Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07/12/2024, 22:26
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4e6c368846af1c9749e24f35ec871a73648102cfbc67466248f191458f28fc92.exe
Resource
win7-20240903-en
windows7-x64
10 signatures
150 seconds
Behavioral task
behavioral2
Sample
4e6c368846af1c9749e24f35ec871a73648102cfbc67466248f191458f28fc92.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
150 seconds
General
-
Target
4e6c368846af1c9749e24f35ec871a73648102cfbc67466248f191458f28fc92.exe
-
Size
95KB
-
MD5
9f71da47a82769c177f0341e11c3758a
-
SHA1
856647c26bbcadffe88020cb07c25dae0516881b
-
SHA256
4e6c368846af1c9749e24f35ec871a73648102cfbc67466248f191458f28fc92
-
SHA512
68a1916d8440d774af22fc9ccf4cd20661bf92f8e6d1d48887186b45abd1f0a2e7a0a6b374cfa4cc9af931bdb041034bc4ee510cb1c3f47e1a14e8cba62946b3
-
SSDEEP
1536:2aITRNmnUGikhceP5eSE9M31NfTjwqwxnG3MZOM6bOLXi8PmCofGV:qTvmheePJj6xG3MZDrLXfzoeV
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ncfmjc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hkbmil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lmalgq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lkelpd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Apkihofl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhalngad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dakpiajj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Elieipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnkffi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpoaheja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Igpdnlgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fikgda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" 4e6c368846af1c9749e24f35ec871a73648102cfbc67466248f191458f28fc92.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Inplqlng.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pbblkaea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckmbdh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccecheeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Efffpjmk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hoalia32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Efmoib32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hecebm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jinfli32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhkclc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffmkhe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gmlckehe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fapgblob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kjmoeo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Memlki32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nifgekbm.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qfhddn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nfpnnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Njchfc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fnjnkkbk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkppcmjk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kmfpmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Echlmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Onlooh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnhncclq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgbmco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fenphjei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nckmpicl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cpiaipmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dqddmd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hghdjn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lbagpp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fkambhgf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfodfh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fhjoof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Laodmoep.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Boeoek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gbhcpmkm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Maocekoo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kppldhla.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dlpbna32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmcikd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jaonji32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcpbik32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Blniinac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddbolkac.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgdqpq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jegdgj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgmilmkb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mmcpjfcj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Fmlecinf.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 2788 Kmfpmc32.exe 2952 Khldkllj.exe 2928 Kfodfh32.exe 2696 Kbhbai32.exe 1300 Leikbd32.exe 308 Lpnopm32.exe 2028 Lpqlemaj.exe 292 Liipnb32.exe 2460 Ladebd32.exe 1712 Lklikj32.exe 1304 Mgcjpkak.exe 2652 Mhcfjnhm.exe 2188 Mkacfiga.exe 464 Mjfphf32.exe 1704 Mqbejp32.exe 2124 Mcaafk32.exe 548 Nbfnggeo.exe 2440 Nojnql32.exe 1860 Nfdfmfle.exe 2304 Nbkgbg32.exe 2500 Nkclkl32.exe 2484 Nbmdhfog.exe 3008 Ngjlpmnn.exe 2232 Ojkeah32.exe 2800 Oninhgae.exe 1584 Ofdclinq.exe 2692 Ochcem32.exe 2608 Ojblbgdg.exe 2588 Ombddbah.exe 3056 Pbomli32.exe 1000 Pljnkodm.exe 2144 Pbdfgilj.exe 576 Pdecoa32.exe 2452 Paiche32.exe 2276 Pjahakgb.exe 444 Pdjljpnc.exe 788 Qjfalj32.exe 2392 Qlgndbil.exe 2400 Aiknnf32.exe 2204 Apefjqob.exe 880 Ainkcf32.exe 2960 Aaipghcn.exe 1676 Aipgifcp.exe 1756 Akdafn32.exe 2300 Aeiecfga.exe 2132 Akfnkmei.exe 1808 Bdobdc32.exe 1048 Bkhjamcf.exe 2308 Babbng32.exe 2784 Bkkgfm32.exe 2412 Bllcnega.exe 2636 Bdckobhd.exe 1716 Bjpdhifk.exe 2552 Blnpddeo.exe 2456 Bomlppdb.exe 2036 Bheaiekc.exe 2828 Bckefnki.exe 2368 Clciod32.exe 1468 Ccmblnif.exe 2068 Ckhfpp32.exe 2944 Cfnkmi32.exe 1848 Cgogealf.exe 2004 Cnipak32.exe 2076 Cgadja32.exe -
Loads dropped DLL 64 IoCs
pid Process 1088 4e6c368846af1c9749e24f35ec871a73648102cfbc67466248f191458f28fc92.exe 1088 4e6c368846af1c9749e24f35ec871a73648102cfbc67466248f191458f28fc92.exe 2788 Kmfpmc32.exe 2788 Kmfpmc32.exe 2952 Khldkllj.exe 2952 Khldkllj.exe 2928 Kfodfh32.exe 2928 Kfodfh32.exe 2696 Kbhbai32.exe 2696 Kbhbai32.exe 1300 Leikbd32.exe 1300 Leikbd32.exe 308 Lpnopm32.exe 308 Lpnopm32.exe 2028 Lpqlemaj.exe 2028 Lpqlemaj.exe 292 Liipnb32.exe 292 Liipnb32.exe 2460 Ladebd32.exe 2460 Ladebd32.exe 1712 Lklikj32.exe 1712 Lklikj32.exe 1304 Mgcjpkak.exe 1304 Mgcjpkak.exe 2652 Mhcfjnhm.exe 2652 Mhcfjnhm.exe 2188 Mkacfiga.exe 2188 Mkacfiga.exe 464 Mjfphf32.exe 464 Mjfphf32.exe 1704 Mqbejp32.exe 1704 Mqbejp32.exe 2124 Mcaafk32.exe 2124 Mcaafk32.exe 548 Nbfnggeo.exe 548 Nbfnggeo.exe 2440 Nojnql32.exe 2440 Nojnql32.exe 1860 Nfdfmfle.exe 1860 Nfdfmfle.exe 2304 Nbkgbg32.exe 2304 Nbkgbg32.exe 2500 Nkclkl32.exe 2500 Nkclkl32.exe 2484 Nbmdhfog.exe 2484 Nbmdhfog.exe 3008 Ngjlpmnn.exe 3008 Ngjlpmnn.exe 2232 Ojkeah32.exe 2232 Ojkeah32.exe 2800 Oninhgae.exe 2800 Oninhgae.exe 1584 Ofdclinq.exe 1584 Ofdclinq.exe 2692 Ochcem32.exe 2692 Ochcem32.exe 2608 Ojblbgdg.exe 2608 Ojblbgdg.exe 2588 Ombddbah.exe 2588 Ombddbah.exe 3056 Pbomli32.exe 3056 Pbomli32.exe 1000 Pljnkodm.exe 1000 Pljnkodm.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hkpnjd32.exe Hecebm32.exe File opened for modification C:\Windows\SysWOW64\Albjnplq.exe Aicmadmm.exe File opened for modification C:\Windows\SysWOW64\Kpoejbhe.exe Keiqlihp.exe File created C:\Windows\SysWOW64\Cipleo32.exe Ccecheeb.exe File created C:\Windows\SysWOW64\Jjgonf32.exe Jdjgfomh.exe File opened for modification C:\Windows\SysWOW64\Meljbqna.exe Mneaacno.exe File created C:\Windows\SysWOW64\Bpajjg32.dll Apkihofl.exe File opened for modification C:\Windows\SysWOW64\Eqopfbfn.exe Enpdjfgj.exe File opened for modification C:\Windows\SysWOW64\Jqhdfe32.exe Jbedkhie.exe File created C:\Windows\SysWOW64\Ieppjclf.exe Ilhlan32.exe File created C:\Windows\SysWOW64\Iagaod32.exe Ioheci32.exe File created C:\Windows\SysWOW64\Fjglncdn.dll Jnlbgq32.exe File opened for modification C:\Windows\SysWOW64\Cjhckg32.exe Cgjgol32.exe File opened for modification C:\Windows\SysWOW64\Opccallb.exe Noagjc32.exe File created C:\Windows\SysWOW64\Gjbcnmen.dll Pkmmigjo.exe File created C:\Windows\SysWOW64\Bobleeef.exe Aejglo32.exe File created C:\Windows\SysWOW64\Mmemoe32.exe Miiaogio.exe File created C:\Windows\SysWOW64\Npcika32.exe Mmemoe32.exe File created C:\Windows\SysWOW64\Pljnkodm.exe Pbomli32.exe File created C:\Windows\SysWOW64\Ccqhdmbc.exe Cdngip32.exe File created C:\Windows\SysWOW64\Ecnpdnho.exe Ejfllhao.exe File created C:\Windows\SysWOW64\Kckjmpko.exe Kmabqf32.exe File opened for modification C:\Windows\SysWOW64\Jlekja32.exe Jjgonf32.exe File created C:\Windows\SysWOW64\Bpjnmlel.exe Biqfpb32.exe File created C:\Windows\SysWOW64\Bllcnega.exe Bkkgfm32.exe File created C:\Windows\SysWOW64\Aeelon32.dll Beogaenl.exe File created C:\Windows\SysWOW64\Ffdiiopj.dll Ffjljmla.exe File created C:\Windows\SysWOW64\Jbhhkn32.exe Jcfgoadd.exe File created C:\Windows\SysWOW64\Fglnmheg.dll Peeabm32.exe File created C:\Windows\SysWOW64\Fjejch32.dll Flfkoeoh.exe File opened for modification C:\Windows\SysWOW64\Nckmpicl.exe Nladco32.exe File created C:\Windows\SysWOW64\Fqhclqnc.exe Fiakkcma.exe File created C:\Windows\SysWOW64\Hengep32.exe Hmgodc32.exe File created C:\Windows\SysWOW64\Nqonejfa.dll Lojjfo32.exe File created C:\Windows\SysWOW64\Akfnkmei.exe Aeiecfga.exe File created C:\Windows\SysWOW64\Ldhgnk32.exe Lolofd32.exe File created C:\Windows\SysWOW64\Mmjomogn.exe Mecglbfl.exe File opened for modification C:\Windows\SysWOW64\Jbcgeilh.exe Joekimld.exe File created C:\Windows\SysWOW64\Ooocab32.dll Bhelghol.exe File created C:\Windows\SysWOW64\Mpenafkn.dll Kecmfg32.exe File created C:\Windows\SysWOW64\Qobepmjh.dll Hbknmicj.exe File created C:\Windows\SysWOW64\Ambcgi32.dll Nbfnggeo.exe File created C:\Windows\SysWOW64\Efnodd32.dll Nojnql32.exe File created C:\Windows\SysWOW64\Bjjbkefk.dll Nmggllha.exe File opened for modification C:\Windows\SysWOW64\Binikb32.exe Bkkioeig.exe File opened for modification C:\Windows\SysWOW64\Kjcedj32.exe Kcimhpma.exe File opened for modification C:\Windows\SysWOW64\Kapaaj32.exe Kpoejbhe.exe File created C:\Windows\SysWOW64\Bhalab32.dll Hdkaabnh.exe File created C:\Windows\SysWOW64\Eacehe32.dll Joekimld.exe File created C:\Windows\SysWOW64\Qlgndbil.exe Qjfalj32.exe File opened for modification C:\Windows\SysWOW64\Kaholp32.exe Kpfbegei.exe File opened for modification C:\Windows\SysWOW64\Pbepkh32.exe Padccpal.exe File created C:\Windows\SysWOW64\Fmddgg32.exe Ffjljmla.exe File opened for modification C:\Windows\SysWOW64\Jmdiahco.exe Jkcmjpma.exe File created C:\Windows\SysWOW64\Dcfepmgj.dll Aafnpkii.exe File created C:\Windows\SysWOW64\Nhqhmj32.exe Ninhamne.exe File opened for modification C:\Windows\SysWOW64\Ndjfgkha.exe Nakikpin.exe File created C:\Windows\SysWOW64\Afndjdpe.exe Acohnhab.exe File created C:\Windows\SysWOW64\Nkclkl32.exe Nbkgbg32.exe File created C:\Windows\SysWOW64\Llpoohik.exe Ldhgnk32.exe File created C:\Windows\SysWOW64\Fjhdpk32.exe Fdnlcakk.exe File created C:\Windows\SysWOW64\Hocmpm32.exe Ghidcceo.exe File created C:\Windows\SysWOW64\Mkdbea32.exe Mheeif32.exe File created C:\Windows\SysWOW64\Ddhcbnnn.exe Dnnkec32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3112 3116 WerFault.exe 971 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dijfch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dpfkeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofiopaap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hehafe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Glaiak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofobgc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bihgmdih.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pcmoie32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neohqicc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahcjmkbo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohjmlaci.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbepkh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihqilnig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jahbmlil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oqojhp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beldao32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Miclhpjp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pimkbbpi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heedqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjkpng32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bheaiekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlolnllf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flqkjo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbpnkm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kijmbnpo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Efoifiep.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkkioeig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nkbcgnie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aadakl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ainkcf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qncfphff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghekhd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkcmjpma.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npiiafpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qjfalj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apefjqob.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhklna32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Igcgnbim.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ollqllod.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dqddmd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhkclc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbcgeilh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cniajdkg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbedkhie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lffmpp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ojpaeq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgfkchmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddhcbnnn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kikokf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjlmkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pjbjjc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jhqeka32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bboahbio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hljaigmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djmiejji.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilgjhena.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pioamlkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qcmkhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnklgkap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkkhpadq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfnnlboi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Heonpf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eocfmh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Egfjdchi.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mbpmdgef.dll" Aejnfe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Goapjnoo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Adndofcl.dll" Mmndfnpl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Eejanc32.dll" Qanolm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dcpmijqc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ijjhkqme.dll" Ejadibmh.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kbppdfmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nqonejfa.dll" Lojjfo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifbpdhee.dll" Mmngof32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dfngll32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jmdiahco.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mjfphf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dphhka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eifobe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mdlfngcc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mcacochk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Blkebebd.dll" Kpgdnp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmckeidj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pglacbbo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qnciiq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fmmjolll.dll" Nhhqfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpgkpogp.dll" Fapgblob.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kcmdjgbh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Godhpb32.dll" Doijcjde.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Meffjjln.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Magbbcbk.dll" Aglmbfdk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aiknnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kngekdnf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Qekbgbpf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Pajeanhf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hiaggm32.dll" Igbqdlea.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bghdmolf.dll" Kjcedj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iioloaac.dll" Hmiljb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Emadmmop.dll" Jempcgad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Oaqeogll.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Agmdmp32.dll" Oninhgae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ckegnj32.dll" Akfnkmei.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dqlceg32.dll" Cqleifna.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pfpgeall.dll" Ebknblho.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ggklka32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmhhae32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odckfb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gnhheo32.dll" Fegjgkla.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Amjpgdik.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Enngdgim.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecmdqkbq.dll" Nahfkigd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Idgjqook.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lmlnjcgg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mqbejp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Opnqffif.dll" Gkpakq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nlohmonb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bbjkmi32.dll" Cdfgmnpa.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpgdnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dbfknmkp.dll" Dcjmcd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ifadmn32.dll" Kkfhglen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aggpokfi.dll" Kmficl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Omhkcnfg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Adgein32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Engplgdp.dll" Fmaqgaae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kmfklepl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lpckce32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qhnmei32.dll" Nhqhmj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ejgeogmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Heonpf32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1088 wrote to memory of 2788 1088 4e6c368846af1c9749e24f35ec871a73648102cfbc67466248f191458f28fc92.exe 30 PID 1088 wrote to memory of 2788 1088 4e6c368846af1c9749e24f35ec871a73648102cfbc67466248f191458f28fc92.exe 30 PID 1088 wrote to memory of 2788 1088 4e6c368846af1c9749e24f35ec871a73648102cfbc67466248f191458f28fc92.exe 30 PID 1088 wrote to memory of 2788 1088 4e6c368846af1c9749e24f35ec871a73648102cfbc67466248f191458f28fc92.exe 30 PID 2788 wrote to memory of 2952 2788 Kmfpmc32.exe 31 PID 2788 wrote to memory of 2952 2788 Kmfpmc32.exe 31 PID 2788 wrote to memory of 2952 2788 Kmfpmc32.exe 31 PID 2788 wrote to memory of 2952 2788 Kmfpmc32.exe 31 PID 2952 wrote to memory of 2928 2952 Khldkllj.exe 32 PID 2952 wrote to memory of 2928 2952 Khldkllj.exe 32 PID 2952 wrote to memory of 2928 2952 Khldkllj.exe 32 PID 2952 wrote to memory of 2928 2952 Khldkllj.exe 32 PID 2928 wrote to memory of 2696 2928 Kfodfh32.exe 33 PID 2928 wrote to memory of 2696 2928 Kfodfh32.exe 33 PID 2928 wrote to memory of 2696 2928 Kfodfh32.exe 33 PID 2928 wrote to memory of 2696 2928 Kfodfh32.exe 33 PID 2696 wrote to memory of 1300 2696 Kbhbai32.exe 34 PID 2696 wrote to memory of 1300 2696 Kbhbai32.exe 34 PID 2696 wrote to memory of 1300 2696 Kbhbai32.exe 34 PID 2696 wrote to memory of 1300 2696 Kbhbai32.exe 34 PID 1300 wrote to memory of 308 1300 Leikbd32.exe 35 PID 1300 wrote to memory of 308 1300 Leikbd32.exe 35 PID 1300 wrote to memory of 308 1300 Leikbd32.exe 35 PID 1300 wrote to memory of 308 1300 Leikbd32.exe 35 PID 308 wrote to memory of 2028 308 Lpnopm32.exe 36 PID 308 wrote to memory of 2028 308 Lpnopm32.exe 36 PID 308 wrote to memory of 2028 308 Lpnopm32.exe 36 PID 308 wrote to memory of 2028 308 Lpnopm32.exe 36 PID 2028 wrote to memory of 292 2028 Lpqlemaj.exe 37 PID 2028 wrote to memory of 292 2028 Lpqlemaj.exe 37 PID 2028 wrote to memory of 292 2028 Lpqlemaj.exe 37 PID 2028 wrote to memory of 292 2028 Lpqlemaj.exe 37 PID 292 wrote to memory of 2460 292 Liipnb32.exe 38 PID 292 wrote to memory of 2460 292 Liipnb32.exe 38 PID 292 wrote to memory of 2460 292 Liipnb32.exe 38 PID 292 wrote to memory of 2460 292 Liipnb32.exe 38 PID 2460 wrote to memory of 1712 2460 Ladebd32.exe 39 PID 2460 wrote to memory of 1712 2460 Ladebd32.exe 39 PID 2460 wrote to memory of 1712 2460 Ladebd32.exe 39 PID 2460 wrote to memory of 1712 2460 Ladebd32.exe 39 PID 1712 wrote to memory of 1304 1712 Lklikj32.exe 40 PID 1712 wrote to memory of 1304 1712 Lklikj32.exe 40 PID 1712 wrote to memory of 1304 1712 Lklikj32.exe 40 PID 1712 wrote to memory of 1304 1712 Lklikj32.exe 40 PID 1304 wrote to memory of 2652 1304 Mgcjpkak.exe 41 PID 1304 wrote to memory of 2652 1304 Mgcjpkak.exe 41 PID 1304 wrote to memory of 2652 1304 Mgcjpkak.exe 41 PID 1304 wrote to memory of 2652 1304 Mgcjpkak.exe 41 PID 2652 wrote to memory of 2188 2652 Mhcfjnhm.exe 42 PID 2652 wrote to memory of 2188 2652 Mhcfjnhm.exe 42 PID 2652 wrote to memory of 2188 2652 Mhcfjnhm.exe 42 PID 2652 wrote to memory of 2188 2652 Mhcfjnhm.exe 42 PID 2188 wrote to memory of 464 2188 Mkacfiga.exe 43 PID 2188 wrote to memory of 464 2188 Mkacfiga.exe 43 PID 2188 wrote to memory of 464 2188 Mkacfiga.exe 43 PID 2188 wrote to memory of 464 2188 Mkacfiga.exe 43 PID 464 wrote to memory of 1704 464 Mjfphf32.exe 44 PID 464 wrote to memory of 1704 464 Mjfphf32.exe 44 PID 464 wrote to memory of 1704 464 Mjfphf32.exe 44 PID 464 wrote to memory of 1704 464 Mjfphf32.exe 44 PID 1704 wrote to memory of 2124 1704 Mqbejp32.exe 45 PID 1704 wrote to memory of 2124 1704 Mqbejp32.exe 45 PID 1704 wrote to memory of 2124 1704 Mqbejp32.exe 45 PID 1704 wrote to memory of 2124 1704 Mqbejp32.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\4e6c368846af1c9749e24f35ec871a73648102cfbc67466248f191458f28fc92.exe"C:\Users\Admin\AppData\Local\Temp\4e6c368846af1c9749e24f35ec871a73648102cfbc67466248f191458f28fc92.exe"1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\Kmfpmc32.exeC:\Windows\system32\Kmfpmc32.exe2⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\Khldkllj.exeC:\Windows\system32\Khldkllj.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2952 -
C:\Windows\SysWOW64\Kfodfh32.exeC:\Windows\system32\Kfodfh32.exe4⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\Kbhbai32.exeC:\Windows\system32\Kbhbai32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2696 -
C:\Windows\SysWOW64\Leikbd32.exeC:\Windows\system32\Leikbd32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1300 -
C:\Windows\SysWOW64\Lpnopm32.exeC:\Windows\system32\Lpnopm32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:308 -
C:\Windows\SysWOW64\Lpqlemaj.exeC:\Windows\system32\Lpqlemaj.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2028 -
C:\Windows\SysWOW64\Liipnb32.exeC:\Windows\system32\Liipnb32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:292 -
C:\Windows\SysWOW64\Ladebd32.exeC:\Windows\system32\Ladebd32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Lklikj32.exeC:\Windows\system32\Lklikj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712 -
C:\Windows\SysWOW64\Mgcjpkak.exeC:\Windows\system32\Mgcjpkak.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Mhcfjnhm.exeC:\Windows\system32\Mhcfjnhm.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Mkacfiga.exeC:\Windows\system32\Mkacfiga.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Windows\SysWOW64\Mjfphf32.exeC:\Windows\system32\Mjfphf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\Mqbejp32.exeC:\Windows\system32\Mqbejp32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Windows\SysWOW64\Mcaafk32.exeC:\Windows\system32\Mcaafk32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2124 -
C:\Windows\SysWOW64\Nbfnggeo.exeC:\Windows\system32\Nbfnggeo.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:548 -
C:\Windows\SysWOW64\Nojnql32.exeC:\Windows\system32\Nojnql32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2440 -
C:\Windows\SysWOW64\Nfdfmfle.exeC:\Windows\system32\Nfdfmfle.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Nbkgbg32.exeC:\Windows\system32\Nbkgbg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2304 -
C:\Windows\SysWOW64\Nkclkl32.exeC:\Windows\system32\Nkclkl32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2500 -
C:\Windows\SysWOW64\Nbmdhfog.exeC:\Windows\system32\Nbmdhfog.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Ngjlpmnn.exeC:\Windows\system32\Ngjlpmnn.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3008 -
C:\Windows\SysWOW64\Ojkeah32.exeC:\Windows\system32\Ojkeah32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2232 -
C:\Windows\SysWOW64\Oninhgae.exeC:\Windows\system32\Oninhgae.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2800 -
C:\Windows\SysWOW64\Ofdclinq.exeC:\Windows\system32\Ofdclinq.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1584 -
C:\Windows\SysWOW64\Ochcem32.exeC:\Windows\system32\Ochcem32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2692 -
C:\Windows\SysWOW64\Ojblbgdg.exeC:\Windows\system32\Ojblbgdg.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2608 -
C:\Windows\SysWOW64\Ombddbah.exeC:\Windows\system32\Ombddbah.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2588 -
C:\Windows\SysWOW64\Pbomli32.exeC:\Windows\system32\Pbomli32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:3056 -
C:\Windows\SysWOW64\Pljnkodm.exeC:\Windows\system32\Pljnkodm.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1000 -
C:\Windows\SysWOW64\Pbdfgilj.exeC:\Windows\system32\Pbdfgilj.exe33⤵
- Executes dropped EXE
PID:2144 -
C:\Windows\SysWOW64\Pdecoa32.exeC:\Windows\system32\Pdecoa32.exe34⤵
- Executes dropped EXE
PID:576 -
C:\Windows\SysWOW64\Paiche32.exeC:\Windows\system32\Paiche32.exe35⤵
- Executes dropped EXE
PID:2452 -
C:\Windows\SysWOW64\Pjahakgb.exeC:\Windows\system32\Pjahakgb.exe36⤵
- Executes dropped EXE
PID:2276 -
C:\Windows\SysWOW64\Pdjljpnc.exeC:\Windows\system32\Pdjljpnc.exe37⤵
- Executes dropped EXE
PID:444 -
C:\Windows\SysWOW64\Qjfalj32.exeC:\Windows\system32\Qjfalj32.exe38⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:788 -
C:\Windows\SysWOW64\Qlgndbil.exeC:\Windows\system32\Qlgndbil.exe39⤵
- Executes dropped EXE
PID:2392 -
C:\Windows\SysWOW64\Aiknnf32.exeC:\Windows\system32\Aiknnf32.exe40⤵
- Executes dropped EXE
- Modifies registry class
PID:2400 -
C:\Windows\SysWOW64\Apefjqob.exeC:\Windows\system32\Apefjqob.exe41⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2204 -
C:\Windows\SysWOW64\Ainkcf32.exeC:\Windows\system32\Ainkcf32.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:880 -
C:\Windows\SysWOW64\Aaipghcn.exeC:\Windows\system32\Aaipghcn.exe43⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Aipgifcp.exeC:\Windows\system32\Aipgifcp.exe44⤵
- Executes dropped EXE
PID:1676 -
C:\Windows\SysWOW64\Akdafn32.exeC:\Windows\system32\Akdafn32.exe45⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Aeiecfga.exeC:\Windows\system32\Aeiecfga.exe46⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2300 -
C:\Windows\SysWOW64\Akfnkmei.exeC:\Windows\system32\Akfnkmei.exe47⤵
- Executes dropped EXE
- Modifies registry class
PID:2132 -
C:\Windows\SysWOW64\Bdobdc32.exeC:\Windows\system32\Bdobdc32.exe48⤵
- Executes dropped EXE
PID:1808 -
C:\Windows\SysWOW64\Bkhjamcf.exeC:\Windows\system32\Bkhjamcf.exe49⤵
- Executes dropped EXE
PID:1048 -
C:\Windows\SysWOW64\Babbng32.exeC:\Windows\system32\Babbng32.exe50⤵
- Executes dropped EXE
PID:2308 -
C:\Windows\SysWOW64\Bdaojbjf.exeC:\Windows\system32\Bdaojbjf.exe51⤵PID:2708
-
C:\Windows\SysWOW64\Bkkgfm32.exeC:\Windows\system32\Bkkgfm32.exe52⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2784 -
C:\Windows\SysWOW64\Bllcnega.exeC:\Windows\system32\Bllcnega.exe53⤵
- Executes dropped EXE
PID:2412 -
C:\Windows\SysWOW64\Bdckobhd.exeC:\Windows\system32\Bdckobhd.exe54⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Bjpdhifk.exeC:\Windows\system32\Bjpdhifk.exe55⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Blnpddeo.exeC:\Windows\system32\Blnpddeo.exe56⤵
- Executes dropped EXE
PID:2552 -
C:\Windows\SysWOW64\Bomlppdb.exeC:\Windows\system32\Bomlppdb.exe57⤵
- Executes dropped EXE
PID:2456 -
C:\Windows\SysWOW64\Bheaiekc.exeC:\Windows\system32\Bheaiekc.exe58⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\Bckefnki.exeC:\Windows\system32\Bckefnki.exe59⤵
- Executes dropped EXE
PID:2828 -
C:\Windows\SysWOW64\Clciod32.exeC:\Windows\system32\Clciod32.exe60⤵
- Executes dropped EXE
PID:2368 -
C:\Windows\SysWOW64\Ccmblnif.exeC:\Windows\system32\Ccmblnif.exe61⤵
- Executes dropped EXE
PID:1468 -
C:\Windows\SysWOW64\Ckhfpp32.exeC:\Windows\system32\Ckhfpp32.exe62⤵
- Executes dropped EXE
PID:2068 -
C:\Windows\SysWOW64\Cfnkmi32.exeC:\Windows\system32\Cfnkmi32.exe63⤵
- Executes dropped EXE
PID:2944 -
C:\Windows\SysWOW64\Cgogealf.exeC:\Windows\system32\Cgogealf.exe64⤵
- Executes dropped EXE
PID:1848 -
C:\Windows\SysWOW64\Cnipak32.exeC:\Windows\system32\Cnipak32.exe65⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Cgadja32.exeC:\Windows\system32\Cgadja32.exe66⤵
- Executes dropped EXE
PID:2076 -
C:\Windows\SysWOW64\Cnklgkap.exeC:\Windows\system32\Cnklgkap.exe67⤵
- System Location Discovery: System Language Discovery
PID:2156 -
C:\Windows\SysWOW64\Cgdqpq32.exeC:\Windows\system32\Cgdqpq32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1076 -
C:\Windows\SysWOW64\Cnnimkom.exeC:\Windows\system32\Cnnimkom.exe69⤵PID:2964
-
C:\Windows\SysWOW64\Cqleifna.exeC:\Windows\system32\Cqleifna.exe70⤵
- Modifies registry class
PID:2592 -
C:\Windows\SysWOW64\Dgfmep32.exeC:\Windows\system32\Dgfmep32.exe71⤵PID:2920
-
C:\Windows\SysWOW64\Dnpebj32.exeC:\Windows\system32\Dnpebj32.exe72⤵PID:2596
-
C:\Windows\SysWOW64\Doabjbci.exeC:\Windows\system32\Doabjbci.exe73⤵PID:2216
-
C:\Windows\SysWOW64\Dijfch32.exeC:\Windows\system32\Dijfch32.exe74⤵
- System Location Discovery: System Language Discovery
PID:1188 -
C:\Windows\SysWOW64\Dqaode32.exeC:\Windows\system32\Dqaode32.exe75⤵PID:2672
-
C:\Windows\SysWOW64\Docopbaf.exeC:\Windows\system32\Docopbaf.exe76⤵PID:944
-
C:\Windows\SysWOW64\Dfngll32.exeC:\Windows\system32\Dfngll32.exe77⤵
- Modifies registry class
PID:1056 -
C:\Windows\SysWOW64\Dpfkeb32.exeC:\Windows\system32\Dpfkeb32.exe78⤵
- System Location Discovery: System Language Discovery
PID:2244 -
C:\Windows\SysWOW64\Dfpcblfp.exeC:\Windows\system32\Dfpcblfp.exe79⤵PID:2108
-
C:\Windows\SysWOW64\Dinpnged.exeC:\Windows\system32\Dinpnged.exe80⤵PID:680
-
C:\Windows\SysWOW64\Dphhka32.exeC:\Windows\system32\Dphhka32.exe81⤵
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Deeqch32.exeC:\Windows\system32\Deeqch32.exe82⤵PID:1760
-
C:\Windows\SysWOW64\Dgcmod32.exeC:\Windows\system32\Dgcmod32.exe83⤵PID:3012
-
C:\Windows\SysWOW64\Ealahi32.exeC:\Windows\system32\Ealahi32.exe84⤵PID:1632
-
C:\Windows\SysWOW64\Egfjdchi.exeC:\Windows\system32\Egfjdchi.exe85⤵
- System Location Discovery: System Language Discovery
PID:2728 -
C:\Windows\SysWOW64\Ejdfqogm.exeC:\Windows\system32\Ejdfqogm.exe86⤵PID:2772
-
C:\Windows\SysWOW64\Ebknblho.exeC:\Windows\system32\Ebknblho.exe87⤵
- Modifies registry class
PID:2628 -
C:\Windows\SysWOW64\Eldbkbop.exeC:\Windows\system32\Eldbkbop.exe88⤵PID:1416
-
C:\Windows\SysWOW64\Enbogmnc.exeC:\Windows\system32\Enbogmnc.exe89⤵PID:1792
-
C:\Windows\SysWOW64\Eelgcg32.exeC:\Windows\system32\Eelgcg32.exe90⤵PID:1328
-
C:\Windows\SysWOW64\Efmckpko.exeC:\Windows\system32\Efmckpko.exe91⤵PID:1044
-
C:\Windows\SysWOW64\Eacghhkd.exeC:\Windows\system32\Eacghhkd.exe92⤵PID:2176
-
C:\Windows\SysWOW64\Epfhde32.exeC:\Windows\system32\Epfhde32.exe93⤵PID:600
-
C:\Windows\SysWOW64\Emjhmipi.exeC:\Windows\system32\Emjhmipi.exe94⤵PID:2212
-
C:\Windows\SysWOW64\Ephdjeol.exeC:\Windows\system32\Ephdjeol.exe95⤵PID:1536
-
C:\Windows\SysWOW64\Fmlecinf.exeC:\Windows\system32\Fmlecinf.exe96⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2272 -
C:\Windows\SysWOW64\Fbimkpmm.exeC:\Windows\system32\Fbimkpmm.exe97⤵PID:2164
-
C:\Windows\SysWOW64\Fegjgkla.exeC:\Windows\system32\Fegjgkla.exe98⤵
- Modifies registry class
PID:992 -
C:\Windows\SysWOW64\Fpmned32.exeC:\Windows\system32\Fpmned32.exe99⤵PID:2064
-
C:\Windows\SysWOW64\Fbkjap32.exeC:\Windows\system32\Fbkjap32.exe100⤵PID:2776
-
C:\Windows\SysWOW64\Flcojeak.exeC:\Windows\system32\Flcojeak.exe101⤵PID:2752
-
C:\Windows\SysWOW64\Fapgblob.exeC:\Windows\system32\Fapgblob.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2648 -
C:\Windows\SysWOW64\Fhjoof32.exeC:\Windows\system32\Fhjoof32.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2104 -
C:\Windows\SysWOW64\Flfkoeoh.exeC:\Windows\system32\Flfkoeoh.exe104⤵
- Drops file in System32 directory
PID:348 -
C:\Windows\SysWOW64\Fbpclofe.exeC:\Windows\system32\Fbpclofe.exe105⤵PID:2448
-
C:\Windows\SysWOW64\Fenphjei.exeC:\Windows\system32\Fenphjei.exe106⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2120 -
C:\Windows\SysWOW64\Fkkhpadq.exeC:\Windows\system32\Fkkhpadq.exe107⤵
- System Location Discovery: System Language Discovery
PID:896 -
C:\Windows\SysWOW64\Geqlnjcf.exeC:\Windows\system32\Geqlnjcf.exe108⤵PID:1652
-
C:\Windows\SysWOW64\Ggbieb32.exeC:\Windows\system32\Ggbieb32.exe109⤵PID:2292
-
C:\Windows\SysWOW64\Goiafp32.exeC:\Windows\system32\Goiafp32.exe110⤵PID:2504
-
C:\Windows\SysWOW64\Gpjmnh32.exeC:\Windows\system32\Gpjmnh32.exe111⤵PID:872
-
C:\Windows\SysWOW64\Ghaeoe32.exeC:\Windows\system32\Ghaeoe32.exe112⤵PID:2700
-
C:\Windows\SysWOW64\Gkpakq32.exeC:\Windows\system32\Gkpakq32.exe113⤵
- Modifies registry class
PID:2660 -
C:\Windows\SysWOW64\Gmnngl32.exeC:\Windows\system32\Gmnngl32.exe114⤵PID:2900
-
C:\Windows\SysWOW64\Gckfpc32.exeC:\Windows\system32\Gckfpc32.exe115⤵PID:1592
-
C:\Windows\SysWOW64\Gkbnap32.exeC:\Windows\system32\Gkbnap32.exe116⤵PID:1984
-
C:\Windows\SysWOW64\Glckihcg.exeC:\Windows\system32\Glckihcg.exe117⤵PID:664
-
C:\Windows\SysWOW64\Gcmcebkc.exeC:\Windows\system32\Gcmcebkc.exe118⤵PID:2008
-
C:\Windows\SysWOW64\Gigkbm32.exeC:\Windows\system32\Gigkbm32.exe119⤵PID:988
-
C:\Windows\SysWOW64\Glfgnh32.exeC:\Windows\system32\Glfgnh32.exe120⤵PID:1068
-
C:\Windows\SysWOW64\Ggklka32.exeC:\Windows\system32\Ggklka32.exe121⤵
- Modifies registry class
PID:2720
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-