Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
06/08/2024, 00:30
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
9c3fe37c4098607f27597ab84747d50fc8ce7b471b61a5aa0981ada0558aa6a2.exe
Resource
win7-20240708-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
9c3fe37c4098607f27597ab84747d50fc8ce7b471b61a5aa0981ada0558aa6a2.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
9c3fe37c4098607f27597ab84747d50fc8ce7b471b61a5aa0981ada0558aa6a2.exe
-
Size
107KB
-
MD5
a9e0849675c9216b78a9853368b44b5d
-
SHA1
5dee95ef39aea89cfb1ef8b9c398f38bbe9d3701
-
SHA256
9c3fe37c4098607f27597ab84747d50fc8ce7b471b61a5aa0981ada0558aa6a2
-
SHA512
a6f900bb0d02f1c87cac8643c587ce8490a298972206864391ae96322984568bbef9da267514e6e49e2b9685feb57b27e1cfa72069c4841a9e98d2ef3b081030
-
SSDEEP
3072:X0cgqP0e7HTsjNMbCL2S5XiXUaMU7uihJ5233y:htDIjNMbg2SdkUni5i3y
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fglfgd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Koflgf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kpieengb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bhmaeg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gaihob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhjbqo32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lpflkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obbdml32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cmfmojcb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cmkfji32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gekfnoog.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gdegfn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ipjdameg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lanbdf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ndfnecgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Aahfdihn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bogjaamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hcjilgdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Imgnjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjgiidkl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ikqnlh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gcmamj32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbnjhh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ebckmaec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Fmohco32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaagcpdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Plbkfdba.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Acnlgajg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Dpnladjl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hddmjk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kdbepm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Igmbgk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Khohkamc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pfpibn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dahkok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Faonom32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Kbmome32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jhoklnkg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjldf32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ldmopa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Obgnhkkh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cehhdkjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jbbccgmp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Apkgpf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Cfehhn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fdpgph32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jmkmjoec.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pfbfhm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mhfjjdjf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jagpdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jndjmifj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Oajndh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gjbpne32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Gqaafn32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lncfcgeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ohdfqbio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fiepea32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ilcalnii.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jeqopcld.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jhahanie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bjedmo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fplllkdc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Modlbmmn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bacihmoo.exe -
Executes dropped EXE 64 IoCs
pid Process 2288 Dbaice32.exe 1936 Djiqdb32.exe 2792 Dljmlj32.exe 2884 Dinneo32.exe 2572 Dphfbiem.exe 2540 Dfbnoc32.exe 3032 Dhckfkbh.exe 1484 Eegkpo32.exe 1356 Elacliin.exe 2328 Ekdchf32.exe 1624 Ekfpmf32.exe 1296 Egmabg32.exe 832 Eodicd32.exe 2892 Egonhf32.exe 1424 Einjdb32.exe 1372 Eipgjaoi.exe 2816 Fdekgjno.exe 2400 Feggob32.exe 2840 Fibcoalf.exe 1928 Fplllkdc.exe 2376 Feiddbbj.exe 2304 Fiepea32.exe 868 Figmjq32.exe 1528 Fodebh32.exe 1216 Fabaocfl.exe 2776 Fennoa32.exe 2644 Flhflleb.exe 2608 Gdcjpncm.exe 2620 Ghofam32.exe 1208 Gagkjbaf.exe 1740 Gdegfn32.exe 1708 Gkoobhhg.exe 264 Gjbpne32.exe 2020 Gaihob32.exe 2444 Gnphdceh.exe 1284 Gcmamj32.exe 2244 Gghmmilh.exe 1804 Gjgiidkl.exe 828 Gmeeepjp.exe 836 Gqaafn32.exe 900 Gconbj32.exe 2004 Gfnjne32.exe 2000 Gjifodii.exe 2216 Gmhbkohm.exe 2108 Gqcnln32.exe 1548 Hcajhi32.exe 1600 Hfpfdeon.exe 2652 Hjlbdc32.exe 2656 Hkmollme.exe 3000 Hcdgmimg.exe 2280 Hbggif32.exe 2032 Hdecea32.exe 1620 Hmlkfo32.exe 480 Hkolakkb.exe 2520 Hnnhngjf.exe 2940 Hfepod32.exe 2584 Hegpjaac.exe 2416 Hgflflqg.exe 2604 Hkahgk32.exe 952 Hnpdcf32.exe 1720 Hqnapb32.exe 2024 Hejmpqop.exe 2904 Hieiqo32.exe 2428 Hjgehgnh.exe -
Loads dropped DLL 64 IoCs
pid Process 536 9c3fe37c4098607f27597ab84747d50fc8ce7b471b61a5aa0981ada0558aa6a2.exe 536 9c3fe37c4098607f27597ab84747d50fc8ce7b471b61a5aa0981ada0558aa6a2.exe 2288 Dbaice32.exe 2288 Dbaice32.exe 1936 Djiqdb32.exe 1936 Djiqdb32.exe 2792 Dljmlj32.exe 2792 Dljmlj32.exe 2884 Dinneo32.exe 2884 Dinneo32.exe 2572 Dphfbiem.exe 2572 Dphfbiem.exe 2540 Dfbnoc32.exe 2540 Dfbnoc32.exe 3032 Dhckfkbh.exe 3032 Dhckfkbh.exe 1484 Eegkpo32.exe 1484 Eegkpo32.exe 1356 Elacliin.exe 1356 Elacliin.exe 2328 Ekdchf32.exe 2328 Ekdchf32.exe 1624 Ekfpmf32.exe 1624 Ekfpmf32.exe 1296 Egmabg32.exe 1296 Egmabg32.exe 832 Eodicd32.exe 832 Eodicd32.exe 2892 Egonhf32.exe 2892 Egonhf32.exe 1424 Einjdb32.exe 1424 Einjdb32.exe 1372 Eipgjaoi.exe 1372 Eipgjaoi.exe 2816 Fdekgjno.exe 2816 Fdekgjno.exe 2400 Feggob32.exe 2400 Feggob32.exe 2840 Fibcoalf.exe 2840 Fibcoalf.exe 1928 Fplllkdc.exe 1928 Fplllkdc.exe 2376 Feiddbbj.exe 2376 Feiddbbj.exe 2304 Fiepea32.exe 2304 Fiepea32.exe 868 Figmjq32.exe 868 Figmjq32.exe 1528 Fodebh32.exe 1528 Fodebh32.exe 1216 Fabaocfl.exe 1216 Fabaocfl.exe 2776 Fennoa32.exe 2776 Fennoa32.exe 2644 Flhflleb.exe 2644 Flhflleb.exe 2608 Gdcjpncm.exe 2608 Gdcjpncm.exe 2620 Ghofam32.exe 2620 Ghofam32.exe 1208 Gagkjbaf.exe 1208 Gagkjbaf.exe 1740 Gdegfn32.exe 1740 Gdegfn32.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\Kpojkp32.exe Kmqmod32.exe File created C:\Windows\SysWOW64\Kglbad32.dll Lnqjnhge.exe File created C:\Windows\SysWOW64\Ebqngb32.exe Epbbkf32.exe File created C:\Windows\SysWOW64\Ahemgiea.dll Epeoaffo.exe File created C:\Windows\SysWOW64\Jjmfenoo.dll Gojhafnb.exe File opened for modification C:\Windows\SysWOW64\Iikkon32.exe Ifmocb32.exe File created C:\Windows\SysWOW64\Dghccddl.dll Kmqmod32.exe File opened for modification C:\Windows\SysWOW64\Legaoehg.exe Lnqjnhge.exe File opened for modification C:\Windows\SysWOW64\Eknpadcn.exe Elkofg32.exe File created C:\Windows\SysWOW64\Dfggnkoj.dll Famaimfe.exe File opened for modification C:\Windows\SysWOW64\Opfegp32.exe Omhhke32.exe File created C:\Windows\SysWOW64\Fbnjjp32.dll Imlhebfc.exe File created C:\Windows\SysWOW64\Ahmefdcp.exe Aeoijidl.exe File created C:\Windows\SysWOW64\Dphfbiem.exe Dinneo32.exe File created C:\Windows\SysWOW64\Dociji32.dll Opialpld.exe File created C:\Windows\SysWOW64\Oiahkhpo.dll Jmfcop32.exe File created C:\Windows\SysWOW64\Imgnjb32.exe Ijibng32.exe File opened for modification C:\Windows\SysWOW64\Jhjbqo32.exe Jigbebhb.exe File opened for modification C:\Windows\SysWOW64\Kgkonj32.exe Kdmban32.exe File opened for modification C:\Windows\SysWOW64\Kmqmod32.exe Jkbaci32.exe File created C:\Windows\SysWOW64\Klcjnl32.dll Olmela32.exe File created C:\Windows\SysWOW64\Onepbd32.dll Dcghkf32.exe File opened for modification C:\Windows\SysWOW64\Fppaej32.exe Famaimfe.exe File opened for modification C:\Windows\SysWOW64\Ahpbkd32.exe Addfkeid.exe File created C:\Windows\SysWOW64\Jbnjhh32.exe Inbnhihl.exe File created C:\Windows\SysWOW64\Hcgmfgfd.exe Hddmjk32.exe File opened for modification C:\Windows\SysWOW64\Gqaafn32.exe Gmeeepjp.exe File opened for modification C:\Windows\SysWOW64\Kbbobkol.exe Kofcbl32.exe File opened for modification C:\Windows\SysWOW64\Hfepod32.exe Hnnhngjf.exe File created C:\Windows\SysWOW64\Clffbc32.dll Hgnokgcc.exe File created C:\Windows\SysWOW64\Jmndgq32.dll Dhckfkbh.exe File opened for modification C:\Windows\SysWOW64\Fplllkdc.exe Fibcoalf.exe File created C:\Windows\SysWOW64\Jlhbje32.dll Cmfmojcb.exe File opened for modification C:\Windows\SysWOW64\Eikfdl32.exe Eeojcmfi.exe File created C:\Windows\SysWOW64\Eickphoo.dll Gonale32.exe File opened for modification C:\Windows\SysWOW64\Ifmocb32.exe Ibacbcgg.exe File opened for modification C:\Windows\SysWOW64\Oiafee32.exe Oajndh32.exe File created C:\Windows\SysWOW64\Pmnpam32.dll Blinefnd.exe File opened for modification C:\Windows\SysWOW64\Ciokijfd.exe Cgnnab32.exe File created C:\Windows\SysWOW64\Pcflap32.dll Dinneo32.exe File created C:\Windows\SysWOW64\Mkkiehdc.dll Pbemboof.exe File created C:\Windows\SysWOW64\Phfoee32.exe Pfebnmcj.exe File created C:\Windows\SysWOW64\Dnjoco32.exe Dfcgbb32.exe File created C:\Windows\SysWOW64\Adpiba32.dll Gdcjpncm.exe File created C:\Windows\SysWOW64\Cjgkoeaq.dll Gdegfn32.exe File created C:\Windows\SysWOW64\Chnlno32.dll Gjbpne32.exe File created C:\Windows\SysWOW64\Epbbkf32.exe Emdeok32.exe File created C:\Windows\SysWOW64\Fmdpgmhn.dll Mgmdapml.exe File created C:\Windows\SysWOW64\Eldiehbk.exe Eifmimch.exe File created C:\Windows\SysWOW64\Hbpmap32.dll Eodicd32.exe File created C:\Windows\SysWOW64\Dmidng32.dll Plbkfdba.exe File opened for modification C:\Windows\SysWOW64\Eicpcm32.exe Ejaphpnp.exe File opened for modification C:\Windows\SysWOW64\Ghibjjnk.exe Gekfnoog.exe File created C:\Windows\SysWOW64\Gkddco32.dll Ijcngenj.exe File created C:\Windows\SysWOW64\Nfnealjn.dll Mdmkoepk.exe File opened for modification C:\Windows\SysWOW64\Fdpgph32.exe Fmfocnjg.exe File created C:\Windows\SysWOW64\Pgejcl32.dll Hjohmbpd.exe File created C:\Windows\SysWOW64\Oiafee32.exe Oajndh32.exe File created C:\Windows\SysWOW64\Dobfbpbc.dll Cmppehkh.exe File opened for modification C:\Windows\SysWOW64\Jdflqo32.exe Jagpdd32.exe File created C:\Windows\SysWOW64\Ikbilijo.dll Jfaeme32.exe File created C:\Windows\SysWOW64\Kgcnahoo.exe Kdeaelok.exe File created C:\Windows\SysWOW64\Aibijk32.dll Hjmlhbbg.exe File created C:\Windows\SysWOW64\Dgmjmajn.dll Hfjbmb32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 6128 5208 WerFault.exe 551 -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Imgnjb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Momfan32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ppfafcpb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hiioin32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fplllkdc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hfpfdeon.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bhmaeg32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Eknpadcn.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hqkmplen.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fibcoalf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jmlddeio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lncfcgeb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ageompfe.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Afliclij.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jcnoejch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dhckfkbh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ilcalnii.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nnleiipc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dfbnoc32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ibacbcgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mfjkdh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lpflkb32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jfohgepi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jibnop32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jkbaci32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Iacjjacb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mcknhm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Nckkgp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Anogijnb.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hjmlhbbg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ieibdnnp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Lplbjm32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gmhbkohm.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hnnhngjf.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mgmdapml.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hcajhi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kbjbge32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kpgionie.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hkahgk32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jokqnhpa.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ldmopa32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Opfegp32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phklaacg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jpjifjdg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ifbphh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ipjdameg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hgnokgcc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dinneo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Ohdfqbio.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Bddbjhlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cdmepgce.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Fdpgph32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jggoqimd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Hmlkfo32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Jbpfnh32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Mhcmedli.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Paaddgkj.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qejpoi32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Figmjq32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Cjjnhnbl.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dnjoco32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Qbnphngk.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Dgiaefgg.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Elibpg32.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Omckoi32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Epbbkf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gefmcp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hiioin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pecikhmn.dll" Nnleiipc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdiedagc.dll" Oniebmda.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ifdlng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jndjmifj.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ejaphpnp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Elacliin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hqkmplen.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Nhgofhlp.dll" Ijibng32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Lbnaaeim.dll" Jmlddeio.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dnjoco32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Famaimfe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cdlfik32.dll" Paaddgkj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fjjdbf32.dll" Aiaoclgl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Epnhpglg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Giaidnkf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dcjjhc32.dll" Ngpqfp32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Popgboae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lnecigcp.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nfgjml32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Eldiehbk.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jmfcop32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kijkje32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ohpboqdk.dll" Momfan32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Njbfnjeg.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dnjoco32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pncadjah.dll" Hqnjek32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Hkahgk32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nqhepeai.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dgcgbb32.dll" Jcciqi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jefbnacn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Kablnadm.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jmipdo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mfnokgjk.dll" Egonhf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bfafae32.dll" Figmjq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Anadojlo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bnlgbnbp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egdpmo32.dll" Bqmpdioa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ogbogkjn.dll" Iinhdmma.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lmmfnb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Lpflkb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jagpdd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kqmidcdi.dll" Kljdkpfl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Iacjjacb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ldmopa32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mfjkdh32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Edidqf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jggoqimd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Oehgjfhi.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ahmefdcp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ffbhcq32.dll" Bogjaamh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bgcmiq32.dll" Iediin32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pjkkpmda.dll" Ikfbbjdj.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jaadfcpf.dll" Imgnjb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bpmacdgo.dll" Nnjicjbf.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Blinefnd.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cmmcpi32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dgiaefgg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fbnjjp32.dll" Imlhebfc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hddgloho.dll" Mbchni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hoeheonb.dll" Ljldnhid.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 536 wrote to memory of 2288 536 9c3fe37c4098607f27597ab84747d50fc8ce7b471b61a5aa0981ada0558aa6a2.exe 31 PID 536 wrote to memory of 2288 536 9c3fe37c4098607f27597ab84747d50fc8ce7b471b61a5aa0981ada0558aa6a2.exe 31 PID 536 wrote to memory of 2288 536 9c3fe37c4098607f27597ab84747d50fc8ce7b471b61a5aa0981ada0558aa6a2.exe 31 PID 536 wrote to memory of 2288 536 9c3fe37c4098607f27597ab84747d50fc8ce7b471b61a5aa0981ada0558aa6a2.exe 31 PID 2288 wrote to memory of 1936 2288 Dbaice32.exe 32 PID 2288 wrote to memory of 1936 2288 Dbaice32.exe 32 PID 2288 wrote to memory of 1936 2288 Dbaice32.exe 32 PID 2288 wrote to memory of 1936 2288 Dbaice32.exe 32 PID 1936 wrote to memory of 2792 1936 Djiqdb32.exe 33 PID 1936 wrote to memory of 2792 1936 Djiqdb32.exe 33 PID 1936 wrote to memory of 2792 1936 Djiqdb32.exe 33 PID 1936 wrote to memory of 2792 1936 Djiqdb32.exe 33 PID 2792 wrote to memory of 2884 2792 Dljmlj32.exe 34 PID 2792 wrote to memory of 2884 2792 Dljmlj32.exe 34 PID 2792 wrote to memory of 2884 2792 Dljmlj32.exe 34 PID 2792 wrote to memory of 2884 2792 Dljmlj32.exe 34 PID 2884 wrote to memory of 2572 2884 Dinneo32.exe 35 PID 2884 wrote to memory of 2572 2884 Dinneo32.exe 35 PID 2884 wrote to memory of 2572 2884 Dinneo32.exe 35 PID 2884 wrote to memory of 2572 2884 Dinneo32.exe 35 PID 2572 wrote to memory of 2540 2572 Dphfbiem.exe 36 PID 2572 wrote to memory of 2540 2572 Dphfbiem.exe 36 PID 2572 wrote to memory of 2540 2572 Dphfbiem.exe 36 PID 2572 wrote to memory of 2540 2572 Dphfbiem.exe 36 PID 2540 wrote to memory of 3032 2540 Dfbnoc32.exe 37 PID 2540 wrote to memory of 3032 2540 Dfbnoc32.exe 37 PID 2540 wrote to memory of 3032 2540 Dfbnoc32.exe 37 PID 2540 wrote to memory of 3032 2540 Dfbnoc32.exe 37 PID 3032 wrote to memory of 1484 3032 Dhckfkbh.exe 38 PID 3032 wrote to memory of 1484 3032 Dhckfkbh.exe 38 PID 3032 wrote to memory of 1484 3032 Dhckfkbh.exe 38 PID 3032 wrote to memory of 1484 3032 Dhckfkbh.exe 38 PID 1484 wrote to memory of 1356 1484 Eegkpo32.exe 39 PID 1484 wrote to memory of 1356 1484 Eegkpo32.exe 39 PID 1484 wrote to memory of 1356 1484 Eegkpo32.exe 39 PID 1484 wrote to memory of 1356 1484 Eegkpo32.exe 39 PID 1356 wrote to memory of 2328 1356 Elacliin.exe 40 PID 1356 wrote to memory of 2328 1356 Elacliin.exe 40 PID 1356 wrote to memory of 2328 1356 Elacliin.exe 40 PID 1356 wrote to memory of 2328 1356 Elacliin.exe 40 PID 2328 wrote to memory of 1624 2328 Ekdchf32.exe 41 PID 2328 wrote to memory of 1624 2328 Ekdchf32.exe 41 PID 2328 wrote to memory of 1624 2328 Ekdchf32.exe 41 PID 2328 wrote to memory of 1624 2328 Ekdchf32.exe 41 PID 1624 wrote to memory of 1296 1624 Ekfpmf32.exe 42 PID 1624 wrote to memory of 1296 1624 Ekfpmf32.exe 42 PID 1624 wrote to memory of 1296 1624 Ekfpmf32.exe 42 PID 1624 wrote to memory of 1296 1624 Ekfpmf32.exe 42 PID 1296 wrote to memory of 832 1296 Egmabg32.exe 43 PID 1296 wrote to memory of 832 1296 Egmabg32.exe 43 PID 1296 wrote to memory of 832 1296 Egmabg32.exe 43 PID 1296 wrote to memory of 832 1296 Egmabg32.exe 43 PID 832 wrote to memory of 2892 832 Eodicd32.exe 44 PID 832 wrote to memory of 2892 832 Eodicd32.exe 44 PID 832 wrote to memory of 2892 832 Eodicd32.exe 44 PID 832 wrote to memory of 2892 832 Eodicd32.exe 44 PID 2892 wrote to memory of 1424 2892 Egonhf32.exe 45 PID 2892 wrote to memory of 1424 2892 Egonhf32.exe 45 PID 2892 wrote to memory of 1424 2892 Egonhf32.exe 45 PID 2892 wrote to memory of 1424 2892 Egonhf32.exe 45 PID 1424 wrote to memory of 1372 1424 Einjdb32.exe 46 PID 1424 wrote to memory of 1372 1424 Einjdb32.exe 46 PID 1424 wrote to memory of 1372 1424 Einjdb32.exe 46 PID 1424 wrote to memory of 1372 1424 Einjdb32.exe 46
Processes
-
C:\Users\Admin\AppData\Local\Temp\9c3fe37c4098607f27597ab84747d50fc8ce7b471b61a5aa0981ada0558aa6a2.exe"C:\Users\Admin\AppData\Local\Temp\9c3fe37c4098607f27597ab84747d50fc8ce7b471b61a5aa0981ada0558aa6a2.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:536 -
C:\Windows\SysWOW64\Dbaice32.exeC:\Windows\system32\Dbaice32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\Djiqdb32.exeC:\Windows\system32\Djiqdb32.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1936 -
C:\Windows\SysWOW64\Dljmlj32.exeC:\Windows\system32\Dljmlj32.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\Dinneo32.exeC:\Windows\system32\Dinneo32.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2884 -
C:\Windows\SysWOW64\Dphfbiem.exeC:\Windows\system32\Dphfbiem.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\Dfbnoc32.exeC:\Windows\system32\Dfbnoc32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540 -
C:\Windows\SysWOW64\Dhckfkbh.exeC:\Windows\system32\Dhckfkbh.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Windows\SysWOW64\Eegkpo32.exeC:\Windows\system32\Eegkpo32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1484 -
C:\Windows\SysWOW64\Elacliin.exeC:\Windows\system32\Elacliin.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1356 -
C:\Windows\SysWOW64\Ekdchf32.exeC:\Windows\system32\Ekdchf32.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\Ekfpmf32.exeC:\Windows\system32\Ekfpmf32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\Egmabg32.exeC:\Windows\system32\Egmabg32.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\SysWOW64\Eodicd32.exeC:\Windows\system32\Eodicd32.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:832 -
C:\Windows\SysWOW64\Egonhf32.exeC:\Windows\system32\Egonhf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892 -
C:\Windows\SysWOW64\Einjdb32.exeC:\Windows\system32\Einjdb32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1424 -
C:\Windows\SysWOW64\Eipgjaoi.exeC:\Windows\system32\Eipgjaoi.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1372 -
C:\Windows\SysWOW64\Fdekgjno.exeC:\Windows\system32\Fdekgjno.exe18⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2816 -
C:\Windows\SysWOW64\Feggob32.exeC:\Windows\system32\Feggob32.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2400 -
C:\Windows\SysWOW64\Fibcoalf.exeC:\Windows\system32\Fibcoalf.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2840 -
C:\Windows\SysWOW64\Fplllkdc.exeC:\Windows\system32\Fplllkdc.exe21⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1928 -
C:\Windows\SysWOW64\Feiddbbj.exeC:\Windows\system32\Feiddbbj.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2376 -
C:\Windows\SysWOW64\Fiepea32.exeC:\Windows\system32\Fiepea32.exe23⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:2304 -
C:\Windows\SysWOW64\Figmjq32.exeC:\Windows\system32\Figmjq32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:868 -
C:\Windows\SysWOW64\Fodebh32.exeC:\Windows\system32\Fodebh32.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1528 -
C:\Windows\SysWOW64\Fabaocfl.exeC:\Windows\system32\Fabaocfl.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1216 -
C:\Windows\SysWOW64\Fennoa32.exeC:\Windows\system32\Fennoa32.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2776 -
C:\Windows\SysWOW64\Flhflleb.exeC:\Windows\system32\Flhflleb.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2644 -
C:\Windows\SysWOW64\Gdcjpncm.exeC:\Windows\system32\Gdcjpncm.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:2608 -
C:\Windows\SysWOW64\Ghofam32.exeC:\Windows\system32\Ghofam32.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2620 -
C:\Windows\SysWOW64\Gagkjbaf.exeC:\Windows\system32\Gagkjbaf.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1208 -
C:\Windows\SysWOW64\Gdegfn32.exeC:\Windows\system32\Gdegfn32.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
PID:1740 -
C:\Windows\SysWOW64\Gkoobhhg.exeC:\Windows\system32\Gkoobhhg.exe33⤵
- Executes dropped EXE
PID:1708 -
C:\Windows\SysWOW64\Gjbpne32.exeC:\Windows\system32\Gjbpne32.exe34⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Drops file in System32 directory
PID:264 -
C:\Windows\SysWOW64\Gaihob32.exeC:\Windows\system32\Gaihob32.exe35⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:2020 -
C:\Windows\SysWOW64\Gnphdceh.exeC:\Windows\system32\Gnphdceh.exe36⤵
- Executes dropped EXE
PID:2444 -
C:\Windows\SysWOW64\Gcmamj32.exeC:\Windows\system32\Gcmamj32.exe37⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1284 -
C:\Windows\SysWOW64\Gghmmilh.exeC:\Windows\system32\Gghmmilh.exe38⤵
- Executes dropped EXE
PID:2244 -
C:\Windows\SysWOW64\Gjgiidkl.exeC:\Windows\system32\Gjgiidkl.exe39⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1804 -
C:\Windows\SysWOW64\Gmeeepjp.exeC:\Windows\system32\Gmeeepjp.exe40⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:828 -
C:\Windows\SysWOW64\Gqaafn32.exeC:\Windows\system32\Gqaafn32.exe41⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:836 -
C:\Windows\SysWOW64\Gconbj32.exeC:\Windows\system32\Gconbj32.exe42⤵
- Executes dropped EXE
PID:900 -
C:\Windows\SysWOW64\Gfnjne32.exeC:\Windows\system32\Gfnjne32.exe43⤵
- Executes dropped EXE
PID:2004 -
C:\Windows\SysWOW64\Gjifodii.exeC:\Windows\system32\Gjifodii.exe44⤵
- Executes dropped EXE
PID:2000 -
C:\Windows\SysWOW64\Gmhbkohm.exeC:\Windows\system32\Gmhbkohm.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2216 -
C:\Windows\SysWOW64\Gqcnln32.exeC:\Windows\system32\Gqcnln32.exe46⤵
- Executes dropped EXE
PID:2108 -
C:\Windows\SysWOW64\Hcajhi32.exeC:\Windows\system32\Hcajhi32.exe47⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1548 -
C:\Windows\SysWOW64\Hfpfdeon.exeC:\Windows\system32\Hfpfdeon.exe48⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1600 -
C:\Windows\SysWOW64\Hjlbdc32.exeC:\Windows\system32\Hjlbdc32.exe49⤵
- Executes dropped EXE
PID:2652 -
C:\Windows\SysWOW64\Hkmollme.exeC:\Windows\system32\Hkmollme.exe50⤵
- Executes dropped EXE
PID:2656 -
C:\Windows\SysWOW64\Hcdgmimg.exeC:\Windows\system32\Hcdgmimg.exe51⤵
- Executes dropped EXE
PID:3000 -
C:\Windows\SysWOW64\Hbggif32.exeC:\Windows\system32\Hbggif32.exe52⤵
- Executes dropped EXE
PID:2280 -
C:\Windows\SysWOW64\Hdecea32.exeC:\Windows\system32\Hdecea32.exe53⤵
- Executes dropped EXE
PID:2032 -
C:\Windows\SysWOW64\Hmlkfo32.exeC:\Windows\system32\Hmlkfo32.exe54⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1620 -
C:\Windows\SysWOW64\Hkolakkb.exeC:\Windows\system32\Hkolakkb.exe55⤵
- Executes dropped EXE
PID:480 -
C:\Windows\SysWOW64\Hnnhngjf.exeC:\Windows\system32\Hnnhngjf.exe56⤵
- Executes dropped EXE
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:2520 -
C:\Windows\SysWOW64\Hfepod32.exeC:\Windows\system32\Hfepod32.exe57⤵
- Executes dropped EXE
PID:2940 -
C:\Windows\SysWOW64\Hegpjaac.exeC:\Windows\system32\Hegpjaac.exe58⤵
- Executes dropped EXE
PID:2584 -
C:\Windows\SysWOW64\Hgflflqg.exeC:\Windows\system32\Hgflflqg.exe59⤵
- Executes dropped EXE
PID:2416 -
C:\Windows\SysWOW64\Hkahgk32.exeC:\Windows\system32\Hkahgk32.exe60⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:2604 -
C:\Windows\SysWOW64\Hnpdcf32.exeC:\Windows\system32\Hnpdcf32.exe61⤵
- Executes dropped EXE
PID:952 -
C:\Windows\SysWOW64\Hqnapb32.exeC:\Windows\system32\Hqnapb32.exe62⤵
- Executes dropped EXE
PID:1720 -
C:\Windows\SysWOW64\Hejmpqop.exeC:\Windows\system32\Hejmpqop.exe63⤵
- Executes dropped EXE
PID:2024 -
C:\Windows\SysWOW64\Hieiqo32.exeC:\Windows\system32\Hieiqo32.exe64⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Hjgehgnh.exeC:\Windows\system32\Hjgehgnh.exe65⤵
- Executes dropped EXE
PID:2428 -
C:\Windows\SysWOW64\Hnbaif32.exeC:\Windows\system32\Hnbaif32.exe66⤵PID:2924
-
C:\Windows\SysWOW64\Haqnea32.exeC:\Windows\system32\Haqnea32.exe67⤵PID:2188
-
C:\Windows\SysWOW64\Hcojam32.exeC:\Windows\system32\Hcojam32.exe68⤵PID:1692
-
C:\Windows\SysWOW64\Ikfbbjdj.exeC:\Windows\system32\Ikfbbjdj.exe69⤵
- Modifies registry class
PID:2712 -
C:\Windows\SysWOW64\Ijibng32.exeC:\Windows\system32\Ijibng32.exe70⤵
- Drops file in System32 directory
- Modifies registry class
PID:2708 -
C:\Windows\SysWOW64\Imgnjb32.exeC:\Windows\system32\Imgnjb32.exe71⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:672 -
C:\Windows\SysWOW64\Iacjjacb.exeC:\Windows\system32\Iacjjacb.exe72⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1100 -
C:\Windows\SysWOW64\Icafgmbe.exeC:\Windows\system32\Icafgmbe.exe73⤵PID:1472
-
C:\Windows\SysWOW64\Igmbgk32.exeC:\Windows\system32\Igmbgk32.exe74⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:580 -
C:\Windows\SysWOW64\Imjkpb32.exeC:\Windows\system32\Imjkpb32.exe75⤵PID:1340
-
C:\Windows\SysWOW64\Iaegpaao.exeC:\Windows\system32\Iaegpaao.exe76⤵PID:2212
-
C:\Windows\SysWOW64\Icdcllpc.exeC:\Windows\system32\Icdcllpc.exe77⤵PID:440
-
C:\Windows\SysWOW64\Ifbphh32.exeC:\Windows\system32\Ifbphh32.exe78⤵
- System Location Discovery: System Language Discovery
PID:1892 -
C:\Windows\SysWOW64\Ijnkifgp.exeC:\Windows\system32\Ijnkifgp.exe79⤵PID:340
-
C:\Windows\SysWOW64\Imlhebfc.exeC:\Windows\system32\Imlhebfc.exe80⤵
- Drops file in System32 directory
- Modifies registry class
PID:1592 -
C:\Windows\SysWOW64\Ipjdameg.exeC:\Windows\system32\Ipjdameg.exe81⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:2064 -
C:\Windows\SysWOW64\Icfpbl32.exeC:\Windows\system32\Icfpbl32.exe82⤵PID:1088
-
C:\Windows\SysWOW64\Ifdlng32.exeC:\Windows\system32\Ifdlng32.exe83⤵
- Modifies registry class
PID:1188 -
C:\Windows\SysWOW64\Iichjc32.exeC:\Windows\system32\Iichjc32.exe84⤵PID:2812
-
C:\Windows\SysWOW64\Iladfn32.exeC:\Windows\system32\Iladfn32.exe85⤵PID:2996
-
C:\Windows\SysWOW64\Ichmgl32.exeC:\Windows\system32\Ichmgl32.exe86⤵PID:2680
-
C:\Windows\SysWOW64\Ibkmchbh.exeC:\Windows\system32\Ibkmchbh.exe87⤵PID:2240
-
C:\Windows\SysWOW64\Ifgicg32.exeC:\Windows\system32\Ifgicg32.exe88⤵PID:1580
-
C:\Windows\SysWOW64\Iieepbje.exeC:\Windows\system32\Iieepbje.exe89⤵PID:1952
-
C:\Windows\SysWOW64\Ilcalnii.exeC:\Windows\system32\Ilcalnii.exe90⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- System Location Discovery: System Language Discovery
PID:1644 -
C:\Windows\SysWOW64\Inbnhihl.exeC:\Windows\system32\Inbnhihl.exe91⤵
- Drops file in System32 directory
PID:2432 -
C:\Windows\SysWOW64\Jbnjhh32.exeC:\Windows\system32\Jbnjhh32.exe92⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2424 -
C:\Windows\SysWOW64\Jigbebhb.exeC:\Windows\system32\Jigbebhb.exe93⤵
- Drops file in System32 directory
PID:1652 -
C:\Windows\SysWOW64\Jhjbqo32.exeC:\Windows\system32\Jhjbqo32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1384 -
C:\Windows\SysWOW64\Jndjmifj.exeC:\Windows\system32\Jndjmifj.exe95⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Modifies registry class
PID:852 -
C:\Windows\SysWOW64\Jbpfnh32.exeC:\Windows\system32\Jbpfnh32.exe96⤵
- System Location Discovery: System Language Discovery
PID:2072 -
C:\Windows\SysWOW64\Jacfidem.exeC:\Windows\system32\Jacfidem.exe97⤵PID:2152
-
C:\Windows\SysWOW64\Jenbjc32.exeC:\Windows\system32\Jenbjc32.exe98⤵PID:1604
-
C:\Windows\SysWOW64\Jlhkgm32.exeC:\Windows\system32\Jlhkgm32.exe99⤵PID:3044
-
C:\Windows\SysWOW64\Jjkkbjln.exeC:\Windows\system32\Jjkkbjln.exe100⤵PID:1780
-
C:\Windows\SysWOW64\Jbbccgmp.exeC:\Windows\system32\Jbbccgmp.exe101⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2464 -
C:\Windows\SysWOW64\Jaecod32.exeC:\Windows\system32\Jaecod32.exe102⤵PID:1960
-
C:\Windows\SysWOW64\Jeqopcld.exeC:\Windows\system32\Jeqopcld.exe103⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1748 -
C:\Windows\SysWOW64\Jdcpkp32.exeC:\Windows\system32\Jdcpkp32.exe104⤵PID:1144
-
C:\Windows\SysWOW64\Jhoklnkg.exeC:\Windows\system32\Jhoklnkg.exe105⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1700 -
C:\Windows\SysWOW64\Jjnhhjjk.exeC:\Windows\system32\Jjnhhjjk.exe106⤵PID:2848
-
C:\Windows\SysWOW64\Jmlddeio.exeC:\Windows\system32\Jmlddeio.exe107⤵
- Modifies registry class
PID:2888 -
C:\Windows\SysWOW64\Jmlddeio.exeC:\Windows\system32\Jmlddeio.exe108⤵
- System Location Discovery: System Language Discovery
PID:2076 -
C:\Windows\SysWOW64\Jagpdd32.exeC:\Windows\system32\Jagpdd32.exe109⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- Modifies registry class
PID:1628 -
C:\Windows\SysWOW64\Jdflqo32.exeC:\Windows\system32\Jdflqo32.exe110⤵PID:3064
-
C:\Windows\SysWOW64\Jhahanie.exeC:\Windows\system32\Jhahanie.exe111⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:1648 -
C:\Windows\SysWOW64\Jfdhmk32.exeC:\Windows\system32\Jfdhmk32.exe112⤵PID:2580
-
C:\Windows\SysWOW64\Jokqnhpa.exeC:\Windows\system32\Jokqnhpa.exe113⤵
- System Location Discovery: System Language Discovery
PID:1084 -
C:\Windows\SysWOW64\Jajmjcoe.exeC:\Windows\system32\Jajmjcoe.exe114⤵PID:2852
-
C:\Windows\SysWOW64\Jfgebjnm.exeC:\Windows\system32\Jfgebjnm.exe115⤵PID:2908
-
C:\Windows\SysWOW64\Jkbaci32.exeC:\Windows\system32\Jkbaci32.exe116⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:1376 -
C:\Windows\SysWOW64\Kmqmod32.exeC:\Windows\system32\Kmqmod32.exe117⤵
- Drops file in System32 directory
PID:2248 -
C:\Windows\SysWOW64\Kpojkp32.exeC:\Windows\system32\Kpojkp32.exe118⤵PID:2480
-
C:\Windows\SysWOW64\Kdkelolf.exeC:\Windows\system32\Kdkelolf.exe119⤵PID:2508
-
C:\Windows\SysWOW64\Kfibhjlj.exeC:\Windows\system32\Kfibhjlj.exe120⤵PID:996
-
C:\Windows\SysWOW64\Kmcjedcg.exeC:\Windows\system32\Kmcjedcg.exe121⤵PID:1524
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-