Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
112s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
22/12/2024, 22:25
Behavioral task
behavioral1
Sample
528cca47fbb0ea3944e2011cca8eb63c9f07734a64f2376e2eac2cd340ef22d2.exe
Resource
win7-20241010-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
528cca47fbb0ea3944e2011cca8eb63c9f07734a64f2376e2eac2cd340ef22d2.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
528cca47fbb0ea3944e2011cca8eb63c9f07734a64f2376e2eac2cd340ef22d2.exe
-
Size
256KB
-
MD5
678c991de11a0cf0e2de6ecedfb3e722
-
SHA1
d07c5276da432af79802a3317e93818428416ff7
-
SHA256
528cca47fbb0ea3944e2011cca8eb63c9f07734a64f2376e2eac2cd340ef22d2
-
SHA512
64b361cab635c41e110a68342abf6be74fbeed40e02aca23b242e216fb705c419dc3ee35015c5d1cb7dfac08c2706e9fea06dad654438420e0d7e99dc4fadb29
-
SSDEEP
6144:iG07nV4jWMDgo4rQD85k/hQO+zrWnAdqjeOpKfduBU:907nVjrQg5W/+zrWAI5KFuU
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Idnppjcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hobjia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Almmlg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dcgmgh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmojcceo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iihhmhng.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdpikmci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ghpngkhm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkfnln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ccjpfmic.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccbojk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnobfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Milcphgf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbhbfmkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kdjenkgh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ageedflj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hiehbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdjenkgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gheola32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pfkkhmjn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fimpcc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nljcflbd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdophn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nokdnail.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gdpikmci.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Minnmomo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cjmaed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbiadm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hddjcbfh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfjnja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Phaegfpg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jbpfpd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iofhmi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlkegimk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pghmeikh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Plnhbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bcdbjl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oafjfokk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Flkjffkm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iegjnkod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Penlon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ehgaknbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kekkkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glbcpokl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lanmde32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbcdjpba.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jkklpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmjqhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pidgnc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlaffbqk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hbmnfajm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dcgiejje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhpgnfpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aebjaj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cakfcfoc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dodlfmlb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Deedfacn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nnpofe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ancdgcab.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbodpo32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2224 Kmhhae32.exe 2220 Kecmfg32.exe 2168 Lflonn32.exe 2816 Laackgka.exe 1804 Mehbpjjk.exe 2572 Mejoei32.exe 3004 Ngqeha32.exe 2984 Nkqjdo32.exe 2136 Oogiha32.exe 1660 Oknjmb32.exe 2088 Pgjdmc32.exe 588 Pfoanp32.exe 3008 Poibmdmh.exe 2464 Aebjaj32.exe 900 Bleilh32.exe 612 Bepjjn32.exe 1996 Bhelghol.exe 2204 Cdnjaibm.exe 1204 Cmikpngk.exe 2096 Cgaoic32.exe 2140 Dhgelk32.exe 1928 Dekeeonn.exe 1736 Dnfjiali.exe 2156 Dpgckm32.exe 2008 Ehgaknbp.exe 3052 Ejfnda32.exe 3048 Fhngkm32.exe 2848 Fbfldc32.exe 2804 Fqnfkoen.exe 2548 Fpcblkje.exe 1192 Gcakbjpl.exe 1516 Gmipko32.exe 2580 Gfadcemm.exe 2560 Gfdaid32.exe 2676 Ganbjb32.exe 1548 Gnabcf32.exe 556 Hengep32.exe 2216 Hhopgkin.exe 2452 Hfdmhh32.exe 560 Hbknmicj.exe 1320 Hpoofm32.exe 1364 Iekgod32.exe 2264 Iencdc32.exe 1656 Iofhmi32.exe 1768 Idcqep32.exe 1748 Iagaod32.exe 1256 Idgjqook.exe 872 Jdjgfomh.exe 2024 Jnbkodci.exe 2312 Jcocgkbp.exe 2144 Jcaqmkpn.exe 2920 Jpeafo32.exe 2516 Jojnglco.exe 2484 Kdgfpbaf.exe 1784 Komjmk32.exe 2996 Kkckblgq.exe 1780 Khglkqfj.exe 608 Kbppdfmk.exe 2600 Kkhdml32.exe 2120 Kmjaddii.exe 1532 Kfbemi32.exe 2176 Lmqgec32.exe 1260 Lpapgnpb.exe 1812 Lijepc32.exe -
Loads dropped DLL 64 IoCs
pid Process 1688 528cca47fbb0ea3944e2011cca8eb63c9f07734a64f2376e2eac2cd340ef22d2.exe 1688 528cca47fbb0ea3944e2011cca8eb63c9f07734a64f2376e2eac2cd340ef22d2.exe 2224 Kmhhae32.exe 2224 Kmhhae32.exe 2220 Kecmfg32.exe 2220 Kecmfg32.exe 2168 Lflonn32.exe 2168 Lflonn32.exe 2816 Laackgka.exe 2816 Laackgka.exe 1804 Mehbpjjk.exe 1804 Mehbpjjk.exe 2572 Mejoei32.exe 2572 Mejoei32.exe 3004 Ngqeha32.exe 3004 Ngqeha32.exe 2984 Nkqjdo32.exe 2984 Nkqjdo32.exe 2136 Oogiha32.exe 2136 Oogiha32.exe 1660 Oknjmb32.exe 1660 Oknjmb32.exe 2088 Pgjdmc32.exe 2088 Pgjdmc32.exe 588 Pfoanp32.exe 588 Pfoanp32.exe 3008 Poibmdmh.exe 3008 Poibmdmh.exe 2464 Aebjaj32.exe 2464 Aebjaj32.exe 900 Bleilh32.exe 900 Bleilh32.exe 612 Bepjjn32.exe 612 Bepjjn32.exe 1996 Bhelghol.exe 1996 Bhelghol.exe 2204 Cdnjaibm.exe 2204 Cdnjaibm.exe 1204 Cmikpngk.exe 1204 Cmikpngk.exe 2096 Cgaoic32.exe 2096 Cgaoic32.exe 2140 Dhgelk32.exe 2140 Dhgelk32.exe 1928 Dekeeonn.exe 1928 Dekeeonn.exe 1736 Dnfjiali.exe 1736 Dnfjiali.exe 2156 Dpgckm32.exe 2156 Dpgckm32.exe 2008 Ehgaknbp.exe 2008 Ehgaknbp.exe 3052 Ejfnda32.exe 3052 Ejfnda32.exe 3048 Fhngkm32.exe 3048 Fhngkm32.exe 2848 Fbfldc32.exe 2848 Fbfldc32.exe 2804 Fqnfkoen.exe 2804 Fqnfkoen.exe 2548 Fpcblkje.exe 2548 Fpcblkje.exe 1192 Gcakbjpl.exe 1192 Gcakbjpl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Gfadcemm.exe Gmipko32.exe File created C:\Windows\SysWOW64\Nkmgmf32.dll Ppegdapd.exe File created C:\Windows\SysWOW64\Nfpphp32.exe Njiocobg.exe File created C:\Windows\SysWOW64\Kllboe32.dll Cbfeam32.exe File created C:\Windows\SysWOW64\Fdhadgoa.dll Chkpakla.exe File opened for modification C:\Windows\SysWOW64\Mdjnge32.exe Ljbmdmfc.exe File created C:\Windows\SysWOW64\Afpchl32.exe Afnfcl32.exe File created C:\Windows\SysWOW64\Kccmfg32.dll Bfpkfb32.exe File created C:\Windows\SysWOW64\Jdgphqgg.dll Dgjfbllj.exe File created C:\Windows\SysWOW64\Qifnkg32.dll Jijqeg32.exe File created C:\Windows\SysWOW64\Mpkmbn32.dll Dhadhakp.exe File opened for modification C:\Windows\SysWOW64\Fnjiin32.exe Egndgdai.exe File created C:\Windows\SysWOW64\Kfjhfboi.dll Mchmblji.exe File created C:\Windows\SysWOW64\Haiagm32.exe Hlliof32.exe File created C:\Windows\SysWOW64\Aiacqhfi.dll Jhjldiln.exe File created C:\Windows\SysWOW64\Okoefg32.dll Ohhcokmp.exe File opened for modification C:\Windows\SysWOW64\Onehadbj.exe Oelcho32.exe File created C:\Windows\SysWOW64\Ohefjnqk.dll Aeajcf32.exe File created C:\Windows\SysWOW64\Pgofbd32.dll Kjmeaa32.exe File opened for modification C:\Windows\SysWOW64\Fdcahdib.exe Fimpcc32.exe File created C:\Windows\SysWOW64\Gpgcne32.dll Lmbmbi32.exe File opened for modification C:\Windows\SysWOW64\Dpgckm32.exe Dnfjiali.exe File created C:\Windows\SysWOW64\Dkfdpa32.dll Mjofanld.exe File opened for modification C:\Windows\SysWOW64\Qmomelml.exe Pafpjljk.exe File created C:\Windows\SysWOW64\Gpdfph32.exe Gigano32.exe File opened for modification C:\Windows\SysWOW64\Edbonh32.exe Ekjjebed.exe File opened for modification C:\Windows\SysWOW64\Ajfoea32.exe Aclfigao.exe File created C:\Windows\SysWOW64\Benolo32.dll Mbiadm32.exe File created C:\Windows\SysWOW64\Bmjhdi32.exe Bcackdio.exe File opened for modification C:\Windows\SysWOW64\Acdfki32.exe Ahoamplo.exe File created C:\Windows\SysWOW64\Mchjjc32.exe Mjofanld.exe File opened for modification C:\Windows\SysWOW64\Iiablido.exe Hddjcbfh.exe File created C:\Windows\SysWOW64\Ghpjfl32.dll Ohoiaf32.exe File opened for modification C:\Windows\SysWOW64\Bleilh32.exe Aebjaj32.exe File created C:\Windows\SysWOW64\Oibiaa32.dll Hbjgbbpn.exe File created C:\Windows\SysWOW64\Hljljflh.exe Hpckee32.exe File created C:\Windows\SysWOW64\Mhjnniic.dll Mibgho32.exe File opened for modification C:\Windows\SysWOW64\Ccbojk32.exe Cdmbiojc.exe File opened for modification C:\Windows\SysWOW64\Kpkali32.exe Kkmhej32.exe File opened for modification C:\Windows\SysWOW64\Aacjba32.exe Abnmae32.exe File created C:\Windows\SysWOW64\Jhpbcdqm.exe Iognjojl.exe File created C:\Windows\SysWOW64\Ofacbbji.dll Process not Found File created C:\Windows\SysWOW64\Apneip32.dll Haggkf32.exe File created C:\Windows\SysWOW64\Lmlleofb.dll Ijfadkbm.exe File opened for modification C:\Windows\SysWOW64\Pcppbc32.exe Pncgjl32.exe File created C:\Windows\SysWOW64\Hfdmhh32.exe Hhopgkin.exe File opened for modification C:\Windows\SysWOW64\Mlkegimk.exe Mogene32.exe File created C:\Windows\SysWOW64\Onqaonnc.exe Nkbdbbop.exe File created C:\Windows\SysWOW64\Gjpgaohl.dll Onqaonnc.exe File opened for modification C:\Windows\SysWOW64\Cgibpj32.exe Cffejk32.exe File created C:\Windows\SysWOW64\Opcejd32.exe Nanhihno.exe File opened for modification C:\Windows\SysWOW64\Ggnqfgce.exe Fkgpaf32.exe File created C:\Windows\SysWOW64\Jaecfp32.dll Pkcfak32.exe File opened for modification C:\Windows\SysWOW64\Bmgddcnf.exe Bmegodpi.exe File opened for modification C:\Windows\SysWOW64\Cnpieceq.exe Cbihpbpl.exe File opened for modification C:\Windows\SysWOW64\Cdhgegfd.exe Bagncl32.exe File created C:\Windows\SysWOW64\Aeajcf32.exe Amdhidqk.exe File created C:\Windows\SysWOW64\Qgiibp32.exe Qqldpfmh.exe File created C:\Windows\SysWOW64\Ilhnjfmi.exe Ifkfap32.exe File created C:\Windows\SysWOW64\Cgcfia32.dll Iaipmm32.exe File created C:\Windows\SysWOW64\Plfhdlfb.exe Pobgjhgh.exe File created C:\Windows\SysWOW64\Ahoamplo.exe Apdminod.exe File opened for modification C:\Windows\SysWOW64\Nikflm32.exe Nlgfbh32.exe File created C:\Windows\SysWOW64\Himgmapn.dll Oaonfncb.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4064 3580 Process not Found 1110 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcbofk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmkmlk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbfbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gphmbolk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcmkoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnlkdk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkboiamh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bncpffdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijbjpg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnjnolap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajcpgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnbbpkjg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Piemih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Legmpdga.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fflehp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecfednma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlbooaoe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hefibg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opqdcgib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dohiefpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgfjld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feklja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Caajmilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cffnpdip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckgmon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phhhchlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofefqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpkfb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghjjoeei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jblbpnhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojlmgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjappa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Poqniegj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhccoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmnhnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbgela32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bplofekp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpoofm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgpjcnhh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aofhcmig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghmeikh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ageedflj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Process not Found Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oknjmb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgkncfdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aediaoae.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oelcho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmefcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihopjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Naihdb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qmomelml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eeameodq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ijeinphf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjlgdaad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipcjlaqd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbgbjh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoilcc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfingaaf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldgnmhhj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnpieceq.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odaqikaa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lojeda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hohfmi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfgbmf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahiimj32.dll" Ahbcda32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nchkjhdh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdohme32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Haggkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgjmfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmnicmpm.dll" Nqdjge32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kfjhfboi.dll" Mchmblji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chmglegi.dll" Mehbpjjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cghangih.dll" Gocpcfeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oodhca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mmngof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Plfhdlfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oinbpend.dll" Ahancp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gebflaga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lpnobi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Migbkglj.dll" Fjjeid32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ingogcke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eoiniloa.dll" Lkgmdbja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdnjaibm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmlmacfn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Imedjgph.dll" Oekaab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mlcipnga.dll" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmegodpi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fflehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pncgjl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gafcahil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbdblmp.dll" Cpkaai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fmffhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pkboiamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hbknmicj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mcbofk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmabknal.dll" Fefpfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bplofekp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebhbna32.dll" Mbjhlg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Djqcki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cccgni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hblqbmcd.dll" Minnmomo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olhfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kbjpqmhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpgcne32.dll" Lmbmbi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ggqmnecg.dll" Jodfilko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ahioobed.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Begpdg32.dll" Llooad32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Beccgi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eefffo32.dll" Knnmeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fdlnmk32.dll" Oodhca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pdfdkehc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pjhaec32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bmhmgbif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ndeifbfj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dokjlcjh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbbpgc32.dll" Nmgjee32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Chhbpfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Acplpjpj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mgodjico.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjeffc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ancdgcab.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1688 wrote to memory of 2224 1688 528cca47fbb0ea3944e2011cca8eb63c9f07734a64f2376e2eac2cd340ef22d2.exe 30 PID 1688 wrote to memory of 2224 1688 528cca47fbb0ea3944e2011cca8eb63c9f07734a64f2376e2eac2cd340ef22d2.exe 30 PID 1688 wrote to memory of 2224 1688 528cca47fbb0ea3944e2011cca8eb63c9f07734a64f2376e2eac2cd340ef22d2.exe 30 PID 1688 wrote to memory of 2224 1688 528cca47fbb0ea3944e2011cca8eb63c9f07734a64f2376e2eac2cd340ef22d2.exe 30 PID 2224 wrote to memory of 2220 2224 Kmhhae32.exe 31 PID 2224 wrote to memory of 2220 2224 Kmhhae32.exe 31 PID 2224 wrote to memory of 2220 2224 Kmhhae32.exe 31 PID 2224 wrote to memory of 2220 2224 Kmhhae32.exe 31 PID 2220 wrote to memory of 2168 2220 Kecmfg32.exe 32 PID 2220 wrote to memory of 2168 2220 Kecmfg32.exe 32 PID 2220 wrote to memory of 2168 2220 Kecmfg32.exe 32 PID 2220 wrote to memory of 2168 2220 Kecmfg32.exe 32 PID 2168 wrote to memory of 2816 2168 Lflonn32.exe 33 PID 2168 wrote to memory of 2816 2168 Lflonn32.exe 33 PID 2168 wrote to memory of 2816 2168 Lflonn32.exe 33 PID 2168 wrote to memory of 2816 2168 Lflonn32.exe 33 PID 2816 wrote to memory of 1804 2816 Laackgka.exe 34 PID 2816 wrote to memory of 1804 2816 Laackgka.exe 34 PID 2816 wrote to memory of 1804 2816 Laackgka.exe 34 PID 2816 wrote to memory of 1804 2816 Laackgka.exe 34 PID 1804 wrote to memory of 2572 1804 Mehbpjjk.exe 35 PID 1804 wrote to memory of 2572 1804 Mehbpjjk.exe 35 PID 1804 wrote to memory of 2572 1804 Mehbpjjk.exe 35 PID 1804 wrote to memory of 2572 1804 Mehbpjjk.exe 35 PID 2572 wrote to memory of 3004 2572 Mejoei32.exe 36 PID 2572 wrote to memory of 3004 2572 Mejoei32.exe 36 PID 2572 wrote to memory of 3004 2572 Mejoei32.exe 36 PID 2572 wrote to memory of 3004 2572 Mejoei32.exe 36 PID 3004 wrote to memory of 2984 3004 Ngqeha32.exe 37 PID 3004 wrote to memory of 2984 3004 Ngqeha32.exe 37 PID 3004 wrote to memory of 2984 3004 Ngqeha32.exe 37 PID 3004 wrote to memory of 2984 3004 Ngqeha32.exe 37 PID 2984 wrote to memory of 2136 2984 Nkqjdo32.exe 38 PID 2984 wrote to memory of 2136 2984 Nkqjdo32.exe 38 PID 2984 wrote to memory of 2136 2984 Nkqjdo32.exe 38 PID 2984 wrote to memory of 2136 2984 Nkqjdo32.exe 38 PID 2136 wrote to memory of 1660 2136 Oogiha32.exe 39 PID 2136 wrote to memory of 1660 2136 Oogiha32.exe 39 PID 2136 wrote to memory of 1660 2136 Oogiha32.exe 39 PID 2136 wrote to memory of 1660 2136 Oogiha32.exe 39 PID 1660 wrote to memory of 2088 1660 Oknjmb32.exe 40 PID 1660 wrote to memory of 2088 1660 Oknjmb32.exe 40 PID 1660 wrote to memory of 2088 1660 Oknjmb32.exe 40 PID 1660 wrote to memory of 2088 1660 Oknjmb32.exe 40 PID 2088 wrote to memory of 588 2088 Pgjdmc32.exe 41 PID 2088 wrote to memory of 588 2088 Pgjdmc32.exe 41 PID 2088 wrote to memory of 588 2088 Pgjdmc32.exe 41 PID 2088 wrote to memory of 588 2088 Pgjdmc32.exe 41 PID 588 wrote to memory of 3008 588 Pfoanp32.exe 42 PID 588 wrote to memory of 3008 588 Pfoanp32.exe 42 PID 588 wrote to memory of 3008 588 Pfoanp32.exe 42 PID 588 wrote to memory of 3008 588 Pfoanp32.exe 42 PID 3008 wrote to memory of 2464 3008 Poibmdmh.exe 43 PID 3008 wrote to memory of 2464 3008 Poibmdmh.exe 43 PID 3008 wrote to memory of 2464 3008 Poibmdmh.exe 43 PID 3008 wrote to memory of 2464 3008 Poibmdmh.exe 43 PID 2464 wrote to memory of 900 2464 Aebjaj32.exe 44 PID 2464 wrote to memory of 900 2464 Aebjaj32.exe 44 PID 2464 wrote to memory of 900 2464 Aebjaj32.exe 44 PID 2464 wrote to memory of 900 2464 Aebjaj32.exe 44 PID 900 wrote to memory of 612 900 Bleilh32.exe 45 PID 900 wrote to memory of 612 900 Bleilh32.exe 45 PID 900 wrote to memory of 612 900 Bleilh32.exe 45 PID 900 wrote to memory of 612 900 Bleilh32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\528cca47fbb0ea3944e2011cca8eb63c9f07734a64f2376e2eac2cd340ef22d2.exe"C:\Users\Admin\AppData\Local\Temp\528cca47fbb0ea3944e2011cca8eb63c9f07734a64f2376e2eac2cd340ef22d2.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1688 -
C:\Windows\SysWOW64\Kmhhae32.exeC:\Windows\system32\Kmhhae32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Kecmfg32.exeC:\Windows\system32\Kecmfg32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2220 -
C:\Windows\SysWOW64\Lflonn32.exeC:\Windows\system32\Lflonn32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Laackgka.exeC:\Windows\system32\Laackgka.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Mehbpjjk.exeC:\Windows\system32\Mehbpjjk.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Mejoei32.exeC:\Windows\system32\Mejoei32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Ngqeha32.exeC:\Windows\system32\Ngqeha32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\Nkqjdo32.exeC:\Windows\system32\Nkqjdo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2984 -
C:\Windows\SysWOW64\Oogiha32.exeC:\Windows\system32\Oogiha32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Oknjmb32.exeC:\Windows\system32\Oknjmb32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1660 -
C:\Windows\SysWOW64\Pgjdmc32.exeC:\Windows\system32\Pgjdmc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Pfoanp32.exeC:\Windows\system32\Pfoanp32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:588 -
C:\Windows\SysWOW64\Poibmdmh.exeC:\Windows\system32\Poibmdmh.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3008 -
C:\Windows\SysWOW64\Aebjaj32.exeC:\Windows\system32\Aebjaj32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2464 -
C:\Windows\SysWOW64\Bleilh32.exeC:\Windows\system32\Bleilh32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Windows\SysWOW64\Bepjjn32.exeC:\Windows\system32\Bepjjn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:612 -
C:\Windows\SysWOW64\Bhelghol.exeC:\Windows\system32\Bhelghol.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1996 -
C:\Windows\SysWOW64\Cdnjaibm.exeC:\Windows\system32\Cdnjaibm.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2204 -
C:\Windows\SysWOW64\Cmikpngk.exeC:\Windows\system32\Cmikpngk.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1204 -
C:\Windows\SysWOW64\Cgaoic32.exeC:\Windows\system32\Cgaoic32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2096 -
C:\Windows\SysWOW64\Dhgelk32.exeC:\Windows\system32\Dhgelk32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2140 -
C:\Windows\SysWOW64\Dekeeonn.exeC:\Windows\system32\Dekeeonn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1928 -
C:\Windows\SysWOW64\Dnfjiali.exeC:\Windows\system32\Dnfjiali.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1736 -
C:\Windows\SysWOW64\Dpgckm32.exeC:\Windows\system32\Dpgckm32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2156 -
C:\Windows\SysWOW64\Ehgaknbp.exeC:\Windows\system32\Ehgaknbp.exe26⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2008 -
C:\Windows\SysWOW64\Ejfnda32.exeC:\Windows\system32\Ejfnda32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Fhngkm32.exeC:\Windows\system32\Fhngkm32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Fbfldc32.exeC:\Windows\system32\Fbfldc32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2848 -
C:\Windows\SysWOW64\Fqnfkoen.exeC:\Windows\system32\Fqnfkoen.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2804 -
C:\Windows\SysWOW64\Fpcblkje.exeC:\Windows\system32\Fpcblkje.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2548 -
C:\Windows\SysWOW64\Gcakbjpl.exeC:\Windows\system32\Gcakbjpl.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1192 -
C:\Windows\SysWOW64\Gmipko32.exeC:\Windows\system32\Gmipko32.exe33⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1516 -
C:\Windows\SysWOW64\Gfadcemm.exeC:\Windows\system32\Gfadcemm.exe34⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\Gfdaid32.exeC:\Windows\system32\Gfdaid32.exe35⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Ganbjb32.exeC:\Windows\system32\Ganbjb32.exe36⤵
- Executes dropped EXE
PID:2676 -
C:\Windows\SysWOW64\Gnabcf32.exeC:\Windows\system32\Gnabcf32.exe37⤵
- Executes dropped EXE
PID:1548 -
C:\Windows\SysWOW64\Hengep32.exeC:\Windows\system32\Hengep32.exe38⤵
- Executes dropped EXE
PID:556 -
C:\Windows\SysWOW64\Hhopgkin.exeC:\Windows\system32\Hhopgkin.exe39⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2216 -
C:\Windows\SysWOW64\Hfdmhh32.exeC:\Windows\system32\Hfdmhh32.exe40⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Hbknmicj.exeC:\Windows\system32\Hbknmicj.exe41⤵
- Executes dropped EXE
- Modifies registry class
PID:560 -
C:\Windows\SysWOW64\Hpoofm32.exeC:\Windows\system32\Hpoofm32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1320 -
C:\Windows\SysWOW64\Iekgod32.exeC:\Windows\system32\Iekgod32.exe43⤵
- Executes dropped EXE
PID:1364 -
C:\Windows\SysWOW64\Iencdc32.exeC:\Windows\system32\Iencdc32.exe44⤵
- Executes dropped EXE
PID:2264 -
C:\Windows\SysWOW64\Iofhmi32.exeC:\Windows\system32\Iofhmi32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1656 -
C:\Windows\SysWOW64\Idcqep32.exeC:\Windows\system32\Idcqep32.exe46⤵
- Executes dropped EXE
PID:1768 -
C:\Windows\SysWOW64\Iagaod32.exeC:\Windows\system32\Iagaod32.exe47⤵
- Executes dropped EXE
PID:1748 -
C:\Windows\SysWOW64\Idgjqook.exeC:\Windows\system32\Idgjqook.exe48⤵
- Executes dropped EXE
PID:1256 -
C:\Windows\SysWOW64\Jdjgfomh.exeC:\Windows\system32\Jdjgfomh.exe49⤵
- Executes dropped EXE
PID:872 -
C:\Windows\SysWOW64\Jnbkodci.exeC:\Windows\system32\Jnbkodci.exe50⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Jcocgkbp.exeC:\Windows\system32\Jcocgkbp.exe51⤵
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Jcaqmkpn.exeC:\Windows\system32\Jcaqmkpn.exe52⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Jpeafo32.exeC:\Windows\system32\Jpeafo32.exe53⤵
- Executes dropped EXE
PID:2920 -
C:\Windows\SysWOW64\Jojnglco.exeC:\Windows\system32\Jojnglco.exe54⤵
- Executes dropped EXE
PID:2516 -
C:\Windows\SysWOW64\Kdgfpbaf.exeC:\Windows\system32\Kdgfpbaf.exe55⤵
- Executes dropped EXE
PID:2484 -
C:\Windows\SysWOW64\Komjmk32.exeC:\Windows\system32\Komjmk32.exe56⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Kkckblgq.exeC:\Windows\system32\Kkckblgq.exe57⤵
- Executes dropped EXE
PID:2996 -
C:\Windows\SysWOW64\Khglkqfj.exeC:\Windows\system32\Khglkqfj.exe58⤵
- Executes dropped EXE
PID:1780 -
C:\Windows\SysWOW64\Kbppdfmk.exeC:\Windows\system32\Kbppdfmk.exe59⤵
- Executes dropped EXE
PID:608 -
C:\Windows\SysWOW64\Kkhdml32.exeC:\Windows\system32\Kkhdml32.exe60⤵
- Executes dropped EXE
PID:2600 -
C:\Windows\SysWOW64\Kmjaddii.exeC:\Windows\system32\Kmjaddii.exe61⤵
- Executes dropped EXE
PID:2120 -
C:\Windows\SysWOW64\Kfbemi32.exeC:\Windows\system32\Kfbemi32.exe62⤵
- Executes dropped EXE
PID:1532 -
C:\Windows\SysWOW64\Lmqgec32.exeC:\Windows\system32\Lmqgec32.exe63⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Lpapgnpb.exeC:\Windows\system32\Lpapgnpb.exe64⤵
- Executes dropped EXE
PID:1260 -
C:\Windows\SysWOW64\Lijepc32.exeC:\Windows\system32\Lijepc32.exe65⤵
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Laeidfdn.exeC:\Windows\system32\Laeidfdn.exe66⤵PID:1600
-
C:\Windows\SysWOW64\Mljnaocd.exeC:\Windows\system32\Mljnaocd.exe67⤵PID:2552
-
C:\Windows\SysWOW64\Mganfp32.exeC:\Windows\system32\Mganfp32.exe68⤵PID:1312
-
C:\Windows\SysWOW64\Mmngof32.exeC:\Windows\system32\Mmngof32.exe69⤵
- Modifies registry class
PID:2172 -
C:\Windows\SysWOW64\Mnncii32.exeC:\Windows\system32\Mnncii32.exe70⤵PID:2092
-
C:\Windows\SysWOW64\Mhfhaoec.exeC:\Windows\system32\Mhfhaoec.exe71⤵PID:2104
-
C:\Windows\SysWOW64\Mdmhfpkg.exeC:\Windows\system32\Mdmhfpkg.exe72⤵PID:2900
-
C:\Windows\SysWOW64\Mlhmkbhb.exeC:\Windows\system32\Mlhmkbhb.exe73⤵PID:1624
-
C:\Windows\SysWOW64\Nmgjee32.exeC:\Windows\system32\Nmgjee32.exe74⤵
- Modifies registry class
PID:2952 -
C:\Windows\SysWOW64\Nlmffa32.exeC:\Windows\system32\Nlmffa32.exe75⤵PID:760
-
C:\Windows\SysWOW64\Neekogkm.exeC:\Windows\system32\Neekogkm.exe76⤵PID:2444
-
C:\Windows\SysWOW64\Nkbcgnie.exeC:\Windows\system32\Nkbcgnie.exe77⤵PID:1652
-
C:\Windows\SysWOW64\Nhfdqb32.exeC:\Windows\system32\Nhfdqb32.exe78⤵PID:432
-
C:\Windows\SysWOW64\Nanhihno.exeC:\Windows\system32\Nanhihno.exe79⤵
- Drops file in System32 directory
PID:1952 -
C:\Windows\SysWOW64\Opcejd32.exeC:\Windows\system32\Opcejd32.exe80⤵PID:2352
-
C:\Windows\SysWOW64\Oacbdg32.exeC:\Windows\system32\Oacbdg32.exe81⤵PID:2384
-
C:\Windows\SysWOW64\Ocdnloph.exeC:\Windows\system32\Ocdnloph.exe82⤵PID:2412
-
C:\Windows\SysWOW64\Ophoecoa.exeC:\Windows\system32\Ophoecoa.exe83⤵PID:1992
-
C:\Windows\SysWOW64\Oipcnieb.exeC:\Windows\system32\Oipcnieb.exe84⤵PID:2700
-
C:\Windows\SysWOW64\Oegdcj32.exeC:\Windows\system32\Oegdcj32.exe85⤵PID:2568
-
C:\Windows\SysWOW64\Piemih32.exeC:\Windows\system32\Piemih32.exe86⤵
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Pdonjf32.exeC:\Windows\system32\Pdonjf32.exe87⤵PID:2632
-
C:\Windows\SysWOW64\Phmfpddb.exeC:\Windows\system32\Phmfpddb.exe88⤵PID:1524
-
C:\Windows\SysWOW64\Paekijkb.exeC:\Windows\system32\Paekijkb.exe89⤵PID:2036
-
C:\Windows\SysWOW64\Pdfdkehc.exeC:\Windows\system32\Pdfdkehc.exe90⤵
- Modifies registry class
PID:1720 -
C:\Windows\SysWOW64\Qqldpfmh.exeC:\Windows\system32\Qqldpfmh.exe91⤵
- Drops file in System32 directory
PID:2152 -
C:\Windows\SysWOW64\Qgiibp32.exeC:\Windows\system32\Qgiibp32.exe92⤵PID:2824
-
C:\Windows\SysWOW64\Afnfcl32.exeC:\Windows\system32\Afnfcl32.exe93⤵
- Drops file in System32 directory
PID:1988 -
C:\Windows\SysWOW64\Afpchl32.exeC:\Windows\system32\Afpchl32.exe94⤵PID:1460
-
C:\Windows\SysWOW64\Ankhmncb.exeC:\Windows\system32\Ankhmncb.exe95⤵PID:2740
-
C:\Windows\SysWOW64\Aalaoipc.exeC:\Windows\system32\Aalaoipc.exe96⤵PID:1352
-
C:\Windows\SysWOW64\Aaondi32.exeC:\Windows\system32\Aaondi32.exe97⤵PID:2308
-
C:\Windows\SysWOW64\Bnbnnm32.exeC:\Windows\system32\Bnbnnm32.exe98⤵PID:2456
-
C:\Windows\SysWOW64\Bfncbp32.exeC:\Windows\system32\Bfncbp32.exe99⤵PID:2328
-
C:\Windows\SysWOW64\Bcackdio.exeC:\Windows\system32\Bcackdio.exe100⤵
- Drops file in System32 directory
PID:680 -
C:\Windows\SysWOW64\Bmjhdi32.exeC:\Windows\system32\Bmjhdi32.exe101⤵PID:2584
-
C:\Windows\SysWOW64\Bpkqfdmp.exeC:\Windows\system32\Bpkqfdmp.exe102⤵PID:2704
-
C:\Windows\SysWOW64\Cpmmkdkn.exeC:\Windows\system32\Cpmmkdkn.exe103⤵PID:2588
-
C:\Windows\SysWOW64\Chhbpfhi.exeC:\Windows\system32\Chhbpfhi.exe104⤵
- Modifies registry class
PID:1984 -
C:\Windows\SysWOW64\Clfkfeno.exeC:\Windows\system32\Clfkfeno.exe105⤵PID:1616
-
C:\Windows\SysWOW64\Ceoooj32.exeC:\Windows\system32\Ceoooj32.exe106⤵PID:2976
-
C:\Windows\SysWOW64\Cogdhpkp.exeC:\Windows\system32\Cogdhpkp.exe107⤵PID:2820
-
C:\Windows\SysWOW64\Cahmik32.exeC:\Windows\system32\Cahmik32.exe108⤵PID:2856
-
C:\Windows\SysWOW64\Dmomnlne.exeC:\Windows\system32\Dmomnlne.exe109⤵PID:2908
-
C:\Windows\SysWOW64\Ddkbqfcp.exeC:\Windows\system32\Ddkbqfcp.exe110⤵PID:2340
-
C:\Windows\SysWOW64\Enqfco32.exeC:\Windows\system32\Enqfco32.exe111⤵PID:904
-
C:\Windows\SysWOW64\Ekdglcmh.exeC:\Windows\system32\Ekdglcmh.exe112⤵PID:2504
-
C:\Windows\SysWOW64\Ejjdmp32.exeC:\Windows\system32\Ejjdmp32.exe113⤵PID:2064
-
C:\Windows\SysWOW64\Egndgdai.exeC:\Windows\system32\Egndgdai.exe114⤵
- Drops file in System32 directory
PID:1080 -
C:\Windows\SysWOW64\Fnjiin32.exeC:\Windows\system32\Fnjiin32.exe115⤵PID:2208
-
C:\Windows\SysWOW64\Ffenmp32.exeC:\Windows\system32\Ffenmp32.exe116⤵PID:2624
-
C:\Windows\SysWOW64\Ffhkcpal.exeC:\Windows\system32\Ffhkcpal.exe117⤵PID:2236
-
C:\Windows\SysWOW64\Fopole32.exeC:\Windows\system32\Fopole32.exe118⤵PID:2020
-
C:\Windows\SysWOW64\Fkgpaf32.exeC:\Windows\system32\Fkgpaf32.exe119⤵
- Drops file in System32 directory
PID:2480 -
C:\Windows\SysWOW64\Ggnqfgce.exeC:\Windows\system32\Ggnqfgce.exe120⤵PID:1944
-
C:\Windows\SysWOW64\Geaaolbo.exeC:\Windows\system32\Geaaolbo.exe121⤵PID:2992
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-