system32\Bleeioil.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2992 -
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe33⤵
- Executes dropped EXE
PID:2760 -
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe34⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe35⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Cikbhc32.exeC:\Windows\system32\Cikbhc32.exe36⤵
- Executes dropped EXE
PID:2700 -
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe37⤵
- Executes dropped EXE
PID:268 -
C:\Windows\SysWOW64\Cafgle32.exeC:\Windows\system32\Cafgle32.exe38⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1208 -
C:\Windows\SysWOW64\Ckahkk32.exeC:\Windows\system32\Ckahkk32.exe40⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:876 -
C:\Windows\SysWOW64\Cmpdgf32.exeC:\Windows\system32\Cmpdgf32.exe41⤵
- Executes dropped EXE
PID:3044 -
C:\Windows\SysWOW64\Cdjmcpnl.exeC:\Windows\system32\Cdjmcpnl.exe42⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Ckcepj32.exeC:\Windows\system32\Ckcepj32.exe43⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Dpqnhadq.exeC:\Windows\system32\Dpqnhadq.exe44⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe45⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe46⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Dpcjnabn.exeC:\Windows\system32\Dpcjnabn.exe47⤵
- Executes dropped EXE
PID:700 -
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1660 -
C:\Windows\SysWOW64\Dgmbkk32.exeC:\Windows\system32\Dgmbkk32.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:292 -
C:\Windows\SysWOW64\Dikogf32.exeC:\Windows\system32\Dikogf32.exe50⤵
- Executes dropped EXE
PID:2248 -
C:\Windows\SysWOW64\Dmgkgeah.exeC:\Windows\system32\Dmgkgeah.exe51⤵
- Executes dropped EXE
PID:1652 -
C:\Windows\SysWOW64\Dpegcq32.exeC:\Windows\system32\Dpegcq32.exe52⤵
- Executes dropped EXE
PID:2704 -
C:\Windows\SysWOW64\Dcccpl32.exeC:\Windows\system32\Dcccpl32.exe53⤵
- Executes dropped EXE
PID:3012 -
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe54⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\Dhplhc32.exeC:\Windows\system32\Dhplhc32.exe55⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe56⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Diphbfdi.exeC:\Windows\system32\Diphbfdi.exe57⤵
- Executes dropped EXE
PID:1304 -
C:\Windows\SysWOW64\Dhbhmb32.exeC:\Windows\system32\Dhbhmb32.exe58⤵
- Executes dropped EXE
PID:2784 -
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe59⤵
- Executes dropped EXE
PID:2056 -
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe60⤵
- Executes dropped EXE
PID:1892 -
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe61⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Elqaca32.exeC:\Windows\system32\Elqaca32.exe62⤵
- Executes dropped EXE
PID:2188 -
C:\Windows\SysWOW64\Enbnkigh.exeC:\Windows\system32\Enbnkigh.exe63⤵
- Executes dropped EXE
PID:2344 -
C:\Windows\SysWOW64\Edlfhc32.exeC:\Windows\system32\Edlfhc32.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2444 -
C:\Windows\SysWOW64\Ekfndmfb.exeC:\Windows\system32\Ekfndmfb.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Endjaief.exeC:\Windows\system32\Endjaief.exe66⤵PID:1748
-
C:\Windows\SysWOW64\Epbfmd32.exeC:\Windows\system32\Epbfmd32.exe67⤵PID:1664
-
C:\Windows\SysWOW64\Ehjona32.exeC:\Windows\system32\Ehjona32.exe68⤵PID:2728
-
C:\Windows\SysWOW64\Epecbd32.exeC:\Windows\system32\Epecbd32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1900 -
C:\Windows\SysWOW64\Eccpoo32.exeC:\Windows\system32\Eccpoo32.exe70⤵PID:1328
-
C:\Windows\SysWOW64\Ekjgpm32.exeC:\Windows\system32\Ekjgpm32.exe71⤵PID:2972
-
C:\Windows\SysWOW64\Ejmhkiig.exeC:\Windows\system32\Ejmhkiig.exe72⤵PID:1040
-
C:\Windows\SysWOW64\Ecfldoph.exeC:\Windows\system32\Ecfldoph.exe73⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1896 -
C:\Windows\SysWOW64\Efdhpjok.exeC:\Windows\system32\Efdhpjok.exe74⤵PID:1828
-
C:\Windows\SysWOW64\Eqjmncna.exeC:\Windows\system32\Eqjmncna.exe75⤵PID:2584
-
C:\Windows\SysWOW64\Eolmip32.exeC:\Windows\system32\Eolmip32.exe76⤵
- System Location Discovery: System Language Discovery
PID:2956 -
C:\Windows\SysWOW64\Fgcejm32.exeC:\Windows\system32\Fgcejm32.exe77⤵PID:1740
-
C:\Windows\SysWOW64\Fheabelm.exeC:\Windows\system32\Fheabelm.exe78⤵
- System Location Discovery: System Language Discovery
PID:1760 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe79⤵PID:1404
-
C:\Windows\SysWOW64\Fbmfkkbm.exeC:\Windows\system32\Fbmfkkbm.exe80⤵PID:1704
-
C:\Windows\SysWOW64\Ffibkj32.exeC:\Windows\system32\Ffibkj32.exe81⤵PID:1436
-
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe82⤵PID:872
-
C:\Windows\SysWOW64\Fbpbpkpj.exeC:\Windows\system32\Fbpbpkpj.exe83⤵PID:1728
-
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2384 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe85⤵PID:2892
-
C:\Windows\SysWOW64\Ffmkfifa.exeC:\Windows\system32\Ffmkfifa.exe86⤵PID:2204
-
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe87⤵PID:2808
-
C:\Windows\SysWOW64\Fofpoo32.exeC:\Windows\system32\Fofpoo32.exe88⤵PID:1416
-
C:\Windows\SysWOW64\Gcheib32.exeC:\Windows\system32\Gcheib32.exe89⤵PID:1700
-
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe90⤵
- System Location Discovery: System Language Discovery
PID:2672 -
C:\Windows\SysWOW64\Gjbmelgm.exeC:\Windows\system32\Gjbmelgm.exe91⤵PID:1096
-
C:\Windows\SysWOW64\Gmpjagfa.exeC:\Windows\system32\Gmpjagfa.exe92⤵PID:2196
-
C:\Windows\SysWOW64\Ggfnopfg.exeC:\Windows\system32\Ggfnopfg.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2148 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe94⤵PID:3048
-
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe95⤵PID:2684
-
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe96⤵PID:1792
-
C:\Windows\SysWOW64\Giiglhjb.exeC:\Windows\system32\Giiglhjb.exe97⤵PID:880
-
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe98⤵PID:468
-
C:\Windows\SysWOW64\Gfmgelil.exeC:\Windows\system32\Gfmgelil.exe99⤵PID:2736
-
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe100⤵PID:2304
-
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe101⤵PID:1308
-
C:\Windows\SysWOW64\Gpelnb32.exeC:\Windows\system32\Gpelnb32.exe102⤵PID:1596
-
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe103⤵PID:2460
-
C:\Windows\SysWOW64\Hfpdkl32.exeC:\Windows\system32\Hfpdkl32.exe104⤵PID:3056
-
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe105⤵PID:1768
-
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe106⤵PID:2172
-
C:\Windows\SysWOW64\Hbfepmmn.exeC:\Windows\system32\Hbfepmmn.exe107⤵PID:984
-
C:\Windows\SysWOW64\Hfbaql32.exeC:\Windows\system32\Hfbaql32.exe108⤵PID:1348
-
C:\Windows\SysWOW64\Hipmmg32.exeC:\Windows\system32\Hipmmg32.exe109⤵PID:2732
-
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe110⤵PID:2820
-
C:\Windows\SysWOW64\Hpjeialg.exeC:\Windows\system32\Hpjeialg.exe111⤵PID:2212
-
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe112⤵PID:2640
-
C:\Windows\SysWOW64\Heikgh32.exeC:\Windows\system32\Heikgh32.exe113⤵PID:1176
-
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe114⤵
- System Location Discovery: System Language Discovery
PID:1136 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe115⤵PID:1680
-
C:\Windows\SysWOW64\Helgmg32.exeC:\Windows\system32\Helgmg32.exe116⤵PID:896
-
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe117⤵PID:2000
-
C:\Windows\SysWOW64\Hndlem32.exeC:\Windows\system32\Hndlem32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2904 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe119⤵
- Modifies registry class
PID:2884 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe120⤵PID:2208
-
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe121⤵
- Drops file in System32 directory
PID:3028
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-