Analysis
max time kernel: 55s
max time network: 20s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 05/03/2025, 11:27
Static task: static1
Behavioral task: behavioral1
  Sample: e0a18ab9cae182b27a32ff15164bfd4b5ef3c3104ac2a68b6de2792d4488c8a0.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: e0a18ab9cae182b27a32ff15164bfd4b5ef3c3104ac2a68b6de2792d4488c8a0.exe
  Resource: win10v2004-20250217-en
General
Target: e0a18ab9cae182b27a32ff15164bfd4b5ef3c3104ac2a68b6de2792d4488c8a0.exe
Size: 1.2MB
MD5: 9db5d4040821aae532be1ff9d305a1a1
SHA1: 13edbb066c6c66ccec1f1e27e3b7a42d9253e090
SHA256: e0a18ab9cae182b27a32ff15164bfd4b5ef3c3104ac2a68b6de2792d4488c8a0
SHA512: 1380c0d925cba8cb847b7c8e2edc965583b9eeb48ec0bbd4d5ee078563c32fc9f8912cd2b718bdc75b5dd3e5bdba478e0e682acb6d3928619d42111c40288ed9
SSDEEP: 24576:Sgb4gu5YyCtCCm0BKh2kkkkK4kXkkkkkkkkhLX3a20R0v50+YR:Cgu5RCtCXbazR0vk
Malware Config
Extracted: berbew
http://f/wcmd.htm
http://f/ppslog.php
http://f/piplog.php?%s:%i:%i:%s:%09u:%i:%02d:%02d:%02d
Signatures
Adds autorun key to be loaded by Explorer.exe on startup (2 TTPs, 64 IoCs)
Berbew family
Executes dropped EXE (64 IoCs)
Loads dropped DLL (64 IoCs)
Drops file in System32 directory (64 IoCs)
Program crash (1 IoC)
pid   pid_target   Process        procid_target
3468  3444         WerFault.exe   298
System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Modifies registry class (64 IoCs)
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gkhenlcd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cnhhia32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Iaqnbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Pidgnc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ljbmdmfc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ldhaaefi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ppacfg32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Cahbem32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jdnijidk.dll" Cahbem32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ffeoid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oeakle32.dll" Hfhjfp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Olhfdl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = 
"C:\\Windows\\SysWow64\\Alombeqd.dll" Eadejede.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fkgemh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hggegknp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gqebij32.dll" Feeldk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hhnpih32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pnodmd32.dll" Jdipnedn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Acoidhii.dll" Nahhfoij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hmnoih32.dll" Nldbbbno.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Bfliqmjg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Idlgohcl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aefaafcm.dll" Goohckob.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Ldhaaefi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ddfjak32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Phhnkggl.dll" Cljajh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkfbibki.dll" Acldpojj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Lfpebq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Gmhibenb.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hldldq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Dopkai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fjhjlm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Abkqle32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ieoiai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lffhqa32.dll" Cpldjajo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Bpdgolml.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fiomhc32.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fiomhc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mimjpp32.dll" Hbjjfl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkkbad32.dll" Hldldq32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggjmhn32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Mjkpjkni.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Lafpipoa.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idoclg32.dll" Pobhfl32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkjekf32.dll" Fcckjb32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Milcphgf.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ihlkogio.dll" Njnion32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fkgemh32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ejldfh32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Fianpp32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Hhnpih32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Nkfpefme.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qbggqfca.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ooabjbdn.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Qjaejbmq.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ianmke32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID e0a18ab9cae182b27a32ff15164bfd4b5ef3c3104ac2a68b6de2792d4488c8a0.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ganbem32.dll" Bjclfmfe.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dnbgonif.dll" Flcjjdpe.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Hfhjfp32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jlamcqni.dll" Nkfpefme.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjjgha32.dll" Fehjcc32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Nihjfm32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Peqidn32.exe
-
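The "Adds autorun key" and "Modifies registry class" events are two halves of one persistence mechanism: a value under ShellServiceObjectDelayLoad names a CLSID, and that CLSID's InProcServer32 default value names a DLL that Explorer.exe loads at logon. The report lists the halves as separate events, so the DLL list behind the SSODL entry has to be joined back together by CLSID. The Python below is an added example, not part of the Triage report or of the sample; it parses event lines in the report's format and does that join. SAMPLE_EVENTS holds five constructed lines in that format (the CLSID, value name, DLL names and writing processes are ones the report shows); the regexes and the function names are this example's own.

```python
"""Join Triage registry events into the SSODL persistence chain they describe."""
import re
from collections import defaultdict

# Event formats used in the report's signature tables.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<path>.+?) = "(?P<data>.*)" (?P<proc>\S+)$'
)
KEY_CREATED_RE = re.compile(r"^Key created (?P<path>.+) (?P<proc>\S+)$")
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})")
SSODL_RE = re.compile(r"\\ShellServiceObjectDelayLoad\\(?P<name>[^\\]+)$", re.IGNORECASE)

# Constructed sample: five event lines in the report's format. A real run takes
# every line of the 'Adds autorun key' and 'Modifies registry class' sections.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FAA099-1BAE-816E-D711-115290CEE717}" Bjnhpj32.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 Ggjmhn32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mimjpp32.dll" Hbjjfl32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ThreadingModel = "Apartment" Fiomhc32.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ganbem32.dll" Bjclfmfe.exe',
]


def parse_event(line):
    """Return (op, path, data, process) for one event line, or None if it is not one."""
    m = SET_VALUE_RE.match(line.strip())
    if m:
        # The report doubles backslashes inside string data; undo that.
        return "set", m["path"], m["data"].replace("\\\\", "\\"), m["proc"]
    m = KEY_CREATED_RE.match(line.strip())
    if m:
        return "create", m["path"], None, m["proc"]
    return None


def correlate(events):
    """Join SSODL values with the CLSID registrations they point at.

    Result: {clsid: {"ssodl_names", "servers", "threading", "writers"}}, each a set.
    Only CLSIDs referenced by some SSODL value are returned, so the result is
    exactly the set of objects Explorer.exe will load at the next logon.
    """
    chains = defaultdict(lambda: {"ssodl_names": set(), "servers": set(),
                                  "threading": set(), "writers": set()})
    referenced = set()
    for line in events:
        parsed = parse_event(line)
        if parsed is None:
            continue
        op, path, data, proc = parsed
        ssodl = SSODL_RE.search(path)
        if ssodl and op == "set":
            clsid = data.upper()
            chains[clsid]["ssodl_names"].add(ssodl["name"])
            chains[clsid]["writers"].add(proc)
            referenced.add(clsid)
            continue
        cm = CLSID_RE.search(path)
        if not cm:
            continue
        entry = chains[cm.group(1).upper()]
        entry["writers"].add(proc)
        if op == "set" and path.endswith("\\InProcServer32\\"):
            entry["servers"].add(data)          # default value: the DLL to load
        elif op == "set" and path.endswith("\\InProcServer32\\ThreadingModel"):
            entry["threading"].add(data)
    return {c: v for c, v in chains.items() if c in referenced}


def rotating_servers(chains):
    """CLSIDs whose InProcServer32 path was pointed at more than one DLL.

    A legitimate shell extension registers one server; a CLSID re-pointed at a
    fresh randomly named DLL by each generation of the dropper is a strong signal.
    """
    return sorted(c for c, v in chains.items() if len(v["servers"]) > 1)


if __name__ == "__main__":
    for clsid, info in correlate(SAMPLE_EVENTS).items():
        print(clsid, info["ssodl_names"], sorted(info["servers"]), sorted(info["writers"]))
    print("rotating:", rotating_servers(correlate(SAMPLE_EVENTS)))
```

Run over the full report, the `servers` set for the one CLSID becomes the complete list of dropped DLL names under C:\Windows\SysWow64 (Mimjpp32.dll, Hkkbad32.dll, Idoclg32.dll, and so on), which is the file-based IoC list to sweep for, and `writers` gives the generation of the chain that wrote each half.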
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target (each row below appears four times in the original table)
PID 2604 wrote to memory of 1248 2604 e0a18ab9cae182b27a32ff15164bfd4b5ef3c3104ac2a68b6de2792d4488c8a0.exe 29
PID 1248 wrote to memory of 2496 1248 Cnekcblk.exe 30
PID 2496 wrote to memory of 2836 2496 Cnhhia32.exe 31
PID 2836 wrote to memory of 2868 2836 Ddfjak32.exe 32
PID 2868 wrote to memory of 2676 2868 Dopkai32.exe 33
PID 2676 wrote to memory of 1920 2676 Dflpdb32.exe 34
PID 1920 wrote to memory of 1780 1920 Epgabhdg.exe 35
PID 1780 wrote to memory of 2084 1780 Epinhg32.exe 36
PID 2084 wrote to memory of 2568 2084 Ejcohe32.exe 37
PID 2568 wrote to memory of 1140 2568 Elbkbh32.exe 38
PID 1140 wrote to memory of 1228 1140 Ecnpgj32.exe 39
PID 1228 wrote to memory of 1232 1228 Fdpmljan.exe 40
PID 1232 wrote to memory of 2860 1232 Ffaeneno.exe 41
PID 2860 wrote to memory of 2364 2860 Fianpp32.exe 42
PID 2364 wrote to memory of 2556 2364 Ffeoid32.exe 43
PID 2556 wrote to memory of 2092 2556 Foacmg32.exe 44
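The WriteProcessMemory rows are a relay: every dropped executable spawns exactly one successor, writes into it, and hands off, so the rows chain end to end from the submitted sample down through the dropped copies. The Python below is an added example, not part of the Triage report; it parses rows in the report's format, rebuilds that chain from the writer/target PIDs and scores it. SAMPLE_ROWS is a constructed copy of the first three hops, each repeated four times as in the original table; Edge, relay_chain and is_daisy_chain are this example's own names.

```python
"""Rebuild the process relay chain from Triage WriteProcessMemory rows."""
import re
from collections import Counter
from typing import NamedTuple

# Row layout: PID <src> wrote to memory of <dst> <src> <image of src> <triage index>
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P<pid>\d+) (?P<image>\S+) (?P<idx>\d+)$"
)


class Edge(NamedTuple):
    src: int     # PID of the writing process
    image: str   # image name of the writing process, as reported
    dst: int     # PID written to


# Constructed sample: the first three hops of the report's chain, each reported
# four times as in the original table.
SAMPLE_ROWS = (
    ["PID 2604 wrote to memory of 1248 2604 "
     "e0a18ab9cae182b27a32ff15164bfd4b5ef3c3104ac2a68b6de2792d4488c8a0.exe 29"] * 4
    + ["PID 1248 wrote to memory of 2496 1248 Cnekcblk.exe 30"] * 4
    + ["PID 2496 wrote to memory of 2836 2496 Cnhhia32.exe 31"] * 4
)


def parse_rows(rows):
    """Return (unique edges in first-seen order, Counter of rows per edge).

    Rows whose leading PID disagrees with the pid column are malformed and skipped.
    """
    counts = Counter()
    edges = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m or m["src"] != m["pid"]:
            continue
        edge = Edge(int(m["src"]), m["image"], int(m["dst"]))
        if edge not in counts:
            edges.append(edge)
        counts[edge] += 1
    return edges, counts


def relay_chain(rows):
    """Follow writer -> target edges from the root to rebuild the chain.

    The root is the only writer nobody wrote into. If a writer has several
    targets, the first-seen edge is followed, which matches the linear layout
    Triage shows for this sample; a cycle guard stops on repeated PIDs.
    """
    edges, _ = parse_rows(rows)
    by_src = {}
    for e in edges:
        by_src.setdefault(e.src, []).append(e)
    targets = {e.dst for e in edges}
    roots = [s for s in by_src if s not in targets]
    if len(roots) != 1:
        raise ValueError(f"expected one root process, found {roots}")
    chain, seen, cur = [], set(), roots[0]
    while cur in by_src and cur not in seen:
        seen.add(cur)
        nxt = by_src[cur][0]
        chain.append(nxt)
        cur = nxt.dst
    return chain


def is_daisy_chain(chain, min_hops=3):
    """True when the chain has at least min_hops hops and every hop uses a different image.

    One process writing into one freshly spawned child is ordinary (installers,
    debuggers); a run of distinct images each writing into the next is not.
    """
    images = [e.image.lower() for e in chain]
    return len(chain) >= min_hops and len(set(images)) == len(images)


if __name__ == "__main__":
    for hop, e in enumerate(relay_chain(SAMPLE_ROWS), 1):
        print(f"hop {hop}: {e.src} ({e.image}) -> {e.dst}")
    print("daisy chain:", is_daisy_chain(relay_chain(SAMPLE_ROWS)))
```

On the full table the chain runs sixteen hops from PID 2604 to PID 2092 with a different image name at every hop, which is the feature to key a detection on: a parent/child depth this large, all under C:\Windows\SysWOW64 and all with never-before-seen names, does not occur in normal software installation.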
Processes
-
C:\Users\Admin\AppData\Local\Temp\e0a18ab9cae182b27a32ff15164bfd4b5ef3c3104ac2a68b6de2792d4488c8a0.exe (depth 1, command line: "C:\Users\Admin\AppData\Local\Temp\e0a18ab9cae182b27a32ff15164bfd4b5ef3c3104ac2a68b6de2792d4488c8a0.exe")
- Adds autorun key to be loaded by Explorer.exe on startup
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2604
C:\Windows\SysWOW64\Cnekcblk.exe (depth 2, command line: C:\Windows\system32\Cnekcblk.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1248
C:\Windows\SysWOW64\Cnhhia32.exe (depth 3, command line: C:\Windows\system32\Cnhhia32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2496
C:\Windows\SysWOW64\Ddfjak32.exe (depth 4, command line: C:\Windows\system32\Ddfjak32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2836
C:\Windows\SysWOW64\Dopkai32.exe (depth 5, command line: C:\Windows\system32\Dopkai32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2868
C:\Windows\SysWOW64\Dflpdb32.exe (depth 6, command line: C:\Windows\system32\Dflpdb32.exe)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
C:\Windows\SysWOW64\Epgabhdg.exe (depth 7, command line: C:\Windows\system32\Epgabhdg.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1920
C:\Windows\SysWOW64\Epinhg32.exe (depth 8, command line: C:\Windows\system32\Epinhg32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1780
C:\Windows\SysWOW64\Ejcohe32.exe (depth 9, command line: C:\Windows\system32\Ejcohe32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2084
C:\Windows\SysWOW64\Elbkbh32.exe (depth 10, command line: C:\Windows\system32\Elbkbh32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2568
C:\Windows\SysWOW64\Ecnpgj32.exe (depth 11, command line: C:\Windows\system32\Ecnpgj32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1140
C:\Windows\SysWOW64\Fdpmljan.exe (depth 12, command line: C:\Windows\system32\Fdpmljan.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1228
C:\Windows\SysWOW64\Ffaeneno.exe (depth 13, command line: C:\Windows\system32\Ffaeneno.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1232
C:\Windows\SysWOW64\Fianpp32.exe (depth 14, command line: C:\Windows\system32\Fianpp32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2860
C:\Windows\SysWOW64\Ffeoid32.exe (depth 15, command line: C:\Windows\system32\Ffeoid32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2364
C:\Windows\SysWOW64\Foacmg32.exe (depth 16, command line: C:\Windows\system32\Foacmg32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2556
C:\Windows\SysWOW64\Gledgkfn.exe (depth 17, command line: C:\Windows\system32\Gledgkfn.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2092
C:\Windows\SysWOW64\Ghlell32.exe (depth 18, command line: C:\Windows\system32\Ghlell32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1604
C:\Windows\SysWOW64\Cjdonndl.exe (depth 19, command line: C:\Windows\system32\Cjdonndl.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1568
C:\Windows\SysWOW64\Cofaad32.exe (depth 20, command line: C:\Windows\system32\Cofaad32.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2740
C:\Windows\SysWOW64\Cljajh32.exe (depth 21, command line: C:\Windows\system32\Cljajh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:3024
C:\Windows\SysWOW64\Dfecim32.exe (depth 22, command line: C:\Windows\system32\Dfecim32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1624
C:\Windows\SysWOW64\Dblcnngi.exe (depth 23, command line: C:\Windows\system32\Dblcnngi.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2008
C:\Windows\SysWOW64\Ejnnbpol.exe (depth 24, command line: C:\Windows\system32\Ejnnbpol.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1648
C:\Windows\SysWOW64\Emogdk32.exe (depth 25, command line: C:\Windows\system32\Emogdk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2136
C:\Windows\SysWOW64\Fijadk32.exe (depth 26, command line: C:\Windows\system32\Fijadk32.exe)
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2880
C:\Windows\SysWOW64\Flmglfhk.exe (depth 27, command line: C:\Windows\system32\Flmglfhk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2936
C:\Windows\SysWOW64\Feeldk32.exe (depth 28, command line: C:\Windows\system32\Feeldk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2852
C:\Windows\SysWOW64\Fhfdffll.exe (depth 29, command line: C:\Windows\system32\Fhfdffll.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2028
C:\Windows\SysWOW64\Giogonlb.exe (depth 30, command line: C:\Windows\system32\Giogonlb.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:2336
C:\Windows\SysWOW64\Geehcoaf.exe (depth 31, command line: C:\Windows\system32\Geehcoaf.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1708
C:\Windows\SysWOW64\Hgnjlfam.exe (depth 32, command line: C:\Windows\system32\Hgnjlfam.exe)
- Executes dropped EXE
- Loads dropped DLL
PID:1012
C:\Windows\SysWOW64\Hnjonpgg.exe (depth 33, command line: C:\Windows\system32\Hnjonpgg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:436
C:\Windows\SysWOW64\Ihhjjm32.exe (depth 34, command line: C:\Windows\system32\Ihhjjm32.exe)
- Executes dropped EXE
PID:2848
C:\Windows\SysWOW64\Iaqnbb32.exe (depth 35, command line: C:\Windows\system32\Iaqnbb32.exe)
- Executes dropped EXE
- Modifies registry class
PID:2424
C:\Windows\SysWOW64\Jnlhbb32.exe (depth 36, command line: C:\Windows\system32\Jnlhbb32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2788
C:\Windows\SysWOW64\Jkpilg32.exe (depth 37, command line: C:\Windows\system32\Jkpilg32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1612
C:\Windows\SysWOW64\Jcmjfiab.exe (depth 38, command line: C:\Windows\system32\Jcmjfiab.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1596
C:\Windows\SysWOW64\Jodkkj32.exe (depth 39, command line: C:\Windows\system32\Jodkkj32.exe)
- Executes dropped EXE
PID:2712
C:\Windows\SysWOW64\Jkklpk32.exe (depth 40, command line: C:\Windows\system32\Jkklpk32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:980
C:\Windows\SysWOW64\Kpkali32.exe (depth 41, command line: C:\Windows\system32\Kpkali32.exe)
- Executes dropped EXE
PID:2040
C:\Windows\SysWOW64\Kaojiqej.exe (depth 42, command line: C:\Windows\system32\Kaojiqej.exe)
- Executes dropped EXE
PID:1244
C:\Windows\SysWOW64\Kmeknakn.exe (depth 43, command line: C:\Windows\system32\Kmeknakn.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1576
C:\Windows\SysWOW64\Lafpipoa.exe (depth 44, command line: C:\Windows\system32\Lafpipoa.exe)
- Executes dropped EXE
- Modifies registry class
PID:840
C:\Windows\SysWOW64\Ljnebe32.exe (depth 45, command line: C:\Windows\system32\Ljnebe32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2780
C:\Windows\SysWOW64\Lfgbmf32.exe (depth 46, command line: C:\Windows\system32\Lfgbmf32.exe)
- Executes dropped EXE
PID:1712
C:\Windows\SysWOW64\Mddidnqa.exe (depth 47, command line: C:\Windows\system32\Mddidnqa.exe)
- Executes dropped EXE
PID:1608
C:\Windows\SysWOW64\Mkqnghfk.exe (depth 48, command line: C:\Windows\system32\Mkqnghfk.exe)
- Executes dropped EXE
PID:1952
C:\Windows\SysWOW64\Mclbkjcf.exe (depth 49, command line: C:\Windows\system32\Mclbkjcf.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:524
C:\Windows\SysWOW64\Nglhghgj.exe (depth 50, command line: C:\Windows\system32\Nglhghgj.exe)
- Executes dropped EXE
PID:1932
C:\Windows\SysWOW64\Nogmkk32.exe (depth 51, command line: C:\Windows\system32\Nogmkk32.exe)
- Executes dropped EXE
PID:828
C:\Windows\SysWOW64\Nkpjfkhf.exe (depth 52, command line: C:\Windows\system32\Nkpjfkhf.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:2528
C:\Windows\SysWOW64\Ndhooaog.exe (depth 53, command line: C:\Windows\system32\Ndhooaog.exe)
- Executes dropped EXE
PID:2720
C:\Windows\SysWOW64\Odmhjp32.exe (depth 54, command line: C:\Windows\system32\Odmhjp32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2916
C:\Windows\SysWOW64\Olhmnb32.exe (depth 55, command line: C:\Windows\system32\Olhmnb32.exe)
- Executes dropped EXE
- Drops file in System32 directory
PID:1884
C:\Windows\SysWOW64\Ohajic32.exe (depth 56, command line: C:\Windows\system32\Ohajic32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2080
C:\Windows\SysWOW64\Pidgnc32.exe (depth 57, command line: C:\Windows\system32\Pidgnc32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2312
C:\Windows\SysWOW64\Pdkgcd32.exe (depth 58, command line: C:\Windows\system32\Pdkgcd32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2512
C:\Windows\SysWOW64\Pobhfl32.exe (depth 59, command line: C:\Windows\system32\Pobhfl32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1508
C:\Windows\SysWOW64\Pkiikm32.exe (depth 60, command line: C:\Windows\system32\Pkiikm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2620
C:\Windows\SysWOW64\Peandcih.exe (depth 61, command line: C:\Windows\system32\Peandcih.exe)
- Executes dropped EXE
PID:2372
C:\Windows\SysWOW64\Qpnkjq32.exe (depth 62, command line: C:\Windows\system32\Qpnkjq32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1432
C:\Windows\SysWOW64\Acldpojj.exe (depth 63, command line: C:\Windows\system32\Acldpojj.exe)
- Executes dropped EXE
- Modifies registry class
PID:2804
C:\Windows\SysWOW64\Aikine32.exe (depth 64, command line: C:\Windows\system32\Aikine32.exe)
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1852
C:\Windows\SysWOW64\Aeajcf32.exe (depth 65, command line: C:\Windows\system32\Aeajcf32.exe)
- Executes dropped EXE
PID:1636
C:\Windows\SysWOW64\Bakgmgpe.exe (depth 66, command line: C:\Windows\system32\Bakgmgpe.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:608
C:\Windows\SysWOW64\Bjclfmfe.exe (depth 67, command line: C:\Windows\system32\Bjclfmfe.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:324
C:\Windows\SysWOW64\Bfliqmjg.exe (depth 68, command line: C:\Windows\system32\Bfliqmjg.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2644
C:\Windows\SysWOW64\Bpdnjb32.exe (depth 69, command line: C:\Windows\system32\Bpdnjb32.exe)
- System Location Discovery: System Language Discovery
PID:2548
C:\Windows\SysWOW64\Colgpo32.exe (depth 70, command line: C:\Windows\system32\Colgpo32.exe)
- Drops file in System32 directory
PID:1752
C:\Windows\SysWOW64\Cpldjajo.exe (depth 71, command line: C:\Windows\system32\Cpldjajo.exe)
- Modifies registry class
PID:1448
C:\Windows\SysWOW64\Cnfnlk32.exe (depth 72, command line: C:\Windows\system32\Cnfnlk32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2256
C:\Windows\SysWOW64\Cgnbepjp.exe (depth 73, command line: C:\Windows\system32\Cgnbepjp.exe)
PID:1044
C:\Windows\SysWOW64\Cnhjbjam.exe (depth 74, command line: C:\Windows\system32\Cnhjbjam.exe)
PID:3016
C:\Windows\SysWOW64\Dcjleq32.exe (depth 75, command line: C:\Windows\system32\Dcjleq32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2888
C:\Windows\SysWOW64\Djfagjai.exe (depth 76, command line: C:\Windows\system32\Djfagjai.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1716
C:\Windows\SysWOW64\Dbaflm32.exe (depth 77, command line: C:\Windows\system32\Dbaflm32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2484
C:\Windows\SysWOW64\Enajgllm.exe (depth 78, command line: C:\Windows\system32\Enajgllm.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:976
C:\Windows\SysWOW64\Fjhjlm32.exe (depth 79, command line: C:\Windows\system32\Fjhjlm32.exe)
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2412
C:\Windows\SysWOW64\Fcckjb32.exe (depth 80, command line: C:\Windows\system32\Fcckjb32.exe)
- Modifies registry class
PID:2636
C:\Windows\SysWOW64\Fpjlpclc.exe (depth 81, command line: C:\Windows\system32\Fpjlpclc.exe)
PID:1680
C:\Windows\SysWOW64\Flcjjdpe.exe (depth 82, command line: C:\Windows\system32\Flcjjdpe.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1064
C:\Windows\SysWOW64\Gapbbk32.exe (depth 83, command line: C:\Windows\system32\Gapbbk32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1704
C:\Windows\SysWOW64\Genkhidc.exe (depth 84, command line: C:\Windows\system32\Genkhidc.exe)
PID:2036
C:\Windows\SysWOW64\Gepgni32.exe (depth 85, command line: C:\Windows\system32\Gepgni32.exe)
- Drops file in System32 directory
PID:2448
C:\Windows\SysWOW64\Hjaiaolb.exe (depth 86, command line: C:\Windows\system32\Hjaiaolb.exe)
- Drops file in System32 directory
PID:2400
C:\Windows\SysWOW64\Hfhjfp32.exe (depth 87, command line: C:\Windows\system32\Hfhjfp32.exe)
- Modifies registry class
PID:1492
C:\Windows\SysWOW64\Hlgodgnk.exe (depth 88, command line: C:\Windows\system32\Hlgodgnk.exe)
PID:1016
C:\Windows\SysWOW64\Hhnpih32.exe (depth 89, command line: C:\Windows\system32\Hhnpih32.exe)
- Drops file in System32 directory
- Modifies registry class
PID:1700
C:\Windows\SysWOW64\Ikafpbon.exe (depth 90, command line: C:\Windows\system32\Ikafpbon.exe)
PID:1308
C:\Windows\SysWOW64\Idlgohcl.exe (depth 91, command line: C:\Windows\system32\Idlgohcl.exe)
- Modifies registry class
PID:872
C:\Windows\SysWOW64\Ipedihgm.exe (depth 92, command line: C:\Windows\system32\Ipedihgm.exe)
PID:2884
C:\Windows\SysWOW64\Iniebmfg.exe (depth 93, command line: C:\Windows\system32\Iniebmfg.exe)
- System Location Discovery: System Language Discovery
PID:2524
C:\Windows\SysWOW64\Jhebij32.exe (depth 94, command line: C:\Windows\system32\Jhebij32.exe)
PID:2164
C:\Windows\SysWOW64\Jdlcnkfg.exe (depth 95, command line: C:\Windows\system32\Jdlcnkfg.exe)
- Drops file in System32 directory
PID:2808
C:\Windows\SysWOW64\Khlhiijk.exe (depth 96, command line: C:\Windows\system32\Khlhiijk.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2632
C:\Windows\SysWOW64\Kceijg32.exe (depth 97, command line: C:\Windows\system32\Kceijg32.exe)
- System Location Discovery: System Language Discovery
PID:2756
C:\Windows\SysWOW64\Koogdg32.exe (depth 98, command line: C:\Windows\system32\Koogdg32.exe)
PID:1332
C:\Windows\SysWOW64\Kqncnjan.exe (depth 99, command line: C:\Windows\system32\Kqncnjan.exe)
- Drops file in System32 directory
PID:2816
C:\Windows\SysWOW64\Kiihcmoi.exe (depth 100, command line: C:\Windows\system32\Kiihcmoi.exe)
PID:2864
C:\Windows\SysWOW64\Lfpebq32.exe (depth 101, command line: C:\Windows\system32\Lfpebq32.exe)
- Modifies registry class
PID:2488
C:\Windows\SysWOW64\Lgekdh32.exe (depth 102, command line: C:\Windows\system32\Lgekdh32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2272
C:\Windows\SysWOW64\Leilnllb.exe (depth 103, command line: C:\Windows\system32\Leilnllb.exe)
- Drops file in System32 directory
PID:2196
C:\Windows\SysWOW64\Mabihm32.exe (depth 104, command line: C:\Windows\system32\Mabihm32.exe)
PID:2912
C:\Windows\SysWOW64\Minnmomo.exe (depth 105, command line: C:\Windows\system32\Minnmomo.exe)
PID:1972
C:\Windows\SysWOW64\Mlacdj32.exe (depth 106, command line: C:\Windows\system32\Mlacdj32.exe)
PID:1364
C:\Windows\SysWOW64\Nkfpefme.exe (depth 107, command line: C:\Windows\system32\Nkfpefme.exe)
- Modifies registry class
PID:2876
C:\Windows\SysWOW64\Nkkjpf32.exe (depth 108, command line: C:\Windows\system32\Nkkjpf32.exe)
PID:2948
C:\Windows\SysWOW64\Nhojjjhj.exe (depth 109, command line: C:\Windows\system32\Nhojjjhj.exe)
PID:1876
C:\Windows\SysWOW64\Opllclcb.exe (depth 110, command line: C:\Windows\system32\Opllclcb.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2668
C:\Windows\SysWOW64\Olclimif.exe (depth 111, command line: C:\Windows\system32\Olclimif.exe)
PID:2000
C:\Windows\SysWOW64\Ocpakg32.exe (depth 112, command line: C:\Windows\system32\Ocpakg32.exe)
- System Location Discovery: System Language Discovery
PID:2140
C:\Windows\SysWOW64\Olhfdl32.exe (depth 113, command line: C:\Windows\system32\Olhfdl32.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:900
C:\Windows\SysWOW64\Pgdcjjom.exe (depth 114, command line: C:\Windows\system32\Pgdcjjom.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2908
C:\Windows\SysWOW64\Paihgboc.exe (depth 115, command line: C:\Windows\system32\Paihgboc.exe)
PID:1892
C:\Windows\SysWOW64\Pnbeacbd.exe (depth 116, command line: C:\Windows\system32\Pnbeacbd.exe)
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2248
C:\Windows\SysWOW64\Pfnjfepp.exe (depth 117, command line: C:\Windows\system32\Pfnjfepp.exe)
PID:3036
C:\Windows\SysWOW64\Qbggqfca.exe (depth 118, command line: C:\Windows\system32\Qbggqfca.exe)
- Modifies registry class
PID:1600
C:\Windows\SysWOW64\Qkolil32.exe (depth 119, command line: C:\Windows\system32\Qkolil32.exe)
PID:1980
C:\Windows\SysWOW64\Abkqle32.exe (depth 120, command line: C:\Windows\system32\Abkqle32.exe)
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1964
C:\Windows\SysWOW64\Aeljmq32.exe (depth 121, command line: C:\Windows\system32\Aeljmq32.exe)
- Drops file in System32 directory
PID:2812
C:\Windows\SysWOW64\Ajkokgia.exe (depth 122, command line: C:\Windows\system32\Ajkokgia.exe)
PID:2732