Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
94s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
22/12/2024, 12:46
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
c3b9dbe3f2d0286080530e43b4110e893b78351090d7af79b9d7bc1586cf924d.exe
Resource
win7-20240729-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
c3b9dbe3f2d0286080530e43b4110e893b78351090d7af79b9d7bc1586cf924d.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
c3b9dbe3f2d0286080530e43b4110e893b78351090d7af79b9d7bc1586cf924d.exe
-
Size
97KB
-
MD5
654497a4b7db67c90d625aaa1a676246
-
SHA1
2e05dcbb34d03dc8834bffabe48e52f9a55e9746
-
SHA256
c3b9dbe3f2d0286080530e43b4110e893b78351090d7af79b9d7bc1586cf924d
-
SHA512
cec0dfc602ef00a1ba75d160e1c82729d15e6b1c1084f9d63d486761dba36b28e74d347680b29110838c68918fed44513f2a01ae77039abf4a94f749fed4f6b6
-
SSDEEP
1536:CvCzHO6FeT+0+HKs7WZubHs0wNfpS8ZBOE0DVtvJXeYZe:y8FehaK5ZuQ0whRgEEFJXeKe
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkejnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohkdfhge.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mfkebkjk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hpicbe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbpfeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hlkcbp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fdblkoco.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdcfoq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qgfkchmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Codeih32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lenioenj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nebnigmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjkbpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lekjal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Glijnmdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbemho32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gihnkejd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hlmphp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Icdhnn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mbopon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dakpiajj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inkcem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iqllghon.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ipkema32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nkqjdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elbmkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icabeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lffmpp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmikpngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fichqckn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laackgka.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qidckjae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gipngg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Golgon32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ghbhhnhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nikkkn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pijgbl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nobpmb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdfmoha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqkalenn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjofjm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bllomg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Giejkp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ogmngn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpcnbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbmco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Limhpihl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knaeeo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkejnl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbkgig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apfici32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oklmhcdf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cdamao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kflcok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nifgekbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjhdpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mifkfhpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjfpdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hflndjin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lojjfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Opccallb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ojkhjabc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ceickb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcnhmdli.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2380 Fnjnkkbk.exe 824 Faijggao.exe 2748 Fedfgejh.exe 2880 Fipbhd32.exe 2264 Fakglf32.exe 2628 Fefcmehe.exe 2108 Fmbgageq.exe 1944 Ffjljmla.exe 2288 Fjfhkl32.exe 1920 Fjhdpk32.exe 2056 Fmfalg32.exe 2480 Gbcien32.exe 572 Gfoeel32.exe 2168 Gpgjnbnl.exe 2496 Gdcfoq32.exe 2204 Gipngg32.exe 1724 Golgon32.exe 840 Gefolhja.exe 980 Ghekhd32.exe 2360 Gplcia32.exe 1260 Goocenaa.exe 604 Geilah32.exe 2916 Gidhbgag.exe 1440 Glbdnbpk.exe 2920 Goapjnoo.exe 2320 Gaplfinb.exe 1972 Gdnibdmf.exe 2840 Hhlaiccm.exe 2632 Hgoadp32.exe 2760 Hpgfmeag.exe 2376 Hhnnnbaj.exe 1120 Hkmjjn32.exe 2092 Hpicbe32.exe 1976 Hchoop32.exe 2464 Hgckoofa.exe 2428 Hdgkicek.exe 1744 Hgfheodo.exe 1616 Hpnlndkp.exe 3028 Hghdjn32.exe 2212 Hekefkig.exe 2216 Ipqicdim.exe 632 Ihlnhffh.exe 1884 Ilgjhena.exe 2348 Icabeo32.exe 1528 Idbnmgll.exe 3052 Inkcem32.exe 2316 Idekbgji.exe 860 Ihpgce32.exe 2888 Ikocoa32.exe 2824 Iojopp32.exe 2684 Ibillk32.exe 2960 Iqllghon.exe 2660 Idghhf32.exe 1228 Ikapdqoc.exe 1032 Ijdppm32.exe 1904 Inplqlng.exe 2292 Jdidmf32.exe 1860 Jnbifl32.exe 1104 Jqpebg32.exe 2156 Jcoanb32.exe 1180 Jfmnkn32.exe 836 Jjijkmbi.exe 820 Jqbbhg32.exe 2912 Jcandb32.exe -
Loads dropped DLL 64 IoCs
pid Process 1760 c3b9dbe3f2d0286080530e43b4110e893b78351090d7af79b9d7bc1586cf924d.exe 1760 c3b9dbe3f2d0286080530e43b4110e893b78351090d7af79b9d7bc1586cf924d.exe 2380 Fnjnkkbk.exe 2380 Fnjnkkbk.exe 824 Faijggao.exe 824 Faijggao.exe 2748 Fedfgejh.exe 2748 Fedfgejh.exe 2880 Fipbhd32.exe 2880 Fipbhd32.exe 2264 Fakglf32.exe 2264 Fakglf32.exe 2628 Fefcmehe.exe 2628 Fefcmehe.exe 2108 Fmbgageq.exe 2108 Fmbgageq.exe 1944 Ffjljmla.exe 1944 Ffjljmla.exe 2288 Fjfhkl32.exe 2288 Fjfhkl32.exe 1920 Fjhdpk32.exe 1920 Fjhdpk32.exe 2056 Fmfalg32.exe 2056 Fmfalg32.exe 2480 Gbcien32.exe 2480 Gbcien32.exe 572 Gfoeel32.exe 572 Gfoeel32.exe 2168 Gpgjnbnl.exe 2168 Gpgjnbnl.exe 2496 Gdcfoq32.exe 2496 Gdcfoq32.exe 2204 Gipngg32.exe 2204 Gipngg32.exe 1724 Golgon32.exe 1724 Golgon32.exe 840 Gefolhja.exe 840 Gefolhja.exe 980 Ghekhd32.exe 980 Ghekhd32.exe 2360 Gplcia32.exe 2360 Gplcia32.exe 1260 Goocenaa.exe 1260 Goocenaa.exe 604 Geilah32.exe 604 Geilah32.exe 2916 Gidhbgag.exe 2916 Gidhbgag.exe 1440 Glbdnbpk.exe 1440 Glbdnbpk.exe 2920 Goapjnoo.exe 2920 Goapjnoo.exe 2320 Gaplfinb.exe 2320 Gaplfinb.exe 1972 Gdnibdmf.exe 1972 Gdnibdmf.exe 2840 Hhlaiccm.exe 2840 Hhlaiccm.exe 2632 Hgoadp32.exe 2632 Hgoadp32.exe 2760 Hpgfmeag.exe 2760 Hpgfmeag.exe 2376 Hhnnnbaj.exe 2376 Hhnnnbaj.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Acbnggjo.exe Aadakl32.exe File created C:\Windows\SysWOW64\Bnjgld32.dll Iabhdefo.exe File opened for modification C:\Windows\SysWOW64\Kfacdqhf.exe Kgocid32.exe File opened for modification C:\Windows\SysWOW64\Ldjmidcj.exe Llcehg32.exe File opened for modification C:\Windows\SysWOW64\Abinjdad.exe Apkbnibq.exe File created C:\Windows\SysWOW64\Cagjqbam.exe Cnlnpd32.exe File opened for modification C:\Windows\SysWOW64\Qidckjae.exe Pffgonbb.exe File opened for modification C:\Windows\SysWOW64\Kjkbpp32.exe Kglfcd32.exe File created C:\Windows\SysWOW64\Fbokdb32.dll Eqcjaa32.exe File created C:\Windows\SysWOW64\Fldabn32.exe Fmaqgaae.exe File created C:\Windows\SysWOW64\Eoecbheg.exe Emggflfc.exe File created C:\Windows\SysWOW64\Lddcfl32.dll Fmdfppkb.exe File created C:\Windows\SysWOW64\Goapjnoo.exe Glbdnbpk.exe File created C:\Windows\SysWOW64\Npechhgd.exe Nljhhi32.exe File opened for modification C:\Windows\SysWOW64\Inhoegqc.exe Idokma32.exe File opened for modification C:\Windows\SysWOW64\Jnjhjj32.exe Jjnlikic.exe File created C:\Windows\SysWOW64\Bojkib32.exe Bllomg32.exe File created C:\Windows\SysWOW64\Qghagobg.dll Aidpjm32.exe File created C:\Windows\SysWOW64\Mhlmhiho.dll Dekeeonn.exe File created C:\Windows\SysWOW64\Iemanlnj.dll Jcoanb32.exe File created C:\Windows\SysWOW64\Kghmhegc.exe Keiqlihp.exe File opened for modification C:\Windows\SysWOW64\Lcncbc32.exe Lmckeidj.exe File created C:\Windows\SysWOW64\Lpgqlc32.exe Limhpihl.exe File created C:\Windows\SysWOW64\Cfmjiqbg.dll Qmpplh32.exe File opened for modification C:\Windows\SysWOW64\Amkbpm32.exe Ajmfca32.exe File opened for modification C:\Windows\SysWOW64\Fdblkoco.exe Ffpkob32.exe File created C:\Windows\SysWOW64\Nhmiqo32.dll Nmbmii32.exe File created C:\Windows\SysWOW64\Jfmnkn32.exe Jcoanb32.exe File created C:\Windows\SysWOW64\Lidilk32.exe Lffmpp32.exe File created C:\Windows\SysWOW64\Madcho32.dll Cobhdhha.exe File opened for modification C:\Windows\SysWOW64\Doijcjde.exe Dljngoea.exe File created C:\Windows\SysWOW64\Obdngaom.dll Jkgbcofn.exe File created C:\Windows\SysWOW64\Olalpdbc.exe Oegdcj32.exe File created C:\Windows\SysWOW64\Neblqoel.exe Ncdpdcfh.exe File created C:\Windows\SysWOW64\Oojfnakl.exe Oknjmb32.exe File created C:\Windows\SysWOW64\Okqgcb32.exe Ohbjgg32.exe File created C:\Windows\SysWOW64\Ckhbnb32.exe Cbajme32.exe File opened for modification C:\Windows\SysWOW64\Mjmnmk32.exe Mgoaap32.exe File opened for modification C:\Windows\SysWOW64\Ckchcc32.exe Cfhlbe32.exe File created C:\Windows\SysWOW64\Liopnp32.dll Okfmbm32.exe File created C:\Windows\SysWOW64\Gipngg32.exe Gdcfoq32.exe File created C:\Windows\SysWOW64\Hbboiknb.exe Hpdbmooo.exe File opened for modification C:\Windows\SysWOW64\Hlpmmpam.exe Hhdqma32.exe File opened for modification C:\Windows\SysWOW64\Jdadadkl.exe Jqfhqe32.exe File created C:\Windows\SysWOW64\Pagmlp32.dll Maocekoo.exe File created C:\Windows\SysWOW64\Gjpldngk.dll Moqgiopk.exe File created C:\Windows\SysWOW64\Pcbqhkfi.dll Mnkfcjqe.exe File opened for modification C:\Windows\SysWOW64\Jcocgkbp.exe Jpqgkpcl.exe File created C:\Windows\SysWOW64\Ifnpchjd.dll Kfdfdf32.exe File created C:\Windows\SysWOW64\Aonjnmnj.dll Kgjlgm32.exe File created C:\Windows\SysWOW64\Lmphha32.dll Gpgjnbnl.exe File created C:\Windows\SysWOW64\Aqmidk32.dll Pjmjdnop.exe File created C:\Windows\SysWOW64\Ahpfkg32.dll Kjnanhhc.exe File opened for modification C:\Windows\SysWOW64\Gidhbgag.exe Geilah32.exe File created C:\Windows\SysWOW64\Hahljg32.exe Hoipnl32.exe File created C:\Windows\SysWOW64\Jebopgbd.dll Jjcieg32.exe File created C:\Windows\SysWOW64\Ghagcnje.dll Oknjmb32.exe File opened for modification C:\Windows\SysWOW64\Qgiplffm.exe Qekdpkgj.exe File created C:\Windows\SysWOW64\Lncacf32.dll Ogddhmdl.exe File created C:\Windows\SysWOW64\Mlnbgj32.dll Fjhdpk32.exe File opened for modification C:\Windows\SysWOW64\Pkepnalk.exe Pcnhmdli.exe File opened for modification C:\Windows\SysWOW64\Pjjmonac.exe Pglacbbo.exe File created C:\Windows\SysWOW64\Hjoiiffo.exe Hfdmhh32.exe File opened for modification C:\Windows\SysWOW64\Ogddhmdl.exe Oomlfpdi.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8852 8560 WerFault.exe 958 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dakpiajj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqnfkoen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pajeanhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apnhggln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjmmcgha.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kaekljjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnbmoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhoohgdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alofnj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idmnga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjcedj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fefcmehe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdnibdmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbemho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehafe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abinjdad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbbpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lffohikd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfpmog32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciglaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Feobac32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fgjkmijh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aankkqfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgiobadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgoadp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nljjqbfp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkqjdo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acbnggjo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cmikpngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hengep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mmcpjfcj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clfhml32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fpbihl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihcfan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pncljmko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abldccka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbijcgbc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Milaecdp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Maocekoo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oeoeplfn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nickoldp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpcmlnnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpcgbhig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgkiih32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enkdda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghenamai.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Inhoegqc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qkelme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbajme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpgfmeag.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blibghmm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nanhihno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ogmngn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gihnkejd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agqfme32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dodahk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ebnmpemq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Laeidfdn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjbjjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnqhkcdo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omgfdhbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okfmbm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lidilk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpbabf32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fclbgj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhoohgdg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Noagjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ojndpqpq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fqkieogp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fefcmehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfjfik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lddkfl32.dll" Pnfipm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbndmh32.dll" Jipcbidn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nndgeplo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Maapjjml.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Baipij32.dll" Jjgonf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlkfk32.dll" c3b9dbe3f2d0286080530e43b4110e893b78351090d7af79b9d7bc1586cf924d.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mpcgbhig.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dflmpebj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fdgefn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Llbnnq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhclfogi.dll" Nacmpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nickoldp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gegaeabe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kjkbpp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Egkehllh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Iphhgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kodghqop.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpcmlnnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmidlkkk.dll" Fcilnl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jkgbcofn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qkgbae32.dll" Bmdefk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eefjaj32.dll" Bhbpahan.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpckce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjjbkefk.dll" Nljhhi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ofdeeb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdjgff32.dll" Bdodmlcm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cbajme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eqlhflgh.dll" Mjpkbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbokdb32.dll" Eqcjaa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hilgfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Deiipp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Efhenccl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gbbbjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jcandb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bjfpdf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ekfaij32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljkodkb.dll" Ecbfmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hlqfqo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljpnch32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfihml32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lffmpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qpaohjkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dnqhkcdo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffghjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifadmn32.dll" Knddcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aegkfpah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ammoel32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mcmoeong.dll" Cfhlbe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkpgohdb.dll" Jcdmbk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qlckjo32.dll" Nkbcgnie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iopeoknn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljcbcngi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjhkqme.dll" Ejadibmh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Epjqgm32.dll" Hjhchg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Malmllfb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lgdfgbhf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hmgodc32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1760 wrote to memory of 2380 1760 c3b9dbe3f2d0286080530e43b4110e893b78351090d7af79b9d7bc1586cf924d.exe 30 PID 1760 wrote to memory of 2380 1760 c3b9dbe3f2d0286080530e43b4110e893b78351090d7af79b9d7bc1586cf924d.exe 30 PID 1760 wrote to memory of 2380 1760 c3b9dbe3f2d0286080530e43b4110e893b78351090d7af79b9d7bc1586cf924d.exe 30 PID 1760 wrote to memory of 2380 1760 c3b9dbe3f2d0286080530e43b4110e893b78351090d7af79b9d7bc1586cf924d.exe 30 PID 2380 wrote to memory of 824 2380 Fnjnkkbk.exe 31 PID 2380 wrote to memory of 824 2380 Fnjnkkbk.exe 31 PID 2380 wrote to memory of 824 2380 Fnjnkkbk.exe 31 PID 2380 wrote to memory of 824 2380 Fnjnkkbk.exe 31 PID 824 wrote to memory of 2748 824 Faijggao.exe 32 PID 824 wrote to memory of 2748 824 Faijggao.exe 32 PID 824 wrote to memory of 2748 824 Faijggao.exe 32 PID 824 wrote to memory of 2748 824 Faijggao.exe 32 PID 2748 wrote to memory of 2880 2748 Fedfgejh.exe 33 PID 2748 wrote to memory of 2880 2748 Fedfgejh.exe 33 PID 2748 wrote to memory of 2880 2748 Fedfgejh.exe 33 PID 2748 wrote to memory of 2880 2748 Fedfgejh.exe 33 PID 2880 wrote to memory of 2264 2880 Fipbhd32.exe 34 PID 2880 wrote to memory of 2264 2880 Fipbhd32.exe 34 PID 2880 wrote to memory of 2264 2880 Fipbhd32.exe 34 PID 2880 wrote to memory of 2264 2880 Fipbhd32.exe 34 PID 2264 wrote to memory of 2628 2264 Fakglf32.exe 35 PID 2264 wrote to memory of 2628 2264 Fakglf32.exe 35 PID 2264 wrote to memory of 2628 2264 Fakglf32.exe 35 PID 2264 wrote to memory of 2628 2264 Fakglf32.exe 35 PID 2628 wrote to memory of 2108 2628 Fefcmehe.exe 36 PID 2628 wrote to memory of 2108 2628 Fefcmehe.exe 36 PID 2628 wrote to memory of 2108 2628 Fefcmehe.exe 36 PID 2628 wrote to memory of 2108 2628 Fefcmehe.exe 36 PID 2108 wrote to memory of 1944 2108 Fmbgageq.exe 37 PID 2108 wrote to memory of 1944 2108 Fmbgageq.exe 37 PID 2108 wrote to memory of 1944 2108 Fmbgageq.exe 37 PID 2108 wrote to memory of 1944 2108 Fmbgageq.exe 37 PID 1944 wrote to memory of 2288 1944 Ffjljmla.exe 38 PID 1944 wrote to memory of 2288 1944 Ffjljmla.exe 38 PID 1944 wrote to memory of 2288 1944 Ffjljmla.exe 38 PID 1944 wrote to memory of 2288 1944 Ffjljmla.exe 38 PID 2288 wrote to memory of 1920 2288 Fjfhkl32.exe 39 PID 2288 wrote to memory of 1920 2288 Fjfhkl32.exe 39 PID 2288 wrote to memory of 1920 2288 Fjfhkl32.exe 39 PID 2288 wrote to memory of 1920 2288 Fjfhkl32.exe 39 PID 1920 wrote to memory of 2056 1920 Fjhdpk32.exe 40 PID 1920 wrote to memory of 2056 1920 Fjhdpk32.exe 40 PID 1920 wrote to memory of 2056 1920 Fjhdpk32.exe 40 PID 1920 wrote to memory of 2056 1920 Fjhdpk32.exe 40 PID 2056 wrote to memory of 2480 2056 Fmfalg32.exe 41 PID 2056 wrote to memory of 2480 2056 Fmfalg32.exe 41 PID 2056 wrote to memory of 2480 2056 Fmfalg32.exe 41 PID 2056 wrote to memory of 2480 2056 Fmfalg32.exe 41 PID 2480 wrote to memory of 572 2480 Gbcien32.exe 42 PID 2480 wrote to memory of 572 2480 Gbcien32.exe 42 PID 2480 wrote to memory of 572 2480 Gbcien32.exe 42 PID 2480 wrote to memory of 572 2480 Gbcien32.exe 42 PID 572 wrote to memory of 2168 572 Gfoeel32.exe 43 PID 572 wrote to memory of 2168 572 Gfoeel32.exe 43 PID 572 wrote to memory of 2168 572 Gfoeel32.exe 43 PID 572 wrote to memory of 2168 572 Gfoeel32.exe 43 PID 2168 wrote to memory of 2496 2168 Gpgjnbnl.exe 44 PID 2168 wrote to memory of 2496 2168 Gpgjnbnl.exe 44 PID 2168 wrote to memory of 2496 2168 Gpgjnbnl.exe 44 PID 2168 wrote to memory of 2496 2168 Gpgjnbnl.exe 44 PID 2496 wrote to memory of 2204 2496 Gdcfoq32.exe 45 PID 2496 wrote to memory of 2204 2496 Gdcfoq32.exe 45 PID 2496 wrote to memory of 2204 2496 Gdcfoq32.exe 45 PID 2496 wrote to memory of 2204 2496 Gdcfoq32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\c3b9dbe3f2d0286080530e43b4110e893b78351090d7af79b9d7bc1586cf924d.exe"C:\Users\Admin\AppData\Local\Temp\c3b9dbe3f2d0286080530e43b4110e893b78351090d7af79b9d7bc1586cf924d.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Fnjnkkbk.exeC:\Windows\system32\Fnjnkkbk.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2380 -
C:\Windows\SysWOW64\Faijggao.exeC:\Windows\system32\Faijggao.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:824 -
C:\Windows\SysWOW64\Fedfgejh.exeC:\Windows\system32\Fedfgejh.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2748 -
C:\Windows\SysWOW64\Fipbhd32.exeC:\Windows\system32\Fipbhd32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2880 -
C:\Windows\SysWOW64\Fakglf32.exeC:\Windows\system32\Fakglf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\Fefcmehe.exeC:\Windows\system32\Fefcmehe.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\Fmbgageq.exeC:\Windows\system32\Fmbgageq.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\SysWOW64\Ffjljmla.exeC:\Windows\system32\Ffjljmla.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1944 -
C:\Windows\SysWOW64\Fjfhkl32.exeC:\Windows\system32\Fjfhkl32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Fjhdpk32.exeC:\Windows\system32\Fjhdpk32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1920 -
C:\Windows\SysWOW64\Fmfalg32.exeC:\Windows\system32\Fmfalg32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2056 -
C:\Windows\SysWOW64\Gbcien32.exeC:\Windows\system32\Gbcien32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\Gfoeel32.exeC:\Windows\system32\Gfoeel32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:572 -
C:\Windows\SysWOW64\Gpgjnbnl.exeC:\Windows\system32\Gpgjnbnl.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\SysWOW64\Gdcfoq32.exeC:\Windows\system32\Gdcfoq32.exe16⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2496 -
C:\Windows\SysWOW64\Gipngg32.exeC:\Windows\system32\Gipngg32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2204 -
C:\Windows\SysWOW64\Golgon32.exeC:\Windows\system32\Golgon32.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1724 -
C:\Windows\SysWOW64\Gefolhja.exeC:\Windows\system32\Gefolhja.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:840 -
C:\Windows\SysWOW64\Ghekhd32.exeC:\Windows\system32\Ghekhd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:980 -
C:\Windows\SysWOW64\Gplcia32.exeC:\Windows\system32\Gplcia32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2360 -
C:\Windows\SysWOW64\Goocenaa.exeC:\Windows\system32\Goocenaa.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1260 -
C:\Windows\SysWOW64\Geilah32.exeC:\Windows\system32\Geilah32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:604 -
C:\Windows\SysWOW64\Gidhbgag.exeC:\Windows\system32\Gidhbgag.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Glbdnbpk.exeC:\Windows\system32\Glbdnbpk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1440 -
C:\Windows\SysWOW64\Goapjnoo.exeC:\Windows\system32\Goapjnoo.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2920 -
C:\Windows\SysWOW64\Gaplfinb.exeC:\Windows\system32\Gaplfinb.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2320 -
C:\Windows\SysWOW64\Gdnibdmf.exeC:\Windows\system32\Gdnibdmf.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1972 -
C:\Windows\SysWOW64\Hhlaiccm.exeC:\Windows\system32\Hhlaiccm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2840 -
C:\Windows\SysWOW64\Hgoadp32.exeC:\Windows\system32\Hgoadp32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2632 -
C:\Windows\SysWOW64\Hpgfmeag.exeC:\Windows\system32\Hpgfmeag.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2760 -
C:\Windows\SysWOW64\Hhnnnbaj.exeC:\Windows\system32\Hhnnnbaj.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Hkmjjn32.exeC:\Windows\system32\Hkmjjn32.exe33⤵
- Executes dropped EXE
PID:1120 -
C:\Windows\SysWOW64\Hpicbe32.exeC:\Windows\system32\Hpicbe32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2092 -
C:\Windows\SysWOW64\Hchoop32.exeC:\Windows\system32\Hchoop32.exe35⤵
- Executes dropped EXE
PID:1976 -
C:\Windows\SysWOW64\Hgckoofa.exeC:\Windows\system32\Hgckoofa.exe36⤵
- Executes dropped EXE
PID:2464 -
C:\Windows\SysWOW64\Hdgkicek.exeC:\Windows\system32\Hdgkicek.exe37⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Hgfheodo.exeC:\Windows\system32\Hgfheodo.exe38⤵
- Executes dropped EXE
PID:1744 -
C:\Windows\SysWOW64\Hpnlndkp.exeC:\Windows\system32\Hpnlndkp.exe39⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Hghdjn32.exeC:\Windows\system32\Hghdjn32.exe40⤵
- Executes dropped EXE
PID:3028 -
C:\Windows\SysWOW64\Hekefkig.exeC:\Windows\system32\Hekefkig.exe41⤵
- Executes dropped EXE
PID:2212 -
C:\Windows\SysWOW64\Ipqicdim.exeC:\Windows\system32\Ipqicdim.exe42⤵
- Executes dropped EXE
PID:2216 -
C:\Windows\SysWOW64\Ihlnhffh.exeC:\Windows\system32\Ihlnhffh.exe43⤵
- Executes dropped EXE
PID:632 -
C:\Windows\SysWOW64\Ilgjhena.exeC:\Windows\system32\Ilgjhena.exe44⤵
- Executes dropped EXE
PID:1884 -
C:\Windows\SysWOW64\Icabeo32.exeC:\Windows\system32\Icabeo32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2348 -
C:\Windows\SysWOW64\Idbnmgll.exeC:\Windows\system32\Idbnmgll.exe46⤵
- Executes dropped EXE
PID:1528 -
C:\Windows\SysWOW64\Inkcem32.exeC:\Windows\system32\Inkcem32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:3052 -
C:\Windows\SysWOW64\Idekbgji.exeC:\Windows\system32\Idekbgji.exe48⤵
- Executes dropped EXE
PID:2316 -
C:\Windows\SysWOW64\Ihpgce32.exeC:\Windows\system32\Ihpgce32.exe49⤵
- Executes dropped EXE
PID:860 -
C:\Windows\SysWOW64\Ikocoa32.exeC:\Windows\system32\Ikocoa32.exe50⤵
- Executes dropped EXE
PID:2888 -
C:\Windows\SysWOW64\Iojopp32.exeC:\Windows\system32\Iojopp32.exe51⤵
- Executes dropped EXE
PID:2824 -
C:\Windows\SysWOW64\Ibillk32.exeC:\Windows\system32\Ibillk32.exe52⤵
- Executes dropped EXE
PID:2684 -
C:\Windows\SysWOW64\Iqllghon.exeC:\Windows\system32\Iqllghon.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Idghhf32.exeC:\Windows\system32\Idghhf32.exe54⤵
- Executes dropped EXE
PID:2660 -
C:\Windows\SysWOW64\Ikapdqoc.exeC:\Windows\system32\Ikapdqoc.exe55⤵
- Executes dropped EXE
PID:1228 -
C:\Windows\SysWOW64\Ijdppm32.exeC:\Windows\system32\Ijdppm32.exe56⤵
- Executes dropped EXE
PID:1032 -
C:\Windows\SysWOW64\Inplqlng.exeC:\Windows\system32\Inplqlng.exe57⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Jdidmf32.exeC:\Windows\system32\Jdidmf32.exe58⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Jnbifl32.exeC:\Windows\system32\Jnbifl32.exe59⤵
- Executes dropped EXE
PID:1860 -
C:\Windows\SysWOW64\Jqpebg32.exeC:\Windows\system32\Jqpebg32.exe60⤵
- Executes dropped EXE
PID:1104 -
C:\Windows\SysWOW64\Jcoanb32.exeC:\Windows\system32\Jcoanb32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2156 -
C:\Windows\SysWOW64\Jfmnkn32.exeC:\Windows\system32\Jfmnkn32.exe62⤵
- Executes dropped EXE
PID:1180 -
C:\Windows\SysWOW64\Jjijkmbi.exeC:\Windows\system32\Jjijkmbi.exe63⤵
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Jqbbhg32.exeC:\Windows\system32\Jqbbhg32.exe64⤵
- Executes dropped EXE
PID:820 -
C:\Windows\SysWOW64\Jcandb32.exeC:\Windows\system32\Jcandb32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:2912 -
C:\Windows\SysWOW64\Jfojpn32.exeC:\Windows\system32\Jfojpn32.exe66⤵PID:3012
-
C:\Windows\SysWOW64\Jinfli32.exeC:\Windows\system32\Jinfli32.exe67⤵PID:2020
-
C:\Windows\SysWOW64\Jqeomfgc.exeC:\Windows\system32\Jqeomfgc.exe68⤵PID:2724
-
C:\Windows\SysWOW64\Johoic32.exeC:\Windows\system32\Johoic32.exe69⤵PID:2336
-
C:\Windows\SysWOW64\Jipcbidn.exeC:\Windows\system32\Jipcbidn.exe70⤵
- Modifies registry class
PID:2832 -
C:\Windows\SysWOW64\Jmlobg32.exeC:\Windows\system32\Jmlobg32.exe71⤵PID:2596
-
C:\Windows\SysWOW64\Jcfgoadd.exeC:\Windows\system32\Jcfgoadd.exe72⤵PID:2552
-
C:\Windows\SysWOW64\Jfddkmch.exeC:\Windows\system32\Jfddkmch.exe73⤵PID:2284
-
C:\Windows\SysWOW64\Jibpghbk.exeC:\Windows\system32\Jibpghbk.exe74⤵PID:2408
-
C:\Windows\SysWOW64\Kmnlhg32.exeC:\Windows\system32\Kmnlhg32.exe75⤵PID:1392
-
C:\Windows\SysWOW64\Knohpo32.exeC:\Windows\system32\Knohpo32.exe76⤵PID:2992
-
C:\Windows\SysWOW64\Keiqlihp.exeC:\Windows\system32\Keiqlihp.exe77⤵
- Drops file in System32 directory
PID:2220 -
C:\Windows\SysWOW64\Kghmhegc.exeC:\Windows\system32\Kghmhegc.exe78⤵PID:2208
-
C:\Windows\SysWOW64\Kpoejbhe.exeC:\Windows\system32\Kpoejbhe.exe79⤵PID:2164
-
C:\Windows\SysWOW64\Knaeeo32.exeC:\Windows\system32\Knaeeo32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1432 -
C:\Windows\SysWOW64\Kapaaj32.exeC:\Windows\system32\Kapaaj32.exe81⤵PID:2968
-
C:\Windows\SysWOW64\Kigibh32.exeC:\Windows\system32\Kigibh32.exe82⤵PID:1004
-
C:\Windows\SysWOW64\Kkefoc32.exeC:\Windows\system32\Kkefoc32.exe83⤵PID:1136
-
C:\Windows\SysWOW64\Kndbko32.exeC:\Windows\system32\Kndbko32.exe84⤵PID:1908
-
C:\Windows\SysWOW64\Kabngjla.exeC:\Windows\system32\Kabngjla.exe85⤵PID:2120
-
C:\Windows\SysWOW64\Kglfcd32.exeC:\Windows\system32\Kglfcd32.exe86⤵
- Drops file in System32 directory
PID:2620 -
C:\Windows\SysWOW64\Kjkbpp32.exeC:\Windows\system32\Kjkbpp32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2540 -
C:\Windows\SysWOW64\Kmiolk32.exeC:\Windows\system32\Kmiolk32.exe88⤵PID:2460
-
C:\Windows\SysWOW64\Kaekljjo.exeC:\Windows\system32\Kaekljjo.exe89⤵
- System Location Discovery: System Language Discovery
PID:1960 -
C:\Windows\SysWOW64\Kgocid32.exeC:\Windows\system32\Kgocid32.exe90⤵
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Kfacdqhf.exeC:\Windows\system32\Kfacdqhf.exe91⤵PID:2144
-
C:\Windows\SysWOW64\Knikfnih.exeC:\Windows\system32\Knikfnih.exe92⤵PID:2456
-
C:\Windows\SysWOW64\Kaggbihl.exeC:\Windows\system32\Kaggbihl.exe93⤵PID:2544
-
C:\Windows\SysWOW64\Lhapocoi.exeC:\Windows\system32\Lhapocoi.exe94⤵PID:2000
-
C:\Windows\SysWOW64\Lfdpjp32.exeC:\Windows\system32\Lfdpjp32.exe95⤵PID:2064
-
C:\Windows\SysWOW64\Liblfl32.exeC:\Windows\system32\Liblfl32.exe96⤵PID:2712
-
C:\Windows\SysWOW64\Laidgi32.exeC:\Windows\system32\Laidgi32.exe97⤵PID:2604
-
C:\Windows\SysWOW64\Lchqcd32.exeC:\Windows\system32\Lchqcd32.exe98⤵PID:2864
-
C:\Windows\SysWOW64\Lffmpp32.exeC:\Windows\system32\Lffmpp32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1360 -
C:\Windows\SysWOW64\Lidilk32.exeC:\Windows\system32\Lidilk32.exe100⤵
- System Location Discovery: System Language Discovery
PID:1964 -
C:\Windows\SysWOW64\Llcehg32.exeC:\Windows\system32\Llcehg32.exe101⤵
- Drops file in System32 directory
PID:2492 -
C:\Windows\SysWOW64\Ldjmidcj.exeC:\Windows\system32\Ldjmidcj.exe102⤵PID:1916
-
C:\Windows\SysWOW64\Lbmnea32.exeC:\Windows\system32\Lbmnea32.exe103⤵PID:2356
-
C:\Windows\SysWOW64\Lekjal32.exeC:\Windows\system32\Lekjal32.exe104⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:892 -
C:\Windows\SysWOW64\Lmbabj32.exeC:\Windows\system32\Lmbabj32.exe105⤵PID:2152
-
C:\Windows\SysWOW64\Lpanne32.exeC:\Windows\system32\Lpanne32.exe106⤵PID:1768
-
C:\Windows\SysWOW64\Lbojjq32.exeC:\Windows\system32\Lbojjq32.exe107⤵PID:780
-
C:\Windows\SysWOW64\Lenffl32.exeC:\Windows\system32\Lenffl32.exe108⤵PID:2736
-
C:\Windows\SysWOW64\Llhocfnb.exeC:\Windows\system32\Llhocfnb.exe109⤵PID:2768
-
C:\Windows\SysWOW64\Lpckce32.exeC:\Windows\system32\Lpckce32.exe110⤵
- Modifies registry class
PID:2972 -
C:\Windows\SysWOW64\Ladgkmlj.exeC:\Windows\system32\Ladgkmlj.exe111⤵PID:2160
-
C:\Windows\SysWOW64\Lepclldc.exeC:\Windows\system32\Lepclldc.exe112⤵PID:2516
-
C:\Windows\SysWOW64\Lhoohgdg.exeC:\Windows\system32\Lhoohgdg.exe113⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2980 -
C:\Windows\SysWOW64\Lkmldbcj.exeC:\Windows\system32\Lkmldbcj.exe114⤵PID:2196
-
C:\Windows\SysWOW64\Mbdcepcm.exeC:\Windows\system32\Mbdcepcm.exe115⤵PID:756
-
C:\Windows\SysWOW64\Magdam32.exeC:\Windows\system32\Magdam32.exe116⤵PID:1544
-
C:\Windows\SysWOW64\Mhalngad.exeC:\Windows\system32\Mhalngad.exe117⤵PID:1640
-
C:\Windows\SysWOW64\Mllhne32.exeC:\Windows\system32\Mllhne32.exe118⤵PID:2720
-
C:\Windows\SysWOW64\Mmndfnpl.exeC:\Windows\system32\Mmndfnpl.exe119⤵PID:2844
-
C:\Windows\SysWOW64\Maiqfl32.exeC:\Windows\system32\Maiqfl32.exe120⤵PID:1728
-
C:\Windows\SysWOW64\Mdgmbhgh.exeC:\Windows\system32\Mdgmbhgh.exe121⤵PID:3048
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-