Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
63s -
max time network
22s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
06/10/2024, 08:23
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
bc8aea06eb31923a0b9aea538a4088f75cab4d485406b8aa68a8506a41cc5f24N.exe
Resource
win7-20240708-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
bc8aea06eb31923a0b9aea538a4088f75cab4d485406b8aa68a8506a41cc5f24N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
bc8aea06eb31923a0b9aea538a4088f75cab4d485406b8aa68a8506a41cc5f24N.exe
-
Size
2.5MB
-
MD5
66f09c5828943547bd0998d44c3ab270
-
SHA1
f7d011a6cf0e4c5dc848af4dc47d558f5e3964e4
-
SHA256
bc8aea06eb31923a0b9aea538a4088f75cab4d485406b8aa68a8506a41cc5f24
-
SHA512
04294d751e5528b8520e9e9c233bf30e027be26ace8159e2295ca8f243fd53eba573f808978b148545a6af5e8da818866cf4bbbabafde0a871136af7286c1749
-
SSDEEP
12288:0z5Vifq9kY660JVaw0HBHOehl0oDL/eToo5Li2:0z6q9gdVaw0HBFhWof/0o8
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pdljjplb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qhgbibgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgcbja32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fdlqjf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahmehqna.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmmcae32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gjcekj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfcadq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Olehbh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Plildb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifiilp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npkaei32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dedkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdpfbd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnomkloi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefeaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcekkkmc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnmjgkpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbbkabdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nnkekfkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eaoaafli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gjcekj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ifniaeqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idbjkj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnfbmgcj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Njcibgcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Obakli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Adppdckh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aqgqid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Amnanefa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmljnfll.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehonebqq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfedlb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nilpmo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpdefh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mginjnnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oiifcdhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkkmln32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Heqfdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mcknjidn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aagfffbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dckdio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fcbjon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpfggeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lamkllea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iocdmccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dhjdjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Echoepmo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imcaijia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkkpjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dmopge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fejjah32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Meidib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqgqid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcajjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iigehk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lcfhpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mqoocmcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iocdmccp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhpopk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lflklaoc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iceiibef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhdcbjal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbaafocg.exe -
Executes dropped EXE 64 IoCs
pid Process 1996 Bcoffd32.exe 2348 Baecehhh.exe 2916 Cldnqe32.exe 2880 Cbpcbo32.exe 2836 Dmajdl32.exe 2728 Dpdpkfga.exe 2068 Dilddl32.exe 584 Eaooin32.exe 2232 Enepnoji.exe 1924 Edohki32.exe 3056 Fnhlcn32.exe 1660 Fdaephpc.exe 1144 Fgpalcog.exe 2764 Fjomhonj.exe 860 Fgbnbcmd.exe 892 Fonbff32.exe 1860 Fmacpj32.exe 2136 Fdmgdl32.exe 1136 Fnelmb32.exe 1988 Ggnqfgce.exe 2340 Gngiba32.exe 2596 Gqfeom32.exe 2156 Ggpmkgab.exe 1492 Gjnigb32.exe 1592 Gqhadmhc.exe 2540 Ggbjag32.exe 2888 Gjqfmb32.exe 2808 Gefjjk32.exe 2796 Ggdfff32.exe 884 Gjccbb32.exe 1356 Gmaoomld.exe 760 Gppkkikh.exe 476 Gggclfkj.exe 3032 Gjephakn.exe 680 Hmdldmja.exe 2364 Hpbhphie.exe 1956 Hbqdldhi.exe 492 Hijmin32.exe 2184 Hpdefh32.exe 1472 Hbcabc32.exe 2324 Himionmc.exe 1688 Hlkekilg.exe 2168 Hbengc32.exe 2972 Hiofdmkq.exe 2128 Hpinagbm.exe 1976 Hnlnmd32.exe 940 Hefginae.exe 264 Hhdcejph.exe 1368 Hnnkbd32.exe 276 Hehconob.exe 968 Ihgpkinf.exe 1968 Inqhhc32.exe 2000 Iaoddodf.exe 2672 Idnppjcj.exe 2216 Iflmlfcn.exe 3088 Iocdmccp.exe 3148 Ipdaek32.exe 3200 Ifniaeqk.exe 3252 Iimenapo.exe 3304 Iadnon32.exe 3356 Idbjkj32.exe 3408 Ifqfge32.exe 3460 Iiobcq32.exe 3516 Ipijpkei.exe -
Loads dropped DLL 64 IoCs
pid Process 2024 bc8aea06eb31923a0b9aea538a4088f75cab4d485406b8aa68a8506a41cc5f24N.exe 2024 bc8aea06eb31923a0b9aea538a4088f75cab4d485406b8aa68a8506a41cc5f24N.exe 1996 Bcoffd32.exe 1996 Bcoffd32.exe 2348 Baecehhh.exe 2348 Baecehhh.exe 2916 Cldnqe32.exe 2916 Cldnqe32.exe 2880 Cbpcbo32.exe 2880 Cbpcbo32.exe 2836 Dmajdl32.exe 2836 Dmajdl32.exe 2728 Dpdpkfga.exe 2728 Dpdpkfga.exe 2068 Dilddl32.exe 2068 Dilddl32.exe 584 Eaooin32.exe 584 Eaooin32.exe 2232 Enepnoji.exe 2232 Enepnoji.exe 1924 Edohki32.exe 1924 Edohki32.exe 3056 Fnhlcn32.exe 3056 Fnhlcn32.exe 1660 Fdaephpc.exe 1660 Fdaephpc.exe 1144 Fgpalcog.exe 1144 Fgpalcog.exe 2764 Fjomhonj.exe 2764 Fjomhonj.exe 860 Fgbnbcmd.exe 860 Fgbnbcmd.exe 892 Fonbff32.exe 892 Fonbff32.exe 1860 Fmacpj32.exe 1860 Fmacpj32.exe 2136 Fdmgdl32.exe 2136 Fdmgdl32.exe 1136 Fnelmb32.exe 1136 Fnelmb32.exe 1988 Ggnqfgce.exe 1988 Ggnqfgce.exe 2340 Gngiba32.exe 2340 Gngiba32.exe 2596 Gqfeom32.exe 2596 Gqfeom32.exe 2156 Ggpmkgab.exe 2156 Ggpmkgab.exe 1492 Gjnigb32.exe 1492 Gjnigb32.exe 1592 Gqhadmhc.exe 1592 Gqhadmhc.exe 2540 Ggbjag32.exe 2540 Ggbjag32.exe 2888 Gjqfmb32.exe 2888 Gjqfmb32.exe 2808 Gefjjk32.exe 2808 Gefjjk32.exe 2796 Ggdfff32.exe 2796 Ggdfff32.exe 884 Gjccbb32.exe 884 Gjccbb32.exe 1356 Gmaoomld.exe 1356 Gmaoomld.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ldcenn32.dll Mhdcbjal.exe File created C:\Windows\SysWOW64\Cjkamk32.exe Cbcikn32.exe File created C:\Windows\SysWOW64\Alqmcb32.dll Naokbq32.exe File created C:\Windows\SysWOW64\Jejina32.dll Ojnelefl.exe File opened for modification C:\Windows\SysWOW64\Ihlbih32.exe Ienfml32.exe File opened for modification C:\Windows\SysWOW64\Hmdldmja.exe Gjephakn.exe File created C:\Windows\SysWOW64\Hnnkbd32.exe Hhdcejph.exe File opened for modification C:\Windows\SysWOW64\Emkfmioh.exe Ekmjanpd.exe File opened for modification C:\Windows\SysWOW64\Oepianef.exe Ofmiea32.exe File opened for modification C:\Windows\SysWOW64\Hmnhnk32.exe Hjplao32.exe File opened for modification C:\Windows\SysWOW64\Jepoao32.exe Jbbbed32.exe File created C:\Windows\SysWOW64\Kloqiijm.exe Kiqdmm32.exe File created C:\Windows\SysWOW64\Olmpij32.dll Aaeiqf32.exe File created C:\Windows\SysWOW64\Gngiba32.exe Ggnqfgce.exe File created C:\Windows\SysWOW64\Hpinagbm.exe Hiofdmkq.exe File opened for modification C:\Windows\SysWOW64\Lhhjcmpj.exe Ljejgp32.exe File created C:\Windows\SysWOW64\Gfbfln32.exe Gccjpb32.exe File created C:\Windows\SysWOW64\Dcihdo32.exe Dmopge32.exe File opened for modification C:\Windows\SysWOW64\Kpnbcfkc.exe Kfenjq32.exe File created C:\Windows\SysWOW64\Ecjkkp32.exe Eplood32.exe File created C:\Windows\SysWOW64\Faconabh.dll Hccfoehi.exe File created C:\Windows\SysWOW64\Ndhfppje.dll Eaoaafli.exe File created C:\Windows\SysWOW64\Dcbbjffh.dll Hnnkbd32.exe File opened for modification C:\Windows\SysWOW64\Kdilkllh.exe Knodnb32.exe File created C:\Windows\SysWOW64\Pkcfak32.exe Odimdqne.exe File opened for modification C:\Windows\SysWOW64\Cmocha32.exe Cjqglf32.exe File created C:\Windows\SysWOW64\Ddqeodjj.exe Dendcg32.exe File created C:\Windows\SysWOW64\Fhnjdfcl.exe Fepnhjdh.exe File created C:\Windows\SysWOW64\Lfingaaf.exe Lckbkfbb.exe File opened for modification C:\Windows\SysWOW64\Bncpffdn.exe Bgihjl32.exe File created C:\Windows\SysWOW64\Mnfhfmhc.exe Mglpjc32.exe File created C:\Windows\SysWOW64\Fonbff32.exe Fgbnbcmd.exe File created C:\Windows\SysWOW64\Fgjmfa32.exe Fdlqjf32.exe File created C:\Windows\SysWOW64\Lgdafeln.exe Lomidgkl.exe File created C:\Windows\SysWOW64\Dpkfchgk.dll Bkghjq32.exe File created C:\Windows\SysWOW64\Ooilcc32.dll Lflklaoc.exe File opened for modification C:\Windows\SysWOW64\Gngiba32.exe Ggnqfgce.exe File created C:\Windows\SysWOW64\Hlijpo32.dll Obakli32.exe File created C:\Windows\SysWOW64\Phbinc32.exe Pedmbg32.exe File opened for modification C:\Windows\SysWOW64\Aocgll32.exe Agloko32.exe File opened for modification C:\Windows\SysWOW64\Mhpigk32.exe Mfamko32.exe File created C:\Windows\SysWOW64\Kcqfahom.exe Koejqi32.exe File created C:\Windows\SysWOW64\Mkpijm32.dll Lnambeed.exe File created C:\Windows\SysWOW64\Ckndieep.dll Obonfj32.exe File opened for modification C:\Windows\SysWOW64\Jdmfdgbj.exe Janihlcf.exe File created C:\Windows\SysWOW64\Nplkhh32.exe Njobpa32.exe File opened for modification C:\Windows\SysWOW64\Gjqfmb32.exe Ggbjag32.exe File opened for modification C:\Windows\SysWOW64\Dbkolmia.exe Dplbpaim.exe File created C:\Windows\SysWOW64\Eenabkfk.exe Ecodfogg.exe File created C:\Windows\SysWOW64\Doaapm32.dll Hmnhnk32.exe File created C:\Windows\SysWOW64\Edocjp32.dll Lgdafeln.exe File created C:\Windows\SysWOW64\Hbfein32.dll Mcknjidn.exe File opened for modification C:\Windows\SysWOW64\Nhdjdk32.exe Neemgp32.exe File created C:\Windows\SysWOW64\Dikpihnb.dll Idbjkj32.exe File created C:\Windows\SysWOW64\Mbjhlg32.exe Mpllpl32.exe File opened for modification C:\Windows\SysWOW64\Eeiggk32.exe Ecjkkp32.exe File opened for modification C:\Windows\SysWOW64\Echoepmo.exe Epjbienl.exe File opened for modification C:\Windows\SysWOW64\Bqhbcqmj.exe Biakbc32.exe File created C:\Windows\SysWOW64\Ekaeoj32.dll Pmlngdhk.exe File created C:\Windows\SysWOW64\Dfnleh32.dll Akbgdkgm.exe File created C:\Windows\SysWOW64\Jbldej32.dll Jiclnpjg.exe File opened for modification C:\Windows\SysWOW64\Lolpah32.exe Lhbhdnio.exe File created C:\Windows\SysWOW64\Ghqchi32.exe Gfbfln32.exe File created C:\Windows\SysWOW64\Omjdmfaj.dll Feccqime.exe -
Program crash 1 IoCs
pid pid_target Process 12220 12196 WerFault.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpdpkfga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Empphi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lphlck32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcfhpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpinagbm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnhobgag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epjbienl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gfdcbmbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnipgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmjaadjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmopge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfhpjaba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qchmll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkghjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qpmgho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgeenb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Onfadc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adeiobgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccolja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkocfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpmdjf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbbbed32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pobgjhgh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phmiimlf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bqhbcqmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojoelcm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anhdmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gofajcog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbkpfa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldlghhde.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbaafocg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Infjfblm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlmiojla.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fimclh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fehmlh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjccbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljjjmeie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddqeodjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcmdpcle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijmkkc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pddinn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekgfkl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oenmkngi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kobmkj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjephakn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akjham32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fagnmkjm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jehbfjia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjjdjp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieqbbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfngbq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahancp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aggkdlod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojnelefl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmjjmbgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mginjnnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lkffohon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgihjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdfmccfm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Baecehhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aaogbh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gkchpcoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bdoeipjh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adncoc32.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndemja32.dll" Hijmin32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gielchpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bichcm32.dll" Iadphghe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckjfchcp.dll" Epqhjdhc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gefjjk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lglnajjb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qlpadaac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckajqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fehmlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agenobhd.dll" Fnelmb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hlkekilg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bcopkn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmgmbj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pheghenj.dll" Hqbnnj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ccdnipal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcelpdef.dll" Fialggcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hoegoqng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jmgfcc32.dll" Jhnbklji.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppgdjqna.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jhahcjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpblne32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjljpjjk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmopge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmkapcaf.dll" Gqidme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Liecfhhf.dll" Lbjlnd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jeblgodb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mbhnpplb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ampncd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ehjqif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gobhkhgi.dll" Oenmkngi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ofpmegpe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bkgqpjch.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nffcebdd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nnjlhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Boqgep32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kghbmiik.dll" Hpjgdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgjcdc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qpmgho32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gmaoomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjdpgnee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Paqdgcfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jgeobdkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nmjicn32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hcajjf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fpkdca32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpndkj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Klijjnen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mckahlgg.dll" Gohnpcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lcgpddlf.dll" Olnipn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cfpofi32.dll" Pikohg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbidbf32.dll" Elpldp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Megohpba.dll" Imcaijia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqlbnnej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fnkfoiql.dll" Pkihpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dfegjknm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Igioiacg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmaoomld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Efnnjm32.dll" Dpjfjalp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ajolkncp.dll" Dbmlal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Akpkok32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lndlamke.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ohppjpkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Doapanne.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Flccjn32.dll" Ibpjaagi.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2024 wrote to memory of 1996 2024 bc8aea06eb31923a0b9aea538a4088f75cab4d485406b8aa68a8506a41cc5f24N.exe 30 PID 2024 wrote to memory of 1996 2024 bc8aea06eb31923a0b9aea538a4088f75cab4d485406b8aa68a8506a41cc5f24N.exe 30 PID 2024 wrote to memory of 1996 2024 bc8aea06eb31923a0b9aea538a4088f75cab4d485406b8aa68a8506a41cc5f24N.exe 30 PID 2024 wrote to memory of 1996 2024 bc8aea06eb31923a0b9aea538a4088f75cab4d485406b8aa68a8506a41cc5f24N.exe 30 PID 1996 wrote to memory of 2348 1996 Bcoffd32.exe 31 PID 1996 wrote to memory of 2348 1996 Bcoffd32.exe 31 PID 1996 wrote to memory of 2348 1996 Bcoffd32.exe 31 PID 1996 wrote to memory of 2348 1996 Bcoffd32.exe 31 PID 2348 wrote to memory of 2916 2348 Baecehhh.exe 32 PID 2348 wrote to memory of 2916 2348 Baecehhh.exe 32 PID 2348 wrote to memory of 2916 2348 Baecehhh.exe 32 PID 2348 wrote to memory of 2916 2348 Baecehhh.exe 32 PID 2916 wrote to memory of 2880 2916 Cldnqe32.exe 33 PID 2916 wrote to memory of 2880 2916 Cldnqe32.exe 33 PID 2916 wrote to memory of 2880 2916 Cldnqe32.exe 33 PID 2916 wrote to memory of 2880 2916 Cldnqe32.exe 33 PID 2880 wrote to memory of 2836 2880 Cbpcbo32.exe 34 PID 2880 wrote to memory of 2836 2880 Cbpcbo32.exe 34 PID 2880 wrote to memory of 2836 2880 Cbpcbo32.exe 34 PID 2880 wrote to memory of 2836 2880 Cbpcbo32.exe 34 PID 2836 wrote to memory of 2728 2836 Dmajdl32.exe 35 PID 2836 wrote to memory of 2728 2836 Dmajdl32.exe 35 PID 2836 wrote to memory of 2728 2836 Dmajdl32.exe 35 PID 2836 wrote to memory of 2728 2836 Dmajdl32.exe 35 PID 2728 wrote to memory of 2068 2728 Dpdpkfga.exe 36 PID 2728 wrote to memory of 2068 2728 Dpdpkfga.exe 36 PID 2728 wrote to memory of 2068 2728 Dpdpkfga.exe 36 PID 2728 wrote to memory of 2068 2728 Dpdpkfga.exe 36 PID 2068 wrote to memory of 584 2068 Dilddl32.exe 37 PID 2068 wrote to memory of 584 2068 Dilddl32.exe 37 PID 2068 wrote to memory of 584 2068 Dilddl32.exe 37 PID 2068 wrote to memory of 584 2068 Dilddl32.exe 37 PID 584 wrote to memory of 2232 584 Eaooin32.exe 38 PID 584 wrote to memory of 2232 584 Eaooin32.exe 38 PID 584 wrote to memory of 2232 584 Eaooin32.exe 38 PID 584 wrote to memory of 2232 584 Eaooin32.exe 38 PID 2232 wrote to memory of 1924 2232 Enepnoji.exe 39 PID 2232 wrote to memory of 1924 2232 Enepnoji.exe 39 PID 2232 wrote to memory of 1924 2232 Enepnoji.exe 39 PID 2232 wrote to memory of 1924 2232 Enepnoji.exe 39 PID 1924 wrote to memory of 3056 1924 Edohki32.exe 40 PID 1924 wrote to memory of 3056 1924 Edohki32.exe 40 PID 1924 wrote to memory of 3056 1924 Edohki32.exe 40 PID 1924 wrote to memory of 3056 1924 Edohki32.exe 40 PID 3056 wrote to memory of 1660 3056 Fnhlcn32.exe 41 PID 3056 wrote to memory of 1660 3056 Fnhlcn32.exe 41 PID 3056 wrote to memory of 1660 3056 Fnhlcn32.exe 41 PID 3056 wrote to memory of 1660 3056 Fnhlcn32.exe 41 PID 1660 wrote to memory of 1144 1660 Fdaephpc.exe 42 PID 1660 wrote to memory of 1144 1660 Fdaephpc.exe 42 PID 1660 wrote to memory of 1144 1660 Fdaephpc.exe 42 PID 1660 wrote to memory of 1144 1660 Fdaephpc.exe 42 PID 1144 wrote to memory of 2764 1144 Fgpalcog.exe 43 PID 1144 wrote to memory of 2764 1144 Fgpalcog.exe 43 PID 1144 wrote to memory of 2764 1144 Fgpalcog.exe 43 PID 1144 wrote to memory of 2764 1144 Fgpalcog.exe 43 PID 2764 wrote to memory of 860 2764 Fjomhonj.exe 44 PID 2764 wrote to memory of 860 2764 Fjomhonj.exe 44 PID 2764 wrote to memory of 860 2764 Fjomhonj.exe 44 PID 2764 wrote to memory of 860 2764 Fjomhonj.exe 44 PID 860 wrote to memory of 892 860 Fgbnbcmd.exe 45 PID 860 wrote to memory of 892 860 Fgbnbcmd.exe 45 PID 860 wrote to memory of 892 860 Fgbnbcmd.exe 45 PID 860 wrote to memory of 892 860 Fgbnbcmd.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\bc8aea06eb31923a0b9aea538a4088f75cab4d485406b8aa68a8506a41cc5f24N.exe"C:\Users\Admin\AppData\Local\Temp\bc8aea06eb31923a0b9aea538a4088f75cab4d485406b8aa68a8506a41cc5f24N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2024 -
C:\Windows\SysWOW64\Bcoffd32.exeC:\Windows\system32\Bcoffd32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1996 -
C:\Windows\SysWOW64\Baecehhh.exeC:\Windows\system32\Baecehhh.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\Cldnqe32.exeC:\Windows\system32\Cldnqe32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2916 -
C:\Windows\SysWOW64\Cbpcbo32.exeC:\Windows\system32\Cbpcbo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Dmajdl32.exeC:\Windows\system32\Dmajdl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SysWOW64\Dpdpkfga.exeC:\Windows\system32\Dpdpkfga.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2728 -
C:\Windows\SysWOW64\Dilddl32.exeC:\Windows\system32\Dilddl32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Eaooin32.exeC:\Windows\system32\Eaooin32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:584 -
C:\Windows\SysWOW64\Enepnoji.exeC:\Windows\system32\Enepnoji.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\Edohki32.exeC:\Windows\system32\Edohki32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1924 -
C:\Windows\SysWOW64\Fnhlcn32.exeC:\Windows\system32\Fnhlcn32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3056 -
C:\Windows\SysWOW64\Fdaephpc.exeC:\Windows\system32\Fdaephpc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Fgpalcog.exeC:\Windows\system32\Fgpalcog.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144 -
C:\Windows\SysWOW64\Fjomhonj.exeC:\Windows\system32\Fjomhonj.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Fgbnbcmd.exeC:\Windows\system32\Fgbnbcmd.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:860 -
C:\Windows\SysWOW64\Fonbff32.exeC:\Windows\system32\Fonbff32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:892 -
C:\Windows\SysWOW64\Fmacpj32.exeC:\Windows\system32\Fmacpj32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Fdmgdl32.exeC:\Windows\system32\Fdmgdl32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2136 -
C:\Windows\SysWOW64\Fnelmb32.exeC:\Windows\system32\Fnelmb32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1136 -
C:\Windows\SysWOW64\Ggnqfgce.exeC:\Windows\system32\Ggnqfgce.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Gngiba32.exeC:\Windows\system32\Gngiba32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Gqfeom32.exeC:\Windows\system32\Gqfeom32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2596 -
C:\Windows\SysWOW64\Ggpmkgab.exeC:\Windows\system32\Ggpmkgab.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Gjnigb32.exeC:\Windows\system32\Gjnigb32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1492 -
C:\Windows\SysWOW64\Gqhadmhc.exeC:\Windows\system32\Gqhadmhc.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Ggbjag32.exeC:\Windows\system32\Ggbjag32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2540 -
C:\Windows\SysWOW64\Gjqfmb32.exeC:\Windows\system32\Gjqfmb32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2888 -
C:\Windows\SysWOW64\Gefjjk32.exeC:\Windows\system32\Gefjjk32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2808 -
C:\Windows\SysWOW64\Ggdfff32.exeC:\Windows\system32\Ggdfff32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Gjccbb32.exeC:\Windows\system32\Gjccbb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:884 -
C:\Windows\SysWOW64\Gmaoomld.exeC:\Windows\system32\Gmaoomld.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1356 -
C:\Windows\SysWOW64\Gppkkikh.exeC:\Windows\system32\Gppkkikh.exe33⤵
- Executes dropped EXE
PID:760 -
C:\Windows\SysWOW64\Gggclfkj.exeC:\Windows\system32\Gggclfkj.exe34⤵
- Executes dropped EXE
PID:476 -
C:\Windows\SysWOW64\Gjephakn.exeC:\Windows\system32\Gjephakn.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Hmdldmja.exeC:\Windows\system32\Hmdldmja.exe36⤵
- Executes dropped EXE
PID:680 -
C:\Windows\SysWOW64\Hpbhphie.exeC:\Windows\system32\Hpbhphie.exe37⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Hbqdldhi.exeC:\Windows\system32\Hbqdldhi.exe38⤵
- Executes dropped EXE
PID:1956 -
C:\Windows\SysWOW64\Hijmin32.exeC:\Windows\system32\Hijmin32.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:492 -
C:\Windows\SysWOW64\Hpdefh32.exeC:\Windows\system32\Hpdefh32.exe40⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2184 -
C:\Windows\SysWOW64\Hbcabc32.exeC:\Windows\system32\Hbcabc32.exe41⤵
- Executes dropped EXE
PID:1472 -
C:\Windows\SysWOW64\Himionmc.exeC:\Windows\system32\Himionmc.exe42⤵
- Executes dropped EXE
PID:2324 -
C:\Windows\SysWOW64\Hlkekilg.exeC:\Windows\system32\Hlkekilg.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:1688 -
C:\Windows\SysWOW64\Hbengc32.exeC:\Windows\system32\Hbengc32.exe44⤵
- Executes dropped EXE
PID:2168 -
C:\Windows\SysWOW64\Hiofdmkq.exeC:\Windows\system32\Hiofdmkq.exe45⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2972 -
C:\Windows\SysWOW64\Hpinagbm.exeC:\Windows\system32\Hpinagbm.exe46⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2128 -
C:\Windows\SysWOW64\Hnlnmd32.exeC:\Windows\system32\Hnlnmd32.exe47⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Hefginae.exeC:\Windows\system32\Hefginae.exe48⤵
- Executes dropped EXE
PID:940 -
C:\Windows\SysWOW64\Hhdcejph.exeC:\Windows\system32\Hhdcejph.exe49⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Hnnkbd32.exeC:\Windows\system32\Hnnkbd32.exe50⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1368 -
C:\Windows\SysWOW64\Hehconob.exeC:\Windows\system32\Hehconob.exe51⤵
- Executes dropped EXE
PID:276 -
C:\Windows\SysWOW64\Ihgpkinf.exeC:\Windows\system32\Ihgpkinf.exe52⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\Inqhhc32.exeC:\Windows\system32\Inqhhc32.exe53⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Iaoddodf.exeC:\Windows\system32\Iaoddodf.exe54⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Idnppjcj.exeC:\Windows\system32\Idnppjcj.exe55⤵
- Executes dropped EXE
PID:2672 -
C:\Windows\SysWOW64\Iflmlfcn.exeC:\Windows\system32\Iflmlfcn.exe56⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Iocdmccp.exeC:\Windows\system32\Iocdmccp.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3088 -
C:\Windows\SysWOW64\Ipdaek32.exeC:\Windows\system32\Ipdaek32.exe58⤵
- Executes dropped EXE
PID:3148 -
C:\Windows\SysWOW64\Ifniaeqk.exeC:\Windows\system32\Ifniaeqk.exe59⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3200 -
C:\Windows\SysWOW64\Iimenapo.exeC:\Windows\system32\Iimenapo.exe60⤵
- Executes dropped EXE
PID:3252 -
C:\Windows\SysWOW64\Iadnon32.exeC:\Windows\system32\Iadnon32.exe61⤵
- Executes dropped EXE
PID:3304 -
C:\Windows\SysWOW64\Idbjkj32.exeC:\Windows\system32\Idbjkj32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:3356 -
C:\Windows\SysWOW64\Ifqfge32.exeC:\Windows\system32\Ifqfge32.exe63⤵
- Executes dropped EXE
PID:3408 -
C:\Windows\SysWOW64\Iiobcq32.exeC:\Windows\system32\Iiobcq32.exe64⤵
- Executes dropped EXE
PID:3460 -
C:\Windows\SysWOW64\Ipijpkei.exeC:\Windows\system32\Ipijpkei.exe65⤵
- Executes dropped EXE
PID:3516 -
C:\Windows\SysWOW64\Ifcbme32.exeC:\Windows\system32\Ifcbme32.exe66⤵PID:3568
-
C:\Windows\SysWOW64\Iefchacp.exeC:\Windows\system32\Iefchacp.exe67⤵PID:3620
-
C:\Windows\SysWOW64\Ilpkel32.exeC:\Windows\system32\Ilpkel32.exe68⤵PID:3672
-
C:\Windows\SysWOW64\Jongag32.exeC:\Windows\system32\Jongag32.exe69⤵PID:3720
-
C:\Windows\SysWOW64\Jgeobdkc.exeC:\Windows\system32\Jgeobdkc.exe70⤵
- Modifies registry class
PID:3772 -
C:\Windows\SysWOW64\Jiclnpjg.exeC:\Windows\system32\Jiclnpjg.exe71⤵
- Drops file in System32 directory
PID:3824 -
C:\Windows\SysWOW64\Jpndkj32.exeC:\Windows\system32\Jpndkj32.exe72⤵
- Modifies registry class
PID:3888 -
C:\Windows\SysWOW64\Jocalffk.exeC:\Windows\system32\Jocalffk.exe73⤵PID:3948
-
C:\Windows\SysWOW64\Jaamhb32.exeC:\Windows\system32\Jaamhb32.exe74⤵PID:4012
-
C:\Windows\SysWOW64\Jhkeelml.exeC:\Windows\system32\Jhkeelml.exe75⤵PID:4064
-
C:\Windows\SysWOW64\Joenaf32.exeC:\Windows\system32\Joenaf32.exe76⤵PID:3004
-
C:\Windows\SysWOW64\Jeofnpke.exeC:\Windows\system32\Jeofnpke.exe77⤵PID:2160
-
C:\Windows\SysWOW64\Jhnbklji.exeC:\Windows\system32\Jhnbklji.exe78⤵
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Jklnggjm.exeC:\Windows\system32\Jklnggjm.exe79⤵PID:1600
-
C:\Windows\SysWOW64\Jnjjcbiq.exeC:\Windows\system32\Jnjjcbiq.exe80⤵PID:868
-
C:\Windows\SysWOW64\Jpigonhd.exeC:\Windows\system32\Jpigonhd.exe81⤵PID:2544
-
C:\Windows\SysWOW64\Jhpopk32.exeC:\Windows\system32\Jhpopk32.exe82⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2584 -
C:\Windows\SysWOW64\Kjakhcne.exeC:\Windows\system32\Kjakhcne.exe83⤵PID:2708
-
C:\Windows\SysWOW64\Kahciaog.exeC:\Windows\system32\Kahciaog.exe84⤵PID:1740
-
C:\Windows\SysWOW64\Kcipqi32.exeC:\Windows\system32\Kcipqi32.exe85⤵PID:3132
-
C:\Windows\SysWOW64\Kkqhbf32.exeC:\Windows\system32\Kkqhbf32.exe86⤵PID:3224
-
C:\Windows\SysWOW64\Knodnb32.exeC:\Windows\system32\Knodnb32.exe87⤵
- Drops file in System32 directory
PID:3244 -
C:\Windows\SysWOW64\Kdilkllh.exeC:\Windows\system32\Kdilkllh.exe88⤵PID:3332
-
C:\Windows\SysWOW64\Kcllfi32.exeC:\Windows\system32\Kcllfi32.exe89⤵PID:3404
-
C:\Windows\SysWOW64\Kjfdcc32.exeC:\Windows\system32\Kjfdcc32.exe90⤵PID:3456
-
C:\Windows\SysWOW64\Kldaon32.exeC:\Windows\system32\Kldaon32.exe91⤵PID:2576
-
C:\Windows\SysWOW64\Kobmkj32.exeC:\Windows\system32\Kobmkj32.exe92⤵
- System Location Discovery: System Language Discovery
PID:3556 -
C:\Windows\SysWOW64\Kgjelg32.exeC:\Windows\system32\Kgjelg32.exe93⤵PID:2908
-
C:\Windows\SysWOW64\Kjhahb32.exeC:\Windows\system32\Kjhahb32.exe94⤵PID:3664
-
C:\Windows\SysWOW64\Khkadoog.exeC:\Windows\system32\Khkadoog.exe95⤵PID:3804
-
C:\Windows\SysWOW64\Koejqi32.exeC:\Windows\system32\Koejqi32.exe96⤵
- Drops file in System32 directory
PID:3812 -
C:\Windows\SysWOW64\Kcqfahom.exeC:\Windows\system32\Kcqfahom.exe97⤵PID:3860
-
C:\Windows\SysWOW64\Kjjnnbfj.exeC:\Windows\system32\Kjjnnbfj.exe98⤵PID:3912
-
C:\Windows\SysWOW64\Klijjnen.exeC:\Windows\system32\Klijjnen.exe99⤵
- Modifies registry class
PID:3964 -
C:\Windows\SysWOW64\Kogffida.exeC:\Windows\system32\Kogffida.exe100⤵PID:4028
-
C:\Windows\SysWOW64\Lfaocc32.exeC:\Windows\system32\Lfaocc32.exe101⤵PID:2644
-
C:\Windows\SysWOW64\Llkgpmck.exeC:\Windows\system32\Llkgpmck.exe102⤵PID:2640
-
C:\Windows\SysWOW64\Lojclibo.exeC:\Windows\system32\Lojclibo.exe103⤵PID:1852
-
C:\Windows\SysWOW64\Lbhphdab.exeC:\Windows\system32\Lbhphdab.exe104⤵PID:2172
-
C:\Windows\SysWOW64\Lhbhdnio.exeC:\Windows\system32\Lhbhdnio.exe105⤵
- Drops file in System32 directory
PID:328 -
C:\Windows\SysWOW64\Lolpah32.exeC:\Windows\system32\Lolpah32.exe106⤵PID:1884
-
C:\Windows\SysWOW64\Lbjlnd32.exeC:\Windows\system32\Lbjlnd32.exe107⤵
- Modifies registry class
PID:2788 -
C:\Windows\SysWOW64\Lhddjngm.exeC:\Windows\system32\Lhddjngm.exe108⤵PID:2844
-
C:\Windows\SysWOW64\Lggdfk32.exeC:\Windows\system32\Lggdfk32.exe109⤵PID:3160
-
C:\Windows\SysWOW64\Lnambeed.exeC:\Windows\system32\Lnambeed.exe110⤵
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Lqpiopdh.exeC:\Windows\system32\Lqpiopdh.exe111⤵PID:2248
-
C:\Windows\SysWOW64\Lcneklck.exeC:\Windows\system32\Lcneklck.exe112⤵PID:3388
-
C:\Windows\SysWOW64\Lkemli32.exeC:\Windows\system32\Lkemli32.exe113⤵PID:3480
-
C:\Windows\SysWOW64\Lncjhd32.exeC:\Windows\system32\Lncjhd32.exe114⤵PID:3544
-
C:\Windows\SysWOW64\Lqbfdp32.exeC:\Windows\system32\Lqbfdp32.exe115⤵PID:3608
-
C:\Windows\SysWOW64\Lglnajjb.exeC:\Windows\system32\Lglnajjb.exe116⤵
- Modifies registry class
PID:3012 -
C:\Windows\SysWOW64\Ljjjmeie.exeC:\Windows\system32\Ljjjmeie.exe117⤵
- System Location Discovery: System Language Discovery
PID:3752 -
C:\Windows\SysWOW64\Mgnkfjho.exeC:\Windows\system32\Mgnkfjho.exe118⤵PID:3764
-
C:\Windows\SysWOW64\Mjmgbe32.exeC:\Windows\system32\Mjmgbe32.exe119⤵PID:3908
-
C:\Windows\SysWOW64\Mmkcoq32.exeC:\Windows\system32\Mmkcoq32.exe120⤵PID:3972
-
C:\Windows\SysWOW64\Mcekkkmc.exeC:\Windows\system32\Mcekkkmc.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:4020
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-