Analysis
max time kernel: 43s
max time network: 19s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 25/12/2024, 18:53
Static task: static1
Behavioral task: behavioral1
  Sample: 148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: 148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe
  Resource: win10v2004-20241007-en
General
Target: 148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe
Size: 74KB
MD5: c6a0939cf076e4a973904fd4006cd00f
SHA1: 7081f05b590b86cfa527f1e7cc7c6ea31fa648c7
SHA256: 148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1
SHA512: 0e341192cf437c7e2c7f3859c80603c15b926310f8d6f498160588de90346a20f3f0b40dc0696f0081b8402dfabe93ea2d22c84599e60859801079e9a3a35de7
SSDEEP: 1536:HaL5QefEVWhlp5pKvJjHHajdsRsS49vCRA1FMbA38J7:HGBE0hn5AdOiRsS49vCRaFWN7
Malware Config
Extracted
berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Kcgdgnmc.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nmkklflj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cpkaai32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ogiegc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bdpgai32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Flqmddah.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Eelfedpa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lfeegfkf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Qpmiahlp.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pbdhbnnp.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Alfpab32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cplkehnk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Oebffm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Meojkide.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ocdohdfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Odpeop32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jadnoc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fenedlec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bdpnlo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hbblpf32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lblflgqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bdpjjaiq.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bfoffmhd.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nchiao32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Aadbfp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Fagqed32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pqdend32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Qeglqpaj.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ajfcgoec.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ifljcanj.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Npbpjn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cjdmee32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eelfedpa.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Fbbcdh32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Bhdmahpn.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hiffbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Bhiiepcl.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cbhcankf.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Iedmhlqf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Pjndca32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Hahoodqi.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Nlpmjdce.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jmcbio32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Eggajb32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Jpdibapb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Ndnbeclb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kmnljc32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Feeldk32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Pqdend32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Adnegldo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Abejlj32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Enajgllm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Lkahbkgk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Gncblo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Iiekkdjo.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Ckilmfke.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Kiifjd32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Lhgeao32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Gigjch32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | Cfmjoe32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Hgmhcm32.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Nfeljlqh.exe
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad | Dnpgmp32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" | 148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe
Berbew family
Executes dropped EXE 64 IoCs
pid | Process
1516 | Mqgahh32.exe
2856 | Moloidjl.exe
2864 | Mookod32.exe
2936 | Mgjpcf32.exe
2924 | Njjieace.exe
2760 | Nmkbfmpf.exe
1676 | Nnknqpgi.exe
2112 | Njaoeq32.exe
1020 | Obamebfc.exe
3052 | Oebffm32.exe
2152 | Onkjocjd.exe
2248 | Pdjpmi32.exe
1804 | Pfjiod32.exe
1728 | Pfmeddag.exe
2088 | Pljnmkoo.exe
2052 | Pmijgn32.exe
1408 | Pipklo32.exe
1712 | Qeglqpaj.exe
696 | Qbkljd32.exe
388 | Ahgdbk32.exe
2524 | Adnegldo.exe
1736 | Anfjpa32.exe
2460 | Aadbfp32.exe
1964 | Acfonhgd.exe
1512 | Akmgoehg.exe
1392 | Achlch32.exe
2552 | Bfieec32.exe
2296 | Bocfch32.exe
2916 | Bdpnlo32.exe
2720 | Bfpkfb32.exe
2976 | Bnkpjd32.exe
2712 | Cjdmee32.exe
2536 | Cqneaodd.exe
2808 | Cqqbgoba.exe
2792 | Cfmjoe32.exe
3064 | Cqcomn32.exe
2200 | Dmllgo32.exe
2016 | Dghjmlnm.exe
1996 | Dgjfbllj.exe
1108 | Emilqb32.exe
592 | Ejmljg32.exe
368 | Eeijpdbd.exe
1776 | Eelfedpa.exe
2412 | Eodknifb.exe
2128 | Fhlogo32.exe
1816 | Fbbcdh32.exe
2436 | Fljhmmci.exe
1988 | Fagqed32.exe
1560 | Flmecm32.exe
2392 | Faimkd32.exe
1620 | Fgffck32.exe
1608 | Faljqcmk.exe
2868 | Fkdoii32.exe
2920 | Gpagbp32.exe
2876 | Gkfkoi32.exe
2824 | Gpccgppq.exe
2588 | Geplpfnh.exe
2800 | Gpfpmonn.exe
3036 | Gebiefle.exe
2064 | Gphmbolk.exe
2540 | Geeekf32.exe
1272 | Gkancm32.exe
2072 | Gheola32.exe
2212 | Hnbgdh32.exe
Loads dropped DLL 64 IoCs
pid | Process
1680 | 148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe
1680 | 148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe
1516 | Mqgahh32.exe
1516 | Mqgahh32.exe
2856 | Moloidjl.exe
2856 | Moloidjl.exe
2864 | Mookod32.exe
2864 | Mookod32.exe
2936 | Mgjpcf32.exe
2936 | Mgjpcf32.exe
2924 | Njjieace.exe
2924 | Njjieace.exe
2760 | Nmkbfmpf.exe
2760 | Nmkbfmpf.exe
1676 | Nnknqpgi.exe
1676 | Nnknqpgi.exe
2112 | Njaoeq32.exe
2112 | Njaoeq32.exe
1020 | Obamebfc.exe
1020 | Obamebfc.exe
3052 | Oebffm32.exe
3052 | Oebffm32.exe
2152 | Onkjocjd.exe
2152 | Onkjocjd.exe
2248 | Pdjpmi32.exe
2248 | Pdjpmi32.exe
1804 | Pfjiod32.exe
1804 | Pfjiod32.exe
1728 | Pfmeddag.exe
1728 | Pfmeddag.exe
2088 | Pljnmkoo.exe
2088 | Pljnmkoo.exe
2052 | Pmijgn32.exe
2052 | Pmijgn32.exe
1408 | Pipklo32.exe
1408 | Pipklo32.exe
1712 | Qeglqpaj.exe
1712 | Qeglqpaj.exe
696 | Qbkljd32.exe
696 | Qbkljd32.exe
388 | Ahgdbk32.exe
388 | Ahgdbk32.exe
2524 | Adnegldo.exe
2524 | Adnegldo.exe
1736 | Anfjpa32.exe
1736 | Anfjpa32.exe
2460 | Aadbfp32.exe
2460 | Aadbfp32.exe
1964 | Acfonhgd.exe
1964 | Acfonhgd.exe
1512 | Akmgoehg.exe
1512 | Akmgoehg.exe
1392 | Achlch32.exe
1392 | Achlch32.exe
2552 | Bfieec32.exe
2552 | Bfieec32.exe
2296 | Bocfch32.exe
2296 | Bocfch32.exe
2916 | Bdpnlo32.exe
2916 | Bdpnlo32.exe
2720 | Bfpkfb32.exe
2720 | Bfpkfb32.exe
2976 | Bnkpjd32.exe
2976 | Bnkpjd32.exe
Drops file in System32 directory 64 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\Ecahhhlc.dll | Kmeiei32.exe
File created | C:\Windows\SysWOW64\Ckdlgq32.exe | Cpogjh32.exe
File created | C:\Windows\SysWOW64\Dhaboi32.exe | Dcdjgbed.exe
File created | C:\Windows\SysWOW64\Fenedlec.exe | Epamlegl.exe
File opened for modification | C:\Windows\SysWOW64\Jqjdon32.exe | Ihopjl32.exe
File created | C:\Windows\SysWOW64\Mmlmmdga.exe | Mmjqhd32.exe
File created | C:\Windows\SysWOW64\Qnblkahe.dll | Aihmhe32.exe
File opened for modification | C:\Windows\SysWOW64\Enmplm32.exe | Ehphdf32.exe
File opened for modification | C:\Windows\SysWOW64\Gpccgppq.exe | Gkfkoi32.exe
File opened for modification | C:\Windows\SysWOW64\Geplpfnh.exe | Gpccgppq.exe
File created | C:\Windows\SysWOW64\Jfabkg32.dll | Mchmblji.exe
File created | C:\Windows\SysWOW64\Gbpegdik.exe | Fdkheh32.exe
File opened for modification | C:\Windows\SysWOW64\Bamdcf32.exe | Befcne32.exe
File opened for modification | C:\Windows\SysWOW64\Cialng32.exe | Cbhcankf.exe
File created | C:\Windows\SysWOW64\Meojkide.exe | Modano32.exe
File created | C:\Windows\SysWOW64\Fepnhp32.dll | Dfecim32.exe
File created | C:\Windows\SysWOW64\Fnifbaja.exe | Faefim32.exe
File opened for modification | C:\Windows\SysWOW64\Gonlld32.exe | Geehcoaf.exe
File opened for modification | C:\Windows\SysWOW64\Ogigpllh.exe | Ohdkop32.exe
File opened for modification | C:\Windows\SysWOW64\Djhnmj32.exe | Docjpa32.exe
File opened for modification | C:\Windows\SysWOW64\Enomam32.exe | Egedebgc.exe
File created | C:\Windows\SysWOW64\Laamkikl.dll | Ilneef32.exe
File created | C:\Windows\SysWOW64\Llcppm32.dll | Hnecjgch.exe
File created | C:\Windows\SysWOW64\Pafklb32.dll | Fpdqlkhe.exe
File created | C:\Windows\SysWOW64\Nogeln32.dll | Heoadcmh.exe
File created | C:\Windows\SysWOW64\Bfoffmhd.exe | Bdpjjaiq.exe
File created | C:\Windows\SysWOW64\Hdjnje32.exe | Gffmqq32.exe
File created | C:\Windows\SysWOW64\Jkpfcnoe.exe | Iganmp32.exe
File created | C:\Windows\SysWOW64\Koqddqkg.dll | Efihcpqk.exe
File opened for modification | C:\Windows\SysWOW64\Abgeiaaf.exe | Almmlg32.exe
File created | C:\Windows\SysWOW64\Lafgdfbm.exe | Lljolodf.exe
File created | C:\Windows\SysWOW64\Blhifemo.exe | Bbpdmp32.exe
File opened for modification | C:\Windows\SysWOW64\Ihhjjm32.exe | Ipmeej32.exe
File opened for modification | C:\Windows\SysWOW64\Kcbcah32.exe | Jjjohbgl.exe
File created | C:\Windows\SysWOW64\Kililk32.dll | Pidgnc32.exe
File created | C:\Windows\SysWOW64\Bdpjjaiq.exe | Bhiiepcl.exe
File opened for modification | C:\Windows\SysWOW64\Gkfkoi32.exe | Gpagbp32.exe
File created | C:\Windows\SysWOW64\Ogfagmck.exe | Nlpmjdce.exe
File created | C:\Windows\SysWOW64\Fdnpkd32.dll | Kicednho.exe
File created | C:\Windows\SysWOW64\Aamhdckg.exe | Qcigjolm.exe
File created | C:\Windows\SysWOW64\Ogkfcmie.dll | Pmijgn32.exe
File created | C:\Windows\SysWOW64\Bdpnlo32.exe | Bocfch32.exe
File created | C:\Windows\SysWOW64\Fmjgnb32.dll | Cldolj32.exe
File opened for modification | C:\Windows\SysWOW64\Kmkodd32.exe | Jadnoc32.exe
File created | C:\Windows\SysWOW64\Kcgdgnmc.exe | Kmnljc32.exe
File opened for modification | C:\Windows\SysWOW64\Dcdjgbed.exe | Cofaad32.exe
File created | C:\Windows\SysWOW64\Jjcigcmd.exe | Jqjdon32.exe
File created | C:\Windows\SysWOW64\Gnmold32.dll | Lbgmah32.exe
File created | C:\Windows\SysWOW64\Bpfjmg32.dll | Abejlj32.exe
File created | C:\Windows\SysWOW64\Dghjmlnm.exe | Dmllgo32.exe
File created | C:\Windows\SysWOW64\Fcfmdigd.dll | Nfcoel32.exe
File opened for modification | C:\Windows\SysWOW64\Pbdhbnnp.exe | Pildih32.exe
File created | C:\Windows\SysWOW64\Mbnleo32.dll | Hfmcapna.exe
File opened for modification | C:\Windows\SysWOW64\Cfmjoe32.exe | Cqqbgoba.exe
File created | C:\Windows\SysWOW64\Laidie32.exe | Lhqpqp32.exe
File created | C:\Windows\SysWOW64\Mpgdaqmh.exe | Mlikkbga.exe
File created | C:\Windows\SysWOW64\Jiacmfbb.dll | Ppcoqbao.exe
File created | C:\Windows\SysWOW64\Ddlloi32.exe | Dghlfe32.exe
File created | C:\Windows\SysWOW64\Kqqejc32.dll | Geehcoaf.exe
File created | C:\Windows\SysWOW64\Icdcpb32.dll | Ekjjebed.exe
File created | C:\Windows\SysWOW64\Bnkpjd32.exe | Bfpkfb32.exe
File created | C:\Windows\SysWOW64\Gechnn32.dll | Hnbgdh32.exe
File created | C:\Windows\SysWOW64\Klpdie32.dll | Knkbimbg.exe
File opened for modification | C:\Windows\SysWOW64\Ocbbbd32.exe | Onejjm32.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
4856 | 4820 | WerFault.exe | 470
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gdgoll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aamhdckg.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cpogjh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dlpdifda.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Joagkd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Moloidjl.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fbbcdh32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gkancm32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Abnbccia.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Igeggkoq.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qpjeaa32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cfmjoe32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Giakoc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Njjieace.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Geeekf32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Lhkiae32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmkodd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mibeofaf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Obdlcjkd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ckeekp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Chiedc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ilihij32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cqneaodd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fimedaoe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Icnealbb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ijmfiefj.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ldfgbb32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ejhhcdjm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncbilimn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Aadbfp32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ghlgdecf.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bnkpjd32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hdolga32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Jqjdon32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hoflpbmo.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ehgoaiml.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohajic32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Dmllgo32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Peakkj32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fpdqlkhe.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hohfmi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Mlikkbga.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Clehoiam.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmjhjndm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Djcbib32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Faefim32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gljfeimi.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efoobkej.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Hiffbl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ncpjnahm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Cjiiim32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bfoffmhd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Pmijgn32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Qeeadi32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Enajgllm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Ohdkop32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Alnoepam.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Fffabman.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kopldl32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Bhdmahpn.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Efaiobkc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kmnljc32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kacakgip.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Meojkide.exe
Modifies registry class 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjiefgfh.dll" | Pfjdmggb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgdlld32.dll" | Bnkpjd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffabjf32.dll" | Pbcooo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dmhocf32.dll" | Eeffpn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ihhjjm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmffif32.dll" | Bamdcf32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hgbanlfc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Abbknb32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kofnbk32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ainllp32.dll" | Dlpdifda.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nghehm32.dll" | Pipklo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Dghjmlnm.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pbcooo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Cldolj32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Efaiobkc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Obahknna.dll" | Abhnlqlf.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Jjjohbgl.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Pdjpmi32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qbkljd32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Amiioj32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ckboba32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Glhjpjok.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lblflgqk.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhfidc32.dll" | Lmlofhmb.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Efdohq32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Ifljcanj.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Iniebmfg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Cqneaodd.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fbbcdh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Lmlofhmb.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cnifhcei.dll" | Dcgmgh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hlgmkn32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Aipickfe.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nlkmeo32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Hgmhcm32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fifogcdl.dll" | Inopce32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qoggilne.dll" | Mamjchoa.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dnpgmp32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hnllcoed.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Klpdie32.dll" | Knkbimbg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kmeiei32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhidjd32.dll" | Ncellpog.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Qpjeaa32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebjgol32.dll" | Cioohh32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Naagdj32.dll" | Iniebmfg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Nfcoel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjoflc32.dll" | Pacbel32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kobamdkg.dll" | Aihjpman.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Abbknb32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Joaebkni.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kkpekjie.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Qnjbmh32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Fagqed32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jjdocail.dll" | Mdkmld32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Gdgoll32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Laidie32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Ipmeej32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Hiffbl32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ljcbii32.dll" | Hlebog32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Kpndlobg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Dghlfe32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Oqaliabh.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 | Chiedc32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" | Pifakj32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 1680 wrote to memory of 1516 1680 148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe 29
PID 1680 wrote to memory of 1516 1680 148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe 29
PID 1680 wrote to memory of 1516 1680 148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe 29
PID 1680 wrote to memory of 1516 1680 148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe 29
PID 1516 wrote to memory of 2856 1516 Mqgahh32.exe 30
PID 1516 wrote to memory of 2856 1516 Mqgahh32.exe 30
PID 1516 wrote to memory of 2856 1516 Mqgahh32.exe 30
PID 1516 wrote to memory of 2856 1516 Mqgahh32.exe 30
PID 2856 wrote to memory of 2864 2856 Moloidjl.exe 31
PID 2856 wrote to memory of 2864 2856 Moloidjl.exe 31
PID 2856 wrote to memory of 2864 2856 Moloidjl.exe 31
PID 2856 wrote to memory of 2864 2856 Moloidjl.exe 31
PID 2864 wrote to memory of 2936 2864 Mookod32.exe 32
PID 2864 wrote to memory of 2936 2864 Mookod32.exe 32
PID 2864 wrote to memory of 2936 2864 Mookod32.exe 32
PID 2864 wrote to memory of 2936 2864 Mookod32.exe 32
PID 2936 wrote to memory of 2924 2936 Mgjpcf32.exe 33
PID 2936 wrote to memory of 2924 2936 Mgjpcf32.exe 33
PID 2936 wrote to memory of 2924 2936 Mgjpcf32.exe 33
PID 2936 wrote to memory of 2924 2936 Mgjpcf32.exe 33
PID 2924 wrote to memory of 2760 2924 Njjieace.exe 34
PID 2924 wrote to memory of 2760 2924 Njjieace.exe 34
PID 2924 wrote to memory of 2760 2924 Njjieace.exe 34
PID 2924 wrote to memory of 2760 2924 Njjieace.exe 34
PID 2760 wrote to memory of 1676 2760 Nmkbfmpf.exe 35
PID 2760 wrote to memory of 1676 2760 Nmkbfmpf.exe 35
PID 2760 wrote to memory of 1676 2760 Nmkbfmpf.exe 35
PID 2760 wrote to memory of 1676 2760 Nmkbfmpf.exe 35
PID 1676 wrote to memory of 2112 1676 Nnknqpgi.exe 36
PID 1676 wrote to memory of 2112 1676 Nnknqpgi.exe 36
PID 1676 wrote to memory of 2112 1676 Nnknqpgi.exe 36
PID 1676 wrote to memory of 2112 1676 Nnknqpgi.exe 36
PID 2112 wrote to memory of 1020 2112 Njaoeq32.exe 37
PID 2112 wrote to memory of 1020 2112 Njaoeq32.exe 37
PID 2112 wrote to memory of 1020 2112 Njaoeq32.exe 37
PID 2112 wrote to memory of 1020 2112 Njaoeq32.exe 37
PID 1020 wrote to memory of 3052 1020 Obamebfc.exe 38
PID 1020 wrote to memory of 3052 1020 Obamebfc.exe 38
PID 1020 wrote to memory of 3052 1020 Obamebfc.exe 38
PID 1020 wrote to memory of 3052 1020 Obamebfc.exe 38
PID 3052 wrote to memory of 2152 3052 Oebffm32.exe 39
PID 3052 wrote to memory of 2152 3052 Oebffm32.exe 39
PID 3052 wrote to memory of 2152 3052 Oebffm32.exe 39
PID 3052 wrote to memory of 2152 3052 Oebffm32.exe 39
PID 2152 wrote to memory of 2248 2152 Onkjocjd.exe 40
PID 2152 wrote to memory of 2248 2152 Onkjocjd.exe 40
PID 2152 wrote to memory of 2248 2152 Onkjocjd.exe 40
PID 2152 wrote to memory of 2248 2152 Onkjocjd.exe 40
PID 2248 wrote to memory of 1804 2248 Pdjpmi32.exe 41
PID 2248 wrote to memory of 1804 2248 Pdjpmi32.exe 41
PID 2248 wrote to memory of 1804 2248 Pdjpmi32.exe 41
PID 2248 wrote to memory of 1804 2248 Pdjpmi32.exe 41
PID 1804 wrote to memory of 1728 1804 Pfjiod32.exe 42
PID 1804 wrote to memory of 1728 1804 Pfjiod32.exe 42
PID 1804 wrote to memory of 1728 1804 Pfjiod32.exe 42
PID 1804 wrote to memory of 1728 1804 Pfjiod32.exe 42
PID 1728 wrote to memory of 2088 1728 Pfmeddag.exe 43
PID 1728 wrote to memory of 2088 1728 Pfmeddag.exe 43
PID 1728 wrote to memory of 2088 1728 Pfmeddag.exe 43
PID 1728 wrote to memory of 2088 1728 Pfmeddag.exe 43
PID 2088 wrote to memory of 2052 2088 Pljnmkoo.exe 44
PID 2088 wrote to memory of 2052 2088 Pljnmkoo.exe 44
PID 2088 wrote to memory of 2052 2088 Pljnmkoo.exe 44
PID 2088 wrote to memory of 2052 2088 Pljnmkoo.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe"C:\Users\Admin\AppData\Local\Temp\148e1a669328bc3ef45e155a53d54d441000fc1243cc590bfa480a361c4edec1.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1680 -
C:\Windows\SysWOW64\Mqgahh32.exeC:\Windows\system32\Mqgahh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1516 -
C:\Windows\SysWOW64\Moloidjl.exeC:\Windows\system32\Moloidjl.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Mookod32.exeC:\Windows\system32\Mookod32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\Mgjpcf32.exeC:\Windows\system32\Mgjpcf32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2936 -
C:\Windows\SysWOW64\Njjieace.exeC:\Windows\system32\Njjieace.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Nmkbfmpf.exeC:\Windows\system32\Nmkbfmpf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Nnknqpgi.exeC:\Windows\system32\Nnknqpgi.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676 -
C:\Windows\SysWOW64\Njaoeq32.exeC:\Windows\system32\Njaoeq32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Obamebfc.exeC:\Windows\system32\Obamebfc.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\Oebffm32.exeC:\Windows\system32\Oebffm32.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\SysWOW64\Onkjocjd.exeC:\Windows\system32\Onkjocjd.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2152 -
C:\Windows\SysWOW64\Pdjpmi32.exeC:\Windows\system32\Pdjpmi32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\Pfjiod32.exeC:\Windows\system32\Pfjiod32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1804 -
C:\Windows\SysWOW64\Pfmeddag.exeC:\Windows\system32\Pfmeddag.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Pljnmkoo.exeC:\Windows\system32\Pljnmkoo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2088 -
C:\Windows\SysWOW64\Pmijgn32.exeC:\Windows\system32\Pmijgn32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2052 -
C:\Windows\SysWOW64\Pipklo32.exeC:\Windows\system32\Pipklo32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1408 -
C:\Windows\SysWOW64\Qeglqpaj.exeC:\Windows\system32\Qeglqpaj.exe19⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1712 -
C:\Windows\SysWOW64\Qbkljd32.exeC:\Windows\system32\Qbkljd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:696 -
C:\Windows\SysWOW64\Ahgdbk32.exeC:\Windows\system32\Ahgdbk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:388 -
C:\Windows\SysWOW64\Adnegldo.exeC:\Windows\system32\Adnegldo.exe22⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2524 -
C:\Windows\SysWOW64\Anfjpa32.exeC:\Windows\system32\Anfjpa32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1736 -
C:\Windows\SysWOW64\Aadbfp32.exeC:\Windows\system32\Aadbfp32.exe24⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\Acfonhgd.exeC:\Windows\system32\Acfonhgd.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1964 -
C:\Windows\SysWOW64\Akmgoehg.exeC:\Windows\system32\Akmgoehg.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1512 -
C:\Windows\SysWOW64\Achlch32.exeC:\Windows\system32\Achlch32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1392 -
C:\Windows\SysWOW64\Bfieec32.exeC:\Windows\system32\Bfieec32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2552 -
C:\Windows\SysWOW64\Bocfch32.exeC:\Windows\system32\Bocfch32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Bdpnlo32.exeC:\Windows\system32\Bdpnlo32.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Bfpkfb32.exeC:\Windows\system32\Bfpkfb32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2720 -
C:\Windows\SysWOW64\Bnkpjd32.exeC:\Windows\system32\Bnkpjd32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2976 -
C:\Windows\SysWOW64\Cjdmee32.exeC:\Windows\system32\Cjdmee32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2712 -
C:\Windows\SysWOW64\Cqneaodd.exeC:\Windows\system32\Cqneaodd.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2536 -
C:\Windows\SysWOW64\Cqqbgoba.exeC:\Windows\system32\Cqqbgoba.exe35⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Cfmjoe32.exeC:\Windows\system32\Cfmjoe32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2792 -
C:\Windows\SysWOW64\Cqcomn32.exeC:\Windows\system32\Cqcomn32.exe37⤵
- Executes dropped EXE
PID:3064 -
C:\Windows\SysWOW64\Dmllgo32.exeC:\Windows\system32\Dmllgo32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Dghjmlnm.exeC:\Windows\system32\Dghjmlnm.exe39⤵
- Executes dropped EXE
- Modifies registry class
PID:2016 -
C:\Windows\SysWOW64\Dgjfbllj.exeC:\Windows\system32\Dgjfbllj.exe40⤵
- Executes dropped EXE
PID:1996 -
C:\Windows\SysWOW64\Emilqb32.exeC:\Windows\system32\Emilqb32.exe41⤵
- Executes dropped EXE
PID:1108 -
C:\Windows\SysWOW64\Ejmljg32.exeC:\Windows\system32\Ejmljg32.exe42⤵
- Executes dropped EXE
PID:592 -
C:\Windows\SysWOW64\Eeijpdbd.exeC:\Windows\system32\Eeijpdbd.exe43⤵
- Executes dropped EXE
PID:368 -
C:\Windows\SysWOW64\Eelfedpa.exeC:\Windows\system32\Eelfedpa.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1776 -
C:\Windows\SysWOW64\Eodknifb.exeC:\Windows\system32\Eodknifb.exe45⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Fhlogo32.exeC:\Windows\system32\Fhlogo32.exe46⤵
- Executes dropped EXE
PID:2128 -
C:\Windows\SysWOW64\Fbbcdh32.exeC:\Windows\system32\Fbbcdh32.exe47⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1816 -
C:\Windows\SysWOW64\Fljhmmci.exeC:\Windows\system32\Fljhmmci.exe48⤵
- Executes dropped EXE
PID:2436 -
C:\Windows\SysWOW64\Fagqed32.exeC:\Windows\system32\Fagqed32.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:1988 -
C:\Windows\SysWOW64\Flmecm32.exeC:\Windows\system32\Flmecm32.exe50⤵
- Executes dropped EXE
PID:1560 -
C:\Windows\SysWOW64\Faimkd32.exeC:\Windows\system32\Faimkd32.exe51⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Fgffck32.exeC:\Windows\system32\Fgffck32.exe52⤵
- Executes dropped EXE
PID:1620 -
C:\Windows\SysWOW64\Faljqcmk.exeC:\Windows\system32\Faljqcmk.exe53⤵
- Executes dropped EXE
PID:1608 -
C:\Windows\SysWOW64\Fkdoii32.exeC:\Windows\system32\Fkdoii32.exe54⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\Gpagbp32.exeC:\Windows\system32\Gpagbp32.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2920 -
C:\Windows\SysWOW64\Gkfkoi32.exeC:\Windows\system32\Gkfkoi32.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2876 -
C:\Windows\SysWOW64\Gpccgppq.exeC:\Windows\system32\Gpccgppq.exe57⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2824 -
C:\Windows\SysWOW64\Geplpfnh.exeC:\Windows\system32\Geplpfnh.exe58⤵
- Executes dropped EXE
PID:2588 -
C:\Windows\SysWOW64\Gpfpmonn.exeC:\Windows\system32\Gpfpmonn.exe59⤵
- Executes dropped EXE
PID:2800 -
C:\Windows\SysWOW64\Gebiefle.exeC:\Windows\system32\Gebiefle.exe60⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Gphmbolk.exeC:\Windows\system32\Gphmbolk.exe61⤵
- Executes dropped EXE
PID:2064 -
C:\Windows\SysWOW64\Geeekf32.exeC:\Windows\system32\Geeekf32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2540 -
C:\Windows\SysWOW64\Gkancm32.exeC:\Windows\system32\Gkancm32.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1272 -
C:\Windows\SysWOW64\Gheola32.exeC:\Windows\system32\Gheola32.exe64⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Hnbgdh32.exeC:\Windows\system32\Hnbgdh32.exe65⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2212 -
C:\Windows\SysWOW64\Hhhkbqea.exeC:\Windows\system32\Hhhkbqea.exe66⤵PID:2168
-
C:\Windows\SysWOW64\Hnecjgch.exeC:\Windows\system32\Hnecjgch.exe67⤵
- Drops file in System32 directory
PID:456 -
C:\Windows\SysWOW64\Hdolga32.exeC:\Windows\system32\Hdolga32.exe68⤵
- System Location Discovery: System Language Discovery
PID:1640 -
C:\Windows\SysWOW64\Hgmhcm32.exeC:\Windows\system32\Hgmhcm32.exe69⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Hbblpf32.exeC:\Windows\system32\Hbblpf32.exe70⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1004 -
C:\Windows\SysWOW64\Hcdihn32.exeC:\Windows\system32\Hcdihn32.exe71⤵PID:884
-
C:\Windows\SysWOW64\Hqhiab32.exeC:\Windows\system32\Hqhiab32.exe72⤵PID:3008
-
C:\Windows\SysWOW64\Hgbanlfc.exeC:\Windows\system32\Hgbanlfc.exe73⤵
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Homfboco.exeC:\Windows\system32\Homfboco.exe74⤵PID:2948
-
C:\Windows\SysWOW64\Iiekkdjo.exeC:\Windows\system32\Iiekkdjo.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2736 -
C:\Windows\SysWOW64\Ifikehii.exeC:\Windows\system32\Ifikehii.exe76⤵PID:2724
-
C:\Windows\SysWOW64\Ikfdmogp.exeC:\Windows\system32\Ikfdmogp.exe77⤵PID:2768
-
C:\Windows\SysWOW64\Iijdfc32.exeC:\Windows\system32\Iijdfc32.exe78⤵PID:832
-
C:\Windows\SysWOW64\Ingmoj32.exeC:\Windows\system32\Ingmoj32.exe79⤵PID:1584
-
C:\Windows\SysWOW64\Igoagpja.exeC:\Windows\system32\Igoagpja.exe80⤵PID:1260
-
C:\Windows\SysWOW64\Iniidj32.exeC:\Windows\system32\Iniidj32.exe81⤵PID:2764
-
C:\Windows\SysWOW64\Iganmp32.exeC:\Windows\system32\Iganmp32.exe82⤵
- Drops file in System32 directory
PID:2488 -
C:\Windows\SysWOW64\Jkpfcnoe.exeC:\Windows\system32\Jkpfcnoe.exe83⤵PID:2672
-
C:\Windows\SysWOW64\Jehklc32.exeC:\Windows\system32\Jehklc32.exe84⤵PID:976
-
C:\Windows\SysWOW64\Jjdcdjcm.exeC:\Windows\system32\Jjdcdjcm.exe85⤵PID:2584
-
C:\Windows\SysWOW64\Jcmhmp32.exeC:\Windows\system32\Jcmhmp32.exe86⤵PID:2444
-
C:\Windows\SysWOW64\Jjgpjjak.exeC:\Windows\system32\Jjgpjjak.exe87⤵PID:2000
-
C:\Windows\SysWOW64\Jpdibapb.exeC:\Windows\system32\Jpdibapb.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1756 -
C:\Windows\SysWOW64\Jjimpj32.exeC:\Windows\system32\Jjimpj32.exe89⤵PID:524
-
C:\Windows\SysWOW64\Jcaahofh.exeC:\Windows\system32\Jcaahofh.exe90⤵PID:2388
-
C:\Windows\SysWOW64\Kiojqfdp.exeC:\Windows\system32\Kiojqfdp.exe91⤵PID:2912
-
C:\Windows\SysWOW64\Knkbimbg.exeC:\Windows\system32\Knkbimbg.exe92⤵
- Drops file in System32 directory
- Modifies registry class
PID:2740 -
C:\Windows\SysWOW64\Klocba32.exeC:\Windows\system32\Klocba32.exe93⤵PID:2880
-
C:\Windows\SysWOW64\Kehgkgha.exeC:\Windows\system32\Kehgkgha.exe94⤵PID:580
-
C:\Windows\SysWOW64\Kopldl32.exeC:\Windows\system32\Kopldl32.exe95⤵
- System Location Discovery: System Language Discovery
PID:2692 -
C:\Windows\SysWOW64\Kdmdlc32.exeC:\Windows\system32\Kdmdlc32.exe96⤵PID:1148
-
C:\Windows\SysWOW64\Kmeiei32.exeC:\Windows\system32\Kmeiei32.exe97⤵
- Drops file in System32 directory
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Kfnmnojj.exeC:\Windows\system32\Kfnmnojj.exe98⤵PID:2492
-
C:\Windows\SysWOW64\Kacakgip.exeC:\Windows\system32\Kacakgip.exe99⤵
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Lkkfdmpq.exeC:\Windows\system32\Lkkfdmpq.exe100⤵PID:2032
-
C:\Windows\SysWOW64\Lphnlcnh.exeC:\Windows\system32\Lphnlcnh.exe101⤵PID:1624
-
C:\Windows\SysWOW64\Lmlofhmb.exeC:\Windows\system32\Lmlofhmb.exe102⤵
- Modifies registry class
PID:332 -
C:\Windows\SysWOW64\Ldfgbb32.exeC:\Windows\system32\Ldfgbb32.exe103⤵
- System Location Discovery: System Language Discovery
PID:1752 -
C:\Windows\SysWOW64\Licpki32.exeC:\Windows\system32\Licpki32.exe104⤵PID:2448
-
C:\Windows\SysWOW64\Lophcpam.exeC:\Windows\system32\Lophcpam.exe105⤵PID:2820
-
C:\Windows\SysWOW64\Lejppj32.exeC:\Windows\system32\Lejppj32.exe106⤵PID:2148
-
C:\Windows\SysWOW64\Lpodmb32.exeC:\Windows\system32\Lpodmb32.exe107⤵PID:2832
-
C:\Windows\SysWOW64\Lelmei32.exeC:\Windows\system32\Lelmei32.exe108⤵PID:1688
-
C:\Windows\SysWOW64\Lhkiae32.exeC:\Windows\system32\Lhkiae32.exe109⤵
- System Location Discovery: System Language Discovery
PID:2952 -
C:\Windows\SysWOW64\Modano32.exeC:\Windows\system32\Modano32.exe110⤵
- Drops file in System32 directory
PID:2700 -
C:\Windows\SysWOW64\Meojkide.exeC:\Windows\system32\Meojkide.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Mdkmld32.exeC:\Windows\system32\Mdkmld32.exe112⤵
- Modifies registry class
PID:2244 -
C:\Windows\SysWOW64\Nflidmic.exeC:\Windows\system32\Nflidmic.exe113⤵PID:1124
-
C:\Windows\SysWOW64\Ncpjnahm.exeC:\Windows\system32\Ncpjnahm.exe114⤵
- System Location Discovery: System Language Discovery
PID:1464 -
C:\Windows\SysWOW64\Nmkklflj.exeC:\Windows\system32\Nmkklflj.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2292 -
C:\Windows\SysWOW64\Nfcoel32.exeC:\Windows\system32\Nfcoel32.exe116⤵
- Drops file in System32 directory
- Modifies registry class
PID:1656 -
C:\Windows\SysWOW64\Nokdnail.exeC:\Windows\system32\Nokdnail.exe117⤵PID:1600
-
C:\Windows\SysWOW64\Nfeljlqh.exeC:\Windows\system32\Nfeljlqh.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2468 -
C:\Windows\SysWOW64\Ngfhbd32.exeC:\Windows\system32\Ngfhbd32.exe119⤵PID:2780
-
C:\Windows\SysWOW64\Oqomkimg.exeC:\Windows\system32\Oqomkimg.exe120⤵PID:2396
-
C:\Windows\SysWOW64\Ogiegc32.exeC:\Windows\system32\Ogiegc32.exe121⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3040 -
C:\Windows\SysWOW64\Ojgado32.exeC:\Windows\system32\Ojgado32.exe122⤵PID:1612