Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
24/12/2024, 21:35
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4179a865b08103d2d04ef65a62e06b3a3d8a0ae4d9fe04e731ccd330fcfd8579.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
4179a865b08103d2d04ef65a62e06b3a3d8a0ae4d9fe04e731ccd330fcfd8579.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
4179a865b08103d2d04ef65a62e06b3a3d8a0ae4d9fe04e731ccd330fcfd8579.exe
-
Size
144KB
-
MD5
73d6473d8d763f8e03356109df456bde
-
SHA1
f46e3c01179006a2dbbfe326d0d6acf8040ee8a4
-
SHA256
4179a865b08103d2d04ef65a62e06b3a3d8a0ae4d9fe04e731ccd330fcfd8579
-
SHA512
28f5a03165b033df6acbdd331ff3942b7286bf6791c4477b8a2a347d301687d320fce11665561351d9e226ce116d8f6d55134fa6821c331f1843e9c5f666df92
-
SSDEEP
3072:0R69Eel415kYENwzGYJpD9r8XxrYnQg4sI+:KTnENaGyZ6Yu+
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Naalga32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ckolek32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkiicmdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qeppdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abfnpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajqljc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fkpjnkig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmkilb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ihpfgalh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knhjjj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijklknbn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpogbgmi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hcdnhoac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pljlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ggcaiqhj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljghjpfe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abpjjeim.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnjbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aoohekal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnqned32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iahkpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lfkeokjp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Phqmgg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjoofhgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dbafjlaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Eeielfhk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mkaghg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mihdgkpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffaaoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmhnkfpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oeindm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmmfaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohnaik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pmdmmalf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlnklcej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oaghki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Aaimopli.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlbgikia.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dikogf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Endjaief.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkhgip32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbcjnnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Omioekbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gljpncgc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ljieppcb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obmnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Odebolpe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qglmpi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmpdgf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofaicon.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Akiobk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhpemm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahifbpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jikeeh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjcaimgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pljlbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Danmmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffmkfifa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mpamde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bgdibkam.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jpbalb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdnild32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jhoice32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cfcijf32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 1988 Mjjdacik.exe 1716 Mbeiefff.exe 2192 Nlnnnk32.exe 2856 Npijoj32.exe 2716 Nhdocl32.exe 2908 Nbjcqe32.exe 2596 Nidkmojn.exe 492 Nlbgikia.exe 2900 Naopaa32.exe 2300 Nledoj32.exe 2952 Naalga32.exe 2008 Nhlddkmc.exe 1720 Nadimacd.exe 1768 Ohnaik32.exe 1632 Omkjbb32.exe 1620 Odebolpe.exe 1600 Ocgbji32.exe 776 Olpgconp.exe 1676 Oehklddp.exe 936 Oidglb32.exe 1048 Opnpimdf.exe 1752 Ocllehcj.exe 844 Oekhacbn.exe 1512 Opplolac.exe 2172 Ooclji32.exe 2384 Oihqgbhd.exe 2392 Olgmcmgh.exe 2340 Pdbahpec.exe 2376 Phnnho32.exe 2860 Pnjfae32.exe 2852 Phpjnnki.exe 2764 Pkofjijm.exe 2208 Pgegok32.exe 2264 Pjcckf32.exe 1628 Pnopldgn.exe 1484 Pdihiook.exe 2976 Pjfpafmb.exe 2940 Pmdmmalf.exe 1732 Pdldnomh.exe 1316 Qjhmfekp.exe 480 Qglmpi32.exe 3040 Qjkjle32.exe 1868 Qogbdl32.exe 1336 Abfnpg32.exe 852 Akncimmh.exe 2212 Aeggbbci.exe 1816 Amnocpdk.exe 308 Aollokco.exe 2336 Abkhkgbb.exe 1984 Aeidgbaf.exe 1940 Aggpdnpj.exe 2728 Aoohekal.exe 2756 Anahqh32.exe 2868 Aekqmbod.exe 2632 Agjmim32.exe 1968 Akeijlfq.exe 2988 Ancefgfd.exe 2968 Aababceh.exe 2132 Acqnnndl.exe 1152 Ajjfkh32.exe 2536 Bmibgd32.exe 2512 Bepjha32.exe 296 Bfagpiam.exe 1088 Bjmbqhif.exe -
Loads dropped DLL 64 IoCs
pid Process 2100 4179a865b08103d2d04ef65a62e06b3a3d8a0ae4d9fe04e731ccd330fcfd8579.exe 2100 4179a865b08103d2d04ef65a62e06b3a3d8a0ae4d9fe04e731ccd330fcfd8579.exe 1988 Mjjdacik.exe 1988 Mjjdacik.exe 1716 Mbeiefff.exe 1716 Mbeiefff.exe 2192 Nlnnnk32.exe 2192 Nlnnnk32.exe 2856 Npijoj32.exe 2856 Npijoj32.exe 2716 Nhdocl32.exe 2716 Nhdocl32.exe 2908 Nbjcqe32.exe 2908 Nbjcqe32.exe 2596 Nidkmojn.exe 2596 Nidkmojn.exe 492 Nlbgikia.exe 492 Nlbgikia.exe 2900 Naopaa32.exe 2900 Naopaa32.exe 2300 Nledoj32.exe 2300 Nledoj32.exe 2952 Naalga32.exe 2952 Naalga32.exe 2008 Nhlddkmc.exe 2008 Nhlddkmc.exe 1720 Nadimacd.exe 1720 Nadimacd.exe 1768 Ohnaik32.exe 1768 Ohnaik32.exe 1632 Omkjbb32.exe 1632 Omkjbb32.exe 1620 Odebolpe.exe 1620 Odebolpe.exe 1600 Ocgbji32.exe 1600 Ocgbji32.exe 776 Olpgconp.exe 776 Olpgconp.exe 1676 Oehklddp.exe 1676 Oehklddp.exe 936 Oidglb32.exe 936 Oidglb32.exe 1048 Opnpimdf.exe 1048 Opnpimdf.exe 1752 Ocllehcj.exe 1752 Ocllehcj.exe 844 Oekhacbn.exe 844 Oekhacbn.exe 1512 Opplolac.exe 1512 Opplolac.exe 2172 Ooclji32.exe 2172 Ooclji32.exe 2384 Oihqgbhd.exe 2384 Oihqgbhd.exe 2392 Olgmcmgh.exe 2392 Olgmcmgh.exe 2340 Pdbahpec.exe 2340 Pdbahpec.exe 2376 Phnnho32.exe 2376 Phnnho32.exe 2860 Pnjfae32.exe 2860 Pnjfae32.exe 2852 Phpjnnki.exe 2852 Phpjnnki.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Lcomce32.exe Lqqpgj32.exe File created C:\Windows\SysWOW64\Bmmhbd32.dll Qobbofgn.exe File opened for modification C:\Windows\SysWOW64\Kffldlne.exe Kgclio32.exe File created C:\Windows\SysWOW64\Aldhcb32.dll Qpbglhjq.exe File opened for modification C:\Windows\SysWOW64\Ckolek32.exe Chqoipkk.exe File created C:\Windows\SysWOW64\Kjkbonmp.dll Npmphinm.exe File created C:\Windows\SysWOW64\Fkfgkgmk.dll Pdakniag.exe File created C:\Windows\SysWOW64\Oggfcl32.dll Hldlga32.exe File created C:\Windows\SysWOW64\Njhfcp32.exe Nhjjgd32.exe File opened for modification C:\Windows\SysWOW64\Qglmpi32.exe Qjhmfekp.exe File created C:\Windows\SysWOW64\Ecnoijbd.exe Eppcmncq.exe File opened for modification C:\Windows\SysWOW64\Gqahqd32.exe Gbohehoj.exe File created C:\Windows\SysWOW64\Lnjcomcf.exe Lgqkbb32.exe File created C:\Windows\SysWOW64\Kofaicon.exe Klhemhpk.exe File created C:\Windows\SysWOW64\Lkfalipj.dll Fkpjnkig.exe File opened for modification C:\Windows\SysWOW64\Ldpbpgoh.exe Lcofio32.exe File created C:\Windows\SysWOW64\Pjdjea32.dll Nlqmmd32.exe File created C:\Windows\SysWOW64\Dchmkkkj.exe Dkadjn32.exe File created C:\Windows\SysWOW64\Idebfofe.dll Fkhgip32.exe File opened for modification C:\Windows\SysWOW64\Giiglhjb.exe Gfkkpmko.exe File created C:\Windows\SysWOW64\Ohpbbo32.dll Jdejhfig.exe File opened for modification C:\Windows\SysWOW64\Cehfkb32.exe Cbiiog32.exe File created C:\Windows\SysWOW64\Cfhakqek.dll Ggicgopd.exe File created C:\Windows\SysWOW64\Hkgoklhk.dll Pmpbdm32.exe File created C:\Windows\SysWOW64\Akfkbd32.exe Ahgofi32.exe File created C:\Windows\SysWOW64\Pnopldgn.exe Pjcckf32.exe File opened for modification C:\Windows\SysWOW64\Fbpbpkpj.exe Fcmben32.exe File opened for modification C:\Windows\SysWOW64\Geeemeif.exe Gbfiaj32.exe File created C:\Windows\SysWOW64\Oflpao32.dll Kfebambf.exe File opened for modification C:\Windows\SysWOW64\Gjojef32.exe Gceailog.exe File opened for modification C:\Windows\SysWOW64\Jfliim32.exe Jbqmhnbo.exe File created C:\Windows\SysWOW64\Phkckneq.dll Mdghaf32.exe File created C:\Windows\SysWOW64\Acddagag.dll Fjdnlhco.exe File created C:\Windows\SysWOW64\Mhmdim32.dll Pcghof32.exe File created C:\Windows\SysWOW64\Jehlkhig.exe Jondnnbk.exe File opened for modification C:\Windows\SysWOW64\Nabopjmj.exe Nmfbpk32.exe File opened for modification C:\Windows\SysWOW64\Olpgconp.exe Ocgbji32.exe File created C:\Windows\SysWOW64\Mfelmo32.dll Gljpncgc.exe File opened for modification C:\Windows\SysWOW64\Eiekpd32.exe Eejopecj.exe File created C:\Windows\SysWOW64\Jbefcm32.exe Jpgjgboe.exe File created C:\Windows\SysWOW64\Dgdfdnfj.dll Gqahqd32.exe File opened for modification C:\Windows\SysWOW64\Lbfook32.exe Lnjcomcf.exe File created C:\Windows\SysWOW64\Kmapmi32.dll Bkhhhd32.exe File created C:\Windows\SysWOW64\Jkdgkc32.dll Ajjfkh32.exe File created C:\Windows\SysWOW64\Ehlenfjb.dll Hndlem32.exe File created C:\Windows\SysWOW64\Nfkapb32.exe Ndmecgba.exe File created C:\Windows\SysWOW64\Ogjbid32.dll Eddeladm.exe File opened for modification C:\Windows\SysWOW64\Cpnaca32.exe Cmpdgf32.exe File created C:\Windows\SysWOW64\Eddeladm.exe Eaeipfei.exe File created C:\Windows\SysWOW64\Icblnd32.dll Nidmfh32.exe File opened for modification C:\Windows\SysWOW64\Aomnhd32.exe Ahbekjcf.exe File created C:\Windows\SysWOW64\Kbdjhe32.dll Bpqain32.exe File created C:\Windows\SysWOW64\Koaqcn32.exe Klbdgb32.exe File created C:\Windows\SysWOW64\Paiaplin.exe Pojecajj.exe File created C:\Windows\SysWOW64\Aomnhd32.exe Ahbekjcf.exe File created C:\Windows\SysWOW64\Eqjmncna.exe Enkpahon.exe File opened for modification C:\Windows\SysWOW64\Iapgkl32.exe Ibmgpoia.exe File created C:\Windows\SysWOW64\Jeecim32.dll Gdhkfd32.exe File created C:\Windows\SysWOW64\Oeeikk32.dll Mklcadfn.exe File opened for modification C:\Windows\SysWOW64\Jjdofm32.exe Jgfcja32.exe File created C:\Windows\SysWOW64\Ngndfk32.dll Aobnniji.exe File created C:\Windows\SysWOW64\Klngkfge.exe Kjokokha.exe File created C:\Windows\SysWOW64\Ecinnn32.dll Pepcelel.exe File created C:\Windows\SysWOW64\Pnjfae32.exe Phnnho32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7336 8016 WerFault.exe 827 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdmhbplb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hlgimqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jialfgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aficjnpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbeiefff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgmfchei.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnnaoe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ffkoai32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phhjblpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mikjpiim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pghfnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amohfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folfoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mqnifg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjmbqhif.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgjfek32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kdjccf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klbdgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjhjdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidmfh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pgegok32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjbbpmgo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Daofpchf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agbpnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ecploipa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgpjhn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpnmgdli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhnkffeo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekhacbn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfhiplmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkhgip32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Accqnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nlnnnk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Blchcpko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhbnbpjc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paiaplin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qnghel32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdiogq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonocmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpbalb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iihiphln.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmkhjncg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnimiblo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoohekal.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbbfep32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkbgckgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ciohqa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifjlcmmj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oabkom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fheabelm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilabmedg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miehak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phqmgg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfkbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omkjbb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aeggbbci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkmqdpce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idfnicfl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calcpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlelhe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfebambf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omcifpnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fqdiga32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lhpglecl.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lqcmmjko.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Odhhgkib.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qfljkp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Phlclgfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kfkpknkq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hblgnkdh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Paknelgk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mnbpjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bplhnoej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ibmcpifp.dll" Jlelhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ndjcbk32.dll" Lnbdko32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pknedeoi.dll" Difnaqih.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lcjlnpmo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pifbjn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hicoaj32.dll" Phpjnnki.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Loqhnifk.dll" Ilcoce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Imokehhl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chnbcpmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bmmhbd32.dll" Qobbofgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kpicle32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lghlndfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nhjjgd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmmgmc32.dll" Ahbekjcf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gaqomeke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nagbgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Elajgpmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bafple32.dll" Hloiib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Abkhkgbb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elemhgkf.dll" Dlndnacm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nenakoho.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qkibcg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cinafkkd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oekhacbn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dddimn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lmhjag32.dll" Gfhgpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gneijien.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fljiqocb.dll" Mimgeigj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdaqmg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clmdmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhfpnk32.dll" Kffldlne.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdlbfien.dll" Ajnpecbj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klqahn32.dll" Amohfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgbfnngi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mnaiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfikmo32.dll" Bgcbhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ogknoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeiead32.dll" Lngnfnji.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pglabp32.dll" Odmabj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aojabdlf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nlnnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dinklffl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ffkoai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Miehak32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ojomdoof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cjonncab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ocgbji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clhfpifk.dll" Ocgbji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dkabpebk.dll" Mkddnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fcbecl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Omkjbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Niplmn32.dll" Mbbfep32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nmfbpk32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2100 wrote to memory of 1988 2100 4179a865b08103d2d04ef65a62e06b3a3d8a0ae4d9fe04e731ccd330fcfd8579.exe 30 PID 2100 wrote to memory of 1988 2100 4179a865b08103d2d04ef65a62e06b3a3d8a0ae4d9fe04e731ccd330fcfd8579.exe 30 PID 2100 wrote to memory of 1988 2100 4179a865b08103d2d04ef65a62e06b3a3d8a0ae4d9fe04e731ccd330fcfd8579.exe 30 PID 2100 wrote to memory of 1988 2100 4179a865b08103d2d04ef65a62e06b3a3d8a0ae4d9fe04e731ccd330fcfd8579.exe 30 PID 1988 wrote to memory of 1716 1988 Mjjdacik.exe 31 PID 1988 wrote to memory of 1716 1988 Mjjdacik.exe 31 PID 1988 wrote to memory of 1716 1988 Mjjdacik.exe 31 PID 1988 wrote to memory of 1716 1988 Mjjdacik.exe 31 PID 1716 wrote to memory of 2192 1716 Mbeiefff.exe 32 PID 1716 wrote to memory of 2192 1716 Mbeiefff.exe 32 PID 1716 wrote to memory of 2192 1716 Mbeiefff.exe 32 PID 1716 wrote to memory of 2192 1716 Mbeiefff.exe 32 PID 2192 wrote to memory of 2856 2192 Nlnnnk32.exe 33 PID 2192 wrote to memory of 2856 2192 Nlnnnk32.exe 33 PID 2192 wrote to memory of 2856 2192 Nlnnnk32.exe 33 PID 2192 wrote to memory of 2856 2192 Nlnnnk32.exe 33 PID 2856 wrote to memory of 2716 2856 Npijoj32.exe 34 PID 2856 wrote to memory of 2716 2856 Npijoj32.exe 34 PID 2856 wrote to memory of 2716 2856 Npijoj32.exe 34 PID 2856 wrote to memory of 2716 2856 Npijoj32.exe 34 PID 2716 wrote to memory of 2908 2716 Nhdocl32.exe 35 PID 2716 wrote to memory of 2908 2716 Nhdocl32.exe 35 PID 2716 wrote to memory of 2908 2716 Nhdocl32.exe 35 PID 2716 wrote to memory of 2908 2716 Nhdocl32.exe 35 PID 2908 wrote to memory of 2596 2908 Nbjcqe32.exe 36 PID 2908 wrote to memory of 2596 2908 Nbjcqe32.exe 36 PID 2908 wrote to memory of 2596 2908 Nbjcqe32.exe 36 PID 2908 wrote to memory of 2596 2908 Nbjcqe32.exe 36 PID 2596 wrote to memory of 492 2596 Nidkmojn.exe 37 PID 2596 wrote to memory of 492 2596 Nidkmojn.exe 37 PID 2596 wrote to memory of 492 2596 Nidkmojn.exe 37 PID 2596 wrote to memory of 492 2596 Nidkmojn.exe 37 PID 492 wrote to memory of 2900 492 Nlbgikia.exe 38 PID 492 wrote to memory of 2900 492 Nlbgikia.exe 38 PID 492 wrote to memory of 2900 492 Nlbgikia.exe 38 PID 492 wrote to memory of 2900 492 Nlbgikia.exe 38 PID 2900 wrote to memory of 2300 2900 Naopaa32.exe 39 PID 2900 wrote to memory of 2300 2900 Naopaa32.exe 39 PID 2900 wrote to memory of 2300 2900 Naopaa32.exe 39 PID 2900 wrote to memory of 2300 2900 Naopaa32.exe 39 PID 2300 wrote to memory of 2952 2300 Nledoj32.exe 40 PID 2300 wrote to memory of 2952 2300 Nledoj32.exe 40 PID 2300 wrote to memory of 2952 2300 Nledoj32.exe 40 PID 2300 wrote to memory of 2952 2300 Nledoj32.exe 40 PID 2952 wrote to memory of 2008 2952 Naalga32.exe 41 PID 2952 wrote to memory of 2008 2952 Naalga32.exe 41 PID 2952 wrote to memory of 2008 2952 Naalga32.exe 41 PID 2952 wrote to memory of 2008 2952 Naalga32.exe 41 PID 2008 wrote to memory of 1720 2008 Nhlddkmc.exe 42 PID 2008 wrote to memory of 1720 2008 Nhlddkmc.exe 42 PID 2008 wrote to memory of 1720 2008 Nhlddkmc.exe 42 PID 2008 wrote to memory of 1720 2008 Nhlddkmc.exe 42 PID 1720 wrote to memory of 1768 1720 Nadimacd.exe 43 PID 1720 wrote to memory of 1768 1720 Nadimacd.exe 43 PID 1720 wrote to memory of 1768 1720 Nadimacd.exe 43 PID 1720 wrote to memory of 1768 1720 Nadimacd.exe 43 PID 1768 wrote to memory of 1632 1768 Ohnaik32.exe 44 PID 1768 wrote to memory of 1632 1768 Ohnaik32.exe 44 PID 1768 wrote to memory of 1632 1768 Ohnaik32.exe 44 PID 1768 wrote to memory of 1632 1768 Ohnaik32.exe 44 PID 1632 wrote to memory of 1620 1632 Omkjbb32.exe 45 PID 1632 wrote to memory of 1620 1632 Omkjbb32.exe 45 PID 1632 wrote to memory of 1620 1632 Omkjbb32.exe 45 PID 1632 wrote to memory of 1620 1632 Omkjbb32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4179a865b08103d2d04ef65a62e06b3a3d8a0ae4d9fe04e731ccd330fcfd8579.exe"C:\Users\Admin\AppData\Local\Temp\4179a865b08103d2d04ef65a62e06b3a3d8a0ae4d9fe04e731ccd330fcfd8579.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\SysWOW64\Mjjdacik.exeC:\Windows\system32\Mjjdacik.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1988 -
C:\Windows\SysWOW64\Mbeiefff.exeC:\Windows\system32\Mbeiefff.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1716 -
C:\Windows\SysWOW64\Nlnnnk32.exeC:\Windows\system32\Nlnnnk32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2192 -
C:\Windows\SysWOW64\Npijoj32.exeC:\Windows\system32\Npijoj32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Nhdocl32.exeC:\Windows\system32\Nhdocl32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\Nbjcqe32.exeC:\Windows\system32\Nbjcqe32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Windows\SysWOW64\Nidkmojn.exeC:\Windows\system32\Nidkmojn.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2596 -
C:\Windows\SysWOW64\Nlbgikia.exeC:\Windows\system32\Nlbgikia.exe9⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:492 -
C:\Windows\SysWOW64\Naopaa32.exeC:\Windows\system32\Naopaa32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Nledoj32.exeC:\Windows\system32\Nledoj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2300 -
C:\Windows\SysWOW64\Naalga32.exeC:\Windows\system32\Naalga32.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Nhlddkmc.exeC:\Windows\system32\Nhlddkmc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2008 -
C:\Windows\SysWOW64\Nadimacd.exeC:\Windows\system32\Nadimacd.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1720 -
C:\Windows\SysWOW64\Ohnaik32.exeC:\Windows\system32\Ohnaik32.exe15⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1768 -
C:\Windows\SysWOW64\Omkjbb32.exeC:\Windows\system32\Omkjbb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\Odebolpe.exeC:\Windows\system32\Odebolpe.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1620 -
C:\Windows\SysWOW64\Ocgbji32.exeC:\Windows\system32\Ocgbji32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1600 -
C:\Windows\SysWOW64\Olpgconp.exeC:\Windows\system32\Olpgconp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:776 -
C:\Windows\SysWOW64\Oehklddp.exeC:\Windows\system32\Oehklddp.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1676 -
C:\Windows\SysWOW64\Oidglb32.exeC:\Windows\system32\Oidglb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:936 -
C:\Windows\SysWOW64\Opnpimdf.exeC:\Windows\system32\Opnpimdf.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1048 -
C:\Windows\SysWOW64\Ocllehcj.exeC:\Windows\system32\Ocllehcj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1752 -
C:\Windows\SysWOW64\Oekhacbn.exeC:\Windows\system32\Oekhacbn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Opplolac.exeC:\Windows\system32\Opplolac.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Ooclji32.exeC:\Windows\system32\Ooclji32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2172 -
C:\Windows\SysWOW64\Oihqgbhd.exeC:\Windows\system32\Oihqgbhd.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2384 -
C:\Windows\SysWOW64\Olgmcmgh.exeC:\Windows\system32\Olgmcmgh.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2392 -
C:\Windows\SysWOW64\Pdbahpec.exeC:\Windows\system32\Pdbahpec.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2340 -
C:\Windows\SysWOW64\Phnnho32.exeC:\Windows\system32\Phnnho32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2376 -
C:\Windows\SysWOW64\Pnjfae32.exeC:\Windows\system32\Pnjfae32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2860 -
C:\Windows\SysWOW64\Phpjnnki.exeC:\Windows\system32\Phpjnnki.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2852 -
C:\Windows\SysWOW64\Pkofjijm.exeC:\Windows\system32\Pkofjijm.exe33⤵
- Executes dropped EXE
PID:2764 -
C:\Windows\SysWOW64\Pgegok32.exeC:\Windows\system32\Pgegok32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2208 -
C:\Windows\SysWOW64\Pjcckf32.exeC:\Windows\system32\Pjcckf32.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2264 -
C:\Windows\SysWOW64\Pnopldgn.exeC:\Windows\system32\Pnopldgn.exe36⤵
- Executes dropped EXE
PID:1628 -
C:\Windows\SysWOW64\Pdihiook.exeC:\Windows\system32\Pdihiook.exe37⤵
- Executes dropped EXE
PID:1484 -
C:\Windows\SysWOW64\Pjfpafmb.exeC:\Windows\system32\Pjfpafmb.exe38⤵
- Executes dropped EXE
PID:2976 -
C:\Windows\SysWOW64\Pmdmmalf.exeC:\Windows\system32\Pmdmmalf.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Pdldnomh.exeC:\Windows\system32\Pdldnomh.exe40⤵
- Executes dropped EXE
PID:1732 -
C:\Windows\SysWOW64\Qjhmfekp.exeC:\Windows\system32\Qjhmfekp.exe41⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1316 -
C:\Windows\SysWOW64\Qglmpi32.exeC:\Windows\system32\Qglmpi32.exe42⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:480 -
C:\Windows\SysWOW64\Qjkjle32.exeC:\Windows\system32\Qjkjle32.exe43⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Qogbdl32.exeC:\Windows\system32\Qogbdl32.exe44⤵
- Executes dropped EXE
PID:1868 -
C:\Windows\SysWOW64\Abfnpg32.exeC:\Windows\system32\Abfnpg32.exe45⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1336 -
C:\Windows\SysWOW64\Akncimmh.exeC:\Windows\system32\Akncimmh.exe46⤵
- Executes dropped EXE
PID:852 -
C:\Windows\SysWOW64\Aeggbbci.exeC:\Windows\system32\Aeggbbci.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2212 -
C:\Windows\SysWOW64\Amnocpdk.exeC:\Windows\system32\Amnocpdk.exe48⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Aollokco.exeC:\Windows\system32\Aollokco.exe49⤵
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Abkhkgbb.exeC:\Windows\system32\Abkhkgbb.exe50⤵
- Executes dropped EXE
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Aeidgbaf.exeC:\Windows\system32\Aeidgbaf.exe51⤵
- Executes dropped EXE
PID:1984 -
C:\Windows\SysWOW64\Aggpdnpj.exeC:\Windows\system32\Aggpdnpj.exe52⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Aoohekal.exeC:\Windows\system32\Aoohekal.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Anahqh32.exeC:\Windows\system32\Anahqh32.exe54⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Aekqmbod.exeC:\Windows\system32\Aekqmbod.exe55⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Agjmim32.exeC:\Windows\system32\Agjmim32.exe56⤵
- Executes dropped EXE
PID:2632 -
C:\Windows\SysWOW64\Akeijlfq.exeC:\Windows\system32\Akeijlfq.exe57⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Ancefgfd.exeC:\Windows\system32\Ancefgfd.exe58⤵
- Executes dropped EXE
PID:2988 -
C:\Windows\SysWOW64\Aababceh.exeC:\Windows\system32\Aababceh.exe59⤵
- Executes dropped EXE
PID:2968 -
C:\Windows\SysWOW64\Acqnnndl.exeC:\Windows\system32\Acqnnndl.exe60⤵
- Executes dropped EXE
PID:2132 -
C:\Windows\SysWOW64\Ajjfkh32.exeC:\Windows\system32\Ajjfkh32.exe61⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1152 -
C:\Windows\SysWOW64\Bmibgd32.exeC:\Windows\system32\Bmibgd32.exe62⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Bepjha32.exeC:\Windows\system32\Bepjha32.exe63⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Bfagpiam.exeC:\Windows\system32\Bfagpiam.exe64⤵
- Executes dropped EXE
PID:296 -
C:\Windows\SysWOW64\Bjmbqhif.exeC:\Windows\system32\Bjmbqhif.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1088 -
C:\Windows\SysWOW64\Bmkomchi.exeC:\Windows\system32\Bmkomchi.exe66⤵PID:3052
-
C:\Windows\SysWOW64\Bcegin32.exeC:\Windows\system32\Bcegin32.exe67⤵PID:2292
-
C:\Windows\SysWOW64\Bfccei32.exeC:\Windows\system32\Bfccei32.exe68⤵PID:1728
-
C:\Windows\SysWOW64\Bjoofhgc.exeC:\Windows\system32\Bjoofhgc.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2408 -
C:\Windows\SysWOW64\Bibpad32.exeC:\Windows\system32\Bibpad32.exe70⤵PID:1820
-
C:\Windows\SysWOW64\Bplhnoej.exeC:\Windows\system32\Bplhnoej.exe71⤵
- Modifies registry class
PID:344 -
C:\Windows\SysWOW64\Bbjdjjdn.exeC:\Windows\system32\Bbjdjjdn.exe72⤵PID:2708
-
C:\Windows\SysWOW64\Bjallg32.exeC:\Windows\system32\Bjallg32.exe73⤵PID:2840
-
C:\Windows\SysWOW64\Blchcpko.exeC:\Windows\system32\Blchcpko.exe74⤵
- System Location Discovery: System Language Discovery
PID:2848 -
C:\Windows\SysWOW64\Bcjqdmla.exeC:\Windows\system32\Bcjqdmla.exe75⤵PID:2652
-
C:\Windows\SysWOW64\Bfhmqhkd.exeC:\Windows\system32\Bfhmqhkd.exe76⤵PID:2888
-
C:\Windows\SysWOW64\Bigimdjh.exeC:\Windows\system32\Bigimdjh.exe77⤵PID:2688
-
C:\Windows\SysWOW64\Bmbemb32.exeC:\Windows\system32\Bmbemb32.exe78⤵PID:1032
-
C:\Windows\SysWOW64\Bpqain32.exeC:\Windows\system32\Bpqain32.exe79⤵
- Drops file in System32 directory
PID:2496 -
C:\Windows\SysWOW64\Bbonei32.exeC:\Windows\system32\Bbonei32.exe80⤵PID:1392
-
C:\Windows\SysWOW64\Cemjae32.exeC:\Windows\system32\Cemjae32.exe81⤵PID:2244
-
C:\Windows\SysWOW64\Ciifbchf.exeC:\Windows\system32\Ciifbchf.exe82⤵PID:1672
-
C:\Windows\SysWOW64\Clgbno32.exeC:\Windows\system32\Clgbno32.exe83⤵PID:848
-
C:\Windows\SysWOW64\Cofnjj32.exeC:\Windows\system32\Cofnjj32.exe84⤵PID:3004
-
C:\Windows\SysWOW64\Cadjgf32.exeC:\Windows\system32\Cadjgf32.exe85⤵PID:2368
-
C:\Windows\SysWOW64\Cepfgdnj.exeC:\Windows\system32\Cepfgdnj.exe86⤵PID:1592
-
C:\Windows\SysWOW64\Chnbcpmn.exeC:\Windows\system32\Chnbcpmn.exe87⤵
- Modifies registry class
PID:2508 -
C:\Windows\SysWOW64\Cljodo32.exeC:\Windows\system32\Cljodo32.exe88⤵PID:2748
-
C:\Windows\SysWOW64\Cjmopkla.exeC:\Windows\system32\Cjmopkla.exe89⤵PID:2644
-
C:\Windows\SysWOW64\Cohkpj32.exeC:\Windows\system32\Cohkpj32.exe90⤵PID:2676
-
C:\Windows\SysWOW64\Cbdgqimc.exeC:\Windows\system32\Cbdgqimc.exe91⤵PID:1212
-
C:\Windows\SysWOW64\Chqoipkk.exeC:\Windows\system32\Chqoipkk.exe92⤵
- Drops file in System32 directory
PID:2012 -
C:\Windows\SysWOW64\Ckolek32.exeC:\Windows\system32\Ckolek32.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2016 -
C:\Windows\SysWOW64\Cojhejbh.exeC:\Windows\system32\Cojhejbh.exe94⤵PID:1864
-
C:\Windows\SysWOW64\Caidaeak.exeC:\Windows\system32\Caidaeak.exe95⤵PID:2696
-
C:\Windows\SysWOW64\Cdgpnqpo.exeC:\Windows\system32\Cdgpnqpo.exe96⤵PID:1532
-
C:\Windows\SysWOW64\Cffljlpc.exeC:\Windows\system32\Cffljlpc.exe97⤵PID:2084
-
C:\Windows\SysWOW64\Cmpdgf32.exeC:\Windows\system32\Cmpdgf32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2268 -
C:\Windows\SysWOW64\Cpnaca32.exeC:\Windows\system32\Cpnaca32.exe99⤵PID:1932
-
C:\Windows\SysWOW64\Cfhiplmp.exeC:\Windows\system32\Cfhiplmp.exe100⤵
- System Location Discovery: System Language Discovery
PID:2388 -
C:\Windows\SysWOW64\Cifelgmd.exeC:\Windows\system32\Cifelgmd.exe101⤵PID:2096
-
C:\Windows\SysWOW64\Cmbalfem.exeC:\Windows\system32\Cmbalfem.exe102⤵PID:2740
-
C:\Windows\SysWOW64\Danmmd32.exeC:\Windows\system32\Danmmd32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3012 -
C:\Windows\SysWOW64\Ddliip32.exeC:\Windows\system32\Ddliip32.exe104⤵PID:2672
-
C:\Windows\SysWOW64\Dgjfek32.exeC:\Windows\system32\Dgjfek32.exe105⤵
- System Location Discovery: System Language Discovery
PID:2164 -
C:\Windows\SysWOW64\Dkfbfjdf.exeC:\Windows\system32\Dkfbfjdf.exe106⤵PID:2028
-
C:\Windows\SysWOW64\Dmdnbecj.exeC:\Windows\system32\Dmdnbecj.exe107⤵PID:2912
-
C:\Windows\SysWOW64\Dbafjlaa.exeC:\Windows\system32\Dbafjlaa.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1936 -
C:\Windows\SysWOW64\Depbfhpe.exeC:\Windows\system32\Depbfhpe.exe109⤵PID:920
-
C:\Windows\SysWOW64\Dikogf32.exeC:\Windows\system32\Dikogf32.exe110⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2344 -
C:\Windows\SysWOW64\Dljkcb32.exeC:\Windows\system32\Dljkcb32.exe111⤵PID:2452
-
C:\Windows\SysWOW64\Dgoopkgh.exeC:\Windows\system32\Dgoopkgh.exe112⤵PID:768
-
C:\Windows\SysWOW64\Dinklffl.exeC:\Windows\system32\Dinklffl.exe113⤵
- Modifies registry class
PID:1556 -
C:\Windows\SysWOW64\Dllhhaep.exeC:\Windows\system32\Dllhhaep.exe114⤵PID:2180
-
C:\Windows\SysWOW64\Dpgcip32.exeC:\Windows\system32\Dpgcip32.exe115⤵PID:2316
-
C:\Windows\SysWOW64\Diphbfdi.exeC:\Windows\system32\Diphbfdi.exe116⤵PID:1856
-
C:\Windows\SysWOW64\Dlndnacm.exeC:\Windows\system32\Dlndnacm.exe117⤵
- Modifies registry class
PID:1488 -
C:\Windows\SysWOW64\Dkadjn32.exeC:\Windows\system32\Dkadjn32.exe118⤵
- Drops file in System32 directory
PID:3064 -
C:\Windows\SysWOW64\Dchmkkkj.exeC:\Windows\system32\Dchmkkkj.exe119⤵PID:532
-
C:\Windows\SysWOW64\Degiggjm.exeC:\Windows\system32\Degiggjm.exe120⤵PID:1524
-
C:\Windows\SysWOW64\Eheecbia.exeC:\Windows\system32\Eheecbia.exe121⤵PID:916
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-