Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
06/10/2024, 09:16
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
21a6a30d034ea3bdeb37a2c86f3301086b3de7ea8650d2dccb5d6fc35491cfb2N.exe
Resource
win7-20240903-en
windows7-x64
9 signatures
120 seconds
Behavioral task
behavioral2
Sample
21a6a30d034ea3bdeb37a2c86f3301086b3de7ea8650d2dccb5d6fc35491cfb2N.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
8 signatures
120 seconds
General
-
Target
21a6a30d034ea3bdeb37a2c86f3301086b3de7ea8650d2dccb5d6fc35491cfb2N.exe
-
Size
384KB
-
MD5
c6e86ae15b1e3b5ab8a2ad378a308a40
-
SHA1
9c15c0df0c4da014251edffb82b7dbdf1e1f63ca
-
SHA256
21a6a30d034ea3bdeb37a2c86f3301086b3de7ea8650d2dccb5d6fc35491cfb2
-
SHA512
6fffdc485de2bc3b6c1d6d92884ca2b4a50276c308898a57715ab3fe369509b2fd0e4cb4672d3565e626fe36f3cb08c8beeed62b807cbfafb6d599700c59de54
-
SSDEEP
6144:M7Crqta8SeNpgdyuH1lZfRo0V8JcgE+ezpg12:M+987g7/VycgE82
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://viruslist.com/wcmd.txt
http://viruslist.com/ppslog.php
http://viruslist.com/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dejbqb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nmflee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dihmpinj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfodfh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeohkeoe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cocphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ikfbbjdj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbpfnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dogpdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Iefcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jjfkmdlg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khnapkjg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fqalaa32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjacjifm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ibcnojnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dnpciaef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kfibhjlj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Agbpnh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgqocoin.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pdjjag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgpdglhn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ajhddk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Eoebgcol.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Obgnhkkh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ppmgfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ccpeld32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dpklkgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dkqnoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fhgppnan.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Jpbcek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Iefcfe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aacmij32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igqhpj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gckdgjeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ifdlng32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fcphnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Fliook32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Lgngbmjp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Epeoaffo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jialfgcc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qlgkki32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Aoojnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dgbeiiqe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jmhnkfpa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ojmpooah.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Emgioakg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nnjicjbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Kpdjaecc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbcbjlmb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Nfdddm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Apedah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Igceej32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpmjhk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ilnomp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Obmnna32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Ifgpnmom.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Qobdgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Hiioin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kpgionie.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gncldi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Cbffoabe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npbklabl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79ECA078-17FF-726B-E811-213280E5C831}" Dahifbpk.exe -
Executes dropped EXE 64 IoCs
pid Process 1732 Njbdea32.exe 2924 Ndkhngdd.exe 2732 Ndmecgba.exe 3060 Nmejllia.exe 2788 Nfnneb32.exe 2764 Ooicid32.exe 2700 Oeckfndj.exe 684 Oajlkojn.exe 1028 Olophhjd.exe 1544 Oehdan32.exe 2120 Oopijc32.exe 1760 Opaebkmc.exe 3028 Ohhmcinf.exe 2504 Ppfomk32.exe 2112 Pgpgjepk.exe 1000 Peedka32.exe 844 Phcpgm32.exe 1916 Pegqpacp.exe 2224 Phfmllbd.exe 2612 Panaeb32.exe 3052 Pdmnam32.exe 1912 Qobbofgn.exe 2268 Qnebjc32.exe 1584 Qhjfgl32.exe 2256 Qgmfchei.exe 780 Qackpado.exe 2736 Qdaglmcb.exe 2780 Ajnpecbj.exe 2744 Abegfa32.exe 1888 Agbpnh32.exe 2680 Anlhkbhq.exe 1684 Afgmodel.exe 2728 Ajcipc32.exe 1204 Amaelomh.exe 2944 Ackmih32.exe 2716 Aqonbm32.exe 1348 Acnjnh32.exe 2668 Abpjjeim.exe 2152 Akiobk32.exe 1712 Beackp32.exe 272 Bkklhjnk.exe 1408 Bofgii32.exe 2176 Bbeded32.exe 2236 Becpap32.exe 1908 Biolanld.exe 2520 Bkmhnjlh.exe 2548 Bbgqjdce.exe 1724 Biaign32.exe 2772 Bgdibkam.exe 2752 Bbjmpcab.exe 2636 Bammlq32.exe 2908 Bgffhkoj.exe 2692 Bmcnqama.exe 1488 Baojapfj.exe 236 Bcmfmlen.exe 1616 Cjgoje32.exe 1512 Cmfkfa32.exe 3036 Cpdgbm32.exe 2100 Ccpcckck.exe 1940 Cgkocj32.exe 1308 Cjjkpe32.exe 604 Cmhglq32.exe 1928 Cacclpae.exe 884 Cfpldf32.exe -
Loads dropped DLL 64 IoCs
pid Process 2428 21a6a30d034ea3bdeb37a2c86f3301086b3de7ea8650d2dccb5d6fc35491cfb2N.exe 2428 21a6a30d034ea3bdeb37a2c86f3301086b3de7ea8650d2dccb5d6fc35491cfb2N.exe 1732 Njbdea32.exe 1732 Njbdea32.exe 2924 Ndkhngdd.exe 2924 Ndkhngdd.exe 2732 Ndmecgba.exe 2732 Ndmecgba.exe 3060 Nmejllia.exe 3060 Nmejllia.exe 2788 Nfnneb32.exe 2788 Nfnneb32.exe 2764 Ooicid32.exe 2764 Ooicid32.exe 2700 Oeckfndj.exe 2700 Oeckfndj.exe 684 Oajlkojn.exe 684 Oajlkojn.exe 1028 Olophhjd.exe 1028 Olophhjd.exe 1544 Oehdan32.exe 1544 Oehdan32.exe 2120 Oopijc32.exe 2120 Oopijc32.exe 1760 Opaebkmc.exe 1760 Opaebkmc.exe 3028 Ohhmcinf.exe 3028 Ohhmcinf.exe 2504 Ppfomk32.exe 2504 Ppfomk32.exe 2112 Pgpgjepk.exe 2112 Pgpgjepk.exe 1000 Peedka32.exe 1000 Peedka32.exe 844 Phcpgm32.exe 844 Phcpgm32.exe 1916 Pegqpacp.exe 1916 Pegqpacp.exe 2224 Phfmllbd.exe 2224 Phfmllbd.exe 2612 Panaeb32.exe 2612 Panaeb32.exe 3052 Pdmnam32.exe 3052 Pdmnam32.exe 1912 Qobbofgn.exe 1912 Qobbofgn.exe 2268 Qnebjc32.exe 2268 Qnebjc32.exe 1584 Qhjfgl32.exe 1584 Qhjfgl32.exe 2256 Qgmfchei.exe 2256 Qgmfchei.exe 780 Qackpado.exe 780 Qackpado.exe 2736 Qdaglmcb.exe 2736 Qdaglmcb.exe 2780 Ajnpecbj.exe 2780 Ajnpecbj.exe 2744 Abegfa32.exe 2744 Abegfa32.exe 1888 Agbpnh32.exe 1888 Agbpnh32.exe 2680 Anlhkbhq.exe 2680 Anlhkbhq.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Njbdea32.exe 21a6a30d034ea3bdeb37a2c86f3301086b3de7ea8650d2dccb5d6fc35491cfb2N.exe File created C:\Windows\SysWOW64\Oljomn32.dll Golbnm32.exe File created C:\Windows\SysWOW64\Lngkoe32.dll Gepafc32.exe File created C:\Windows\SysWOW64\Kpgffe32.exe Knhjjj32.exe File opened for modification C:\Windows\SysWOW64\Ohiffh32.exe Oekjjl32.exe File created C:\Windows\SysWOW64\Ihaiqn32.dll Oococb32.exe File created C:\Windows\SysWOW64\Eadbpdla.dll Cbgobp32.exe File created C:\Windows\SysWOW64\Mcbniafn.dll Lifcib32.exe File created C:\Windows\SysWOW64\Bofgii32.exe Bkklhjnk.exe File opened for modification C:\Windows\SysWOW64\Jfofol32.exe Jdpjba32.exe File created C:\Windows\SysWOW64\Mclebc32.exe Mqnifg32.exe File opened for modification C:\Windows\SysWOW64\Mgjnhaco.exe Mcnbhb32.exe File created C:\Windows\SysWOW64\Odldga32.dll Nbmaon32.exe File created C:\Windows\SysWOW64\Cgaaah32.exe Cagienkb.exe File created C:\Windows\SysWOW64\Gonnhc32.dll Mdogedmh.exe File created C:\Windows\SysWOW64\Ijmkqhaf.dll Aqonbm32.exe File created C:\Windows\SysWOW64\Kgnbnpkp.exe Kpdjaecc.exe File opened for modification C:\Windows\SysWOW64\Pkaehb32.exe Phcilf32.exe File created C:\Windows\SysWOW64\Elnpioai.dll Dilapopb.exe File created C:\Windows\SysWOW64\Jgodnk32.dll Hkmollme.exe File created C:\Windows\SysWOW64\Kndkfpje.dll Igqhpj32.exe File created C:\Windows\SysWOW64\Anlhkbhq.exe Agbpnh32.exe File opened for modification C:\Windows\SysWOW64\Hfcjdkpg.exe Hebnlb32.exe File opened for modification C:\Windows\SysWOW64\Ldpbpgoh.exe Lfmbek32.exe File created C:\Windows\SysWOW64\Lqapifjb.dll Fijbco32.exe File created C:\Windows\SysWOW64\Folfoj32.exe Fgdnnl32.exe File created C:\Windows\SysWOW64\Cfnmapnj.dll Mjkgjl32.exe File created C:\Windows\SysWOW64\Ecfnmh32.exe Edcnakpa.exe File created C:\Windows\SysWOW64\Iedfqeka.exe Iahkpg32.exe File created C:\Windows\SysWOW64\Ingkdeak.exe Igmbgk32.exe File created C:\Windows\SysWOW64\Kpojkp32.exe Kalipcmb.exe File created C:\Windows\SysWOW64\Bddbjhlp.exe Baefnmml.exe File opened for modification C:\Windows\SysWOW64\Ckbpqe32.exe Cmppehkh.exe File created C:\Windows\SysWOW64\Hjohmbpd.exe Hcepqh32.exe File opened for modification C:\Windows\SysWOW64\Bgffhkoj.exe Bammlq32.exe File created C:\Windows\SysWOW64\Gfblih32.dll Ooabmbbe.exe File opened for modification C:\Windows\SysWOW64\Bbbpenco.exe Bkhhhd32.exe File created C:\Windows\SysWOW64\Dghccddl.dll Kalipcmb.exe File created C:\Windows\SysWOW64\Cmpppdfa.dll Kajiigba.exe File created C:\Windows\SysWOW64\Eogffk32.dll Hfhfhbce.exe File opened for modification C:\Windows\SysWOW64\Jcnoejch.exe Jpbcek32.exe File opened for modification C:\Windows\SysWOW64\Kpdjaecc.exe Kaajei32.exe File opened for modification C:\Windows\SysWOW64\Mbcoio32.exe Mpebmc32.exe File created C:\Windows\SysWOW64\Ngealejo.exe Nfdddm32.exe File created C:\Windows\SysWOW64\Nenkqi32.exe Nabopjmj.exe File created C:\Windows\SysWOW64\Hfiocpon.dll Omioekbo.exe File opened for modification C:\Windows\SysWOW64\Eppefg32.exe Emaijk32.exe File created C:\Windows\SysWOW64\Ndmecgba.exe Ndkhngdd.exe File opened for modification C:\Windows\SysWOW64\Gonocmbi.exe Ghdgfbkl.exe File created C:\Windows\SysWOW64\Gdkjdl32.exe Gamnhq32.exe File opened for modification C:\Windows\SysWOW64\Gglbfg32.exe Gdnfjl32.exe File created C:\Windows\SysWOW64\Kmfpmc32.exe Kjhcag32.exe File created C:\Windows\SysWOW64\Kjpndcho.dll Kmfpmc32.exe File created C:\Windows\SysWOW64\Biaign32.exe Bbgqjdce.exe File created C:\Windows\SysWOW64\Ghdgfbkl.exe Gbjojh32.exe File opened for modification C:\Windows\SysWOW64\Pgcmbcih.exe Pebpkk32.exe File created C:\Windows\SysWOW64\Cfmhdpnc.exe Cnfqccna.exe File created C:\Windows\SysWOW64\Kaqnpc32.dll Cagienkb.exe File created C:\Windows\SysWOW64\Jhndmp32.dll Ichmgl32.exe File opened for modification C:\Windows\SysWOW64\Dbabho32.exe Dnefhpma.exe File created C:\Windows\SysWOW64\Efdmgc32.dll Gefmcp32.exe File created C:\Windows\SysWOW64\Fjfikeqd.dll Fqalaa32.exe File created C:\Windows\SysWOW64\Ccmpce32.exe Coacbfii.exe File opened for modification C:\Windows\SysWOW64\Dbiocd32.exe Dlofgj32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 8312 9012 WerFault.exe 956 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccpcckck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ompefj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qiioon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkdnhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkeecogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbbccgmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbbobkol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nqokpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbgqjdce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nbmaon32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ehlmljkm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmbndmkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fnflke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpbmqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fglfgd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdkjdl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hpnkbpdd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlkngc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pmjaohol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbefcm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlkfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhhhbg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Keeeje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adipfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdnfjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ajpepm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igoomk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpojkp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmaeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfckcoen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kmimcbja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfaalh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Clmdmm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdlggg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qemldifo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieibdnnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fmkilb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obhdcanc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Emdmjamj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kablnadm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmmfnb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jdflqo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohbikbkb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbpqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Omioekbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkahgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iieepbje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmdeioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohiffh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icdcllpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kddomchg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ggagmjbq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdecea32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eemnnn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lcadghnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Abpcooea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hdbpekam.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cpkmcldj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmhdkdlg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eddeladm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jolghndm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neiaeiii.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nbngca32.dll" Pegqpacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Epmfgo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iidgma32.dll" Hfegij32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Mgjnhaco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Obhdcanc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lonibk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lgkkmm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Deimbclh.dll" Ndcapd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qjqkek32.dll" Acicla32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Koflgf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Oflpgnld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lemdncoa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oljomn32.dll" Golbnm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ibcnojnp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Pofkha32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ahgofi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pikijafg.dll" Mobomnoq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Dhbdleol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Iogpag32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eihgfd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fnflke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Anbkipok.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oabhggjd.dll" Bdcifi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Edcnakpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egjfigdn.dll" Fnflke32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Iahkpg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Jmfafgbd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hohkmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhgcm32.dll" Ieomef32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Neiaeiii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nekkhdgo.dll" Nqjaeeog.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apjlggne.dll" Nihcog32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Boifga32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Kmkihbho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apldjp32.dll" Gblkoham.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hmalldcn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Nlcibc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Lcadghnk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eggndi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Flhmfbim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adpiba32.dll" Fepjea32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fgnadkic.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Gdmdacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Hemqpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlemad32.dll" Mclebc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Nbjeinje.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Dpcmgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Eopphehb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Cqfbjhgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jbdhhp32.dll" Kmimcbja.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Ciihklpj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Cgcnghpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Gqodqodl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eeebpcpj.dll" Ponklpcg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaoobkci.dll" Aknngo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kpachc32.dll" Fhbpkh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Fajbke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Golbnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Ljfapjbi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ThreadingModel = "Apartment" Fcmdnfad.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Jbnjhh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32 Pioeoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79ECA078-17FF-726B-E811-213280E5C831}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcmbji32.dll" Hjacjifm.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2428 wrote to memory of 1732 2428 21a6a30d034ea3bdeb37a2c86f3301086b3de7ea8650d2dccb5d6fc35491cfb2N.exe 30 PID 2428 wrote to memory of 1732 2428 21a6a30d034ea3bdeb37a2c86f3301086b3de7ea8650d2dccb5d6fc35491cfb2N.exe 30 PID 2428 wrote to memory of 1732 2428 21a6a30d034ea3bdeb37a2c86f3301086b3de7ea8650d2dccb5d6fc35491cfb2N.exe 30 PID 2428 wrote to memory of 1732 2428 21a6a30d034ea3bdeb37a2c86f3301086b3de7ea8650d2dccb5d6fc35491cfb2N.exe 30 PID 1732 wrote to memory of 2924 1732 Njbdea32.exe 31 PID 1732 wrote to memory of 2924 1732 Njbdea32.exe 31 PID 1732 wrote to memory of 2924 1732 Njbdea32.exe 31 PID 1732 wrote to memory of 2924 1732 Njbdea32.exe 31 PID 2924 wrote to memory of 2732 2924 Ndkhngdd.exe 32 PID 2924 wrote to memory of 2732 2924 Ndkhngdd.exe 32 PID 2924 wrote to memory of 2732 2924 Ndkhngdd.exe 32 PID 2924 wrote to memory of 2732 2924 Ndkhngdd.exe 32 PID 2732 wrote to memory of 3060 2732 Ndmecgba.exe 33 PID 2732 wrote to memory of 3060 2732 Ndmecgba.exe 33 PID 2732 wrote to memory of 3060 2732 Ndmecgba.exe 33 PID 2732 wrote to memory of 3060 2732 Ndmecgba.exe 33 PID 3060 wrote to memory of 2788 3060 Nmejllia.exe 34 PID 3060 wrote to memory of 2788 3060 Nmejllia.exe 34 PID 3060 wrote to memory of 2788 3060 Nmejllia.exe 34 PID 3060 wrote to memory of 2788 3060 Nmejllia.exe 34 PID 2788 wrote to memory of 2764 2788 Nfnneb32.exe 35 PID 2788 wrote to memory of 2764 2788 Nfnneb32.exe 35 PID 2788 wrote to memory of 2764 2788 Nfnneb32.exe 35 PID 2788 wrote to memory of 2764 2788 Nfnneb32.exe 35 PID 2764 wrote to memory of 2700 2764 Ooicid32.exe 36 PID 2764 wrote to memory of 2700 2764 Ooicid32.exe 36 PID 2764 wrote to memory of 2700 2764 Ooicid32.exe 36 PID 2764 wrote to memory of 2700 2764 Ooicid32.exe 36 PID 2700 wrote to memory of 684 2700 Oeckfndj.exe 37 PID 2700 wrote to memory of 684 2700 Oeckfndj.exe 37 PID 2700 wrote to memory of 684 2700 Oeckfndj.exe 37 PID 2700 wrote to memory of 684 2700 Oeckfndj.exe 37 PID 684 wrote to memory of 1028 684 Oajlkojn.exe 38 PID 684 wrote to memory of 1028 684 Oajlkojn.exe 38 PID 684 wrote to memory of 1028 684 Oajlkojn.exe 38 PID 684 wrote to memory of 1028 684 Oajlkojn.exe 38 PID 1028 wrote to memory of 1544 1028 Olophhjd.exe 39 PID 1028 wrote to memory of 1544 1028 Olophhjd.exe 39 PID 1028 wrote to memory of 1544 1028 Olophhjd.exe 39 PID 1028 wrote to memory of 1544 1028 Olophhjd.exe 39 PID 1544 wrote to memory of 2120 1544 Oehdan32.exe 40 PID 1544 wrote to memory of 2120 1544 Oehdan32.exe 40 PID 1544 wrote to memory of 2120 1544 Oehdan32.exe 40 PID 1544 wrote to memory of 2120 1544 Oehdan32.exe 40 PID 2120 wrote to memory of 1760 2120 Oopijc32.exe 41 PID 2120 wrote to memory of 1760 2120 Oopijc32.exe 41 PID 2120 wrote to memory of 1760 2120 Oopijc32.exe 41 PID 2120 wrote to memory of 1760 2120 Oopijc32.exe 41 PID 1760 wrote to memory of 3028 1760 Opaebkmc.exe 42 PID 1760 wrote to memory of 3028 1760 Opaebkmc.exe 42 PID 1760 wrote to memory of 3028 1760 Opaebkmc.exe 42 PID 1760 wrote to memory of 3028 1760 Opaebkmc.exe 42 PID 3028 wrote to memory of 2504 3028 Ohhmcinf.exe 43 PID 3028 wrote to memory of 2504 3028 Ohhmcinf.exe 43 PID 3028 wrote to memory of 2504 3028 Ohhmcinf.exe 43 PID 3028 wrote to memory of 2504 3028 Ohhmcinf.exe 43 PID 2504 wrote to memory of 2112 2504 Ppfomk32.exe 44 PID 2504 wrote to memory of 2112 2504 Ppfomk32.exe 44 PID 2504 wrote to memory of 2112 2504 Ppfomk32.exe 44 PID 2504 wrote to memory of 2112 2504 Ppfomk32.exe 44 PID 2112 wrote to memory of 1000 2112 Pgpgjepk.exe 45 PID 2112 wrote to memory of 1000 2112 Pgpgjepk.exe 45 PID 2112 wrote to memory of 1000 2112 Pgpgjepk.exe 45 PID 2112 wrote to memory of 1000 2112 Pgpgjepk.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\21a6a30d034ea3bdeb37a2c86f3301086b3de7ea8650d2dccb5d6fc35491cfb2N.exe"C:\Users\Admin\AppData\Local\Temp\21a6a30d034ea3bdeb37a2c86f3301086b3de7ea8650d2dccb5d6fc35491cfb2N.exe"1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2428 -
C:\Windows\SysWOW64\Njbdea32.exeC:\Windows\system32\Njbdea32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\SysWOW64\Ndkhngdd.exeC:\Windows\system32\Ndkhngdd.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2924 -
C:\Windows\SysWOW64\Ndmecgba.exeC:\Windows\system32\Ndmecgba.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\Nmejllia.exeC:\Windows\system32\Nmejllia.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Nfnneb32.exeC:\Windows\system32\Nfnneb32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Ooicid32.exeC:\Windows\system32\Ooicid32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Windows\SysWOW64\Oeckfndj.exeC:\Windows\system32\Oeckfndj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Oajlkojn.exeC:\Windows\system32\Oajlkojn.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:684 -
C:\Windows\SysWOW64\Olophhjd.exeC:\Windows\system32\Olophhjd.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\Oehdan32.exeC:\Windows\system32\Oehdan32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1544 -
C:\Windows\SysWOW64\Oopijc32.exeC:\Windows\system32\Oopijc32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2120 -
C:\Windows\SysWOW64\Opaebkmc.exeC:\Windows\system32\Opaebkmc.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1760 -
C:\Windows\SysWOW64\Ohhmcinf.exeC:\Windows\system32\Ohhmcinf.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Windows\SysWOW64\Ppfomk32.exeC:\Windows\system32\Ppfomk32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Pgpgjepk.exeC:\Windows\system32\Pgpgjepk.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Windows\SysWOW64\Peedka32.exeC:\Windows\system32\Peedka32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
C:\Windows\SysWOW64\Phcpgm32.exeC:\Windows\system32\Phcpgm32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:844 -
C:\Windows\SysWOW64\Pegqpacp.exeC:\Windows\system32\Pegqpacp.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:1916 -
C:\Windows\SysWOW64\Phfmllbd.exeC:\Windows\system32\Phfmllbd.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2224 -
C:\Windows\SysWOW64\Panaeb32.exeC:\Windows\system32\Panaeb32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2612 -
C:\Windows\SysWOW64\Pdmnam32.exeC:\Windows\system32\Pdmnam32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3052 -
C:\Windows\SysWOW64\Qobbofgn.exeC:\Windows\system32\Qobbofgn.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1912 -
C:\Windows\SysWOW64\Qnebjc32.exeC:\Windows\system32\Qnebjc32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2268 -
C:\Windows\SysWOW64\Qhjfgl32.exeC:\Windows\system32\Qhjfgl32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Qgmfchei.exeC:\Windows\system32\Qgmfchei.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2256 -
C:\Windows\SysWOW64\Qackpado.exeC:\Windows\system32\Qackpado.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:780 -
C:\Windows\SysWOW64\Qdaglmcb.exeC:\Windows\system32\Qdaglmcb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2736 -
C:\Windows\SysWOW64\Ajnpecbj.exeC:\Windows\system32\Ajnpecbj.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2780 -
C:\Windows\SysWOW64\Abegfa32.exeC:\Windows\system32\Abegfa32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2744 -
C:\Windows\SysWOW64\Agbpnh32.exeC:\Windows\system32\Agbpnh32.exe31⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1888 -
C:\Windows\SysWOW64\Anlhkbhq.exeC:\Windows\system32\Anlhkbhq.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2680 -
C:\Windows\SysWOW64\Afgmodel.exeC:\Windows\system32\Afgmodel.exe33⤵
- Executes dropped EXE
PID:1684 -
C:\Windows\SysWOW64\Ajcipc32.exeC:\Windows\system32\Ajcipc32.exe34⤵
- Executes dropped EXE
PID:2728 -
C:\Windows\SysWOW64\Amaelomh.exeC:\Windows\system32\Amaelomh.exe35⤵
- Executes dropped EXE
PID:1204 -
C:\Windows\SysWOW64\Ackmih32.exeC:\Windows\system32\Ackmih32.exe36⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Aqonbm32.exeC:\Windows\system32\Aqonbm32.exe37⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2716 -
C:\Windows\SysWOW64\Acnjnh32.exeC:\Windows\system32\Acnjnh32.exe38⤵
- Executes dropped EXE
PID:1348 -
C:\Windows\SysWOW64\Abpjjeim.exeC:\Windows\system32\Abpjjeim.exe39⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Akiobk32.exeC:\Windows\system32\Akiobk32.exe40⤵
- Executes dropped EXE
PID:2152 -
C:\Windows\SysWOW64\Beackp32.exeC:\Windows\system32\Beackp32.exe41⤵
- Executes dropped EXE
PID:1712 -
C:\Windows\SysWOW64\Bkklhjnk.exeC:\Windows\system32\Bkklhjnk.exe42⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:272 -
C:\Windows\SysWOW64\Bofgii32.exeC:\Windows\system32\Bofgii32.exe43⤵
- Executes dropped EXE
PID:1408 -
C:\Windows\SysWOW64\Bbeded32.exeC:\Windows\system32\Bbeded32.exe44⤵
- Executes dropped EXE
PID:2176 -
C:\Windows\SysWOW64\Becpap32.exeC:\Windows\system32\Becpap32.exe45⤵
- Executes dropped EXE
PID:2236 -
C:\Windows\SysWOW64\Biolanld.exeC:\Windows\system32\Biolanld.exe46⤵
- Executes dropped EXE
PID:1908 -
C:\Windows\SysWOW64\Bkmhnjlh.exeC:\Windows\system32\Bkmhnjlh.exe47⤵
- Executes dropped EXE
PID:2520 -
C:\Windows\SysWOW64\Bbgqjdce.exeC:\Windows\system32\Bbgqjdce.exe48⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2548 -
C:\Windows\SysWOW64\Biaign32.exeC:\Windows\system32\Biaign32.exe49⤵
- Executes dropped EXE
PID:1724 -
C:\Windows\SysWOW64\Bgdibkam.exeC:\Windows\system32\Bgdibkam.exe50⤵
- Executes dropped EXE
PID:2772 -
C:\Windows\SysWOW64\Bbjmpcab.exeC:\Windows\system32\Bbjmpcab.exe51⤵
- Executes dropped EXE
PID:2752 -
C:\Windows\SysWOW64\Bammlq32.exeC:\Windows\system32\Bammlq32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2636 -
C:\Windows\SysWOW64\Bgffhkoj.exeC:\Windows\system32\Bgffhkoj.exe53⤵
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Bmcnqama.exeC:\Windows\system32\Bmcnqama.exe54⤵
- Executes dropped EXE
PID:2692 -
C:\Windows\SysWOW64\Baojapfj.exeC:\Windows\system32\Baojapfj.exe55⤵
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Bcmfmlen.exeC:\Windows\system32\Bcmfmlen.exe56⤵
- Executes dropped EXE
PID:236 -
C:\Windows\SysWOW64\Cjgoje32.exeC:\Windows\system32\Cjgoje32.exe57⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Cmfkfa32.exeC:\Windows\system32\Cmfkfa32.exe58⤵
- Executes dropped EXE
PID:1512 -
C:\Windows\SysWOW64\Cpdgbm32.exeC:\Windows\system32\Cpdgbm32.exe59⤵
- Executes dropped EXE
PID:3036 -
C:\Windows\SysWOW64\Ccpcckck.exeC:\Windows\system32\Ccpcckck.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\Cgkocj32.exeC:\Windows\system32\Cgkocj32.exe61⤵
- Executes dropped EXE
PID:1940 -
C:\Windows\SysWOW64\Cjjkpe32.exeC:\Windows\system32\Cjjkpe32.exe62⤵
- Executes dropped EXE
PID:1308 -
C:\Windows\SysWOW64\Cmhglq32.exeC:\Windows\system32\Cmhglq32.exe63⤵
- Executes dropped EXE
PID:604 -
C:\Windows\SysWOW64\Cacclpae.exeC:\Windows\system32\Cacclpae.exe64⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Cfpldf32.exeC:\Windows\system32\Cfpldf32.exe65⤵
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Ciohqa32.exeC:\Windows\system32\Ciohqa32.exe66⤵PID:1716
-
C:\Windows\SysWOW64\Clmdmm32.exeC:\Windows\system32\Clmdmm32.exe67⤵
- System Location Discovery: System Language Discovery
PID:1404 -
C:\Windows\SysWOW64\Ccdmnj32.exeC:\Windows\system32\Ccdmnj32.exe68⤵PID:2080
-
C:\Windows\SysWOW64\Cfcijf32.exeC:\Windows\system32\Cfcijf32.exe69⤵PID:2992
-
C:\Windows\SysWOW64\Clpabm32.exeC:\Windows\system32\Clpabm32.exe70⤵PID:2444
-
C:\Windows\SysWOW64\Cpkmcldj.exeC:\Windows\system32\Cpkmcldj.exe71⤵
- System Location Discovery: System Language Discovery
PID:2644 -
C:\Windows\SysWOW64\Cbiiog32.exeC:\Windows\system32\Cbiiog32.exe72⤵PID:2868
-
C:\Windows\SysWOW64\Cehfkb32.exeC:\Windows\system32\Cehfkb32.exe73⤵PID:2888
-
C:\Windows\SysWOW64\Chfbgn32.exeC:\Windows\system32\Chfbgn32.exe74⤵PID:1316
-
C:\Windows\SysWOW64\Cpmjhk32.exeC:\Windows\system32\Cpmjhk32.exe75⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2064 -
C:\Windows\SysWOW64\Daofpchf.exeC:\Windows\system32\Daofpchf.exe76⤵PID:2344
-
C:\Windows\SysWOW64\Dejbqb32.exeC:\Windows\system32\Dejbqb32.exe77⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2140 -
C:\Windows\SysWOW64\Dhiomn32.exeC:\Windows\system32\Dhiomn32.exe78⤵PID:760
-
C:\Windows\SysWOW64\Dldkmlhl.exeC:\Windows\system32\Dldkmlhl.exe79⤵PID:276
-
C:\Windows\SysWOW64\Djgkii32.exeC:\Windows\system32\Djgkii32.exe80⤵PID:2264
-
C:\Windows\SysWOW64\Demofaol.exeC:\Windows\system32\Demofaol.exe81⤵PID:2188
-
C:\Windows\SysWOW64\Dhkkbmnp.exeC:\Windows\system32\Dhkkbmnp.exe82⤵PID:1688
-
C:\Windows\SysWOW64\Dlfgcl32.exeC:\Windows\system32\Dlfgcl32.exe83⤵PID:2552
-
C:\Windows\SysWOW64\Dkigoimd.exeC:\Windows\system32\Dkigoimd.exe84⤵PID:2844
-
C:\Windows\SysWOW64\Dmhdkdlg.exeC:\Windows\system32\Dmhdkdlg.exe85⤵
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Deollamj.exeC:\Windows\system32\Deollamj.exe86⤵PID:2860
-
C:\Windows\SysWOW64\Dfphcj32.exeC:\Windows\system32\Dfphcj32.exe87⤵PID:2676
-
C:\Windows\SysWOW64\Dogpdg32.exeC:\Windows\system32\Dogpdg32.exe88⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:572 -
C:\Windows\SysWOW64\Dmjqpdje.exeC:\Windows\system32\Dmjqpdje.exe89⤵PID:2984
-
C:\Windows\SysWOW64\Dafmqb32.exeC:\Windows\system32\Dafmqb32.exe90⤵PID:2804
-
C:\Windows\SysWOW64\Dddimn32.exeC:\Windows\system32\Dddimn32.exe91⤵PID:1964
-
C:\Windows\SysWOW64\Dgbeiiqe.exeC:\Windows\system32\Dgbeiiqe.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:112 -
C:\Windows\SysWOW64\Dahifbpk.exeC:\Windows\system32\Dahifbpk.exe93⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2200 -
C:\Windows\SysWOW64\Dpkibo32.exeC:\Windows\system32\Dpkibo32.exe94⤵PID:3064
-
C:\Windows\SysWOW64\Dbifnj32.exeC:\Windows\system32\Dbifnj32.exe95⤵PID:896
-
C:\Windows\SysWOW64\Dkqnoh32.exeC:\Windows\system32\Dkqnoh32.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1136 -
C:\Windows\SysWOW64\Elajgpmj.exeC:\Windows\system32\Elajgpmj.exe97⤵PID:336
-
C:\Windows\SysWOW64\Epmfgo32.exeC:\Windows\system32\Epmfgo32.exe98⤵
- Modifies registry class
PID:2336 -
C:\Windows\SysWOW64\Eclbcj32.exeC:\Windows\system32\Eclbcj32.exe99⤵PID:1296
-
C:\Windows\SysWOW64\Eggndi32.exeC:\Windows\system32\Eggndi32.exe100⤵
- Modifies registry class
PID:1496 -
C:\Windows\SysWOW64\Emagacdm.exeC:\Windows\system32\Emagacdm.exe101⤵PID:3004
-
C:\Windows\SysWOW64\Eppcmncq.exeC:\Windows\system32\Eppcmncq.exe102⤵PID:2272
-
C:\Windows\SysWOW64\Eobchk32.exeC:\Windows\system32\Eobchk32.exe103⤵PID:3016
-
C:\Windows\SysWOW64\Eelkeeah.exeC:\Windows\system32\Eelkeeah.exe104⤵PID:2132
-
C:\Windows\SysWOW64\Eihgfd32.exeC:\Windows\system32\Eihgfd32.exe105⤵
- Modifies registry class
PID:1956 -
C:\Windows\SysWOW64\Elfcbo32.exeC:\Windows\system32\Elfcbo32.exe106⤵PID:2468
-
C:\Windows\SysWOW64\Ecploipa.exeC:\Windows\system32\Ecploipa.exe107⤵PID:1692
-
C:\Windows\SysWOW64\Eeohkeoe.exeC:\Windows\system32\Eeohkeoe.exe108⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2712 -
C:\Windows\SysWOW64\Elipgofb.exeC:\Windows\system32\Elipgofb.exe109⤵PID:2228
-
C:\Windows\SysWOW64\Eklqcl32.exeC:\Windows\system32\Eklqcl32.exe110⤵PID:2848
-
C:\Windows\SysWOW64\Ecbhdi32.exeC:\Windows\system32\Ecbhdi32.exe111⤵PID:2056
-
C:\Windows\SysWOW64\Eddeladm.exeC:\Windows\system32\Eddeladm.exe112⤵
- System Location Discovery: System Language Discovery
PID:3012 -
C:\Windows\SysWOW64\Eknmhk32.exeC:\Windows\system32\Eknmhk32.exe113⤵PID:2052
-
C:\Windows\SysWOW64\Eaheeecg.exeC:\Windows\system32\Eaheeecg.exe114⤵PID:1516
-
C:\Windows\SysWOW64\Edfbaabj.exeC:\Windows\system32\Edfbaabj.exe115⤵PID:2184
-
C:\Windows\SysWOW64\Fgdnnl32.exeC:\Windows\system32\Fgdnnl32.exe116⤵
- Drops file in System32 directory
PID:900 -
C:\Windows\SysWOW64\Folfoj32.exeC:\Windows\system32\Folfoj32.exe117⤵PID:1876
-
C:\Windows\SysWOW64\Fajbke32.exeC:\Windows\system32\Fajbke32.exe118⤵
- Modifies registry class
PID:2388 -
C:\Windows\SysWOW64\Fhdjgoha.exeC:\Windows\system32\Fhdjgoha.exe119⤵PID:2324
-
C:\Windows\SysWOW64\Fggkcl32.exeC:\Windows\system32\Fggkcl32.exe120⤵PID:2632
-
C:\Windows\SysWOW64\Fkbgckgd.exeC:\Windows\system32\Fkbgckgd.exe121⤵PID:2584
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-