Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
110s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05/10/2024, 04:00
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
7d4c3429ebf5d9d0214fd18fbe1cf6855c9cf59965cd04078c76221cc26e0815N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
7d4c3429ebf5d9d0214fd18fbe1cf6855c9cf59965cd04078c76221cc26e0815N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
7d4c3429ebf5d9d0214fd18fbe1cf6855c9cf59965cd04078c76221cc26e0815N.exe
-
Size
96KB
-
MD5
2b59fc38028f2b12bfb711ec770d6990
-
SHA1
647bfd4dfb9b0c2679cc5ab7b4dea3795310f95f
-
SHA256
7d4c3429ebf5d9d0214fd18fbe1cf6855c9cf59965cd04078c76221cc26e0815
-
SHA512
3603e5bcb5a89929714b14a4cddc8e71479ded32df2bc0de22d9b0d040e9ccad204efb4c2317313594bbe7b0863dacc3f9d41c11341ca76c04cb1821255887f5
-
SSDEEP
1536:1GZLdDKJk1EQzkD2EfkhGQtogDuVqS4WPduV9jojTIvjrH:0dDK/UkD2EfkozVMWPd69jc0vf
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nijdcdgn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qcigjolm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Abaaakob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Knkngp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opohil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhmonoli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Epcomc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fbqkqj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ieoiai32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eohedi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Edieng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fffabman.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pkdiehca.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Coidpiac.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nojljcjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nkqlodpk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cplfcj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjbljh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgghidfm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ljnebe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qmmbhegc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Djokgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dlbanfbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jficbn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oekaab32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Degage32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfgedkko.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jggiah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Majfcb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kkjeedio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mnbpgb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ffndghdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbbdemnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Onhkan32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hopibdfd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lejbhbpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncplfj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bimbbhgh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qkolil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Egbaelej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mbcofobg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lodbhp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hdonpjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ijeinphf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Icadpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qkolil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eloimcca.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfljpa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bamfloef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gijncn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgcbpemp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkbnjmhq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jdoblckh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fjmfpe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nelkme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejcaanfg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fjhjlm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gefjlg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjmnfk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qddmbkoi.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cefbfa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ejfnfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edkbdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lfmhla32.exe -
Executes dropped EXE 64 IoCs
pid Process 2332 Gijncn32.exe 2972 Gmhfjm32.exe 2372 Ghcdpjqj.exe 2876 Hopibdfd.exe 2900 Hdmajkdl.exe 2912 Hdonpjbi.exe 2660 Hpfoekhm.exe 2128 Hlmpjl32.exe 2956 Ilolol32.exe 1724 Ilaieljl.exe 1860 Ijeinphf.exe 2568 Idojon32.exe 1956 Iodolf32.exe 2068 Jknlfg32.exe 2236 Jciaki32.exe 1788 Jggiah32.exe 2280 Jmcbio32.exe 684 Jijbnppi.exe 1124 Jfnchd32.exe 1644 Kiolio32.exe 1812 Koidficq.exe 2412 Knnagehi.exe 3048 Kaojiqej.exe 864 Kgibeklf.exe 1368 Laccdp32.exe 1840 Lfpllg32.exe 2120 Ljnebe32.exe 2544 Lfeegfkf.exe 2804 Lejbhbpn.exe 2824 Mbqpgf32.exe 2872 Mlidplcf.exe 1324 Mgbeqjpd.exe 2604 Mahinb32.exe 2084 Majfcb32.exe 2116 Nppceo32.exe 2656 Nelkme32.exe 1648 Ncplfj32.exe 2684 Nijdcdgn.exe 2788 Nceeaikk.exe 1712 Ooiepnen.exe 2256 Ohajic32.exe 2320 Pcgnfl32.exe 2272 Pkeppngm.exe 2392 Pobhfl32.exe 1512 Pikmob32.exe 1968 Peandcih.exe 844 Qmmbhegc.exe 2980 Qedjib32.exe 2136 Qjacai32.exe 828 Qcigjolm.exe 2036 Aamhdckg.exe 2536 Apbeeppo.exe 2740 Abaaakob.exe 2816 Apeakonl.exe 2644 Afojgiei.exe 2612 Apgnpo32.exe 2192 Abejlj32.exe 1444 Aipbidbj.exe 1544 Bakgmgpe.exe 820 Boohgk32.exe 1372 Bdkpob32.exe 2228 Bmdehgcf.exe 460 Bhiiepcl.exe 2180 Bmfamg32.exe -
Loads dropped DLL 64 IoCs
pid Process 1480 7d4c3429ebf5d9d0214fd18fbe1cf6855c9cf59965cd04078c76221cc26e0815N.exe 1480 7d4c3429ebf5d9d0214fd18fbe1cf6855c9cf59965cd04078c76221cc26e0815N.exe 2332 Gijncn32.exe 2332 Gijncn32.exe 2972 Gmhfjm32.exe 2972 Gmhfjm32.exe 2372 Ghcdpjqj.exe 2372 Ghcdpjqj.exe 2876 Hopibdfd.exe 2876 Hopibdfd.exe 2900 Hdmajkdl.exe 2900 Hdmajkdl.exe 2912 Hdonpjbi.exe 2912 Hdonpjbi.exe 2660 Hpfoekhm.exe 2660 Hpfoekhm.exe 2128 Hlmpjl32.exe 2128 Hlmpjl32.exe 2956 Ilolol32.exe 2956 Ilolol32.exe 1724 Ilaieljl.exe 1724 Ilaieljl.exe 1860 Ijeinphf.exe 1860 Ijeinphf.exe 2568 Idojon32.exe 2568 Idojon32.exe 1956 Iodolf32.exe 1956 Iodolf32.exe 2068 Jknlfg32.exe 2068 Jknlfg32.exe 2236 Jciaki32.exe 2236 Jciaki32.exe 1788 Jggiah32.exe 1788 Jggiah32.exe 2280 Jmcbio32.exe 2280 Jmcbio32.exe 684 Jijbnppi.exe 684 Jijbnppi.exe 1124 Jfnchd32.exe 1124 Jfnchd32.exe 1644 Kiolio32.exe 1644 Kiolio32.exe 1812 Koidficq.exe 1812 Koidficq.exe 2412 Knnagehi.exe 2412 Knnagehi.exe 3048 Kaojiqej.exe 3048 Kaojiqej.exe 864 Kgibeklf.exe 864 Kgibeklf.exe 1368 Laccdp32.exe 1368 Laccdp32.exe 1840 Lfpllg32.exe 1840 Lfpllg32.exe 2120 Ljnebe32.exe 2120 Ljnebe32.exe 2544 Lfeegfkf.exe 2544 Lfeegfkf.exe 2804 Lejbhbpn.exe 2804 Lejbhbpn.exe 2824 Mbqpgf32.exe 2824 Mbqpgf32.exe 2872 Mlidplcf.exe 2872 Mlidplcf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Eljacalj.dll Jcnloa32.exe File opened for modification C:\Windows\SysWOW64\Henipenb.exe Hcmmhmhd.exe File created C:\Windows\SysWOW64\Eipgonjl.dll Igjckcbo.exe File created C:\Windows\SysWOW64\Oohoeg32.exe Odckho32.exe File opened for modification C:\Windows\SysWOW64\Fqmobelc.exe Fkpfjnnl.exe File created C:\Windows\SysWOW64\Ieoiai32.exe Ibqmen32.exe File created C:\Windows\SysWOW64\Afmokbop.exe Aiioanpf.exe File created C:\Windows\SysWOW64\Cefbfa32.exe Cceenilo.exe File opened for modification C:\Windows\SysWOW64\Elgmbnfn.exe Dpqlmm32.exe File opened for modification C:\Windows\SysWOW64\Cnhjbjam.exe Cnfnlk32.exe File created C:\Windows\SysWOW64\Ejfnfn32.exe Edieng32.exe File opened for modification C:\Windows\SysWOW64\Dphmiokb.exe Dechlfkl.exe File created C:\Windows\SysWOW64\Ighoanof.dll Jlcmhann.exe File created C:\Windows\SysWOW64\Nodikecl.exe Neldbo32.exe File created C:\Windows\SysWOW64\Kmecamae.dll Bpomdmqa.exe File created C:\Windows\SysWOW64\Jaklei32.exe Jhchlcjj.exe File created C:\Windows\SysWOW64\Eopbooqb.exe Ejcjfgbk.exe File created C:\Windows\SysWOW64\Ponbjgho.dll Fbqkqj32.exe File created C:\Windows\SysWOW64\Ffndghdj.exe Fkipiodd.exe File created C:\Windows\SysWOW64\Jggiah32.exe Jciaki32.exe File created C:\Windows\SysWOW64\Qedjib32.exe Qmmbhegc.exe File created C:\Windows\SysWOW64\Qcdgei32.exe Pmjohoej.exe File created C:\Windows\SysWOW64\Agbledno.dll Qddmbkoi.exe File created C:\Windows\SysWOW64\Fblmcdjb.dll Jijbnppi.exe File created C:\Windows\SysWOW64\Mbqpgf32.exe Lejbhbpn.exe File opened for modification C:\Windows\SysWOW64\Edkbdf32.exe Ejfnfn32.exe File created C:\Windows\SysWOW64\Padcqp32.exe Pgnpcg32.exe File opened for modification C:\Windows\SysWOW64\Abaaakob.exe Apbeeppo.exe File opened for modification C:\Windows\SysWOW64\Lfmhla32.exe Kiihcmoi.exe File opened for modification C:\Windows\SysWOW64\Linanl32.exe Lfpebq32.exe File opened for modification C:\Windows\SysWOW64\Pkdiehca.exe Pkalph32.exe File created C:\Windows\SysWOW64\Qjoheb32.exe Qhnlmjie.exe File created C:\Windows\SysWOW64\Jpneniod.dll Aiioanpf.exe File opened for modification C:\Windows\SysWOW64\Nipgab32.exe Noffadai.exe File created C:\Windows\SysWOW64\Ljljenoi.exe Lcbbidgl.exe File opened for modification C:\Windows\SysWOW64\Mlgjce32.exe Mncijanc.exe File opened for modification C:\Windows\SysWOW64\Okciddnh.exe Odiagj32.exe File created C:\Windows\SysWOW64\Chiedc32.exe Coqaknog.exe File created C:\Windows\SysWOW64\Fmkpchmp.exe Fpgpjdnf.exe File created C:\Windows\SysWOW64\Dacnln32.dll Hhqmogam.exe File created C:\Windows\SysWOW64\Jbfpcl32.exe Jinkkgeb.exe File opened for modification C:\Windows\SysWOW64\Hilbfc32.exe Hfmfjh32.exe File created C:\Windows\SysWOW64\Jaaope32.dll Ohajic32.exe File opened for modification C:\Windows\SysWOW64\Doipoldo.exe Ceqlff32.exe File created C:\Windows\SysWOW64\Fdmpmneg.dll Kboill32.exe File opened for modification C:\Windows\SysWOW64\Kboill32.exe Kgienc32.exe File created C:\Windows\SysWOW64\Folknlae.exe Ffdgef32.exe File created C:\Windows\SysWOW64\Dfjegl32.exe Dlbanfbo.exe File created C:\Windows\SysWOW64\Knkngp32.exe Kceijg32.exe File created C:\Windows\SysWOW64\Lgkbjb32.dll Fgbmdphe.exe File opened for modification C:\Windows\SysWOW64\Eohedi32.exe Eikmkbeg.exe File created C:\Windows\SysWOW64\Hjbljh32.exe Gaigab32.exe File opened for modification C:\Windows\SysWOW64\Lodbhp32.exe Kjgjpiob.exe File created C:\Windows\SysWOW64\Dajjck32.dll Coqaknog.exe File created C:\Windows\SysWOW64\Gnookifb.dll Kiihcmoi.exe File created C:\Windows\SysWOW64\Jkpkepnn.exe Jpkgggnh.exe File created C:\Windows\SysWOW64\Fjmphgbf.dll Majfcb32.exe File created C:\Windows\SysWOW64\Impdeg32.exe Idhplaoe.exe File opened for modification C:\Windows\SysWOW64\Akjhcimg.exe Afmokbop.exe File created C:\Windows\SysWOW64\Ediggoma.exe Eomoohoi.exe File created C:\Windows\SysWOW64\Bpomdmqa.exe Aejmha32.exe File created C:\Windows\SysWOW64\Bmkegaif.dll Dphmiokb.exe File created C:\Windows\SysWOW64\Nmapggfd.dll Kkpgdc32.exe File created C:\Windows\SysWOW64\Idcodh32.dll Bgbemjqh.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4784 2900 WerFault.exe 433 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljakkd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibqmen32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cplfcj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbqkqj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gijncn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afjplj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boohgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnmdmj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhegckpd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcgppana.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkalph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbnajcig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgcnihnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbhhlo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpccnp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlaqba32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mahinb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gncblo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlfahgpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afmokbop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlcmhann.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpldjajo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egedebgc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbcofobg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjocja32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eojbii32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgbemjqh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cceenilo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Enmplm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mnbpgb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nodikecl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eopbooqb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfljpa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idojon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opohil32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dlajdpoc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjiiemaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjdeaohb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkpchmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hikpnkme.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jchjqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anonqq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaigab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Janijh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfnkejeg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhfjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nchkjhdh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Epcomc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhbdce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nfgadbcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpomdmqa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bfifqg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nojljcjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iodolf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbegkn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddbbod32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkngp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ockhpgbf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pefmkpbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgibeklf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nijdcdgn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpcmojia.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkipiodd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idofmp32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dmimkc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bmdehgcf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhqmogam.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ighfecdb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojjaac32.dll" Hnpkkm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jlfahgpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paficbda.dll" Jlqniihl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cgibpj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nfgadbcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfaachpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jinkkgeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pikmob32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gnqolikm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ildhcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkehhlef.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lejbhbpn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ehgclbhf.dll" Gncblo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghqobdnq.dll" Ockhpgbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dpqlmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qmmbhegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gnfoao32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jpgaohej.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gjkeii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jdoblckh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbjjjlll.dll" Jfnchd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejcaanfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cdkfco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ponbjgho.dll" Fbqkqj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kcojfnhc.dll" Gecmghkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Enecegpg.dll" Ddbbod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Epflbbpp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfbfpnel.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fccncknc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocedieek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Majfcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pobhfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfneilmi.dll" Jkfkjemd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mpcmojia.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjialchg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jciaki32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fpgpjdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lfpjnb32.dll" Jficbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hjiiemaj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpdoagge.dll" Kgghidfm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aogqihcm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Clgpckcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khaipfcj.dll" Dlbanfbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Benbbcmf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jobompob.dll" Iklajp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Aqkmgl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cceenilo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gjiefgfh.dll" Pkeppngm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hdegpplg.dll" Bbegkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ghjjoeei.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gdpkdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ikinjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnpfop32.dll" Fndhed32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqodpj32.dll" Pobhfl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbclfmph.dll" Apeakonl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Cialng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbejabln.dll" Fmkpchmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lnhmqc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ebccal32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Beogneel.dll" Hioefjfb.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1480 wrote to memory of 2332 1480 7d4c3429ebf5d9d0214fd18fbe1cf6855c9cf59965cd04078c76221cc26e0815N.exe 29 PID 1480 wrote to memory of 2332 1480 7d4c3429ebf5d9d0214fd18fbe1cf6855c9cf59965cd04078c76221cc26e0815N.exe 29 PID 1480 wrote to memory of 2332 1480 7d4c3429ebf5d9d0214fd18fbe1cf6855c9cf59965cd04078c76221cc26e0815N.exe 29 PID 1480 wrote to memory of 2332 1480 7d4c3429ebf5d9d0214fd18fbe1cf6855c9cf59965cd04078c76221cc26e0815N.exe 29 PID 2332 wrote to memory of 2972 2332 Gijncn32.exe 30 PID 2332 wrote to memory of 2972 2332 Gijncn32.exe 30 PID 2332 wrote to memory of 2972 2332 Gijncn32.exe 30 PID 2332 wrote to memory of 2972 2332 Gijncn32.exe 30 PID 2972 wrote to memory of 2372 2972 Gmhfjm32.exe 31 PID 2972 wrote to memory of 2372 2972 Gmhfjm32.exe 31 PID 2972 wrote to memory of 2372 2972 Gmhfjm32.exe 31 PID 2972 wrote to memory of 2372 2972 Gmhfjm32.exe 31 PID 2372 wrote to memory of 2876 2372 Ghcdpjqj.exe 32 PID 2372 wrote to memory of 2876 2372 Ghcdpjqj.exe 32 PID 2372 wrote to memory of 2876 2372 Ghcdpjqj.exe 32 PID 2372 wrote to memory of 2876 2372 Ghcdpjqj.exe 32 PID 2876 wrote to memory of 2900 2876 Hopibdfd.exe 33 PID 2876 wrote to memory of 2900 2876 Hopibdfd.exe 33 PID 2876 wrote to memory of 2900 2876 Hopibdfd.exe 33 PID 2876 wrote to memory of 2900 2876 Hopibdfd.exe 33 PID 2900 wrote to memory of 2912 2900 Hdmajkdl.exe 34 PID 2900 wrote to memory of 2912 2900 Hdmajkdl.exe 34 PID 2900 wrote to memory of 2912 2900 Hdmajkdl.exe 34 PID 2900 wrote to memory of 2912 2900 Hdmajkdl.exe 34 PID 2912 wrote to memory of 2660 2912 Hdonpjbi.exe 35 PID 2912 wrote to memory of 2660 2912 Hdonpjbi.exe 35 PID 2912 wrote to memory of 2660 2912 Hdonpjbi.exe 35 PID 2912 wrote to memory of 2660 2912 Hdonpjbi.exe 35 PID 2660 wrote to memory of 2128 2660 Hpfoekhm.exe 36 PID 2660 wrote to memory of 2128 2660 Hpfoekhm.exe 36 PID 2660 wrote to memory of 2128 2660 Hpfoekhm.exe 36 PID 2660 wrote to memory of 2128 2660 Hpfoekhm.exe 36 PID 2128 wrote to memory of 2956 2128 Hlmpjl32.exe 37 PID 2128 wrote to memory of 2956 2128 Hlmpjl32.exe 37 PID 2128 wrote to memory of 2956 2128 Hlmpjl32.exe 37 PID 2128 wrote to memory of 2956 2128 Hlmpjl32.exe 37 PID 2956 wrote to memory of 1724 2956 Ilolol32.exe 38 PID 2956 wrote to memory of 1724 2956 Ilolol32.exe 38 PID 2956 wrote to memory of 1724 2956 Ilolol32.exe 38 PID 2956 wrote to memory of 1724 2956 Ilolol32.exe 38 PID 1724 wrote to memory of 1860 1724 Ilaieljl.exe 39 PID 1724 wrote to memory of 1860 1724 Ilaieljl.exe 39 PID 1724 wrote to memory of 1860 1724 Ilaieljl.exe 39 PID 1724 wrote to memory of 1860 1724 Ilaieljl.exe 39 PID 1860 wrote to memory of 2568 1860 Ijeinphf.exe 40 PID 1860 wrote to memory of 2568 1860 Ijeinphf.exe 40 PID 1860 wrote to memory of 2568 1860 Ijeinphf.exe 40 PID 1860 wrote to memory of 2568 1860 Ijeinphf.exe 40 PID 2568 wrote to memory of 1956 2568 Idojon32.exe 41 PID 2568 wrote to memory of 1956 2568 Idojon32.exe 41 PID 2568 wrote to memory of 1956 2568 Idojon32.exe 41 PID 2568 wrote to memory of 1956 2568 Idojon32.exe 41 PID 1956 wrote to memory of 2068 1956 Iodolf32.exe 42 PID 1956 wrote to memory of 2068 1956 Iodolf32.exe 42 PID 1956 wrote to memory of 2068 1956 Iodolf32.exe 42 PID 1956 wrote to memory of 2068 1956 Iodolf32.exe 42 PID 2068 wrote to memory of 2236 2068 Jknlfg32.exe 43 PID 2068 wrote to memory of 2236 2068 Jknlfg32.exe 43 PID 2068 wrote to memory of 2236 2068 Jknlfg32.exe 43 PID 2068 wrote to memory of 2236 2068 Jknlfg32.exe 43 PID 2236 wrote to memory of 1788 2236 Jciaki32.exe 44 PID 2236 wrote to memory of 1788 2236 Jciaki32.exe 44 PID 2236 wrote to memory of 1788 2236 Jciaki32.exe 44 PID 2236 wrote to memory of 1788 2236 Jciaki32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d4c3429ebf5d9d0214fd18fbe1cf6855c9cf59965cd04078c76221cc26e0815N.exe"C:\Users\Admin\AppData\Local\Temp\7d4c3429ebf5d9d0214fd18fbe1cf6855c9cf59965cd04078c76221cc26e0815N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1480 -
C:\Windows\SysWOW64\Gijncn32.exeC:\Windows\system32\Gijncn32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332 -
C:\Windows\SysWOW64\Gmhfjm32.exeC:\Windows\system32\Gmhfjm32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2972 -
C:\Windows\SysWOW64\Ghcdpjqj.exeC:\Windows\system32\Ghcdpjqj.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2372 -
C:\Windows\SysWOW64\Hopibdfd.exeC:\Windows\system32\Hopibdfd.exe5⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Windows\SysWOW64\Hdmajkdl.exeC:\Windows\system32\Hdmajkdl.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2900 -
C:\Windows\SysWOW64\Hdonpjbi.exeC:\Windows\system32\Hdonpjbi.exe7⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2912 -
C:\Windows\SysWOW64\Hpfoekhm.exeC:\Windows\system32\Hpfoekhm.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Windows\SysWOW64\Hlmpjl32.exeC:\Windows\system32\Hlmpjl32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2128 -
C:\Windows\SysWOW64\Ilolol32.exeC:\Windows\system32\Ilolol32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2956 -
C:\Windows\SysWOW64\Ilaieljl.exeC:\Windows\system32\Ilaieljl.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1724 -
C:\Windows\SysWOW64\Ijeinphf.exeC:\Windows\system32\Ijeinphf.exe12⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1860 -
C:\Windows\SysWOW64\Idojon32.exeC:\Windows\system32\Idojon32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Windows\SysWOW64\Iodolf32.exeC:\Windows\system32\Iodolf32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\Jknlfg32.exeC:\Windows\system32\Jknlfg32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Windows\SysWOW64\Jciaki32.exeC:\Windows\system32\Jciaki32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Windows\SysWOW64\Jggiah32.exeC:\Windows\system32\Jggiah32.exe17⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1788 -
C:\Windows\SysWOW64\Jmcbio32.exeC:\Windows\system32\Jmcbio32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2280 -
C:\Windows\SysWOW64\Jijbnppi.exeC:\Windows\system32\Jijbnppi.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:684 -
C:\Windows\SysWOW64\Jfnchd32.exeC:\Windows\system32\Jfnchd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1124 -
C:\Windows\SysWOW64\Kiolio32.exeC:\Windows\system32\Kiolio32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1644 -
C:\Windows\SysWOW64\Koidficq.exeC:\Windows\system32\Koidficq.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1812 -
C:\Windows\SysWOW64\Knnagehi.exeC:\Windows\system32\Knnagehi.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2412 -
C:\Windows\SysWOW64\Kaojiqej.exeC:\Windows\system32\Kaojiqej.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3048 -
C:\Windows\SysWOW64\Kgibeklf.exeC:\Windows\system32\Kgibeklf.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:864 -
C:\Windows\SysWOW64\Laccdp32.exeC:\Windows\system32\Laccdp32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1368 -
C:\Windows\SysWOW64\Lfpllg32.exeC:\Windows\system32\Lfpllg32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1840 -
C:\Windows\SysWOW64\Ljnebe32.exeC:\Windows\system32\Ljnebe32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2120 -
C:\Windows\SysWOW64\Lfeegfkf.exeC:\Windows\system32\Lfeegfkf.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2544 -
C:\Windows\SysWOW64\Lejbhbpn.exeC:\Windows\system32\Lejbhbpn.exe30⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:2804 -
C:\Windows\SysWOW64\Mbqpgf32.exeC:\Windows\system32\Mbqpgf32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2824 -
C:\Windows\SysWOW64\Mlidplcf.exeC:\Windows\system32\Mlidplcf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2872 -
C:\Windows\SysWOW64\Mgbeqjpd.exeC:\Windows\system32\Mgbeqjpd.exe33⤵
- Executes dropped EXE
PID:1324 -
C:\Windows\SysWOW64\Mahinb32.exeC:\Windows\system32\Mahinb32.exe34⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2604 -
C:\Windows\SysWOW64\Majfcb32.exeC:\Windows\system32\Majfcb32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2084 -
C:\Windows\SysWOW64\Nppceo32.exeC:\Windows\system32\Nppceo32.exe36⤵
- Executes dropped EXE
PID:2116 -
C:\Windows\SysWOW64\Nelkme32.exeC:\Windows\system32\Nelkme32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Ncplfj32.exeC:\Windows\system32\Ncplfj32.exe38⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1648 -
C:\Windows\SysWOW64\Nijdcdgn.exeC:\Windows\system32\Nijdcdgn.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2684 -
C:\Windows\SysWOW64\Nceeaikk.exeC:\Windows\system32\Nceeaikk.exe40⤵
- Executes dropped EXE
PID:2788 -
C:\Windows\SysWOW64\Ooiepnen.exeC:\Windows\system32\Ooiepnen.exe41⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Ohajic32.exeC:\Windows\system32\Ohajic32.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2256 -
C:\Windows\SysWOW64\Pcgnfl32.exeC:\Windows\system32\Pcgnfl32.exe43⤵
- Executes dropped EXE
PID:2320 -
C:\Windows\SysWOW64\Pkeppngm.exeC:\Windows\system32\Pkeppngm.exe44⤵
- Executes dropped EXE
- Modifies registry class
PID:2272 -
C:\Windows\SysWOW64\Pobhfl32.exeC:\Windows\system32\Pobhfl32.exe45⤵
- Executes dropped EXE
- Modifies registry class
PID:2392 -
C:\Windows\SysWOW64\Pikmob32.exeC:\Windows\system32\Pikmob32.exe46⤵
- Executes dropped EXE
- Modifies registry class
PID:1512 -
C:\Windows\SysWOW64\Peandcih.exeC:\Windows\system32\Peandcih.exe47⤵
- Executes dropped EXE
PID:1968 -
C:\Windows\SysWOW64\Qmmbhegc.exeC:\Windows\system32\Qmmbhegc.exe48⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:844 -
C:\Windows\SysWOW64\Qedjib32.exeC:\Windows\system32\Qedjib32.exe49⤵
- Executes dropped EXE
PID:2980 -
C:\Windows\SysWOW64\Qjacai32.exeC:\Windows\system32\Qjacai32.exe50⤵
- Executes dropped EXE
PID:2136 -
C:\Windows\SysWOW64\Qcigjolm.exeC:\Windows\system32\Qcigjolm.exe51⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:828 -
C:\Windows\SysWOW64\Aamhdckg.exeC:\Windows\system32\Aamhdckg.exe52⤵
- Executes dropped EXE
PID:2036 -
C:\Windows\SysWOW64\Afjplj32.exeC:\Windows\system32\Afjplj32.exe53⤵
- System Location Discovery: System Language Discovery
PID:344 -
C:\Windows\SysWOW64\Apbeeppo.exeC:\Windows\system32\Apbeeppo.exe54⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2536 -
C:\Windows\SysWOW64\Abaaakob.exeC:\Windows\system32\Abaaakob.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\Apeakonl.exeC:\Windows\system32\Apeakonl.exe56⤵
- Executes dropped EXE
- Modifies registry class
PID:2816 -
C:\Windows\SysWOW64\Afojgiei.exeC:\Windows\system32\Afojgiei.exe57⤵
- Executes dropped EXE
PID:2644 -
C:\Windows\SysWOW64\Apgnpo32.exeC:\Windows\system32\Apgnpo32.exe58⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Abejlj32.exeC:\Windows\system32\Abejlj32.exe59⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Aipbidbj.exeC:\Windows\system32\Aipbidbj.exe60⤵
- Executes dropped EXE
PID:1444 -
C:\Windows\SysWOW64\Bakgmgpe.exeC:\Windows\system32\Bakgmgpe.exe61⤵
- Executes dropped EXE
PID:1544 -
C:\Windows\SysWOW64\Boohgk32.exeC:\Windows\system32\Boohgk32.exe62⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:820 -
C:\Windows\SysWOW64\Bdkpob32.exeC:\Windows\system32\Bdkpob32.exe63⤵
- Executes dropped EXE
PID:1372 -
C:\Windows\SysWOW64\Bmdehgcf.exeC:\Windows\system32\Bmdehgcf.exe64⤵
- Executes dropped EXE
- Modifies registry class
PID:2228 -
C:\Windows\SysWOW64\Bhiiepcl.exeC:\Windows\system32\Bhiiepcl.exe65⤵
- Executes dropped EXE
PID:460 -
C:\Windows\SysWOW64\Bmfamg32.exeC:\Windows\system32\Bmfamg32.exe66⤵
- Executes dropped EXE
PID:2180 -
C:\Windows\SysWOW64\Bbcjfn32.exeC:\Windows\system32\Bbcjfn32.exe67⤵PID:1360
-
C:\Windows\SysWOW64\Bimbbhgh.exeC:\Windows\system32\Bimbbhgh.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1984 -
C:\Windows\SysWOW64\Bbegkn32.exeC:\Windows\system32\Bbegkn32.exe69⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2096 -
C:\Windows\SysWOW64\Cmkkhfmn.exeC:\Windows\system32\Cmkkhfmn.exe70⤵PID:2448
-
C:\Windows\SysWOW64\Colgpo32.exeC:\Windows\system32\Colgpo32.exe71⤵PID:2540
-
C:\Windows\SysWOW64\Cialng32.exeC:\Windows\system32\Cialng32.exe72⤵
- Modifies registry class
PID:2008 -
C:\Windows\SysWOW64\Cpldjajo.exeC:\Windows\system32\Cpldjajo.exe73⤵
- System Location Discovery: System Language Discovery
PID:2688 -
C:\Windows\SysWOW64\Cidhcg32.exeC:\Windows\system32\Cidhcg32.exe74⤵PID:2892
-
C:\Windows\SysWOW64\Coqaknog.exeC:\Windows\system32\Coqaknog.exe75⤵
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Chiedc32.exeC:\Windows\system32\Chiedc32.exe76⤵PID:2648
-
C:\Windows\SysWOW64\Cnfnlk32.exeC:\Windows\system32\Cnfnlk32.exe77⤵
- Drops file in System32 directory
PID:2924 -
C:\Windows\SysWOW64\Cnhjbjam.exeC:\Windows\system32\Cnhjbjam.exe78⤵PID:2220
-
C:\Windows\SysWOW64\Ddbbod32.exeC:\Windows\system32\Ddbbod32.exe79⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1564 -
C:\Windows\SysWOW64\Djokgk32.exeC:\Windows\system32\Djokgk32.exe80⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1744 -
C:\Windows\SysWOW64\Dcgppana.exeC:\Windows\system32\Dcgppana.exe81⤵
- System Location Discovery: System Language Discovery
PID:2108 -
C:\Windows\SysWOW64\Dnmdmj32.exeC:\Windows\system32\Dnmdmj32.exe82⤵
- System Location Discovery: System Language Discovery
PID:2420 -
C:\Windows\SysWOW64\Dgehfodh.exeC:\Windows\system32\Dgehfodh.exe83⤵PID:2156
-
C:\Windows\SysWOW64\Dlbanfbo.exeC:\Windows\system32\Dlbanfbo.exe84⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1040 -
C:\Windows\SysWOW64\Dfjegl32.exeC:\Windows\system32\Dfjegl32.exe85⤵PID:328
-
C:\Windows\SysWOW64\Dbaflm32.exeC:\Windows\system32\Dbaflm32.exe86⤵PID:1320
-
C:\Windows\SysWOW64\Dhknigfq.exeC:\Windows\system32\Dhknigfq.exe87⤵PID:2232
-
C:\Windows\SysWOW64\Ebccal32.exeC:\Windows\system32\Ebccal32.exe88⤵
- Modifies registry class
PID:2140 -
C:\Windows\SysWOW64\Efoobkej.exeC:\Windows\system32\Efoobkej.exe89⤵PID:2528
-
C:\Windows\SysWOW64\Eklgjbca.exeC:\Windows\system32\Eklgjbca.exe90⤵PID:2724
-
C:\Windows\SysWOW64\Efakhk32.exeC:\Windows\system32\Efakhk32.exe91⤵PID:2248
-
C:\Windows\SysWOW64\Ekndpa32.exeC:\Windows\system32\Ekndpa32.exe92⤵PID:2620
-
C:\Windows\SysWOW64\Enmplm32.exeC:\Windows\system32\Enmplm32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2696 -
C:\Windows\SysWOW64\Egedebgc.exeC:\Windows\system32\Egedebgc.exe94⤵
- System Location Discovery: System Language Discovery
PID:1720 -
C:\Windows\SysWOW64\Ejcaanfg.exeC:\Windows\system32\Ejcaanfg.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:612 -
C:\Windows\SysWOW64\Edieng32.exeC:\Windows\system32\Edieng32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1488 -
C:\Windows\SysWOW64\Ejfnfn32.exeC:\Windows\system32\Ejfnfn32.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:1980 -
C:\Windows\SysWOW64\Edkbdf32.exeC:\Windows\system32\Edkbdf32.exe98⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1932 -
C:\Windows\SysWOW64\Fjhjlm32.exeC:\Windows\system32\Fjhjlm32.exe99⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:956 -
C:\Windows\SysWOW64\Fcqoec32.exeC:\Windows\system32\Fcqoec32.exe100⤵PID:1908
-
C:\Windows\SysWOW64\Fjkgampo.exeC:\Windows\system32\Fjkgampo.exe101⤵PID:1616
-
C:\Windows\SysWOW64\Fpgpjdnf.exeC:\Windows\system32\Fpgpjdnf.exe102⤵
- Drops file in System32 directory
- Modifies registry class
PID:2464 -
C:\Windows\SysWOW64\Fmkpchmp.exeC:\Windows\system32\Fmkpchmp.exe103⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1460 -
C:\Windows\SysWOW64\Fbhhlo32.exeC:\Windows\system32\Fbhhlo32.exe104⤵
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\Fibqhibd.exeC:\Windows\system32\Fibqhibd.exe105⤵PID:3044
-
C:\Windows\SysWOW64\Fffabman.exeC:\Windows\system32\Fffabman.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2184 -
C:\Windows\SysWOW64\Fidmniqa.exeC:\Windows\system32\Fidmniqa.exe107⤵PID:2944
-
C:\Windows\SysWOW64\Gnaffpoi.exeC:\Windows\system32\Gnaffpoi.exe108⤵PID:2940
-
C:\Windows\SysWOW64\Ghjjoeei.exeC:\Windows\system32\Ghjjoeei.exe109⤵
- Modifies registry class
PID:1768 -
C:\Windows\SysWOW64\Gncblo32.exeC:\Windows\system32\Gncblo32.exe110⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Gdpkdf32.exeC:\Windows\system32\Gdpkdf32.exe111⤵
- Modifies registry class
PID:764 -
C:\Windows\SysWOW64\Gnfoao32.exeC:\Windows\system32\Gnfoao32.exe112⤵
- Modifies registry class
PID:1808 -
C:\Windows\SysWOW64\Gepgni32.exeC:\Windows\system32\Gepgni32.exe113⤵PID:916
-
C:\Windows\SysWOW64\Gjmpfp32.exeC:\Windows\system32\Gjmpfp32.exe114⤵PID:2564
-
C:\Windows\SysWOW64\Gmklbk32.exeC:\Windows\system32\Gmklbk32.exe115⤵PID:1600
-
C:\Windows\SysWOW64\Hikpnkme.exeC:\Windows\system32\Hikpnkme.exe116⤵
- System Location Discovery: System Language Discovery
PID:900 -
C:\Windows\SysWOW64\Hebqbl32.exeC:\Windows\system32\Hebqbl32.exe117⤵PID:2840
-
C:\Windows\SysWOW64\Hhqmogam.exeC:\Windows\system32\Hhqmogam.exe118⤵
- Drops file in System32 directory
- Modifies registry class
PID:964 -
C:\Windows\SysWOW64\Ighfecdb.exeC:\Windows\system32\Ighfecdb.exe119⤵
- Modifies registry class
PID:2196 -
C:\Windows\SysWOW64\Ippkni32.exeC:\Windows\system32\Ippkni32.exe120⤵PID:2836
-
C:\Windows\SysWOW64\Igjckcbo.exeC:\Windows\system32\Igjckcbo.exe121⤵
- Drops file in System32 directory
PID:2928
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-