Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
119s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system -
submitted
25/07/2024, 11:56
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
cdcffba2227040bdb18d3606ccf43df0N.exe
Resource
win7-20240705-en
windows7-x64
8 signatures
120 seconds
Behavioral task
behavioral2
Sample
cdcffba2227040bdb18d3606ccf43df0N.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
7 signatures
120 seconds
General
-
Target
cdcffba2227040bdb18d3606ccf43df0N.exe
-
Size
96KB
-
MD5
cdcffba2227040bdb18d3606ccf43df0
-
SHA1
cdeefa00d25efff02ef4786db22fec8dd6e82793
-
SHA256
df1bae8bc7322f7730ab603f15550193acd02662cc57a896e8466e45c3b0b82c
-
SHA512
eac0c3e20054f533d5d60b32d3a87529209c3b45502f8c378f0336b881bfe28f3a5dcdc5cbb27f80e94a4f55ea941139d247a418d71fbf686e319f8d3dca493e
-
SSDEEP
1536:k+2h6meDt4szo+vDCc4NCBYajUABmkP6Mq7rllqUOcyoh/NR4+G:4Ytr7jFBxjUSmkCMQ/9h/NRa
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pegqpacp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oippjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imleli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Mhonngce.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aggiigmn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bnqned32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dknajh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bdcifi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ccjoli32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idcacc32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kgkleabc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kglehp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ldbofgme.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lohccp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nibqqh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nbmaon32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijmipn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pcdkif32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hphidanj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhbold32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cchbgi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npaich32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Iafnjg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbadjg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hfjpdjjo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nedhjj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bmlael32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhlmmfef.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pckajebj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Egikjh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Goplilpf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cocphf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noffdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dgbeiiqe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Npaich32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eppcmncq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ggnmbn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jlkngc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Loefnpnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Alnalh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hhcmhdke.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jpjngh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhbold32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amaelomh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jdpjba32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Anjlebjc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oippjl32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihhcbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Phhjblpa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Nbniid32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmmfaa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Knbhlkkc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gfhgpg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Npjlhcmd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Akcomepg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbffoabe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gegabegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gegabegc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hmoofdea.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lboiol32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Agpcihcf.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqhhanig.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bejfao32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gmpcgace.exe -
Executes dropped EXE 64 IoCs
pid Process 1728 Foojop32.exe 1304 Fjdnlhco.exe 2032 Fmcjhdbc.exe 3012 Ffkoai32.exe 2708 Fhikme32.exe 1756 Foccjood.exe 2608 Fbbofjnh.exe 2148 Filgbdfd.exe 548 Fkjdopeh.exe 1968 Fbdlkj32.exe 332 Fdbhge32.exe 1740 Fgadda32.exe 1528 Gnkmqkbi.exe 2932 Gqiimfam.exe 2548 Ggcaiqhj.exe 664 Gnmifk32.exe 1808 Gqlebf32.exe 3032 Gqlebf32.exe 1608 Gegabegc.exe 1040 Gjdjklek.exe 1388 Gnpflj32.exe 1684 Gqnbhf32.exe 2868 Gcmoda32.exe 2092 Gfkkpmko.exe 2484 Gjfgqk32.exe 1596 Gaqomeke.exe 808 Gcokiaji.exe 2816 Gildahhp.exe 2900 Gmgpbf32.exe 2824 Gcahoqhf.exe 2240 Gcahoqhf.exe 2756 Hmjlhfof.exe 2908 Hphidanj.exe 2160 Heealhla.exe 568 Hhcmhdke.exe 2884 Hloiib32.exe 1948 Hbiaemkk.exe 1952 Hlafnbal.exe 284 Hnpbjnpo.exe 2864 Hbknkl32.exe 2688 Hlccdboi.exe 2440 Hnbopmnm.exe 2364 Hapklimq.exe 296 Hfmddp32.exe 624 Hmglajcd.exe 2468 Iabhah32.exe 2284 Ihmpobck.exe 3048 Ijklknbn.exe 2340 Imiigiab.exe 2500 Iaeegh32.exe 2080 Idcacc32.exe 2892 Idcacc32.exe 2812 Ibfaopoi.exe 2720 Ijmipn32.exe 2636 Iipiljgf.exe 2312 Imleli32.exe 1864 Ilofhffj.exe 328 Idfnicfl.exe 1992 Ibhndp32.exe 1904 Iegjqk32.exe 1760 Imnbbi32.exe 1816 Iplnnd32.exe 2296 Ibkkjp32.exe 2568 Ifffkncm.exe -
Loads dropped DLL 64 IoCs
pid Process 2044 cdcffba2227040bdb18d3606ccf43df0N.exe 2044 cdcffba2227040bdb18d3606ccf43df0N.exe 1728 Foojop32.exe 1728 Foojop32.exe 1304 Fjdnlhco.exe 1304 Fjdnlhco.exe 2032 Fmcjhdbc.exe 2032 Fmcjhdbc.exe 3012 Ffkoai32.exe 3012 Ffkoai32.exe 2708 Fhikme32.exe 2708 Fhikme32.exe 1756 Foccjood.exe 1756 Foccjood.exe 2608 Fbbofjnh.exe 2608 Fbbofjnh.exe 2148 Filgbdfd.exe 2148 Filgbdfd.exe 548 Fkjdopeh.exe 548 Fkjdopeh.exe 1968 Fbdlkj32.exe 1968 Fbdlkj32.exe 332 Fdbhge32.exe 332 Fdbhge32.exe 1740 Fgadda32.exe 1740 Fgadda32.exe 1528 Gnkmqkbi.exe 1528 Gnkmqkbi.exe 2932 Gqiimfam.exe 2932 Gqiimfam.exe 2548 Ggcaiqhj.exe 2548 Ggcaiqhj.exe 664 Gnmifk32.exe 664 Gnmifk32.exe 1808 Gqlebf32.exe 1808 Gqlebf32.exe 3032 Gqlebf32.exe 3032 Gqlebf32.exe 1608 Gegabegc.exe 1608 Gegabegc.exe 1040 Gjdjklek.exe 1040 Gjdjklek.exe 1388 Gnpflj32.exe 1388 Gnpflj32.exe 1684 Gqnbhf32.exe 1684 Gqnbhf32.exe 2868 Gcmoda32.exe 2868 Gcmoda32.exe 2092 Gfkkpmko.exe 2092 Gfkkpmko.exe 2484 Gjfgqk32.exe 2484 Gjfgqk32.exe 1596 Gaqomeke.exe 1596 Gaqomeke.exe 808 Gcokiaji.exe 808 Gcokiaji.exe 2816 Gildahhp.exe 2816 Gildahhp.exe 2900 Gmgpbf32.exe 2900 Gmgpbf32.exe 2824 Gcahoqhf.exe 2824 Gcahoqhf.exe 2240 Gcahoqhf.exe 2240 Gcahoqhf.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Ghajacmo.exe Gfcnegnk.exe File opened for modification C:\Windows\SysWOW64\Ahbekjcf.exe Afdiondb.exe File created C:\Windows\SysWOW64\Cfmhdpnc.exe Cbblda32.exe File opened for modification C:\Windows\SysWOW64\Behilopf.exe Bammlq32.exe File created C:\Windows\SysWOW64\Dppllabf.dll Famope32.exe File created C:\Windows\SysWOW64\Fdiogq32.exe Fpmbfbgo.exe File created C:\Windows\SysWOW64\Nefdpjkl.exe Nbhhdnlh.exe File created C:\Windows\SysWOW64\Daofpchf.exe Cblfdg32.exe File opened for modification C:\Windows\SysWOW64\Eobchk32.exe Eppcmncq.exe File opened for modification C:\Windows\SysWOW64\Bgblmk32.exe Becpap32.exe File created C:\Windows\SysWOW64\Ihglhp32.exe Idkpganf.exe File created C:\Windows\SysWOW64\Bplkhj32.dll Nlhjhi32.exe File opened for modification C:\Windows\SysWOW64\Pecgea32.exe Pcdkif32.exe File opened for modification C:\Windows\SysWOW64\Gqiimfam.exe Gnkmqkbi.exe File opened for modification C:\Windows\SysWOW64\Qqfkln32.exe Qngopb32.exe File opened for modification C:\Windows\SysWOW64\Obdojcef.exe Ooicid32.exe File created C:\Windows\SysWOW64\Fpmbfbgo.exe Fnofjfhk.exe File opened for modification C:\Windows\SysWOW64\Pnbojmmp.exe Pkcbnanl.exe File created C:\Windows\SysWOW64\Daddfpbk.dll Idfnicfl.exe File created C:\Windows\SysWOW64\Idfaqoma.dll Ielclkhe.exe File created C:\Windows\SysWOW64\Ibmcpifp.dll Jlelhe32.exe File opened for modification C:\Windows\SysWOW64\Qaqnkafa.exe Qobbofgn.exe File opened for modification C:\Windows\SysWOW64\Dknajh32.exe Dgbeiiqe.exe File created C:\Windows\SysWOW64\Hfjckino.dll Jdnmma32.exe File created C:\Windows\SysWOW64\Cocphf32.exe Ckhdggom.exe File opened for modification C:\Windows\SysWOW64\Gcmoda32.exe Gqnbhf32.exe File created C:\Windows\SysWOW64\Ibmgpoia.exe Ilcoce32.exe File opened for modification C:\Windows\SysWOW64\Folfoj32.exe Edfbaabj.exe File created C:\Windows\SysWOW64\Dgdfdnfj.dll Gncldi32.exe File opened for modification C:\Windows\SysWOW64\Nabopjmj.exe Nncbdomg.exe File created C:\Windows\SysWOW64\Adlcfjgh.exe Abmgjo32.exe File opened for modification C:\Windows\SysWOW64\Ldjpbign.exe Lblcfnhj.exe File opened for modification C:\Windows\SysWOW64\Nijnln32.exe Nfkapb32.exe File created C:\Windows\SysWOW64\Kaajei32.exe Knfndjdp.exe File created C:\Windows\SysWOW64\Ppkhhjei.exe Phcpgm32.exe File created C:\Windows\SysWOW64\Knqcbd32.dll Mbcoio32.exe File created C:\Windows\SysWOW64\Aaddfb32.dll Cbppnbhm.exe File created C:\Windows\SysWOW64\Hlmdnf32.dll Ddpobo32.exe File created C:\Windows\SysWOW64\Lcpkhoab.dll Fcnkhmdp.exe File created C:\Windows\SysWOW64\Hhhgcm32.dll Ieomef32.exe File opened for modification C:\Windows\SysWOW64\Cbppnbhm.exe Ccmpce32.exe File created C:\Windows\SysWOW64\Jodhdp32.exe Jlelhe32.exe File opened for modification C:\Windows\SysWOW64\Aqjdgmgd.exe Amohfo32.exe File created C:\Windows\SysWOW64\Mndmoaog.exe Mlfacfpc.exe File opened for modification C:\Windows\SysWOW64\Kjahej32.exe Kcgphp32.exe File created C:\Windows\SysWOW64\Lnpfoc32.dll Qododfek.exe File opened for modification C:\Windows\SysWOW64\Agpcihcf.exe Qdaglmcb.exe File opened for modification C:\Windows\SysWOW64\Bnnaoe32.exe Bkpeci32.exe File opened for modification C:\Windows\SysWOW64\Oekjjl32.exe Ofhjopbg.exe File opened for modification C:\Windows\SysWOW64\Bkegah32.exe Bmbgfkje.exe File opened for modification C:\Windows\SysWOW64\Cpfmmf32.exe Ckjamgmk.exe File created C:\Windows\SysWOW64\Mejlalji.exe Mfglep32.exe File opened for modification C:\Windows\SysWOW64\Miehak32.exe Mejlalji.exe File opened for modification C:\Windows\SysWOW64\Nidmfh32.exe Nlqmmd32.exe File opened for modification C:\Windows\SysWOW64\Phqmgg32.exe Pdeqfhjd.exe File opened for modification C:\Windows\SysWOW64\Lnpgeopa.exe Lkakicam.exe File created C:\Windows\SysWOW64\Mbkpeake.exe Mpmcielb.exe File opened for modification C:\Windows\SysWOW64\Lhpglecl.exe Lddlkg32.exe File created C:\Windows\SysWOW64\Ednoihel.dll Cocphf32.exe File created C:\Windows\SysWOW64\Omqlpp32.exe Okbpde32.exe File created C:\Windows\SysWOW64\Cmlcld32.dll Eoiiijcc.exe File created C:\Windows\SysWOW64\Ghcicglo.dll Panaeb32.exe File opened for modification C:\Windows\SysWOW64\Ajgbkbjp.exe Aflfjc32.exe File opened for modification C:\Windows\SysWOW64\Jbhcim32.exe Jpigma32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 7268 7232 WerFault.exe 783 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Idcacc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Amfognic.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kkeecogo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgnbnpkp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Obokcqhk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pplaki32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bgaebe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhcmhdke.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljkaeo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mpmcielb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mbcoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbbpenco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gqlebf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qdojgmfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Goplilpf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kgqocoin.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knmdeioh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Klpdaf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljddjj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjhjdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fjdnlhco.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifffkncm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oiljam32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eihgfd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eklqcl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gnaooi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnjcomcf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afffenbp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bmbgfkje.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbblda32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cbdiia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knbhlkkc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lqcmmjko.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lmjnak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Macilmnk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cehfkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eaheeecg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmoofdea.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akkoig32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Knkgpi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mjcaimgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Aoojnc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jenpajfb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mlfacfpc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmalldcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Calcpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ofcqcp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okdmjdol.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Panaeb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dklddhka.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Folfoj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gonocmbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieomef32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljfapjbi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pnbojmmp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Akfkbd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ccmpce32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghajacmo.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gcahoqhf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohhmcinf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bimoloog.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bkmhnjlh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhpemm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elipgofb.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hgiekfhg.dll" Ijqoilii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qggfio32.dll" Mgjnhaco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nabopjmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Qdlggg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kmapmi32.dll" Bkhhhd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dllgcqbk.dll" Fkjdopeh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mdoljh32.dll" Idcacc32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Iihiphln.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kgqocoin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Abmgjo32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anjlebjc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hhhgcm32.dll" Ieomef32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lmljgj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cbpdaj32.dll" Fgldnkkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jkchmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kblikadd.dll" Pidfdofi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Filgbdfd.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Kpadhg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Apoldh32.dll" Gdmdacnn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kgqocoin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lonpma32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lcfbdd32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qododfek.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqcjjk32.dll" Ppnnai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgnenf32.dll" Bnknoogp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njekpl32.dll" Fmcjhdbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ojmpooah.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hlmdnf32.dll" Ddpobo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Imokehhl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lgqkbb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Offmipej.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akcomepg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nlhhkjkc.dll" Agbpnh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bjnalhgb.dll" Cmjdaqgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckjamgmk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Piicpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Aohdmdoh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmibbi32.dll" Bkpeci32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nncbdomg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pojecajj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lbnpkmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Phcpgm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Olnldn32.dll" Hmdhad32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnjeilhc.dll" Lfhhjklc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pdjjag32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pcljmdmj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Adifpk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oaoplfhc.dll" Bqgmfkhg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Nlhjhi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oaqbln32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Clnoge32.dll" Mccbmh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Chdndgcj.dll" Lbafdlod.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Alihaioe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ielclkhe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mpebmc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fchook32.dll" Bkegah32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Odhhgkib.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pkcbnanl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eobchk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Khoqme32.dll" Apgagg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hnbopmnm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jhjphfgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Akiobk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bmcnqama.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2044 wrote to memory of 1728 2044 cdcffba2227040bdb18d3606ccf43df0N.exe 30 PID 2044 wrote to memory of 1728 2044 cdcffba2227040bdb18d3606ccf43df0N.exe 30 PID 2044 wrote to memory of 1728 2044 cdcffba2227040bdb18d3606ccf43df0N.exe 30 PID 2044 wrote to memory of 1728 2044 cdcffba2227040bdb18d3606ccf43df0N.exe 30 PID 1728 wrote to memory of 1304 1728 Foojop32.exe 31 PID 1728 wrote to memory of 1304 1728 Foojop32.exe 31 PID 1728 wrote to memory of 1304 1728 Foojop32.exe 31 PID 1728 wrote to memory of 1304 1728 Foojop32.exe 31 PID 1304 wrote to memory of 2032 1304 Fjdnlhco.exe 32 PID 1304 wrote to memory of 2032 1304 Fjdnlhco.exe 32 PID 1304 wrote to memory of 2032 1304 Fjdnlhco.exe 32 PID 1304 wrote to memory of 2032 1304 Fjdnlhco.exe 32 PID 2032 wrote to memory of 3012 2032 Fmcjhdbc.exe 33 PID 2032 wrote to memory of 3012 2032 Fmcjhdbc.exe 33 PID 2032 wrote to memory of 3012 2032 Fmcjhdbc.exe 33 PID 2032 wrote to memory of 3012 2032 Fmcjhdbc.exe 33 PID 3012 wrote to memory of 2708 3012 Ffkoai32.exe 34 PID 3012 wrote to memory of 2708 3012 Ffkoai32.exe 34 PID 3012 wrote to memory of 2708 3012 Ffkoai32.exe 34 PID 3012 wrote to memory of 2708 3012 Ffkoai32.exe 34 PID 2708 wrote to memory of 1756 2708 Fhikme32.exe 35 PID 2708 wrote to memory of 1756 2708 Fhikme32.exe 35 PID 2708 wrote to memory of 1756 2708 Fhikme32.exe 35 PID 2708 wrote to memory of 1756 2708 Fhikme32.exe 35 PID 1756 wrote to memory of 2608 1756 Foccjood.exe 36 PID 1756 wrote to memory of 2608 1756 Foccjood.exe 36 PID 1756 wrote to memory of 2608 1756 Foccjood.exe 36 PID 1756 wrote to memory of 2608 1756 Foccjood.exe 36 PID 2608 wrote to memory of 2148 2608 Fbbofjnh.exe 37 PID 2608 wrote to memory of 2148 2608 Fbbofjnh.exe 37 PID 2608 wrote to memory of 2148 2608 Fbbofjnh.exe 37 PID 2608 wrote to memory of 2148 2608 Fbbofjnh.exe 37 PID 2148 wrote to memory of 548 2148 Filgbdfd.exe 38 PID 2148 wrote to memory of 548 2148 Filgbdfd.exe 38 PID 2148 wrote to memory of 548 2148 Filgbdfd.exe 38 PID 2148 wrote to memory of 548 2148 Filgbdfd.exe 38 PID 548 wrote to memory of 1968 548 Fkjdopeh.exe 39 PID 548 wrote to memory of 1968 548 Fkjdopeh.exe 39 PID 548 wrote to memory of 1968 548 Fkjdopeh.exe 39 PID 548 wrote to memory of 1968 548 Fkjdopeh.exe 39 PID 1968 wrote to memory of 332 1968 Fbdlkj32.exe 40 PID 1968 wrote to memory of 332 1968 Fbdlkj32.exe 40 PID 1968 wrote to memory of 332 1968 Fbdlkj32.exe 40 PID 1968 wrote to memory of 332 1968 Fbdlkj32.exe 40 PID 332 wrote to memory of 1740 332 Fdbhge32.exe 41 PID 332 wrote to memory of 1740 332 Fdbhge32.exe 41 PID 332 wrote to memory of 1740 332 Fdbhge32.exe 41 PID 332 wrote to memory of 1740 332 Fdbhge32.exe 41 PID 1740 wrote to memory of 1528 1740 Fgadda32.exe 42 PID 1740 wrote to memory of 1528 1740 Fgadda32.exe 42 PID 1740 wrote to memory of 1528 1740 Fgadda32.exe 42 PID 1740 wrote to memory of 1528 1740 Fgadda32.exe 42 PID 1528 wrote to memory of 2932 1528 Gnkmqkbi.exe 43 PID 1528 wrote to memory of 2932 1528 Gnkmqkbi.exe 43 PID 1528 wrote to memory of 2932 1528 Gnkmqkbi.exe 43 PID 1528 wrote to memory of 2932 1528 Gnkmqkbi.exe 43 PID 2932 wrote to memory of 2548 2932 Gqiimfam.exe 44 PID 2932 wrote to memory of 2548 2932 Gqiimfam.exe 44 PID 2932 wrote to memory of 2548 2932 Gqiimfam.exe 44 PID 2932 wrote to memory of 2548 2932 Gqiimfam.exe 44 PID 2548 wrote to memory of 664 2548 Ggcaiqhj.exe 45 PID 2548 wrote to memory of 664 2548 Ggcaiqhj.exe 45 PID 2548 wrote to memory of 664 2548 Ggcaiqhj.exe 45 PID 2548 wrote to memory of 664 2548 Ggcaiqhj.exe 45
Processes
-
C:\Users\Admin\AppData\Local\Temp\cdcffba2227040bdb18d3606ccf43df0N.exe"C:\Users\Admin\AppData\Local\Temp\cdcffba2227040bdb18d3606ccf43df0N.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Windows\SysWOW64\Foojop32.exeC:\Windows\system32\Foojop32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Windows\SysWOW64\Fjdnlhco.exeC:\Windows\system32\Fjdnlhco.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1304 -
C:\Windows\SysWOW64\Fmcjhdbc.exeC:\Windows\system32\Fmcjhdbc.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2032 -
C:\Windows\SysWOW64\Ffkoai32.exeC:\Windows\system32\Ffkoai32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Windows\SysWOW64\Fhikme32.exeC:\Windows\system32\Fhikme32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2708 -
C:\Windows\SysWOW64\Foccjood.exeC:\Windows\system32\Foccjood.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\SysWOW64\Fbbofjnh.exeC:\Windows\system32\Fbbofjnh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Filgbdfd.exeC:\Windows\system32\Filgbdfd.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2148 -
C:\Windows\SysWOW64\Fkjdopeh.exeC:\Windows\system32\Fkjdopeh.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:548 -
C:\Windows\SysWOW64\Fbdlkj32.exeC:\Windows\system32\Fbdlkj32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1968 -
C:\Windows\SysWOW64\Fdbhge32.exeC:\Windows\system32\Fdbhge32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:332 -
C:\Windows\SysWOW64\Fgadda32.exeC:\Windows\system32\Fgadda32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1740 -
C:\Windows\SysWOW64\Gnkmqkbi.exeC:\Windows\system32\Gnkmqkbi.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\Gqiimfam.exeC:\Windows\system32\Gqiimfam.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2932 -
C:\Windows\SysWOW64\Ggcaiqhj.exeC:\Windows\system32\Ggcaiqhj.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2548 -
C:\Windows\SysWOW64\Gnmifk32.exeC:\Windows\system32\Gnmifk32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:664 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1808 -
C:\Windows\SysWOW64\Gqlebf32.exeC:\Windows\system32\Gqlebf32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3032 -
C:\Windows\SysWOW64\Gegabegc.exeC:\Windows\system32\Gegabegc.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1608 -
C:\Windows\SysWOW64\Gjdjklek.exeC:\Windows\system32\Gjdjklek.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1040 -
C:\Windows\SysWOW64\Gnpflj32.exeC:\Windows\system32\Gnpflj32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1388 -
C:\Windows\SysWOW64\Gqnbhf32.exeC:\Windows\system32\Gqnbhf32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1684 -
C:\Windows\SysWOW64\Gcmoda32.exeC:\Windows\system32\Gcmoda32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2868 -
C:\Windows\SysWOW64\Gfkkpmko.exeC:\Windows\system32\Gfkkpmko.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2092 -
C:\Windows\SysWOW64\Gjfgqk32.exeC:\Windows\system32\Gjfgqk32.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2484 -
C:\Windows\SysWOW64\Gaqomeke.exeC:\Windows\system32\Gaqomeke.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1596 -
C:\Windows\SysWOW64\Gcokiaji.exeC:\Windows\system32\Gcokiaji.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:808 -
C:\Windows\SysWOW64\Gildahhp.exeC:\Windows\system32\Gildahhp.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Gmgpbf32.exeC:\Windows\system32\Gmgpbf32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2900 -
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2824 -
C:\Windows\SysWOW64\Gcahoqhf.exeC:\Windows\system32\Gcahoqhf.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2240 -
C:\Windows\SysWOW64\Hmjlhfof.exeC:\Windows\system32\Hmjlhfof.exe33⤵
- Executes dropped EXE
PID:2756 -
C:\Windows\SysWOW64\Hphidanj.exeC:\Windows\system32\Hphidanj.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2908 -
C:\Windows\SysWOW64\Heealhla.exeC:\Windows\system32\Heealhla.exe35⤵
- Executes dropped EXE
PID:2160 -
C:\Windows\SysWOW64\Hhcmhdke.exeC:\Windows\system32\Hhcmhdke.exe36⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:568 -
C:\Windows\SysWOW64\Hloiib32.exeC:\Windows\system32\Hloiib32.exe37⤵
- Executes dropped EXE
PID:2884 -
C:\Windows\SysWOW64\Hbiaemkk.exeC:\Windows\system32\Hbiaemkk.exe38⤵
- Executes dropped EXE
PID:1948 -
C:\Windows\SysWOW64\Hlafnbal.exeC:\Windows\system32\Hlafnbal.exe39⤵
- Executes dropped EXE
PID:1952 -
C:\Windows\SysWOW64\Hnpbjnpo.exeC:\Windows\system32\Hnpbjnpo.exe40⤵
- Executes dropped EXE
PID:284 -
C:\Windows\SysWOW64\Hbknkl32.exeC:\Windows\system32\Hbknkl32.exe41⤵
- Executes dropped EXE
PID:2864 -
C:\Windows\SysWOW64\Hlccdboi.exeC:\Windows\system32\Hlccdboi.exe42⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Hnbopmnm.exeC:\Windows\system32\Hnbopmnm.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:2440 -
C:\Windows\SysWOW64\Hapklimq.exeC:\Windows\system32\Hapklimq.exe44⤵
- Executes dropped EXE
PID:2364 -
C:\Windows\SysWOW64\Hfmddp32.exeC:\Windows\system32\Hfmddp32.exe45⤵
- Executes dropped EXE
PID:296 -
C:\Windows\SysWOW64\Hmglajcd.exeC:\Windows\system32\Hmglajcd.exe46⤵
- Executes dropped EXE
PID:624 -
C:\Windows\SysWOW64\Iabhah32.exeC:\Windows\system32\Iabhah32.exe47⤵
- Executes dropped EXE
PID:2468 -
C:\Windows\SysWOW64\Ihmpobck.exeC:\Windows\system32\Ihmpobck.exe48⤵
- Executes dropped EXE
PID:2284 -
C:\Windows\SysWOW64\Ijklknbn.exeC:\Windows\system32\Ijklknbn.exe49⤵
- Executes dropped EXE
PID:3048 -
C:\Windows\SysWOW64\Imiigiab.exeC:\Windows\system32\Imiigiab.exe50⤵
- Executes dropped EXE
PID:2340 -
C:\Windows\SysWOW64\Iaeegh32.exeC:\Windows\system32\Iaeegh32.exe51⤵
- Executes dropped EXE
PID:2500 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe52⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2080 -
C:\Windows\SysWOW64\Idcacc32.exeC:\Windows\system32\Idcacc32.exe53⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2892 -
C:\Windows\SysWOW64\Ibfaopoi.exeC:\Windows\system32\Ibfaopoi.exe54⤵
- Executes dropped EXE
PID:2812 -
C:\Windows\SysWOW64\Ijmipn32.exeC:\Windows\system32\Ijmipn32.exe55⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2720 -
C:\Windows\SysWOW64\Iipiljgf.exeC:\Windows\system32\Iipiljgf.exe56⤵
- Executes dropped EXE
PID:2636 -
C:\Windows\SysWOW64\Imleli32.exeC:\Windows\system32\Imleli32.exe57⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2312 -
C:\Windows\SysWOW64\Ilofhffj.exeC:\Windows\system32\Ilofhffj.exe58⤵
- Executes dropped EXE
PID:1864 -
C:\Windows\SysWOW64\Idfnicfl.exeC:\Windows\system32\Idfnicfl.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:328 -
C:\Windows\SysWOW64\Ibhndp32.exeC:\Windows\system32\Ibhndp32.exe60⤵
- Executes dropped EXE
PID:1992 -
C:\Windows\SysWOW64\Iegjqk32.exeC:\Windows\system32\Iegjqk32.exe61⤵
- Executes dropped EXE
PID:1904 -
C:\Windows\SysWOW64\Imnbbi32.exeC:\Windows\system32\Imnbbi32.exe62⤵
- Executes dropped EXE
PID:1760 -
C:\Windows\SysWOW64\Iplnnd32.exeC:\Windows\system32\Iplnnd32.exe63⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Ibkkjp32.exeC:\Windows\system32\Ibkkjp32.exe64⤵
- Executes dropped EXE
PID:2296 -
C:\Windows\SysWOW64\Ifffkncm.exeC:\Windows\system32\Ifffkncm.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2568 -
C:\Windows\SysWOW64\Ieigfk32.exeC:\Windows\system32\Ieigfk32.exe66⤵PID:1892
-
C:\Windows\SysWOW64\Iiecgjba.exeC:\Windows\system32\Iiecgjba.exe67⤵PID:764
-
C:\Windows\SysWOW64\Ihhcbf32.exeC:\Windows\system32\Ihhcbf32.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1212 -
C:\Windows\SysWOW64\Ilcoce32.exeC:\Windows\system32\Ilcoce32.exe69⤵
- Drops file in System32 directory
PID:3044 -
C:\Windows\SysWOW64\Ibmgpoia.exeC:\Windows\system32\Ibmgpoia.exe70⤵PID:2476
-
C:\Windows\SysWOW64\Iapgkl32.exeC:\Windows\system32\Iapgkl32.exe71⤵PID:1248
-
C:\Windows\SysWOW64\Ielclkhe.exeC:\Windows\system32\Ielclkhe.exe72⤵
- Drops file in System32 directory
- Modifies registry class
PID:2748 -
C:\Windows\SysWOW64\Jhjphfgi.exeC:\Windows\system32\Jhjphfgi.exe73⤵
- Modifies registry class
PID:2596 -
C:\Windows\SysWOW64\Jlelhe32.exeC:\Windows\system32\Jlelhe32.exe74⤵
- Drops file in System32 directory
PID:2976 -
C:\Windows\SysWOW64\Jodhdp32.exeC:\Windows\system32\Jodhdp32.exe75⤵PID:2144
-
C:\Windows\SysWOW64\Jabdql32.exeC:\Windows\system32\Jabdql32.exe76⤵PID:1988
-
C:\Windows\SysWOW64\Jenpajfb.exeC:\Windows\system32\Jenpajfb.exe77⤵
- System Location Discovery: System Language Discovery
PID:2496 -
C:\Windows\SysWOW64\Jhlmmfef.exeC:\Windows\system32\Jhlmmfef.exe78⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1628 -
C:\Windows\SysWOW64\Jkkija32.exeC:\Windows\system32\Jkkija32.exe79⤵PID:1644
-
C:\Windows\SysWOW64\Jofejpmc.exeC:\Windows\system32\Jofejpmc.exe80⤵PID:1616
-
C:\Windows\SysWOW64\Jaeafklf.exeC:\Windows\system32\Jaeafklf.exe81⤵PID:1664
-
C:\Windows\SysWOW64\Jdcmbgkj.exeC:\Windows\system32\Jdcmbgkj.exe82⤵PID:3020
-
C:\Windows\SysWOW64\Jgaiobjn.exeC:\Windows\system32\Jgaiobjn.exe83⤵PID:916
-
C:\Windows\SysWOW64\Jkmeoa32.exeC:\Windows\system32\Jkmeoa32.exe84⤵PID:3040
-
C:\Windows\SysWOW64\Jnkakl32.exeC:\Windows\system32\Jnkakl32.exe85⤵PID:1696
-
C:\Windows\SysWOW64\Jpjngh32.exeC:\Windows\system32\Jpjngh32.exe86⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1984 -
C:\Windows\SysWOW64\Jdejhfig.exeC:\Windows\system32\Jdejhfig.exe87⤵PID:2828
-
C:\Windows\SysWOW64\Jkpbdq32.exeC:\Windows\system32\Jkpbdq32.exe88⤵PID:2224
-
C:\Windows\SysWOW64\Jjbbpmgo.exeC:\Windows\system32\Jjbbpmgo.exe89⤵PID:1636
-
C:\Windows\SysWOW64\Jnnnalph.exeC:\Windows\system32\Jnnnalph.exe90⤵PID:1308
-
C:\Windows\SysWOW64\Jdhgnf32.exeC:\Windows\system32\Jdhgnf32.exe91⤵PID:2988
-
C:\Windows\SysWOW64\Jgfcja32.exeC:\Windows\system32\Jgfcja32.exe92⤵PID:2288
-
C:\Windows\SysWOW64\Jjdofm32.exeC:\Windows\system32\Jjdofm32.exe93⤵PID:1320
-
C:\Windows\SysWOW64\Jpogbgmi.exeC:\Windows\system32\Jpogbgmi.exe94⤵PID:1680
-
C:\Windows\SysWOW64\Kcmcoblm.exeC:\Windows\system32\Kcmcoblm.exe95⤵PID:1380
-
C:\Windows\SysWOW64\Kfkpknkq.exeC:\Windows\system32\Kfkpknkq.exe96⤵PID:572
-
C:\Windows\SysWOW64\Knbhlkkc.exeC:\Windows\system32\Knbhlkkc.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2324 -
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe98⤵
- Modifies registry class
PID:2736 -
C:\Windows\SysWOW64\Kpadhg32.exeC:\Windows\system32\Kpadhg32.exe99⤵PID:2656
-
C:\Windows\SysWOW64\Koddccaa.exeC:\Windows\system32\Koddccaa.exe100⤵PID:1520
-
C:\Windows\SysWOW64\Kcopdb32.exeC:\Windows\system32\Kcopdb32.exe101⤵PID:1036
-
C:\Windows\SysWOW64\Kgkleabc.exeC:\Windows\system32\Kgkleabc.exe102⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2836 -
C:\Windows\SysWOW64\Kjihalag.exeC:\Windows\system32\Kjihalag.exe103⤵PID:2176
-
C:\Windows\SysWOW64\Khlili32.exeC:\Windows\system32\Khlili32.exe104⤵PID:2980
-
C:\Windows\SysWOW64\Klhemhpk.exeC:\Windows\system32\Klhemhpk.exe105⤵PID:1276
-
C:\Windows\SysWOW64\Kpcqnf32.exeC:\Windows\system32\Kpcqnf32.exe106⤵PID:1940
-
C:\Windows\SysWOW64\Kofaicon.exeC:\Windows\system32\Kofaicon.exe107⤵PID:2164
-
C:\Windows\SysWOW64\Kfpifm32.exeC:\Windows\system32\Kfpifm32.exe108⤵PID:2684
-
C:\Windows\SysWOW64\Khoebi32.exeC:\Windows\system32\Khoebi32.exe109⤵PID:2716
-
C:\Windows\SysWOW64\Kohnoc32.exeC:\Windows\system32\Kohnoc32.exe110⤵PID:1424
-
C:\Windows\SysWOW64\Kcdjoaee.exeC:\Windows\system32\Kcdjoaee.exe111⤵PID:924
-
C:\Windows\SysWOW64\Kbgjkn32.exeC:\Windows\system32\Kbgjkn32.exe112⤵PID:1956
-
C:\Windows\SysWOW64\Kdefgj32.exeC:\Windows\system32\Kdefgj32.exe113⤵PID:588
-
C:\Windows\SysWOW64\Khabghdl.exeC:\Windows\system32\Khabghdl.exe114⤵PID:1668
-
C:\Windows\SysWOW64\Kkoncdcp.exeC:\Windows\system32\Kkoncdcp.exe115⤵PID:2848
-
C:\Windows\SysWOW64\Kokjdb32.exeC:\Windows\system32\Kokjdb32.exe116⤵PID:2136
-
C:\Windows\SysWOW64\Knnkpobc.exeC:\Windows\system32\Knnkpobc.exe117⤵PID:1544
-
C:\Windows\SysWOW64\Kfebambf.exeC:\Windows\system32\Kfebambf.exe118⤵PID:2072
-
C:\Windows\SysWOW64\Kgfoie32.exeC:\Windows\system32\Kgfoie32.exe119⤵PID:2204
-
C:\Windows\SysWOW64\Lkakicam.exeC:\Windows\system32\Lkakicam.exe120⤵
- Drops file in System32 directory
PID:2612 -
C:\Windows\SysWOW64\Lnpgeopa.exeC:\Windows\system32\Lnpgeopa.exe121⤵PID:536
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-