Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
22/12/2024, 13:40
Behavioral task
behavioral1
Sample
cb8324dcd880688332b510c40f2d577570dcefd509de7df20a758fc59f708ecf.exe
Resource
win7-20241023-en
windows7-x64
10 signatures
120 seconds
Behavioral task
behavioral2
Sample
cb8324dcd880688332b510c40f2d577570dcefd509de7df20a758fc59f708ecf.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
9 signatures
120 seconds
General
-
Target
cb8324dcd880688332b510c40f2d577570dcefd509de7df20a758fc59f708ecf.exe
-
Size
391KB
-
MD5
6744474d4eb956eb168adbef3e9a8ec9
-
SHA1
449e224c8127d37e59f64073ce8b2b596de4a959
-
SHA256
cb8324dcd880688332b510c40f2d577570dcefd509de7df20a758fc59f708ecf
-
SHA512
3edc18f8b41382855bb943b00b09ff507a284989e34030481d661b8b64b53fb9c5adf751567fac418fd9c1b1cdd6f57a393bb6ce783f6a4350f082bc05c116a1
-
SSDEEP
6144:ok0D6DZkU+aQbjGaAfbAfNtTAfMAfFAfNPUmKyIxLfYeOO9UmKyIxL4:g5VaQbWmNtuhUNP3cOK3B
Score
10/10
Malware Config
Extracted
Family
berbew
C2
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mhhfdo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fafcdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gcokiaji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bejfao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Pojecajj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eeiheo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Mdogedmh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdkjdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ebgclm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kjglkm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlkngc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lcofio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nhlgmd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bogjaamh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Degiggjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Ehgbhbgn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jgaiobjn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qaqnkafa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hblgnkdh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gifaciae.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hnjplo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bfqpecma.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnpgeopa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Femeig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gcokiaji.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Edoefl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jmnqje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gonale32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Homclekn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Nbniid32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jbnjhh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pnchhllf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qdlggg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhbdleol.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iebldo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oohqqlei.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbjcqe32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbafjlaa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Iejiodbl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bkbaii32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qbnphngk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Gpnmjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Jdhgnf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gkoobhhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dkiefp32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ddfcje32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jampjian.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bnapnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cblfdg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dgeaoinb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Oiafee32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Hjfnnajl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nlekia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Kfeikcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Cepfgdnj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kofcbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Qejpoi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Lbemfbdk.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Abfnpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cllkin32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kbgjkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Npccpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aibcba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Dpcmgi32.exe -
Berbew family
-
Executes dropped EXE 64 IoCs
pid Process 828 Ejmebq32.exe 2804 Efcfga32.exe 2640 Figlolbf.exe 2460 Flgeqgog.exe 2540 Fbdjbaea.exe 2224 Fjongcbl.exe 1840 Ghcoqh32.exe 2700 Gfmemc32.exe 1340 Hlljjjnm.exe 1700 Homclekn.exe 1940 Hanlnp32.exe 1416 Hhjapjmi.exe 1560 Iimjmbae.exe 2392 Iedkbc32.exe 2920 Ipjoplgo.exe 2296 Ijbdha32.exe 1648 Jbdonb32.exe 2212 Jqilooij.exe 1992 Jqlhdo32.exe 1576 Jcjdpj32.exe 652 Jfknbe32.exe 1456 Kfmjgeaj.exe 1276 Kilfcpqm.exe 568 Kincipnk.exe 2932 Kohkfj32.exe 2968 Kpjhkjde.exe 2796 Kjdilgpc.exe 2752 Lanaiahq.exe 2716 Llcefjgf.exe 2688 Lndohedg.exe 2572 Lfbpag32.exe 296 Lmlhnagm.exe 336 Mlaeonld.exe 2776 Mbkmlh32.exe 1348 Mhhfdo32.exe 2952 Mbpgggol.exe 1616 Mdcpdp32.exe 1928 Mpjqiq32.exe 1872 Nkpegi32.exe 1824 Nckjkl32.exe 344 Ndjfeo32.exe 2060 Nekbmgcn.exe 884 Nlekia32.exe 996 Ngkogj32.exe 2404 Npccpo32.exe 2292 Ncbplk32.exe 1300 Nilhhdga.exe 1124 Oohqqlei.exe 2088 Ocdmaj32.exe 696 Odeiibdq.exe 2076 Ookmfk32.exe 2616 Oaiibg32.exe 308 Odhfob32.exe 2560 Okanklik.exe 2536 Onpjghhn.exe 2004 Oegbheiq.exe 2840 Oghopm32.exe 2964 Oqacic32.exe 1944 Onecbg32.exe 328 Odoloalf.exe 2240 Ocalkn32.exe 1888 Pqemdbaj.exe 2912 Pcdipnqn.exe 2104 Pjnamh32.exe -
Loads dropped DLL 64 IoCs
pid Process 1596 cb8324dcd880688332b510c40f2d577570dcefd509de7df20a758fc59f708ecf.exe 1596 cb8324dcd880688332b510c40f2d577570dcefd509de7df20a758fc59f708ecf.exe 828 Ejmebq32.exe 828 Ejmebq32.exe 2804 Efcfga32.exe 2804 Efcfga32.exe 2640 Figlolbf.exe 2640 Figlolbf.exe 2460 Flgeqgog.exe 2460 Flgeqgog.exe 2540 Fbdjbaea.exe 2540 Fbdjbaea.exe 2224 Fjongcbl.exe 2224 Fjongcbl.exe 1840 Ghcoqh32.exe 1840 Ghcoqh32.exe 2700 Gfmemc32.exe 2700 Gfmemc32.exe 1340 Hlljjjnm.exe 1340 Hlljjjnm.exe 1700 Homclekn.exe 1700 Homclekn.exe 1940 Hanlnp32.exe 1940 Hanlnp32.exe 1416 Hhjapjmi.exe 1416 Hhjapjmi.exe 1560 Iimjmbae.exe 1560 Iimjmbae.exe 2392 Iedkbc32.exe 2392 Iedkbc32.exe 2920 Ipjoplgo.exe 2920 Ipjoplgo.exe 2296 Ijbdha32.exe 2296 Ijbdha32.exe 1648 Jbdonb32.exe 1648 Jbdonb32.exe 2212 Jqilooij.exe 2212 Jqilooij.exe 1992 Jqlhdo32.exe 1992 Jqlhdo32.exe 1576 Jcjdpj32.exe 1576 Jcjdpj32.exe 652 Jfknbe32.exe 652 Jfknbe32.exe 1456 Kfmjgeaj.exe 1456 Kfmjgeaj.exe 1276 Kilfcpqm.exe 1276 Kilfcpqm.exe 568 Kincipnk.exe 568 Kincipnk.exe 2932 Kohkfj32.exe 2932 Kohkfj32.exe 2968 Kpjhkjde.exe 2968 Kpjhkjde.exe 2796 Kjdilgpc.exe 2796 Kjdilgpc.exe 2752 Lanaiahq.exe 2752 Lanaiahq.exe 2716 Llcefjgf.exe 2716 Llcefjgf.exe 2688 Lndohedg.exe 2688 Lndohedg.exe 2572 Lfbpag32.exe 2572 Lfbpag32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Hjacjifm.exe Hgbfnngi.exe File created C:\Windows\SysWOW64\Khjgel32.exe Kapohbfp.exe File created C:\Windows\SysWOW64\Kohkfj32.exe Kincipnk.exe File created C:\Windows\SysWOW64\Dknoaoaj.exe Dphjcf32.exe File created C:\Windows\SysWOW64\Kklikejc.exe Kdbpnk32.exe File created C:\Windows\SysWOW64\Fnndbd32.dll Fcmben32.exe File opened for modification C:\Windows\SysWOW64\Fmegncpp.exe Fhikme32.exe File opened for modification C:\Windows\SysWOW64\Deollamj.exe Dlfgcl32.exe File created C:\Windows\SysWOW64\Dhmhhmlm.exe Deollamj.exe File opened for modification C:\Windows\SysWOW64\Nibqqh32.exe Nfdddm32.exe File created C:\Windows\SysWOW64\Ghkekdhl.dll Oghopm32.exe File opened for modification C:\Windows\SysWOW64\Gihniioc.exe Gnbjlpom.exe File opened for modification C:\Windows\SysWOW64\Kopokehd.exe Jdkjnl32.exe File opened for modification C:\Windows\SysWOW64\Fgfdie32.exe Foolgh32.exe File opened for modification C:\Windows\SysWOW64\Dbabho32.exe Djjjga32.exe File opened for modification C:\Windows\SysWOW64\Emdeok32.exe Efjmbaba.exe File created C:\Windows\SysWOW64\Kqknil32.exe Kfeikcfa.exe File created C:\Windows\SysWOW64\Ldkeee32.dll Nmkncofl.exe File created C:\Windows\SysWOW64\Agljom32.exe Ajhiei32.exe File created C:\Windows\SysWOW64\Dphmloih.exe Dmjqpdje.exe File created C:\Windows\SysWOW64\Jampjian.exe Jhdlad32.exe File created C:\Windows\SysWOW64\Emoldlmc.exe Dhbdleol.exe File created C:\Windows\SysWOW64\Flgeqgog.exe Figlolbf.exe File created C:\Windows\SysWOW64\Jhpjaq32.dll Onecbg32.exe File created C:\Windows\SysWOW64\Lpmfjcln.dll Gacbmk32.exe File opened for modification C:\Windows\SysWOW64\Kqknil32.exe Kfeikcfa.exe File created C:\Windows\SysWOW64\Boegfb32.dll Nbjcqe32.exe File created C:\Windows\SysWOW64\Nbpeoc32.exe Nlfmbibo.exe File opened for modification C:\Windows\SysWOW64\Ecploipa.exe Eihgfd32.exe File opened for modification C:\Windows\SysWOW64\Gkalhgfd.exe Gckdgjeb.exe File created C:\Windows\SysWOW64\Fdoahk32.dll Dkiefp32.exe File created C:\Windows\SysWOW64\Ecnmpa32.exe Elcdcgcc.exe File created C:\Windows\SysWOW64\Ocbomioe.dll Ebgclm32.exe File opened for modification C:\Windows\SysWOW64\Iiqldc32.exe Igoomk32.exe File opened for modification C:\Windows\SysWOW64\Opihgfop.exe Oaghki32.exe File opened for modification C:\Windows\SysWOW64\Ggdcbi32.exe Gagkjbaf.exe File created C:\Windows\SysWOW64\Aeoijidl.exe Qoeamo32.exe File created C:\Windows\SysWOW64\Ebenek32.dll Jipaip32.exe File opened for modification C:\Windows\SysWOW64\Pbkbgjcc.exe Pmojocel.exe File created C:\Windows\SysWOW64\Hppfog32.exe Hfgafadm.exe File opened for modification C:\Windows\SysWOW64\Jlkngc32.exe Jfofol32.exe File opened for modification C:\Windows\SysWOW64\Ojomdoof.exe Opihgfop.exe File opened for modification C:\Windows\SysWOW64\Ldmopa32.exe Lanbdf32.exe File opened for modification C:\Windows\SysWOW64\Gcedad32.exe Fimoiopk.exe File created C:\Windows\SysWOW64\Eiiddiab.dll Ijbdha32.exe File created C:\Windows\SysWOW64\Ldeamlkj.dll Pfgngh32.exe File created C:\Windows\SysWOW64\Codfplej.dll Jkhejkcq.exe File created C:\Windows\SysWOW64\Ddaemh32.exe Djiqdb32.exe File created C:\Windows\SysWOW64\Bieepc32.dll Emoldlmc.exe File created C:\Windows\SysWOW64\Efcfga32.exe Ejmebq32.exe File opened for modification C:\Windows\SysWOW64\Bdkgocpm.exe Bbgnak32.exe File created C:\Windows\SysWOW64\Ianinp32.dll Pakllc32.exe File created C:\Windows\SysWOW64\Ohncbdbd.exe Onfoin32.exe File opened for modification C:\Windows\SysWOW64\Onpjghhn.exe Okanklik.exe File created C:\Windows\SysWOW64\Mejlalji.exe Mkaghg32.exe File created C:\Windows\SysWOW64\Hblgnkdh.exe Hjacjifm.exe File created C:\Windows\SysWOW64\Kaaded32.dll Phcilf32.exe File created C:\Windows\SysWOW64\Dckqmd32.dll Jeclebja.exe File created C:\Windows\SysWOW64\Oiafee32.exe Onlahm32.exe File created C:\Windows\SysWOW64\Mbpgggol.exe Mhhfdo32.exe File created C:\Windows\SysWOW64\Bbgnak32.exe Bfpnmj32.exe File opened for modification C:\Windows\SysWOW64\Imleli32.exe Ijmipn32.exe File created C:\Windows\SysWOW64\Chmihd32.dll Kenoifpb.exe File created C:\Windows\SysWOW64\Khqpfa32.dll Lndohedg.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 3320 3724 WerFault.exe 968 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Joiappkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jplkmgol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nigafnck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flclam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jabponba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgmahg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Adcdbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pkoicb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Chfpoeja.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icifjk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eecafd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dbiocd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gihniioc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbffoabe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhcmedli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Odbeilbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcckcbgp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oekjjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bieopm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjgehgnh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcgmfgfd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fkefbcmf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gajqbakc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qgjqjjll.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lgoboc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qackpado.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hebnlb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohncbdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ncfalqpm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnokgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kfmjgeaj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nidkmojn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fcmben32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iiecgjba.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cglalbbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flnlkgjq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Edqocbkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neqnqofm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jefpeh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Agljom32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bjkhdacm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dcbnpgkh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkjpggkn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Giahhj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gdboig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phnnho32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjakccop.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcmoda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfbaql32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icfpbl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oaiibg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Delmmigh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iimcclni.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcalnii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jjhgbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obokcqhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apppkekc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ckbpqe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Khldkllj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bnielm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nhdhif32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcldhnkk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbgfkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fbegbacp.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mhdqqjhl.dll" Ookmfk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kopokehd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lbogfcjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khlajd32.dll" Mmfdhojb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Edclib32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iijbfecp.dll" Jjbbpmgo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kgigbp32.dll" Fgnadkic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odlhoigp.dll" Oplelf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kaaded32.dll" Phcilf32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhkeohhn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipafocdg.dll" Kkojbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Okanklik.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Odoloalf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kfeikcfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gmhfmm32.dll" Ndnlnm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lhblch32.dll" Fhikme32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pikijafg.dll" Mfjkdh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pdfndl32.dll" Gecpnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Npccpo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Gpnmjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffdgjmdh.dll" Ibfaopoi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nnkcpq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Folfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hnjbeh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Chcloo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fklkbele.dll" Cpmjhk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Eklqcl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lhknaf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Jhjbqo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Jieaofmp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gbgffb32.dll" Kbcdbp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbajkiof.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Degiggjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gcheib32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Aknngo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kpieengb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Kmmebm32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bnnaoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bejfao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hgbfnngi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Kocmim32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Iddlde32.dll" Lhcafa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cllkin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qqfdfdee.dll" Bbjmpcab.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Injqmdki.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Femeig32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ngdjaofc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oppkgk32.dll" Qoeamo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bhhpeafc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fgiepced.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kdpkhqmc.dll" Jlhhndno.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ckmnbg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpcmgi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Famaimfe.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hclfag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hnkdiq32.dll" Giahhj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncinl32.dll" Bkbaii32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ciohqa32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Mfeaiime.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ekliqn32.dll" Gkcekfad.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ocalkn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fqcfnhjb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Dpcjnabn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cbepdhgc.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1596 wrote to memory of 828 1596 cb8324dcd880688332b510c40f2d577570dcefd509de7df20a758fc59f708ecf.exe 28 PID 1596 wrote to memory of 828 1596 cb8324dcd880688332b510c40f2d577570dcefd509de7df20a758fc59f708ecf.exe 28 PID 1596 wrote to memory of 828 1596 cb8324dcd880688332b510c40f2d577570dcefd509de7df20a758fc59f708ecf.exe 28 PID 1596 wrote to memory of 828 1596 cb8324dcd880688332b510c40f2d577570dcefd509de7df20a758fc59f708ecf.exe 28 PID 828 wrote to memory of 2804 828 Ejmebq32.exe 29 PID 828 wrote to memory of 2804 828 Ejmebq32.exe 29 PID 828 wrote to memory of 2804 828 Ejmebq32.exe 29 PID 828 wrote to memory of 2804 828 Ejmebq32.exe 29 PID 2804 wrote to memory of 2640 2804 Efcfga32.exe 30 PID 2804 wrote to memory of 2640 2804 Efcfga32.exe 30 PID 2804 wrote to memory of 2640 2804 Efcfga32.exe 30 PID 2804 wrote to memory of 2640 2804 Efcfga32.exe 30 PID 2640 wrote to memory of 2460 2640 Figlolbf.exe 31 PID 2640 wrote to memory of 2460 2640 Figlolbf.exe 31 PID 2640 wrote to memory of 2460 2640 Figlolbf.exe 31 PID 2640 wrote to memory of 2460 2640 Figlolbf.exe 31 PID 2460 wrote to memory of 2540 2460 Flgeqgog.exe 32 PID 2460 wrote to memory of 2540 2460 Flgeqgog.exe 32 PID 2460 wrote to memory of 2540 2460 Flgeqgog.exe 32 PID 2460 wrote to memory of 2540 2460 Flgeqgog.exe 32 PID 2540 wrote to memory of 2224 2540 Fbdjbaea.exe 33 PID 2540 wrote to memory of 2224 2540 Fbdjbaea.exe 33 PID 2540 wrote to memory of 2224 2540 Fbdjbaea.exe 33 PID 2540 wrote to memory of 2224 2540 Fbdjbaea.exe 33 PID 2224 wrote to memory of 1840 2224 Fjongcbl.exe 34 PID 2224 wrote to memory of 1840 2224 Fjongcbl.exe 34 PID 2224 wrote to memory of 1840 2224 Fjongcbl.exe 34 PID 2224 wrote to memory of 1840 2224 Fjongcbl.exe 34 PID 1840 wrote to memory of 2700 1840 Ghcoqh32.exe 35 PID 1840 wrote to memory of 2700 1840 Ghcoqh32.exe 35 PID 1840 wrote to memory of 2700 1840 Ghcoqh32.exe 35 PID 1840 wrote to memory of 2700 1840 Ghcoqh32.exe 35 PID 2700 wrote to memory of 1340 2700 Gfmemc32.exe 36 PID 2700 wrote to memory of 1340 2700 Gfmemc32.exe 36 PID 2700 wrote to memory of 1340 2700 Gfmemc32.exe 36 PID 2700 wrote to memory of 1340 2700 Gfmemc32.exe 36 PID 1340 wrote to memory of 1700 1340 Hlljjjnm.exe 37 PID 1340 wrote to memory of 1700 1340 Hlljjjnm.exe 37 PID 1340 wrote to memory of 1700 1340 Hlljjjnm.exe 37 PID 1340 wrote to memory of 1700 1340 Hlljjjnm.exe 37 PID 1700 wrote to memory of 1940 1700 Homclekn.exe 38 PID 1700 wrote to memory of 1940 1700 Homclekn.exe 38 PID 1700 wrote to memory of 1940 1700 Homclekn.exe 38 PID 1700 wrote to memory of 1940 1700 Homclekn.exe 38 PID 1940 wrote to memory of 1416 1940 Hanlnp32.exe 39 PID 1940 wrote to memory of 1416 1940 Hanlnp32.exe 39 PID 1940 wrote to memory of 1416 1940 Hanlnp32.exe 39 PID 1940 wrote to memory of 1416 1940 Hanlnp32.exe 39 PID 1416 wrote to memory of 1560 1416 Hhjapjmi.exe 40 PID 1416 wrote to memory of 1560 1416 Hhjapjmi.exe 40 PID 1416 wrote to memory of 1560 1416 Hhjapjmi.exe 40 PID 1416 wrote to memory of 1560 1416 Hhjapjmi.exe 40 PID 1560 wrote to memory of 2392 1560 Iimjmbae.exe 41 PID 1560 wrote to memory of 2392 1560 Iimjmbae.exe 41 PID 1560 wrote to memory of 2392 1560 Iimjmbae.exe 41 PID 1560 wrote to memory of 2392 1560 Iimjmbae.exe 41 PID 2392 wrote to memory of 2920 2392 Iedkbc32.exe 42 PID 2392 wrote to memory of 2920 2392 Iedkbc32.exe 42 PID 2392 wrote to memory of 2920 2392 Iedkbc32.exe 42 PID 2392 wrote to memory of 2920 2392 Iedkbc32.exe 42 PID 2920 wrote to memory of 2296 2920 Ipjoplgo.exe 43 PID 2920 wrote to memory of 2296 2920 Ipjoplgo.exe 43 PID 2920 wrote to memory of 2296 2920 Ipjoplgo.exe 43 PID 2920 wrote to memory of 2296 2920 Ipjoplgo.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\cb8324dcd880688332b510c40f2d577570dcefd509de7df20a758fc59f708ecf.exe"C:\Users\Admin\AppData\Local\Temp\cb8324dcd880688332b510c40f2d577570dcefd509de7df20a758fc59f708ecf.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1596 -
C:\Windows\SysWOW64\Ejmebq32.exeC:\Windows\system32\Ejmebq32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:828 -
C:\Windows\SysWOW64\Efcfga32.exeC:\Windows\system32\Efcfga32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2804 -
C:\Windows\SysWOW64\Figlolbf.exeC:\Windows\system32\Figlolbf.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\SysWOW64\Flgeqgog.exeC:\Windows\system32\Flgeqgog.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2460 -
C:\Windows\SysWOW64\Fbdjbaea.exeC:\Windows\system32\Fbdjbaea.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Fjongcbl.exeC:\Windows\system32\Fjongcbl.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224 -
C:\Windows\SysWOW64\Ghcoqh32.exeC:\Windows\system32\Ghcoqh32.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1840 -
C:\Windows\SysWOW64\Gfmemc32.exeC:\Windows\system32\Gfmemc32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Windows\SysWOW64\Hlljjjnm.exeC:\Windows\system32\Hlljjjnm.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Windows\SysWOW64\Homclekn.exeC:\Windows\system32\Homclekn.exe11⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\SysWOW64\Hanlnp32.exeC:\Windows\system32\Hanlnp32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\Hhjapjmi.exeC:\Windows\system32\Hhjapjmi.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1416 -
C:\Windows\SysWOW64\Iimjmbae.exeC:\Windows\system32\Iimjmbae.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Iedkbc32.exeC:\Windows\system32\Iedkbc32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2392 -
C:\Windows\SysWOW64\Ipjoplgo.exeC:\Windows\system32\Ipjoplgo.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2920 -
C:\Windows\SysWOW64\Ijbdha32.exeC:\Windows\system32\Ijbdha32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2296 -
C:\Windows\SysWOW64\Jbdonb32.exeC:\Windows\system32\Jbdonb32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1648 -
C:\Windows\SysWOW64\Jqilooij.exeC:\Windows\system32\Jqilooij.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2212 -
C:\Windows\SysWOW64\Jqlhdo32.exeC:\Windows\system32\Jqlhdo32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1992 -
C:\Windows\SysWOW64\Jcjdpj32.exeC:\Windows\system32\Jcjdpj32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1576 -
C:\Windows\SysWOW64\Jfknbe32.exeC:\Windows\system32\Jfknbe32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:652 -
C:\Windows\SysWOW64\Kfmjgeaj.exeC:\Windows\system32\Kfmjgeaj.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1456 -
C:\Windows\SysWOW64\Kilfcpqm.exeC:\Windows\system32\Kilfcpqm.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1276 -
C:\Windows\SysWOW64\Kincipnk.exeC:\Windows\system32\Kincipnk.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:568 -
C:\Windows\SysWOW64\Kohkfj32.exeC:\Windows\system32\Kohkfj32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2932 -
C:\Windows\SysWOW64\Kpjhkjde.exeC:\Windows\system32\Kpjhkjde.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2968 -
C:\Windows\SysWOW64\Kjdilgpc.exeC:\Windows\system32\Kjdilgpc.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2796 -
C:\Windows\SysWOW64\Lanaiahq.exeC:\Windows\system32\Lanaiahq.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2752 -
C:\Windows\SysWOW64\Llcefjgf.exeC:\Windows\system32\Llcefjgf.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2716 -
C:\Windows\SysWOW64\Lndohedg.exeC:\Windows\system32\Lndohedg.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2688 -
C:\Windows\SysWOW64\Lfbpag32.exeC:\Windows\system32\Lfbpag32.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2572 -
C:\Windows\SysWOW64\Lmlhnagm.exeC:\Windows\system32\Lmlhnagm.exe33⤵
- Executes dropped EXE
PID:296 -
C:\Windows\SysWOW64\Mlaeonld.exeC:\Windows\system32\Mlaeonld.exe34⤵
- Executes dropped EXE
PID:336 -
C:\Windows\SysWOW64\Mbkmlh32.exeC:\Windows\system32\Mbkmlh32.exe35⤵
- Executes dropped EXE
PID:2776 -
C:\Windows\SysWOW64\Mhhfdo32.exeC:\Windows\system32\Mhhfdo32.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:1348 -
C:\Windows\SysWOW64\Mbpgggol.exeC:\Windows\system32\Mbpgggol.exe37⤵
- Executes dropped EXE
PID:2952 -
C:\Windows\SysWOW64\Mdcpdp32.exeC:\Windows\system32\Mdcpdp32.exe38⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Mpjqiq32.exeC:\Windows\system32\Mpjqiq32.exe39⤵
- Executes dropped EXE
PID:1928 -
C:\Windows\SysWOW64\Nkpegi32.exeC:\Windows\system32\Nkpegi32.exe40⤵
- Executes dropped EXE
PID:1872 -
C:\Windows\SysWOW64\Nckjkl32.exeC:\Windows\system32\Nckjkl32.exe41⤵
- Executes dropped EXE
PID:1824 -
C:\Windows\SysWOW64\Ndjfeo32.exeC:\Windows\system32\Ndjfeo32.exe42⤵
- Executes dropped EXE
PID:344 -
C:\Windows\SysWOW64\Nekbmgcn.exeC:\Windows\system32\Nekbmgcn.exe43⤵
- Executes dropped EXE
PID:2060 -
C:\Windows\SysWOW64\Nlekia32.exeC:\Windows\system32\Nlekia32.exe44⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:884 -
C:\Windows\SysWOW64\Ngkogj32.exeC:\Windows\system32\Ngkogj32.exe45⤵
- Executes dropped EXE
PID:996 -
C:\Windows\SysWOW64\Npccpo32.exeC:\Windows\system32\Npccpo32.exe46⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Modifies registry class
PID:2404 -
C:\Windows\SysWOW64\Ncbplk32.exeC:\Windows\system32\Ncbplk32.exe47⤵
- Executes dropped EXE
PID:2292 -
C:\Windows\SysWOW64\Nilhhdga.exeC:\Windows\system32\Nilhhdga.exe48⤵
- Executes dropped EXE
PID:1300 -
C:\Windows\SysWOW64\Oohqqlei.exeC:\Windows\system32\Oohqqlei.exe49⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1124 -
C:\Windows\SysWOW64\Ocdmaj32.exeC:\Windows\system32\Ocdmaj32.exe50⤵
- Executes dropped EXE
PID:2088 -
C:\Windows\SysWOW64\Odeiibdq.exeC:\Windows\system32\Odeiibdq.exe51⤵
- Executes dropped EXE
PID:696 -
C:\Windows\SysWOW64\Ookmfk32.exeC:\Windows\system32\Ookmfk32.exe52⤵
- Executes dropped EXE
- Modifies registry class
PID:2076 -
C:\Windows\SysWOW64\Oaiibg32.exeC:\Windows\system32\Oaiibg32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2616 -
C:\Windows\SysWOW64\Odhfob32.exeC:\Windows\system32\Odhfob32.exe54⤵
- Executes dropped EXE
PID:308 -
C:\Windows\SysWOW64\Okanklik.exeC:\Windows\system32\Okanklik.exe55⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2560 -
C:\Windows\SysWOW64\Onpjghhn.exeC:\Windows\system32\Onpjghhn.exe56⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Oegbheiq.exeC:\Windows\system32\Oegbheiq.exe57⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Oghopm32.exeC:\Windows\system32\Oghopm32.exe58⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2840 -
C:\Windows\SysWOW64\Oqacic32.exeC:\Windows\system32\Oqacic32.exe59⤵
- Executes dropped EXE
PID:2964 -
C:\Windows\SysWOW64\Onecbg32.exeC:\Windows\system32\Onecbg32.exe60⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1944 -
C:\Windows\SysWOW64\Odoloalf.exeC:\Windows\system32\Odoloalf.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:328 -
C:\Windows\SysWOW64\Ocalkn32.exeC:\Windows\system32\Ocalkn32.exe62⤵
- Executes dropped EXE
- Modifies registry class
PID:2240 -
C:\Windows\SysWOW64\Pqemdbaj.exeC:\Windows\system32\Pqemdbaj.exe63⤵
- Executes dropped EXE
PID:1888 -
C:\Windows\SysWOW64\Pcdipnqn.exeC:\Windows\system32\Pcdipnqn.exe64⤵
- Executes dropped EXE
PID:2912 -
C:\Windows\SysWOW64\Pjnamh32.exeC:\Windows\system32\Pjnamh32.exe65⤵
- Executes dropped EXE
PID:2104 -
C:\Windows\SysWOW64\Pokieo32.exeC:\Windows\system32\Pokieo32.exe66⤵PID:684
-
C:\Windows\SysWOW64\Pjpnbg32.exeC:\Windows\system32\Pjpnbg32.exe67⤵PID:2340
-
C:\Windows\SysWOW64\Pmojocel.exeC:\Windows\system32\Pmojocel.exe68⤵
- Drops file in System32 directory
PID:2344 -
C:\Windows\SysWOW64\Pbkbgjcc.exeC:\Windows\system32\Pbkbgjcc.exe69⤵PID:1524
-
C:\Windows\SysWOW64\Pfgngh32.exeC:\Windows\system32\Pfgngh32.exe70⤵
- Drops file in System32 directory
PID:1676 -
C:\Windows\SysWOW64\Pkdgpo32.exeC:\Windows\system32\Pkdgpo32.exe71⤵PID:2232
-
C:\Windows\SysWOW64\Pbnoliap.exeC:\Windows\system32\Pbnoliap.exe72⤵PID:2608
-
C:\Windows\SysWOW64\Pihgic32.exeC:\Windows\system32\Pihgic32.exe73⤵PID:2956
-
C:\Windows\SysWOW64\Pkfceo32.exeC:\Windows\system32\Pkfceo32.exe74⤵PID:2732
-
C:\Windows\SysWOW64\Qflhbhgg.exeC:\Windows\system32\Qflhbhgg.exe75⤵PID:2652
-
C:\Windows\SysWOW64\Qgmdjp32.exeC:\Windows\system32\Qgmdjp32.exe76⤵PID:2836
-
C:\Windows\SysWOW64\Qngmgjeb.exeC:\Windows\system32\Qngmgjeb.exe77⤵PID:2696
-
C:\Windows\SysWOW64\Qqeicede.exeC:\Windows\system32\Qqeicede.exe78⤵PID:3060
-
C:\Windows\SysWOW64\Qkkmqnck.exeC:\Windows\system32\Qkkmqnck.exe79⤵PID:1952
-
C:\Windows\SysWOW64\Aecaidjl.exeC:\Windows\system32\Aecaidjl.exe80⤵PID:2284
-
C:\Windows\SysWOW64\Aganeoip.exeC:\Windows\system32\Aganeoip.exe81⤵PID:1760
-
C:\Windows\SysWOW64\Ajpjakhc.exeC:\Windows\system32\Ajpjakhc.exe82⤵PID:1868
-
C:\Windows\SysWOW64\Aeenochi.exeC:\Windows\system32\Aeenochi.exe83⤵PID:2916
-
C:\Windows\SysWOW64\Afgkfl32.exeC:\Windows\system32\Afgkfl32.exe84⤵PID:2620
-
C:\Windows\SysWOW64\Annbhi32.exeC:\Windows\system32\Annbhi32.exe85⤵PID:2376
-
C:\Windows\SysWOW64\Apoooa32.exeC:\Windows\system32\Apoooa32.exe86⤵PID:2624
-
C:\Windows\SysWOW64\Ajecmj32.exeC:\Windows\system32\Ajecmj32.exe87⤵PID:1724
-
C:\Windows\SysWOW64\Aigchgkh.exeC:\Windows\system32\Aigchgkh.exe88⤵PID:2900
-
C:\Windows\SysWOW64\Abphal32.exeC:\Windows\system32\Abphal32.exe89⤵PID:832
-
C:\Windows\SysWOW64\Ajgpbj32.exeC:\Windows\system32\Ajgpbj32.exe90⤵PID:2260
-
C:\Windows\SysWOW64\Alhmjbhj.exeC:\Windows\system32\Alhmjbhj.exe91⤵PID:2320
-
C:\Windows\SysWOW64\Bmhideol.exeC:\Windows\system32\Bmhideol.exe92⤵PID:2544
-
C:\Windows\SysWOW64\Bnielm32.exeC:\Windows\system32\Bnielm32.exe93⤵
- System Location Discovery: System Language Discovery
PID:2576 -
C:\Windows\SysWOW64\Bfpnmj32.exeC:\Windows\system32\Bfpnmj32.exe94⤵
- Drops file in System32 directory
PID:2848 -
C:\Windows\SysWOW64\Bbgnak32.exeC:\Windows\system32\Bbgnak32.exe95⤵
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Bdkgocpm.exeC:\Windows\system32\Bdkgocpm.exe96⤵PID:1112
-
C:\Windows\SysWOW64\Boplllob.exeC:\Windows\system32\Boplllob.exe97⤵PID:820
-
C:\Windows\SysWOW64\Bhhpeafc.exeC:\Windows\system32\Bhhpeafc.exe98⤵
- Modifies registry class
PID:2380 -
C:\Windows\SysWOW64\Bkglameg.exeC:\Windows\system32\Bkglameg.exe99⤵PID:992
-
C:\Windows\SysWOW64\Cdoajb32.exeC:\Windows\system32\Cdoajb32.exe100⤵PID:2172
-
C:\Windows\SysWOW64\Cmgechbh.exeC:\Windows\system32\Cmgechbh.exe101⤵PID:1832
-
C:\Windows\SysWOW64\Cklfll32.exeC:\Windows\system32\Cklfll32.exe102⤵PID:1672
-
C:\Windows\SysWOW64\Cbgjqo32.exeC:\Windows\system32\Cbgjqo32.exe103⤵PID:2484
-
C:\Windows\SysWOW64\Ciqcmiei.exeC:\Windows\system32\Ciqcmiei.exe104⤵PID:944
-
C:\Windows\SysWOW64\Conkepdq.exeC:\Windows\system32\Conkepdq.exe105⤵PID:2148
-
C:\Windows\SysWOW64\Chfpoeja.exeC:\Windows\system32\Chfpoeja.exe106⤵
- System Location Discovery: System Language Discovery
PID:1480 -
C:\Windows\SysWOW64\Clalod32.exeC:\Windows\system32\Clalod32.exe107⤵PID:2528
-
C:\Windows\SysWOW64\Chhldeho.exeC:\Windows\system32\Chhldeho.exe108⤵PID:2656
-
C:\Windows\SysWOW64\Delmmigh.exeC:\Windows\system32\Delmmigh.exe109⤵
- System Location Discovery: System Language Discovery
PID:2580 -
C:\Windows\SysWOW64\Dlfejcoe.exeC:\Windows\system32\Dlfejcoe.exe110⤵PID:1844
-
C:\Windows\SysWOW64\Dkiefp32.exeC:\Windows\system32\Dkiefp32.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2020 -
C:\Windows\SysWOW64\Deojci32.exeC:\Windows\system32\Deojci32.exe112⤵PID:2872
-
C:\Windows\SysWOW64\Dgpfkakd.exeC:\Windows\system32\Dgpfkakd.exe113⤵PID:1624
-
C:\Windows\SysWOW64\Dognlnlf.exeC:\Windows\system32\Dognlnlf.exe114⤵PID:3000
-
C:\Windows\SysWOW64\Dphjcf32.exeC:\Windows\system32\Dphjcf32.exe115⤵
- Drops file in System32 directory
PID:1836 -
C:\Windows\SysWOW64\Dknoaoaj.exeC:\Windows\system32\Dknoaoaj.exe116⤵PID:2308
-
C:\Windows\SysWOW64\Ddfcje32.exeC:\Windows\system32\Ddfcje32.exe117⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2352 -
C:\Windows\SysWOW64\Dgdpfp32.exeC:\Windows\system32\Dgdpfp32.exe118⤵PID:792
-
C:\Windows\SysWOW64\Dnnhbjnk.exeC:\Windows\system32\Dnnhbjnk.exe119⤵PID:1200
-
C:\Windows\SysWOW64\Eckpkamb.exeC:\Windows\system32\Eckpkamb.exe120⤵PID:1980
-
C:\Windows\SysWOW64\Ejehgkdp.exeC:\Windows\system32\Ejehgkdp.exe121⤵PID:2400
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-