Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
85s -
max time network
19s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
27/07/2024, 18:21
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
05a17ec030fe933b812e0736e4ecfa306867a47a808fc8600914461532d6e7dd.exe
Resource
win7-20240704-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
05a17ec030fe933b812e0736e4ecfa306867a47a808fc8600914461532d6e7dd.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
05a17ec030fe933b812e0736e4ecfa306867a47a808fc8600914461532d6e7dd.exe
-
Size
259KB
-
MD5
8a65d6f8dabcd9b9e215d0a9a0da37ee
-
SHA1
2fbc1b3bef2c5ad8b89d4b7408ecef53a33e7bf0
-
SHA256
05a17ec030fe933b812e0736e4ecfa306867a47a808fc8600914461532d6e7dd
-
SHA512
c5e5d900d7fd3e21697a9d8f77dd71c1e302099f6f0974e60dbd09ce5afb579e7082c0dd0b547cf94fe3236610546964b42f3621453db245cef2a1fba5b9c0ca
-
SSDEEP
3072:AC4t7yc8/3KeC/FJ9IDlRxyhTbhgu+tAcrzkAqSxYIhOmTsF93UYfwC6GIoutz5s:Aec8/C/FsDshsrYIcm4FmowdHoSa
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oooeeb32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cgpmbgai.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kiolio32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fefdhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjdlkeln.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlfebcnd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mognco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jibcja32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Opohil32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mjlgdaad.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Coacdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gocpcfeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lhnlqjha.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nihgndip.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ljjnpo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jlkigbef.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hkkcbdhc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fefdhj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hebqbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lalchnfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Epnkfq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gidgdcli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Boakgapg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gigjch32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eqhfoj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fffabman.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ikfokb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikfokb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kgcbpemp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Njjbjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Oqcffi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jnfbcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amjkgbhe.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ahbqliap.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lejbhbpn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bnmmjd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ihhehoci.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmigdend.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bilkhbcl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Poqniegj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ijnbpm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hacoio32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Okgpfjbo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Eomfiobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbmdig32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Omfoko32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jckiolgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bdpgai32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pghklq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnkjfcik.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mlgjce32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ckebbgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Flpkll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kkbbqjgb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chickknc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Chiedc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eohedi32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hjqpcq32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lalchnfl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Blcacnhh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Eccdmmpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjomoo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apheke32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Amfeodoh.exe -
Executes dropped EXE 64 IoCs
pid Process 2176 Dfpcdh32.exe 2608 Eccdmmpk.exe 3060 Emlhfb32.exe 2760 Eigbfb32.exe 2532 Fillabde.exe 2572 Fbdpjgjf.exe 612 Fhcehngk.exe 2504 Giikkehc.exe 2816 Gngdadoj.exe 1068 Glongpao.exe 844 Hkdkhl32.exe 1800 Hbblpf32.exe 1272 Hmlmacfn.exe 2340 Ifikehii.exe 1464 Ibplji32.exe 2356 Ieaekdkn.exe 1084 Jcmhmp32.exe 2428 Jmelfeqn.exe 1552 Jlkigbef.exe 236 Keekeg32.exe 812 Kpkocpjj.exe 848 Klapha32.exe 2044 Kkglim32.exe 2432 Kfnmnojj.exe 2456 Lbgkhoml.exe 1956 Mlfebcnd.exe 2052 Mognco32.exe 1592 Mgbcha32.exe 2184 Majdkifd.exe 2916 Mqoqlfkl.exe 2644 Nqamaeii.exe 2560 Njjbjk32.exe 2528 Noighakn.exe 988 Nmmgafjh.exe 1616 Nidhfgpl.exe 2820 Oblmom32.exe 1816 Ogkbmcba.exe 1600 Oqcffi32.exe 2852 Ocdohdfc.exe 1508 Opkpme32.exe 2328 Plbaafak.exe 320 Pifakj32.exe 2200 Phknlfem.exe 1772 Peooek32.exe 2332 Pbcooo32.exe 1716 Pjndca32.exe 1660 Qfedhb32.exe 2016 Qdieaf32.exe 1340 Aamekk32.exe 2040 Afjncabj.exe 2960 Apbblg32.exe 592 Amfcfk32.exe 2300 Afngoand.exe 2724 Apglgfde.exe 2704 Ahbqliap.exe 2536 Abgeiaaf.exe 2524 Bambjnfn.exe 2808 Bdknfiea.exe 980 Baoopndk.exe 1624 Bglghdbc.exe 1488 Bdpgai32.exe 1992 Bpfhfjgq.exe 568 Bjomoo32.exe 1776 Cfemdp32.exe -
Loads dropped DLL 64 IoCs
pid Process 2240 05a17ec030fe933b812e0736e4ecfa306867a47a808fc8600914461532d6e7dd.exe 2240 05a17ec030fe933b812e0736e4ecfa306867a47a808fc8600914461532d6e7dd.exe 2176 Dfpcdh32.exe 2176 Dfpcdh32.exe 2608 Eccdmmpk.exe 2608 Eccdmmpk.exe 3060 Emlhfb32.exe 3060 Emlhfb32.exe 2760 Eigbfb32.exe 2760 Eigbfb32.exe 2532 Fillabde.exe 2532 Fillabde.exe 2572 Fbdpjgjf.exe 2572 Fbdpjgjf.exe 612 Fhcehngk.exe 612 Fhcehngk.exe 2504 Giikkehc.exe 2504 Giikkehc.exe 2816 Gngdadoj.exe 2816 Gngdadoj.exe 1068 Glongpao.exe 1068 Glongpao.exe 844 Hkdkhl32.exe 844 Hkdkhl32.exe 1800 Hbblpf32.exe 1800 Hbblpf32.exe 1272 Hmlmacfn.exe 1272 Hmlmacfn.exe 2340 Ifikehii.exe 2340 Ifikehii.exe 1464 Ibplji32.exe 1464 Ibplji32.exe 2356 Ieaekdkn.exe 2356 Ieaekdkn.exe 1084 Jcmhmp32.exe 1084 Jcmhmp32.exe 2428 Jmelfeqn.exe 2428 Jmelfeqn.exe 1552 Jlkigbef.exe 1552 Jlkigbef.exe 236 Keekeg32.exe 236 Keekeg32.exe 812 Kpkocpjj.exe 812 Kpkocpjj.exe 848 Klapha32.exe 848 Klapha32.exe 2044 Kkglim32.exe 2044 Kkglim32.exe 2432 Kfnmnojj.exe 2432 Kfnmnojj.exe 2456 Lbgkhoml.exe 2456 Lbgkhoml.exe 1956 Mlfebcnd.exe 1956 Mlfebcnd.exe 2052 Mognco32.exe 2052 Mognco32.exe 1592 Mgbcha32.exe 1592 Mgbcha32.exe 2184 Majdkifd.exe 2184 Majdkifd.exe 2916 Mqoqlfkl.exe 2916 Mqoqlfkl.exe 2644 Nqamaeii.exe 2644 Nqamaeii.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Fgdhfbpi.dll Lqfbbh32.exe File opened for modification C:\Windows\SysWOW64\Ckeekp32.exe Campbj32.exe File created C:\Windows\SysWOW64\Qjoheb32.exe Pqfdlmic.exe File created C:\Windows\SysWOW64\Jlcmhann.exe Jckiolgm.exe File opened for modification C:\Windows\SysWOW64\Meiedg32.exe Mlqakaqi.exe File created C:\Windows\SysWOW64\Ggicdo32.exe Gmcogf32.exe File created C:\Windows\SysWOW64\Afngoand.exe Amfcfk32.exe File opened for modification C:\Windows\SysWOW64\Gbihmcqp.exe Giaddm32.exe File created C:\Windows\SysWOW64\Pojmiihd.dll Oleinmgd.exe File created C:\Windows\SysWOW64\Hmmjhgce.dll Dcdlpklh.exe File created C:\Windows\SysWOW64\Emcqpjhh.exe Epopff32.exe File created C:\Windows\SysWOW64\Goompeid.dll Hacoio32.exe File created C:\Windows\SysWOW64\Enloogna.dll Lhnlqjha.exe File created C:\Windows\SysWOW64\Mknaahhn.exe Mmjqhd32.exe File created C:\Windows\SysWOW64\Nohcedje.dll Nldgdpjf.exe File created C:\Windows\SysWOW64\Nglcbafp.dll Ehnknfdn.exe File opened for modification C:\Windows\SysWOW64\Pjdlkeln.exe Phcpdm32.exe File opened for modification C:\Windows\SysWOW64\Kfnmnojj.exe Kkglim32.exe File created C:\Windows\SysWOW64\Hmalaioi.dll Gemhpq32.exe File created C:\Windows\SysWOW64\Kfclji32.dll Fmkpchmp.exe File created C:\Windows\SysWOW64\Heefcm32.dll Acdcdm32.exe File created C:\Windows\SysWOW64\Ppaimb32.dll Ocedieek.exe File created C:\Windows\SysWOW64\Icbjjdmb.dll Gepeep32.exe File opened for modification C:\Windows\SysWOW64\Pjafbfca.exe Oqibjq32.exe File created C:\Windows\SysWOW64\Ekkppkpf.exe Engpfgql.exe File opened for modification C:\Windows\SysWOW64\Bglhcihn.exe Bjhgjdjd.exe File created C:\Windows\SysWOW64\Jggiah32.exe Jnnehb32.exe File created C:\Windows\SysWOW64\Imgija32.exe Icnealbb.exe File created C:\Windows\SysWOW64\Modieece.dll Kidlodkj.exe File opened for modification C:\Windows\SysWOW64\Pfpflenm.exe Pnebgcqb.exe File opened for modification C:\Windows\SysWOW64\Fobodn32.exe Ebnokjpf.exe File created C:\Windows\SysWOW64\Cfcajekc.exe Cpjimk32.exe File created C:\Windows\SysWOW64\Iopqoi32.exe Ialpfeno.exe File opened for modification C:\Windows\SysWOW64\Dmbpaa32.exe Dpnogmbl.exe File created C:\Windows\SysWOW64\Cpjimk32.exe Bglhcihn.exe File created C:\Windows\SysWOW64\Kkmddmop.exe Kgoknohj.exe File opened for modification C:\Windows\SysWOW64\Emlhfb32.exe Eccdmmpk.exe File created C:\Windows\SysWOW64\Hkdkhl32.exe Glongpao.exe File opened for modification C:\Windows\SysWOW64\Hjqpcq32.exe Hphljkfk.exe File opened for modification C:\Windows\SysWOW64\Kejfio32.exe Kkbbqjgb.exe File created C:\Windows\SysWOW64\Lnpcabef.exe Lalchnfl.exe File opened for modification C:\Windows\SysWOW64\Hjbljh32.exe Gaigab32.exe File created C:\Windows\SysWOW64\Hpnikb32.dll Bdknfiea.exe File created C:\Windows\SysWOW64\Jnfbcg32.exe Jennjblp.exe File created C:\Windows\SysWOW64\Bbkkbpjc.exe Aibfik32.exe File opened for modification C:\Windows\SysWOW64\Bhdpjaga.exe Ajqoqm32.exe File opened for modification C:\Windows\SysWOW64\Opbnbj32.exe Okefjcle.exe File opened for modification C:\Windows\SysWOW64\Fcfjik32.exe Fhpflblk.exe File created C:\Windows\SysWOW64\Ahhgkdfo.exe Qnpbbn32.exe File created C:\Windows\SysWOW64\Liqnclia.exe Lnkjfcik.exe File created C:\Windows\SysWOW64\Jfmede32.dll Nfjnja32.exe File opened for modification C:\Windows\SysWOW64\Fbeimf32.exe Efllcf32.exe File created C:\Windows\SysWOW64\Mbjjjlll.dll Jmhkdnfp.exe File created C:\Windows\SysWOW64\Cffpbe32.dll Iebmaoed.exe File created C:\Windows\SysWOW64\Ghqobdnq.dll Oiepmajb.exe File opened for modification C:\Windows\SysWOW64\Mlgjce32.exe Mncijanc.exe File created C:\Windows\SysWOW64\Dciekjhc.exe Diqabd32.exe File created C:\Windows\SysWOW64\Acjjch32.exe Qkoeoe32.exe File opened for modification C:\Windows\SysWOW64\Glongpao.exe Gngdadoj.exe File created C:\Windows\SysWOW64\Jeidob32.exe Jibcja32.exe File created C:\Windows\SysWOW64\Pncock32.dll Llbnpm32.exe File created C:\Windows\SysWOW64\Ddjjlj32.dll Mknaahhn.exe File created C:\Windows\SysWOW64\Ekndpa32.exe Efakhk32.exe File created C:\Windows\SysWOW64\Bbobdolj.dll Jddfbf32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2452 3772 WerFault.exe 601 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Pbdhbnnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Djddbkck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acdcdm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Acjjch32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihedan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oilgje32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Flhnqf32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kqlgikcq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ekcpdi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dknehe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbgqbdbd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ljadqn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmbpaa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phknlfem.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bpfhfjgq.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddfjak32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ihopjl32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcmjfiab.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bbpffhnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ahbqliap.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hhkakonn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Icadpd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hacoio32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fodljn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cnhhia32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbajci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Allbpqcp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Okefjcle.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bglhcihn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lnhmqc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Oleinmgd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eomoohoi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hbajjiml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkfdlclg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdhlphff.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kjfhgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mipjbokm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmjehe32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Niopgljl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dkookd32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ddgcdjip.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gjomlp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Beccgi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Campbj32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Alfpab32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cfpinnfj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llbnpm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Danblfmk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fhcehngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpkocpjj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ghpngkhm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohikeegf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Npbpjn32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lfmhla32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Plbaafak.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dmfhqmge.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Neojknfh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ialpfeno.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Llefld32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iopqoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jlodma32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Apheke32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Boakgapg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dblcnngi.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gfgfbj32.dll" Gidgdcli.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fadcae32.dll" Ndqokc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jciikigk.dll" Mkihfi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hebqbl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jddfbf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jaklei32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pkdicckk.dll" Cbagdq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ahjlfmkh.dll" Fbeimf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ggfgoo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Idgegk32.dll" Dghekobe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjpipkgi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iankbldh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hdjnje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Npoomg32.dll" Nhlndj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lcbbidgl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cboljemb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bglghdbc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Coknmp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gpiogbmb.dll" Okmceiii.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hafngggd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mllcodig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dcjleq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ebcfiddj.dll" Napibq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kobamdkg.dll" Afjncabj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Napibq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Npbbcgga.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kicmee32.dll" Aoqjhiie.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID 05a17ec030fe933b812e0736e4ecfa306867a47a808fc8600914461532d6e7dd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jgnflmia.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cijkaehj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ckebbgoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mlacdj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dfmbmkgm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lnnaoldi.dll" Hldpfnij.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Qpfpde32.dll" Qcgkeonp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ihmcelkk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bdfpdj32.dll" Fqbbig32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlacdj32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Eohedi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fdldmokn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kppgjl32.dll" Ahhgkdfo.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oqfeda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lifqbjpk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mncijanc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Oimpppoj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ekcpdi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lanmde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cajmbd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pqfdlmic.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfmkddkn.dll" Qkoeoe32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jnfbcg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfdklc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Aennhcpi.dll" Eggajb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cfcajekc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Cfemdp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Pldobjec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Njhhid32.dll" Gocpcfeb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gobhbe32.dll" Fbpihafp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kqgmnk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Pifakj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ojinqngj.dll" Bepmokco.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ohikeegf.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Micnbe32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Apbeeppo.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2240 wrote to memory of 2176 2240 05a17ec030fe933b812e0736e4ecfa306867a47a808fc8600914461532d6e7dd.exe 28 PID 2240 wrote to memory of 2176 2240 05a17ec030fe933b812e0736e4ecfa306867a47a808fc8600914461532d6e7dd.exe 28 PID 2240 wrote to memory of 2176 2240 05a17ec030fe933b812e0736e4ecfa306867a47a808fc8600914461532d6e7dd.exe 28 PID 2240 wrote to memory of 2176 2240 05a17ec030fe933b812e0736e4ecfa306867a47a808fc8600914461532d6e7dd.exe 28 PID 2176 wrote to memory of 2608 2176 Dfpcdh32.exe 29 PID 2176 wrote to memory of 2608 2176 Dfpcdh32.exe 29 PID 2176 wrote to memory of 2608 2176 Dfpcdh32.exe 29 PID 2176 wrote to memory of 2608 2176 Dfpcdh32.exe 29 PID 2608 wrote to memory of 3060 2608 Eccdmmpk.exe 30 PID 2608 wrote to memory of 3060 2608 Eccdmmpk.exe 30 PID 2608 wrote to memory of 3060 2608 Eccdmmpk.exe 30 PID 2608 wrote to memory of 3060 2608 Eccdmmpk.exe 30 PID 3060 wrote to memory of 2760 3060 Emlhfb32.exe 31 PID 3060 wrote to memory of 2760 3060 Emlhfb32.exe 31 PID 3060 wrote to memory of 2760 3060 Emlhfb32.exe 31 PID 3060 wrote to memory of 2760 3060 Emlhfb32.exe 31 PID 2760 wrote to memory of 2532 2760 Eigbfb32.exe 32 PID 2760 wrote to memory of 2532 2760 Eigbfb32.exe 32 PID 2760 wrote to memory of 2532 2760 Eigbfb32.exe 32 PID 2760 wrote to memory of 2532 2760 Eigbfb32.exe 32 PID 2532 wrote to memory of 2572 2532 Fillabde.exe 33 PID 2532 wrote to memory of 2572 2532 Fillabde.exe 33 PID 2532 wrote to memory of 2572 2532 Fillabde.exe 33 PID 2532 wrote to memory of 2572 2532 Fillabde.exe 33 PID 2572 wrote to memory of 612 2572 Fbdpjgjf.exe 34 PID 2572 wrote to memory of 612 2572 Fbdpjgjf.exe 34 PID 2572 wrote to memory of 612 2572 Fbdpjgjf.exe 34 PID 2572 wrote to memory of 612 2572 Fbdpjgjf.exe 34 PID 612 wrote to memory of 2504 612 Fhcehngk.exe 35 PID 612 wrote to memory of 2504 612 Fhcehngk.exe 35 PID 612 wrote to memory of 2504 612 Fhcehngk.exe 35 PID 612 wrote to memory of 2504 612 Fhcehngk.exe 35 PID 2504 wrote to memory of 2816 2504 Giikkehc.exe 36 PID 2504 wrote to memory of 2816 2504 Giikkehc.exe 36 PID 2504 wrote to memory of 2816 2504 Giikkehc.exe 36 PID 2504 wrote to memory of 2816 2504 Giikkehc.exe 36 PID 2816 wrote to memory of 1068 2816 Gngdadoj.exe 37 PID 2816 wrote to memory of 1068 2816 Gngdadoj.exe 37 PID 2816 wrote to memory of 1068 2816 Gngdadoj.exe 37 PID 2816 wrote to memory of 1068 2816 Gngdadoj.exe 37 PID 1068 wrote to memory of 844 1068 Glongpao.exe 38 PID 1068 wrote to memory of 844 1068 Glongpao.exe 38 PID 1068 wrote to memory of 844 1068 Glongpao.exe 38 PID 1068 wrote to memory of 844 1068 Glongpao.exe 38 PID 844 wrote to memory of 1800 844 Hkdkhl32.exe 39 PID 844 wrote to memory of 1800 844 Hkdkhl32.exe 39 PID 844 wrote to memory of 1800 844 Hkdkhl32.exe 39 PID 844 wrote to memory of 1800 844 Hkdkhl32.exe 39 PID 1800 wrote to memory of 1272 1800 Hbblpf32.exe 40 PID 1800 wrote to memory of 1272 1800 Hbblpf32.exe 40 PID 1800 wrote to memory of 1272 1800 Hbblpf32.exe 40 PID 1800 wrote to memory of 1272 1800 Hbblpf32.exe 40 PID 1272 wrote to memory of 2340 1272 Hmlmacfn.exe 41 PID 1272 wrote to memory of 2340 1272 Hmlmacfn.exe 41 PID 1272 wrote to memory of 2340 1272 Hmlmacfn.exe 41 PID 1272 wrote to memory of 2340 1272 Hmlmacfn.exe 41 PID 2340 wrote to memory of 1464 2340 Ifikehii.exe 42 PID 2340 wrote to memory of 1464 2340 Ifikehii.exe 42 PID 2340 wrote to memory of 1464 2340 Ifikehii.exe 42 PID 2340 wrote to memory of 1464 2340 Ifikehii.exe 42 PID 1464 wrote to memory of 2356 1464 Ibplji32.exe 43 PID 1464 wrote to memory of 2356 1464 Ibplji32.exe 43 PID 1464 wrote to memory of 2356 1464 Ibplji32.exe 43 PID 1464 wrote to memory of 2356 1464 Ibplji32.exe 43
Processes
-
C:\Users\Admin\AppData\Local\Temp\05a17ec030fe933b812e0736e4ecfa306867a47a808fc8600914461532d6e7dd.exe"C:\Users\Admin\AppData\Local\Temp\05a17ec030fe933b812e0736e4ecfa306867a47a808fc8600914461532d6e7dd.exe"1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\Dfpcdh32.exeC:\Windows\system32\Dfpcdh32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\Eccdmmpk.exeC:\Windows\system32\Eccdmmpk.exe3⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2608 -
C:\Windows\SysWOW64\Emlhfb32.exeC:\Windows\system32\Emlhfb32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\Eigbfb32.exeC:\Windows\system32\Eigbfb32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2760 -
C:\Windows\SysWOW64\Fillabde.exeC:\Windows\system32\Fillabde.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2532 -
C:\Windows\SysWOW64\Fbdpjgjf.exeC:\Windows\system32\Fbdpjgjf.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Fhcehngk.exeC:\Windows\system32\Fhcehngk.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:612 -
C:\Windows\SysWOW64\Giikkehc.exeC:\Windows\system32\Giikkehc.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2504 -
C:\Windows\SysWOW64\Gngdadoj.exeC:\Windows\system32\Gngdadoj.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\SysWOW64\Glongpao.exeC:\Windows\system32\Glongpao.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\SysWOW64\Hkdkhl32.exeC:\Windows\system32\Hkdkhl32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:844 -
C:\Windows\SysWOW64\Hbblpf32.exeC:\Windows\system32\Hbblpf32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1800 -
C:\Windows\SysWOW64\Hmlmacfn.exeC:\Windows\system32\Hmlmacfn.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1272 -
C:\Windows\SysWOW64\Ifikehii.exeC:\Windows\system32\Ifikehii.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Ibplji32.exeC:\Windows\system32\Ibplji32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Windows\SysWOW64\Ieaekdkn.exeC:\Windows\system32\Ieaekdkn.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2356 -
C:\Windows\SysWOW64\Jcmhmp32.exeC:\Windows\system32\Jcmhmp32.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1084 -
C:\Windows\SysWOW64\Jmelfeqn.exeC:\Windows\system32\Jmelfeqn.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2428 -
C:\Windows\SysWOW64\Jlkigbef.exeC:\Windows\system32\Jlkigbef.exe20⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1552 -
C:\Windows\SysWOW64\Keekeg32.exeC:\Windows\system32\Keekeg32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:236 -
C:\Windows\SysWOW64\Kpkocpjj.exeC:\Windows\system32\Kpkocpjj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:812 -
C:\Windows\SysWOW64\Klapha32.exeC:\Windows\system32\Klapha32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:848 -
C:\Windows\SysWOW64\Kkglim32.exeC:\Windows\system32\Kkglim32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2044 -
C:\Windows\SysWOW64\Kfnmnojj.exeC:\Windows\system32\Kfnmnojj.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2432 -
C:\Windows\SysWOW64\Lbgkhoml.exeC:\Windows\system32\Lbgkhoml.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2456 -
C:\Windows\SysWOW64\Mlfebcnd.exeC:\Windows\system32\Mlfebcnd.exe27⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1956 -
C:\Windows\SysWOW64\Mognco32.exeC:\Windows\system32\Mognco32.exe28⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2052 -
C:\Windows\SysWOW64\Mgbcha32.exeC:\Windows\system32\Mgbcha32.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Majdkifd.exeC:\Windows\system32\Majdkifd.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2184 -
C:\Windows\SysWOW64\Mqoqlfkl.exeC:\Windows\system32\Mqoqlfkl.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2916 -
C:\Windows\SysWOW64\Nqamaeii.exeC:\Windows\system32\Nqamaeii.exe32⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Njjbjk32.exeC:\Windows\system32\Njjbjk32.exe33⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Noighakn.exeC:\Windows\system32\Noighakn.exe34⤵
- Executes dropped EXE
PID:2528 -
C:\Windows\SysWOW64\Nmmgafjh.exeC:\Windows\system32\Nmmgafjh.exe35⤵
- Executes dropped EXE
PID:988 -
C:\Windows\SysWOW64\Nidhfgpl.exeC:\Windows\system32\Nidhfgpl.exe36⤵
- Executes dropped EXE
PID:1616 -
C:\Windows\SysWOW64\Oblmom32.exeC:\Windows\system32\Oblmom32.exe37⤵
- Executes dropped EXE
PID:2820 -
C:\Windows\SysWOW64\Ogkbmcba.exeC:\Windows\system32\Ogkbmcba.exe38⤵
- Executes dropped EXE
PID:1816 -
C:\Windows\SysWOW64\Oqcffi32.exeC:\Windows\system32\Oqcffi32.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1600 -
C:\Windows\SysWOW64\Ocdohdfc.exeC:\Windows\system32\Ocdohdfc.exe40⤵
- Executes dropped EXE
PID:2852 -
C:\Windows\SysWOW64\Opkpme32.exeC:\Windows\system32\Opkpme32.exe41⤵
- Executes dropped EXE
PID:1508 -
C:\Windows\SysWOW64\Plbaafak.exeC:\Windows\system32\Plbaafak.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2328 -
C:\Windows\SysWOW64\Pifakj32.exeC:\Windows\system32\Pifakj32.exe43⤵
- Executes dropped EXE
- Modifies registry class
PID:320 -
C:\Windows\SysWOW64\Phknlfem.exeC:\Windows\system32\Phknlfem.exe44⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2200 -
C:\Windows\SysWOW64\Peooek32.exeC:\Windows\system32\Peooek32.exe45⤵
- Executes dropped EXE
PID:1772 -
C:\Windows\SysWOW64\Pbcooo32.exeC:\Windows\system32\Pbcooo32.exe46⤵
- Executes dropped EXE
PID:2332 -
C:\Windows\SysWOW64\Pjndca32.exeC:\Windows\system32\Pjndca32.exe47⤵
- Executes dropped EXE
PID:1716 -
C:\Windows\SysWOW64\Qfedhb32.exeC:\Windows\system32\Qfedhb32.exe48⤵
- Executes dropped EXE
PID:1660 -
C:\Windows\SysWOW64\Qdieaf32.exeC:\Windows\system32\Qdieaf32.exe49⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\Aamekk32.exeC:\Windows\system32\Aamekk32.exe50⤵
- Executes dropped EXE
PID:1340 -
C:\Windows\SysWOW64\Afjncabj.exeC:\Windows\system32\Afjncabj.exe51⤵
- Executes dropped EXE
- Modifies registry class
PID:2040 -
C:\Windows\SysWOW64\Apbblg32.exeC:\Windows\system32\Apbblg32.exe52⤵
- Executes dropped EXE
PID:2960 -
C:\Windows\SysWOW64\Amfcfk32.exeC:\Windows\system32\Amfcfk32.exe53⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:592 -
C:\Windows\SysWOW64\Afngoand.exeC:\Windows\system32\Afngoand.exe54⤵
- Executes dropped EXE
PID:2300 -
C:\Windows\SysWOW64\Apglgfde.exeC:\Windows\system32\Apglgfde.exe55⤵
- Executes dropped EXE
PID:2724 -
C:\Windows\SysWOW64\Ahbqliap.exeC:\Windows\system32\Ahbqliap.exe56⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2704 -
C:\Windows\SysWOW64\Abgeiaaf.exeC:\Windows\system32\Abgeiaaf.exe57⤵
- Executes dropped EXE
PID:2536 -
C:\Windows\SysWOW64\Bambjnfn.exeC:\Windows\system32\Bambjnfn.exe58⤵
- Executes dropped EXE
PID:2524 -
C:\Windows\SysWOW64\Bdknfiea.exeC:\Windows\system32\Bdknfiea.exe59⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2808 -
C:\Windows\SysWOW64\Baoopndk.exeC:\Windows\system32\Baoopndk.exe60⤵
- Executes dropped EXE
PID:980 -
C:\Windows\SysWOW64\Bglghdbc.exeC:\Windows\system32\Bglghdbc.exe61⤵
- Executes dropped EXE
- Modifies registry class
PID:1624 -
C:\Windows\SysWOW64\Bdpgai32.exeC:\Windows\system32\Bdpgai32.exe62⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1488 -
C:\Windows\SysWOW64\Bpfhfjgq.exeC:\Windows\system32\Bpfhfjgq.exe63⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1992 -
C:\Windows\SysWOW64\Bjomoo32.exeC:\Windows\system32\Bjomoo32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:568 -
C:\Windows\SysWOW64\Cfemdp32.exeC:\Windows\system32\Cfemdp32.exe65⤵
- Executes dropped EXE
- Modifies registry class
PID:1776 -
C:\Windows\SysWOW64\Ccinnd32.exeC:\Windows\system32\Ccinnd32.exe66⤵PID:1972
-
C:\Windows\SysWOW64\Ckebbgoj.exeC:\Windows\system32\Ckebbgoj.exe67⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1812 -
C:\Windows\SysWOW64\Chickknc.exeC:\Windows\system32\Chickknc.exe68⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1176 -
C:\Windows\SysWOW64\Cbagdq32.exeC:\Windows\system32\Cbagdq32.exe69⤵
- Modifies registry class
PID:1404 -
C:\Windows\SysWOW64\Cnhhia32.exeC:\Windows\system32\Cnhhia32.exe70⤵
- System Location Discovery: System Language Discovery
PID:3036 -
C:\Windows\SysWOW64\Cgpmbgai.exeC:\Windows\system32\Cgpmbgai.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:3032 -
C:\Windows\SysWOW64\Dbfaopqo.exeC:\Windows\system32\Dbfaopqo.exe72⤵PID:2952
-
C:\Windows\SysWOW64\Dknehe32.exeC:\Windows\system32\Dknehe32.exe73⤵
- System Location Discovery: System Language Discovery
PID:1792 -
C:\Windows\SysWOW64\Ddfjak32.exeC:\Windows\system32\Ddfjak32.exe74⤵
- System Location Discovery: System Language Discovery
PID:2452 -
C:\Windows\SysWOW64\Djcbib32.exeC:\Windows\system32\Djcbib32.exe75⤵PID:2660
-
C:\Windows\SysWOW64\Dfjcncak.exeC:\Windows\system32\Dfjcncak.exe76⤵PID:2804
-
C:\Windows\SysWOW64\Dpbgghhl.exeC:\Windows\system32\Dpbgghhl.exe77⤵PID:2588
-
C:\Windows\SysWOW64\Dflpdb32.exeC:\Windows\system32\Dflpdb32.exe78⤵PID:2992
-
C:\Windows\SysWOW64\Dmfhqmge.exeC:\Windows\system32\Dmfhqmge.exe79⤵
- System Location Discovery: System Language Discovery
PID:2888 -
C:\Windows\SysWOW64\Eimien32.exeC:\Windows\system32\Eimien32.exe80⤵PID:2584
-
C:\Windows\SysWOW64\Ebjfiboe.exeC:\Windows\system32\Ebjfiboe.exe81⤵PID:1684
-
C:\Windows\SysWOW64\Eapcjo32.exeC:\Windows\system32\Eapcjo32.exe82⤵PID:1832
-
C:\Windows\SysWOW64\Efllcf32.exeC:\Windows\system32\Efllcf32.exe83⤵
- Drops file in System32 directory
PID:2236 -
C:\Windows\SysWOW64\Fbeimf32.exeC:\Windows\system32\Fbeimf32.exe84⤵
- Modifies registry class
PID:2420 -
C:\Windows\SysWOW64\Flnnfllf.exeC:\Windows\system32\Flnnfllf.exe85⤵PID:2348
-
C:\Windows\SysWOW64\Fefboabg.exeC:\Windows\system32\Fefboabg.exe86⤵PID:2180
-
C:\Windows\SysWOW64\Flpkll32.exeC:\Windows\system32\Flpkll32.exe87⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1608 -
C:\Windows\SysWOW64\Fbjchfaq.exeC:\Windows\system32\Fbjchfaq.exe88⤵PID:2440
-
C:\Windows\SysWOW64\Flbgak32.exeC:\Windows\system32\Flbgak32.exe89⤵PID:2316
-
C:\Windows\SysWOW64\Gifhkpgk.exeC:\Windows\system32\Gifhkpgk.exe90⤵PID:2676
-
C:\Windows\SysWOW64\Gocpcfeb.exeC:\Windows\system32\Gocpcfeb.exe91⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2476 -
C:\Windows\SysWOW64\Gemhpq32.exeC:\Windows\system32\Gemhpq32.exe92⤵
- Drops file in System32 directory
PID:2580 -
C:\Windows\SysWOW64\Gepeep32.exeC:\Windows\system32\Gepeep32.exe93⤵
- Drops file in System32 directory
PID:1580 -
C:\Windows\SysWOW64\Gklnmgic.exeC:\Windows\system32\Gklnmgic.exe94⤵PID:1096
-
C:\Windows\SysWOW64\Ghpngkhm.exeC:\Windows\system32\Ghpngkhm.exe95⤵
- System Location Discovery: System Language Discovery
PID:2864 -
C:\Windows\SysWOW64\Gaibpa32.exeC:\Windows\system32\Gaibpa32.exe96⤵PID:584
-
C:\Windows\SysWOW64\Gidgdcli.exeC:\Windows\system32\Gidgdcli.exe97⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:1396 -
C:\Windows\SysWOW64\Hekhid32.exeC:\Windows\system32\Hekhid32.exe98⤵PID:1784
-
C:\Windows\SysWOW64\Hldpfnij.exeC:\Windows\system32\Hldpfnij.exe99⤵
- Modifies registry class
PID:2924 -
C:\Windows\SysWOW64\Hhkakonn.exeC:\Windows\system32\Hhkakonn.exe100⤵
- System Location Discovery: System Language Discovery
PID:1380 -
C:\Windows\SysWOW64\Hadece32.exeC:\Windows\system32\Hadece32.exe101⤵PID:272
-
C:\Windows\SysWOW64\Hccbnhla.exeC:\Windows\system32\Hccbnhla.exe102⤵PID:108
-
C:\Windows\SysWOW64\Hllffmbb.exeC:\Windows\system32\Hllffmbb.exe103⤵PID:1296
-
C:\Windows\SysWOW64\Hfdkoc32.exeC:\Windows\system32\Hfdkoc32.exe104⤵PID:2964
-
C:\Windows\SysWOW64\Iolohhpc.exeC:\Windows\system32\Iolohhpc.exe105⤵PID:2484
-
C:\Windows\SysWOW64\Ihedan32.exeC:\Windows\system32\Ihedan32.exe106⤵
- System Location Discovery: System Language Discovery
PID:596 -
C:\Windows\SysWOW64\Inaliedk.exeC:\Windows\system32\Inaliedk.exe107⤵PID:2788
-
C:\Windows\SysWOW64\Icnealbb.exeC:\Windows\system32\Icnealbb.exe108⤵
- Drops file in System32 directory
PID:2556 -
C:\Windows\SysWOW64\Imgija32.exeC:\Windows\system32\Imgija32.exe109⤵PID:2716
-
C:\Windows\SysWOW64\Icqagkqp.exeC:\Windows\system32\Icqagkqp.exe110⤵PID:2884
-
C:\Windows\SysWOW64\Iccnmk32.exeC:\Windows\system32\Iccnmk32.exe111⤵PID:1804
-
C:\Windows\SysWOW64\Iojoalda.exeC:\Windows\system32\Iojoalda.exe112⤵PID:1368
-
C:\Windows\SysWOW64\Jibcja32.exeC:\Windows\system32\Jibcja32.exe113⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
PID:2108 -
C:\Windows\SysWOW64\Jeidob32.exeC:\Windows\system32\Jeidob32.exe114⤵PID:1332
-
C:\Windows\SysWOW64\Jbmdig32.exeC:\Windows\system32\Jbmdig32.exe115⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1532 -
C:\Windows\SysWOW64\Jkeialfp.exeC:\Windows\system32\Jkeialfp.exe116⤵PID:1664
-
C:\Windows\SysWOW64\Jennjblp.exeC:\Windows\system32\Jennjblp.exe117⤵
- Drops file in System32 directory
PID:2500 -
C:\Windows\SysWOW64\Jnfbcg32.exeC:\Windows\system32\Jnfbcg32.exe118⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:2364 -
C:\Windows\SysWOW64\Jgnflmia.exeC:\Windows\system32\Jgnflmia.exe119⤵
- Modifies registry class
PID:2684 -
C:\Windows\SysWOW64\Kebgea32.exeC:\Windows\system32\Kebgea32.exe120⤵PID:780
-
C:\Windows\SysWOW64\Knkkngol.exeC:\Windows\system32\Knkkngol.exe121⤵PID:560
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-